Vendor Privacy Notice

Introduction

This Privacy Notice (this “Notice”) is made available by Draig and its affiliated entities (referred to as “Draig”, “we”, “us” or “our”) and is intended to assist you in understanding how we collect, process, secure, and transfer personal data you share with us. We also describe how you can contact us to learn more information about our privacy practices. The terms “you”, “your” or “user” refer to the person interacting with Draig as a supplier or business partner, and any entity on whose behalf such supplier or business partner may be acting.

It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements any other notices and privacy policies we may provide to you and is not intended to override them.

Who we are

Draig is the Data Controller and is responsible for the processing of your personal data.

The data we collect about you

Draig will collect and may utilize your personal data for the purposes described below:

Category of Data: Contact details (Example, your name, nationality, postal address, telephone number, e-mail address)
Purpose for Processing:
  • Facilitating communications.
  • Communicating to provide you with information.
  • Responding to your requests or communications.
  • To carry out due diligence on you and/or your company as a prospective counterparty to Draig. This includes assessing financial standing, HSSE profile, technical & quality standards and corruption/money laundering risk.
Lawful Basis for Processing: Our Legitimate Interest in managing, and communicating with, our vendors

Category of Data: Identification information such as passport ID, date of birth, other paper copies of identity
Purpose for Processing:
  • Verifying your identity as part of our vendor onboarding process, where applicable.
  • Facilitating compliance with applicable laws, regulations or other requirements.
Lawful Basis for Processing: Our Legitimate Interest in managing, and communicating with, our vendors

Category of Data: Data about your directors, employees and/or agents
Purpose for Processing:
  • To review publicly available sources of information, such as the FDA debarment list and Companies House documents, in order to comply with bribery and corruption prevention laws, and to prevent, detect or investigate dishonesty, malpractice or seriously improper conduct in line with internal processes, where applicable.
Lawful Basis for Processing: Our Legitimate Interest in maintaining professional integrity in our supply chain

Category of Data: Relationship Data e.g. your connection/relationship with Draig and your mode of interaction with Draig.
Purpose for Processing:
  • Maintaining records of your relationship with Draig.
  • Assessing, analysing and improving your service and training our staff.
  • Managing our relationship with you.
Lawful Basis for Processing: Our Legitimate Interest in managing, and communicating with, our vendors

Category of Data: Payment Transactions Data (e.g. bank account details, payment order or other financial data including information regarding your tax status or the source of your assets)
Purpose for Processing:
  • Billing, maintaining accounts, and preparing invoices.
  • Managing and administering your accounts and holdings.
  • Facilitating compliance with applicable laws, regulations, or other requirements.
Lawful Basis for Processing: Our Contractual Obligation to pay our vendors for their services

Category of Data: Other Financial Data including investment portfolio/fund details, investment fund details and Market Trades data including information about ownership by individuals or organisations.
Purpose for Processing:
  • Keeping track of all financial transactions connected to Draig.
Lawful Basis for Processing: Our Legal Obligation to maintain accurate financial records

Category of Data: Communications Data including e-mail information, third party information, chat information, instant messages, corporate and media broadcasts, disputes or litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
Purpose for Processing:
  • Keeping track of our communication with you, managing our relationship with you.
  • Maintaining a technology-related log or monitoring significant events.
  • To check your instructions to us, assess, analyse and improve our service, train our staff, manage risk or to prevent and detect fraud and other crimes.
Lawful Basis for Processing: Our Legitimate Interest in managing, and communicating with, our vendors

Category of Data: Information about your use of communication systems, for example data obtained through electronic means such as swipe card records
Note – this information will be collected if you have been provided with a Draig account and office access as part of your service delivery.
Purpose for Processing:
  • To monitor our network to prevent and detect unauthorised or malicious activity.
  • Facilitating compliance with applicable laws, regulations, or other requirements.
Lawful Basis for Processing: Our Legitimate Interest in maintaining a secure work environment

