Privacy Policy

At the Royal Osteoporosis Society (ROS) we’re committed to protecting and respecting your privacy and keeping your data safe.

1. Introduction and Purpose

This Privacy Policy (and any other documents referred to in it) sets out how we collect and use your data, and your rights to have your personal data protected.

Processing personal data allows us to make more informed decisions about the support and services we provide and the fundraising we conduct. It helps us to make more efficient use of our resources and ultimately, to bring us closer to beating osteoporosis.

You can read our Supporter Charter which outlines our commitment to ethical fundraising practice. We’re also registered with the Fundraising Regulator, and comply with requirements of the Fundraising Preference Service and the Gambling Commission.

The data controller is the Royal Osteoporosis Society, a charity registered under number 1102712 (England and Wales) and SC039755 (Scotland); and is a company limited by guarantee registered under number 04995013 (England and Wales). Our registered address is St James House, Bath, BA2 3BH.

2. What we do not do

The ROS does not sell, trade or rent your personal information to others, for marketing purposes or otherwise. Please see our Supporter Charter for more information.

3. How we use your information

Here we outline how we use your information based on your connection with the Charity and the legal basis we rely on under the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) to process your information.

Members (individuals or health professionals)

We use the information you’ve given to us as part of your Membership Registration to provide you with your membership benefits. We process your personal data to fulfil our contractual obligation.

Some examples of how we use your personal data:

  • Name and address - to post you a copy of Osteoporosis News (or Osteoporosis Review if you’re a Healthcare Professional member) and to provide you with information about changes to our services and to let you know about other services and benefits we offer as part of your membership
  • Bank details - to process payment for your membership
  • Your date of birth - to send you a birthday card

We rely on your proactive consent (‘opt-in’) to send you further information about ROS, including fundraising appeals, etc. When you become a member, we’ll ask if you want to opt-in to these communications.  If you do opt-in, you can choose to opt-out at any time.

Alternatively, if you fall into another category outlined in this policy, we may process your personal data for other purposes.

Volunteers

This includes trustees, ambassadors, and all other types of ROS volunteers.

We rely on consent to process your data when you become a volunteer. However, for trustees we also have a legal obligation to collect certain other types of information.

We use the information you’ve provided as part of your Volunteer Application Form to:

  • process your references, where applicable,
  • contact you about your volunteer role,
  • send you the Volunteer Network News email update, and other documents and communications relating to your role, by email or post, whilst you’re a volunteer. We’ll hold your contact details and the details of your volunteer role for six years after your last day in order to keep a record of your volunteer experience with us, and to resolve any complaints

We rely on your proactive consent (‘opt-in’) to send you further information about ROS, including fundraising appeals, etc. When you become a volunteer, we’ll ask if you want to opt-in to these communications.  If you do opt-in, you can choose to opt-out at any time.

If you attend a support group

We’ll only contact you about local support group activities when you’ve given us your proactive consent for us to do so. 

You can opt-out of local support group activity and receiving events information at any time, and your information will be retained in line with our Data Protection Policy.

We rely on your proactive consent (‘opt-in’) to send you further information about ROS, including fundraising appeals, etc. When you attend a support group, we’ll ask if you want to opt-in to these communications.  If you do opt-in, you can choose to opt-out at any time.

If you’re a healthcare professional

We use the contact details you give us:

  • when you sign up to attend events (including digital live events and on-demand recordings),
  • when you contact us about training we offer (including eLearning, and live or on-demand networking events),
  • when you enrol onto our courses,
  • to provide you with information about future training, events, professional development and partnership opportunities which we believe may be of interest to you.

We’ll always rely on a lawful basis to process your data and communicate with you, and you can opt-out at any time. The lawful basis that we rely on depends on why we are processing your information, and includes:

Consent (If you’ve given your proactive consent to the processing of your personal information for one or more specific purposes. Taking an action to agree you’re happy for us to process your information could include clicking a button or replying to an email. We might use this basis to contact you via email to market our services or to fundraise)

Legitimate interests (If we process your personal information for this reason, we believe we have a legitimate reason and that this reason is not overridden by your interests, rights, and freedoms. If we rely on our legitimate interest, you have the right to object) 

You can unsubscribe and opt-out from receiving these communications at any time. 