Category of Data: Special Categories of Personal Data about you (example, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health or about criminal convictions and offences)
Note – this information may be collected if you are likely to spend a significant amount of time at Draig offices.
Purpose for Processing:
  • To comply with our legal obligations, including to ensure health and safety in the workplace, for example information about allergies or any reasonable adjustments required.
Lawful Basis for Processing: Our Legal Obligation to maintain a safe and accessible work environment

Category of Data: Vital Interest Data including: Communications data; Information about your use of communication systems; and, Special Category Health Data as relevant.
Purpose for Processing:
  • To act in your vital interest
  • To act in the vital interest of a third party
Lawful Basis for Processing: To act in your Vital Interest, or the Vital Interest of a third party

Automated Technologies and AI Use

Automated technologies

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

As you use our Website, we may automatically collect various data such as Technical Data about your equipment, browsing actions and patterns and Usage Data. We collect this personal data by using cookies and other similar technologies placed on your device when you visit our website if you provided us with your consent.

You are able to set your cookies as required. Please see the Cookies Policy for further details.

AI

As part of our ongoing efforts to improve efficiency, we may use some artificial intelligence (AI) tools that support communication and system functionalities. Some third-party software tools may process your personal data, such as the Microsoft o365 suite of applications, including Connected Experiences, which includes the Microsoft Copilot functionality, an AI tool.

Throughout the application process, your personal data may be processed within the Microsoft Office 365 suite of applications. This may include processing by Microsoft Copilot AI as part of Microsoft Connected Experiences, in accordance with Microsoft’s privacy and security standards. For more information about how Microsoft may process your personal data, see the Microsoft Privacy Statement. If you have any questions or concerns about this processing, please contact our Data Protection Officer at the email address set out in the ‘Contact Us’ section.

We handle all personal data in compliance with all applicable data protection laws and regulations, and we implement robust security measures and policies. If you wish to receive more information on this type of processing, please contact us.

Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.

Who we might share your information with

Where necessary to fulfil the purposes described in this Notice, Draig may disclose your personal data to certain third-parties, other vendors and service providers or affiliated employees, contractors and entities as described below.

Whenever Draig shares your personal data with companies acting as our authorized agents and service providers, these companies agree to use your personal data only for specified purposes. Furthermore, the recipient will implement and maintain reasonable security procedures and practices appropriate to the nature of your information to protect your personal data from unauthorized access, destruction, use, modification or disclosure.

We will transfer and disclose your personal data to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

Category of Third-Party: Subsidiaries and affiliated entities
Purpose for Disclosure:
  • Internal research and statistical analysis purposes.

Category of Third-Party: Service Providers who work for, or provide services to us (including their employees, sub-contractors, directors, officers or any professional service provider, such as accountants, auditors, lawyers, IT systems providers and IT contractors, credit and criminal record checks)
Purpose for Disclosure:
  • To support Draig’s commercial/business objectives.
  • To render professional advice where there is a dispute over a transaction.
  • IT performance-related monitoring, maintenance, or security.
  • Performing analytics to help in website or application planning and development.

Category of Third-Party: Cloud storage solutions
Purpose for Disclosure:
  • To store Draig data.
  • To ensure the safety and security of our data.

Category of Third-Party: Other vendors or suppliers
Purpose for Disclosure:
  • Billing, maintaining accounts, and preparing invoices.

Category of Third-Party: Law enforcement, government, courts or regulators, or fraud prevention agencies
Purpose for Disclosure:
  • To verify your identity.
  • Draig’s public or legal duty to assist with detecting fraud and tax evasion, financial crime prevention, regulatory reporting, litigation or defending legal rights.

Category of Third-Party: Professional Consultants
Purpose for Disclosure:
  • To provide professional/expert advice in connection with Draig’s business objectives.

Category of Third-Party: Other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents.
Purpose for Disclosure:
  • To meet our legal, regulatory and compliance obligations.

Category of Third-Party: Any prospective or new Draig entities (e.g. if we restructure, or acquire or merge with other companies) or any businesses that buy part of or all of a Draig.
Purpose for Disclosure:
  • In relation to compliance / due diligence

If this occurs the new owners of the business will only be permitted to use your information in the same or similar way as set out in this privacy notice.