As a healthcare professional you may also make a donation or volunteer for the Charity. Please see the other categories for further information about how your information will be processed under those circumstances.

Your payment details will be used only to process your payment for events or training.

If you’ve given a donation to the Charity

We’ll use the payment details you have provided to process the donation. If you have consented to Gift Aid, we’ll also record and process this information for the purpose of claiming Gift Aid.

We may combine information you provide to us with information available from public and external sources to gain a better understanding of our supporters to improve our fundraising methods, products, and services. 

We’ll always rely on a lawful basis to process your data and communicate with you, and you can opt-out at any time. The lawful basis that we rely on depends on why we are processing your information, and includes either Consent or Legitimate interest.

Consent (If you’ve given your proactive consent to the processing of your personal information for one or more specific purposes. Taking an action to agree you’re happy for us to process your information could include clicking a button or replying to an email. We might use this basis to contact you via email to market our services or to fundraise) 

Legitimate interest (If we process your personal information for this reason, we believe we have a legitimate reason and that this reason is not overridden by your interests, rights and freedoms. If we rely on our legitimate interest, you have the right to object). 

Profiling 

As a fundraising organisation, we undertake in-house research and, from time to time, engage specialist agencies to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, social networks such as LinkedIn, political and property registers and news archives.   

We may also carry out profiling to fast-track the research using trusted third-party partners.  You will always have the right to opt-out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to our current major supporters, trustees or other lead volunteers.  

We also use publicly available sources to carry out due diligence on donors and to meet financial compliance regulation. 

This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way and make sure that we provide you with an experience, as a donor or potential donor, which is appropriate for you. 

Please note that we will not contact you if you have previously opted out of receiving communications from the Charity. 

If you’ve signed up to participate in, or expressed an interest in, a fundraising or information event

We’ll use the information you’ve provided to communicate with you about the event you’re participating in, or are interested in, and also about future events that you may be interested in. We rely on your legitimate interest to do this.

In addition, we may receive your contact details from a third party with whom you’ve registered for the purpose of raising money for the ROS or taking part in an information event.  In this case we’ll use the registration details provided by the event organiser to send you information about the event and about your fundraising activities. For example, if you choose to raise money for us through an online fundraising portal such as JustGiving and give consent for them to share your information with us, we’ll receive your data in line with their privacy policy and use it to keep in touch with you about your fundraising.

If you are or have been an employee of the Charity or are applying to work with us

  • See separate Employee Privacy Notice
  • If you’re applying for a job at the Charity please see our Applicant Privacy Notice

If you contact our Helpline

How we use your information 

We operate a Helpline to provide information and support to people affected by osteoporosis. When you contact our helpline, we process your personal information for different purposes using different legal bases: 

Accessing our helpline 

If you contact our Helpline by phone we may record your call. We rely on your explicit consent to record your call and call recordings are used to help us enhance the service we provide, and better identify safeguarding issues in line with our Safeguarding Policy. We also record information about you, such as your experience with osteoporosis and the purpose of your call, to ensure you are provided with relevant information and support and to help us understand who the Helpline is reaching.  Call recordings are retained for a period of 6 months and other information held about you is retained for 3 years.  

If you contact our Helpline via email, we rely on the legal basis of substantial public interest, specifically, support for individuals with a particular disability or medical condition. We rely on this basis as we are unable to ask for your consent before you contact us. We rely on this same legal basis to record information about you, such as your experience with osteoporosis and the purpose of your call, to ensure you are provided with relevant information and support and to help us understand who the Helpline is reaching. Emails are retained for a period of 6 months and other information held about you is retained for 3 years. You may also choose to opt-in to our evaluation survey that is linked in our email response to you. We rely on your consent to record this information about you and this data helps us understand how well the service is working. We retain this information about you for 3 years.