How long we keep your information for

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. By law, we have to keep basic information about our vendors (including contact, identity, financial and transaction data) for six years after they cease being suppliers for tax purposes.

In some circumstances you can ask us to delete your data: see below for further information.

In some circumstances we will anonymise your personal data (so that it is no longer your personal information as it cannot be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your Privacy Rights

You may have rights relating to your Personal Data. Depending on the applicable data privacy law, you may have the right to direct Draig to take certain actions related to your Personal Data. You may have the right to request confirmation as to whether Draig is processing your personal data, and if so:

  • You may have the right to request information relating to the categories of data involved, purposes of processing, recipients of your data, retention periods/criteria, and your rights as a Data Subject.
  • You may have the right to access any of your personal data that Draig is processing.
  • You may have the right to rectify any inaccurate or incomplete personal data that Draig is processing.
  • You may have the right to request erasure or restriction of any personal data that Draig is processing, subject to certain exceptions.
  • You may have the right to obtain a copy of your personal data in a commonly-used and machine-readable format.
  • You may have the right to request your information not be sold or otherwise disclosed to a third-party.
  • You may have the right to lodge a complaint with us directly.
  • You may have the right to lodge a complaint with your local Data Protection Authority or other relevant Supervisory Authority.

If you wish to exercise any of the rights set out above, please contact us.

Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. For the EU, you can find your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you have any questions about which supervisory authority applies in your jurisdiction, please contact us using the contact details set out in the Contact Us section below.

In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website; see the ICO's “For the public” page.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

Providing Draig with other people’s data

If you give us any Personal Data that does not relate to you (e.g., information about your financial adviser and/or your employees), you must ensure that you have the required legal basis to collect and share such Personal Data. You must also tell them what information you have given to us, and make sure they agree we can use it as set out in this policy. You must also tell them how they can see what information we have about them and correct any mistakes.

Data Security

Data security is of great importance to Draig. We have put in place appropriate technical and organizational measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law.
  • Implementing access controls to our information technology.
  • Deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

International Transfers

Draig uses service providers in multiple countries. Therefore, we may need to transfer and use your Personal Data outside of the country where we collect it from you. We implement appropriate measures to protect your Personal Data when we transfer your Personal Data outside of your home country. This includes appointment of the EU representatives to handle local data queries, as well as having appropriate agreements in place to protect your data, such as data transfer agreements that incorporate standard data protection clauses.

You can request a copy of the standard contractual clauses we use from our DPO using the contact details in the Contact Us section below.

Consequences of not providing Personal Data to us

Providing your personal data to Draig is voluntary for you. Should you choose not to provide your personal information to us, your interaction with us may be adversely impacted.

Also, the provision of your personal information may be necessary to allow us to perform a contract with you and/or to provide services to you.

What happens if our business changes hands

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

Links to Other Websites

Our careers portal and recruitment pathway may contain links to websites or mobile applications we do not own or control. Our Privacy Notice does not cover this processing. Please read the privacy notices on those websites and mobile applications if you would like to find out how they collect, use and share your Personal Data.

Changes to This Privacy Notice

This Privacy Notice is effective as of 19 February 2026 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

We reserve the right to update or change our Privacy Notice at any time and you should check this Privacy Notice periodically. Your continued use of the website after we post any changes to the Privacy Notice on this page will constitute your understanding of these changes.

Contact Us

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:

By email: dpo@draigtherapeutics.com

By telephone: +44 (0) 203 979 1289

By post: Draig Therapeutics, Sbarc | Spark, Maindy Road, Cardiff, CF24 4HQ, Wales

To contact the EU Representative please use email: eurep@draigtherapeutics.com

Glossary

“Data Controller” means the person or organisation that determines how and why your data is being collected and used.

“Personal data” refers to any information relating to an identified or identifiable natural person, whether that information can be used alone or in conjunction with other information to identify a natural person.

“Process” (or “Processing”) means any operation or set of operations which is performed on personal data or sets of personal data, whether by automated means, such as collection, use, and erasure.

Thank you for taking the time to read our privacy notice.