Optional services  

If you request an information booklet as part of the call, we rely on legitimate interests to send you an invitation to become a member of the Charity at the same time. There’s no obligation to sign up and this is the only additional information we’ll send to you unless you have given us your proactive consent to send further charity communications. 

As part of your call, we may also invite you to opt-in to further communications from the Charity that may be of benefit to you in helping you take care of your bone health, and to find out more about other charity activities such as membership and fundraising. We rely on your proactive consent to send you these communications and if we don’t have it, we will not contact you. 

You can withdraw your consent for these optional services at any time without affecting your access to our helpline. 

If you want to change frequency of emails, you can change your notification settings, or press ‘unsubscribe’ in a notification email sent to you.  

Data sharing and security 

Our service provider: Our Helpline call handling and recording is managed by Route 101 as our technical service provider. We have a comprehensive Data Processing Agreement with Route 101, ensuring they: 

  • Only use your data to provide forum services to us 
  • Cannot sell or share your data with third parties 
  • Implement appropriate security measures to protect your information 
  • Delete your data when our agreement ends 

Third party sharing: We do not share your data with other organisations for marketing or commercial purposes. Limited sharing may occur if required by law or to protect user safety such as in an instance where a caller is at risk of harm. 

If you’re a corporate partner or prospective partner

We’ll contact you using information that is publicly available on your website, or information that you have provided to a charity representative to contact you about potential ways in which we can work together.

We also rely on legitimate interest to send those identified as corporate partners news and updates. These will only be sent to those who have registered interest in working with the Charity and have an interest in receiving these updates. They provide you with information about our work and potential partnership opportunities.

If you use our website

If we collect personal data from you through our website, we’ll use it for the purposes for which you have provided it.  More information on this can be found in the relevant sections above/below.  For example, if you’ve used our website to complete the osteoporosis risk checker, the osteoporosis risk checker section below will explain what information we have collected, and how we use it.

All personal data that you provide to us using forms on our website will be stored securely in accordance with our Data Protection Policy. Further information is provided at the point at which you provide us with this information. 

We may also invite you to participate in an evaluation, or to give us feedback on the website. Information gathered through these surveys is used anonymously to help us understand more about who is using our site, and how our service is performing. We’ll only use your information for other purposes if you then give your proactive consent as part of the evaluation.

Our website also uses cookies, which are small bits of data downloaded onto your device, to enable our website to function properly and to distinguish you from other users of our website.

The cookies we use also help us to improve our site, to make the information provided more relevant to you and to provide you with a good experience when you browse our website.

There is a notification for all website users that gives you the opportunity to consent to non-essential cookies being used. More details about the non-essential cookies that we use can be found in our cookies policy.

When you visit our website, the following information may be collected automatically:

  • Technical information, including the IP address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and the type of device you’re using;
  • Information about your visit, including the route into and through our site, length of visit and pages you viewed.

We’ll use this information:

  • to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to help keep our site safe and secure;
  • to improve our website to ensure that content is presented in the best way for you, and for the device you’re using;
  • to allow you to participate in interactive features of our service, when you choose to do so;
  • to make suggestions and recommendations to you and other users of our website about goods or services that may interest you, or them;
  • to gain a better understanding of our supporters and beneficiaries to enable us to improve our services or the effectiveness of our fundraising.

When we set strictly necessary cookies, and they use information about you, we rely on legitimate interests as our legal basis to use this information, because the functionality of the website is a legitimate interest of ours.

Strictly necessary cookies use information for the purposes in bold above.

When we set other cookies (for the purposes not in bold above), we rely on consent, which you can withdraw at any time by updating your browser settings.  Then when you next visit our website, you’ll be presented with the option to consent to cookies if you want to change your mind.

Where possible, we anonymise the information that we collect through cookies, to ensure that an individual is not identifiable.  For example, we may collect information about the number of visits to a particular page, but not link that to the individual who has accessed the page.

Where you have consented to targeting cookies, Google will set a cookie that tracks your progress through the website.  This is used by Google to link to other information that they hold about you to build a profile of your browsing history.  We might then ask Google to show adverts for the Charity to users who they know to have a similar profile to yours, to reach individuals who might be interested in visiting our website.  Google may also use this information to select relevant adverts for you, based on individuals with similar profiles.  If you’ve signed into your Google account (and have accepted all relevant cookies), Google may build a profile linked to your account, and your visit to our website will be part of that profile.

More information about how Google uses your personal data can be found at policies.google.com

We also work with Meta (Facebook) to increase our website engagement.  Meta will set a cookie similar to the one described above which will build a profile based on your IP address and your browsing history.

We also send Meta information about your email address if you’ve provided us with one and have consented to this by accepting third party cookies. The information that we provide is "hashed". This means that your email address is turned into a randomised code. Meta can then compare this with the information that they hold and match the email address to your account. This enables Meta to link your association with us to the profile that they hold, and they will use this information when providing targeted adverts to individuals. This can only be carried out where you have agreed to the placing of cookies from both us and Meta, and if you don’t have an account with Meta, no personal data will be provided to them. The randomised code applied to a non-Meta user's email will not match with the Meta database and will then be deleted by them.

More information on how Meta uses your personal data can be found at facebook.com/privacy/policy

Where the cookies we’ve described above use any identifiable information about you, such as your email address or your IP address, we rely on consent as our lawful basis for this.  You can withdraw your consent at any time, as set out above. 

If you use our osteoporosis risk checker

If you participate in the osteoporosis risk checker on our website, we’ll use the information that you’ve supplied to provide you with an indication of your level of risk of developing osteoporosis, and actions you can take to look after your bone health. 

If you provide us with your email address during this process, we’ll send your results to your email, along with follow up information about keeping your bones healthy, and information relevant to your risk result such as recommended actions, plus updates on our latest news, campaigns, fundraising and membership activities and events.

If you provide your phone number, we may contact you by phone to tell you more about our work and how you can join our mission to help those living with osteoporosis to live well. There is no obligation to give.

We rely on consent as our lawful basis for this, and by inputting your name, email address and/or phone number, you have consented to be contacted in this way for the purposes stated. You can unsubscribe and opt-out of receiving these communications at any time.

We’ll collect your location information using the IP address of the device that you access our osteoporosis risk checker from.

We may also use anonymised or pseudonymised data (including location data gathered from your IP address) to further our charitable purposes by, for example, producing statistics based on the responses provided. When we do this, we’ll ensure that you will not be identifiable from the information that we use. We may share this information with our sponsors on an anonymised basis. 

If you use our BoneMed Online service

If you use our BoneMed Online service we use the details you give us to deliver tailored information through the information summary and follow-up emails and support the evaluation of the service.

  • Types of personal data collected – name, email, postcode (if supplied), gender, age, ethnic group, and health information supplied in answers to the initial assessment questions.
  • Where we get your personal data from – we only use the personal data you’ve provided to us through your completion of the initial assessment questionnaire.
  • What we use your personal data for – We use your data to deliver tailored information to you. We also use your data for evaluation. The ROS is committed to supporting as many people as possible. We want to ensure we reach everyone who needs our help. In order to do this, we want to understand who we’re already reaching, and who we aren’t. By evaluating the different groups of people who are already accessing our BoneMed Online service, we’ll be able to put in place a plan to reach those people who are currently in need of our support but are not yet getting it.
  • Our lawful basis for holding your information – to use your personal data for the delivery of, and evaluation of our service, we rely on your consent. You can withdraw your consent for us to use your information for this purpose at any time. If you’d like to withdraw your consent then please email dataprotection@theros.org.uk and we will no longer use your information for service evaluation purposes.
  • We’ll only hold your information for the purposes of delivering and evaluating the BoneMed Online service for as long as is reasonably necessary. You can request the deletion of the data we hold by emailing dataprotection@theros.org.uk.

If you use our Online Community

What information do we collect?

We collect information from you when you register on our site and gather data when you participate in the forum by reading, writing, and evaluating the content shared here.

When registering on our site, you will be asked to enter your name and e-mail address to create your account. You may, however, visit our site without registering. Your e-mail address will be verified by an email containing a unique link. If that link is visited, we know that you control the e-mail address.

When registered and posting, we record the IP address that the post originated from. We also may retain server logs which include the IP address of every request to our server.

How we use your information

We operate an online community forum to provide peer support for people affected by osteoporosis. When you register for and use our forum, we process your personal information for different purposes using different legal bases:

Core forum services (Legitimate Interests)

We process your information based on our legitimate interests as a health charity to provide community support services. This includes:

  • Account management: Creating and maintaining your forum account, including name, username, email address, and password
  • Forum functionality: Displaying your posts and profile information to enable community interaction
  • Content moderation: Monitoring posts to ensure community guidelines are followed and user safety
  • Safety compliance: Implementing measures required by the Online Safety Act to protect users from harmful content
  • Basic analytics: Understanding forum usage to improve our services
  • Email notifications: Sending you updates about forum activity or responses to your posts (If you want to change the frequency of emails, you can change your notification settings in your Forum account. You can also ‘unsubscribe’ from receiving notification emails sent to you by clicking on the link within notification emails).

Our legitimate interests are balanced against your rights through your voluntary participation, transparent information about our processing, your control over posted content, and your ability to delete your account at any time.

Optional services (Consent)

We will ask for your specific consent before using your information for:

  • Service integration: Connecting your forum account with other ROS services and support
  • Research participation: Including your data in surveys or studies to improve our services
  • Connecting with the broader work of the ROS, including marketing communications: Sending you information about other ROS services and activities [If you consent, a record will be created for you in our Customer Relations Management database (CRM) to facilitate this. It will contain your name and email address. It will not hold any other data about you].

You can withdraw your consent for these optional services at any time without affecting your core forum access. To withdraw consent, email: dataprotection@theros.org.uk

We rely on Article 9(2)(g) processing under Schedule 1, Condition 16 of the Data Protection Act 2018 - support for individuals with a particular medical condition (osteoporosis), as our basis for processing health data in line with data protection law.

For further detail about data sharing and security, data retention and your rights, please refer to our full Privacy Policy for our Online Community: [insert link]. 

Other

There may be other circumstances where we process your personal data. Here are some examples:

  • If you offer to share your story with us we may collect information in addition to your contact details, in relation to your experience of living with the condition. This may include health information. We require your proactive consent to hold and process this type of information. We’ll give you the choice to decide with whom your story is shared, and provide you with further details about how your story might be shared when you submit your information.
  • We may keep records of our correspondence with you and may ask for feedback to ensure we provide you with a high-quality service.
  • Where you have provided your consent to receive specific categories of communication (mentioned above), we may keep you informed about our work, our latest news, blogs, information and events, fundraising activities and appeals, campaigns and more.
  • If you submit an application for a research and innovation grant, we’ll process your application in line with our Association of Medical Research Charities (AMRC) audited Research and Innovation Grants Application Process, and ROS Research Code of Conduct. This means we’ll share it with the ROS Research and Innovation Grants Assessment Panel and also appropriate External Expert Reviewers.
  • If you participate in a research project or consultation group led by us, you’ll have given your proactive consent to participate and/or applied to be part of a volunteer panel. Your personal information will be used for the purpose of inviting you to consultation events and for the purposes of the project. You may also be offered the opportunity to give your consent (opt-in) to receive wider charity communications which may be of interest to you.

We may also use the information you provide us with to help detect fraud.

4. Data received or shared with third-parties

Your information may be shared with us if you’ve provided your proactive consent or have submitted information to a third-party supplier in order that we can provide the service that you have requested. For example, a fundraising platform or company that arranges challenge events to raise charity funds.

We don’t purchase any data from third party suppliers but data from other organisations may be passed to us if you have given them consent to share your information with us, or where they are acting on our behalf to provide a service for you.

We work closely with our third-party suppliers to ensure that they operate in accordance with the Data Protection Act 2018, the UK GDPR, GDPR and this Privacy Policy. Further information can be found in our Data Protection Policy.

When you submit your information to a third party, it’s important to check their Privacy Policy for details of how they use your data before submitting your personal information.

5. How we store your personal data and keep it safe

Any information you provide to us is stored in a way that makes us compliant with all legal requirements and industry best practice.

We make use of the services of some third-party suppliers, and your data may be stored on one or more of these services (such as YouTube, etc.). We only select and use third-party suppliers where they meet our governance requirements and hold well recognised certifications which independently validate their processes, people and technology.

Any data collected will be mainly stored on services based in the UK or the European Economic Area (EEA). However, due to the nature of public-cloud services, your data could be processed outside of these zones. In this case we’ll make sure that we follow guidance from the National Cyber Security Centre (NCSC) as well as the relevant lawful safe-harbour agreements.

Where any payment information is taken and processed using third parties, we’ll ensure that these suppliers meet current legislation and industry guidance. In the case of recurring payments, your payment information will be held securely by the processing system for the purpose of these payments only.

We’ll ensure that your data is always transmitted and stored in a safe manner by using current and well-known encryption methods. We’ll always do our best to protect your data once it’s received by us, using the approaches and methods described above. However, we cannot absolutely guarantee the security of your data. Any transmission of your personal data is at your own risk.

Our Data Protection Policy outlines how we protect your information, how long we keep it, and some further detail around making a subject access request.

6. Your rights

The UK GDPR provides you with the following rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure, unless your data is being processed in line with a legal requirement
  5. The right to restrict processing, except for processing related to a legal requirement
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Wherever we collect information about you, we’ll explain to you why we are collecting it and what we’ll do with it.

If you have any questions about how we handle your information or want to find out more about your rights as outlined above, please don’t hesitate to contact us.

You can also contact the Information Commissioner’s Office if you want to:

  • Find out more about your rights
  • Make a complaint or raise a concern about the processing of your personal data

Contact details can be found here: ico.org.uk/concerns 

7. Contact us

Please contact us if you wish to amend your communication preferences, update your contact information or to see what information we hold about you. 

Membership & Supporter Care Team
Royal Osteoporosis Society
FREEPOST RTJH-ERRL-ZEBK
St James House
The Square
Lower Bristol Road
Bath
BA2 3BH

or email us: supporters@theros.org.uk
or call us on 01761 473287

Any questions, comments or requests regarding this Privacy Policy are welcomed and should be addressed to:

Data Protection Lead,
Royal Osteoporosis Society
St James House
The Square
Lower Bristol Road
Bath
BA2 3BH

or email: dataprotection@theros.org.uk

8. Changes to our Privacy Policy

Any future changes we make to our Privacy Policy will be posted on our website and, where appropriate, notified to you by email or post. Please check back frequently to see any updates or changes to our Privacy Policy.

Last Updated 28 October 2025

Appendix A: Glossary

Personal data: information which identifies a living individual, is biographical or which has the individual as its focus and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual or any indication of the intentions of any person in respect of the individual will be personal data.

Provided the information in question can be linked to an identifiable individual, the following are likely to be examples of personal data:

  • an individual’s salary or other financial information
  • information about an individual’s family life or personal circumstances,
  • employment or personal circumstances, any opinion about an individual’s state of mind

The following are examples of information which will not normally be personal data:

  • mere reference to a person’s name, where the name is not associated with any other personal information
  • the content of that document or email does not amount to personal data about the individual unless there is other information about the individual in it.

Legal Basis: in order to process personal data we must have a valid lawful basis to do so. There are six lawful bases which can be relied upon to process your personal data, and we must clearly identify which basis we are using.

  1. Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate interest: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

We’ll ask you for your consent before we send you information about fundraising appeals and other similar communications. This is to make sure you only receive the information you want.

Opt-out: this refers to your opportunity to unsubscribe. An exception would be when we are processing your personal data to fulfil a request, for example, the processing of a donation.

You can opt out by following the instructions given to you, by ringing our Membership and Supporter Care Team on 01761 473287, or by using the unsubscribe link in your email.