Privacy Policy
Website Privacy Notice
Draig Therapeutics Limited (company number 13405365) (“us”, “we”, or “our”) is the data controller for the data we collect about you on our website http://www.draigtherapeutics.com (the “Site”). We take your privacy very seriously and we are committed to protecting and respecting your privacy.
We are registered with the Information Commissioner’s Office (the ICO) in the United Kingdom with registration number ZB765800. This notice informs you of our policies regarding the collection, use, disclosure and storage of your Personal Information.
This Draig Privacy Notice applies to you if you are:
- A service user of this Site;
- A Draig clinical trial participant;
- A healthcare professional conducting a Draig clinical trial;
- An employee, contractor or other associated party associated with Draig;
- An employee, contractor or other associated party contracted by Draig’s Service Providers; or,
- Any other individual with whom Draig may conduct commercial operations.
We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.
Additional privacy notices may be provided to you depending on the type of interactions you have with us or the relationship you have with us, for example if you are a clinical trial participant, a healthcare professional or a third-party service provider. Links to these privacy notices are provided under the section ‘Additional Privacy Notices’.
Data Protection Legislation
Throughout this document we refer to Data Protection Legislation.
Where data is processed by a controller or processor established in the European Union (EU) or comprises the data of people in the European Union, it is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’) as well as any local data protection implementation laws. This includes any replacement legislation coming into effect from time to time.
In the United Kingdom (UK), Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and Data (Use and Access) Act 2025, and any legislation implemented in connection with the aforementioned legislation.
Draig is the Data Controller (‘controller’) for the Personal Data we process, unless otherwise stated.
We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how you can contact our DPO, please see the Contact Us section below.
Information Collection and Use
We only collect Personal Data that we know we will genuinely use and in accordance with the Data Protection Legislation and/or legislation related to clinical trials, such as the EU Clinical Trial Regulations (EU CTR). The type of Personal Data that we will collect on you will depend on whether you are a clinical trial participant, a healthcare professional, an employee, or a user of this website:
Clinical Trial participant
- Your name*
- Your date of birth*
- Your age*
- Your gender*
- Your contact information (telephone number or email address)*
- Where applicable, the name of your legally authorized representative*
- Where applicable, the name and contact details of your partner*
- Your pseudonymized unique identification number(s)
- Your health data
- Your genetic data
- Your ethnicity
Healthcare professional (HCP)
- Your name
- Your employment details
Employees and Contractors of Draig or Draig’s Service Providers
- Your name
- Your date of birth
- Your contact information (telephone number, email address, or mailing address)
- Your employment details
- Where relevant, your pseudonymized unique identification number(s) (e.g., payroll no.)
- Where relevant, your financial information (e.g., bank information)
- Where relevant, your Right to Work information (e.g., nationality)
- Where relevant, your health data (e.g., sick leave information)
Website User†
- Your name
- Your contact information (email address)
- Your Contact Us form responses
- Your Usage Data (e.g., your IP address)
- Cookies and Tracking Technologies
* This participant personal data is collected by Draig’s Research Sites, acting on their behalf as Data Processors. This data may be shared with clinicians, health authorities, ethics bodies and other personnel as authorized by Draig, but only where Draig is legally obligated to provide this data in accordance with Clinical Trial Regulations and other applicable laws. Draig will not directly receive participant personal data and will not instruct their Data Processors to process or share this information other than where the law requires.
† You are under no statutory or contractual requirement or obligation to provide us with your Personal Data; however, we require at least the information above in order for us to deal with you as a Service User in an efficient and effective manner.
How we use your information
We will only process your Personal Data when the law allows us to do so. We will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.
Under Data Protection Legislation, the lawful bases we rely on for processing your information are:
- GDPR Article 6(1)(a) – your consent;*
- GDPR Article 6(1)(b) – We have a contractual obligation;
- GDPR Article 6(1)(c) – We have a legal obligation;
- GDPR Article 6(1)(d) – In order to protect the vital interests of you or a third party;
- GDPR Article 6(1)(e) – We have a public interest; or,
- GDPR Article 6(1)(f) – We have a legitimate interest.
* Where the lawful basis for processing is Consent, you are able to remove your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.
We also collect, use and share Aggregated Data for various purposes. For example, we may use your website usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Notice.
We may use your information for the following purposes:
Processing Activity | Lawful Basis |
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Consent, to collect information from you and process your health information in order to conduct a clinical trial | Consent |
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legitimate Interest, to collect information from you and process your health information in order to conduct a clinical trial | Legitimate Interest in conducting clinical research |
Where you are a clinical trial participant in a jurisdiction where clinical trials occur on the lawful basis of Legal Obligation, to collect information from you and process your health information in order to conduct a clinical trial | Legal Obligation |
Where you are a Health Care Professional (HCP) involved in the planning, delivery, or oversight of Draig clinical trials, to collect information from you and process your employment information in order to conduct a clinical trial | Legitimate Interest in conducting clinical research |
Where you are an employee of Draig, to collect information from you and make available our services to you | Contractual Obligation |
Where you are an employee of Draig’s Service Providers, to collect information from you or your employer and make available our services to your employer | Legitimate Interest in managing Draig’s affairs |
Where you are an employee of Draig’s Service Providers, to collect information from you and take payment from you, make a payment to you, give you a refund or request a refund | Contractual Obligation |
Where you are an employee of Draig’s Service Providers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required | Legitimate Interest in managing Draig’s affairs |
To collect information from you and monitor, provide and maintain our Service | Legitimate Interest in providing Services to you |
To contact you following your inquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us | Legitimate Interest in providing Services to you |
To collect your Usage Data in order to power our security measures and services so you can safely access our website and other Services | Legitimate Interest in providing a secure platform |
To contact you, where you have provided your contact information, about news and information relating to our Services through service messages | Legitimate Interest in contacting you about our Services |
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under UK PECR | Legitimate Interest in marketing our Services to you |
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are a sole trader, partnership or otherwise classified as an individual subscriber and/or the ‘soft opt-in’ does not apply under UK PECR | Consent |
To retain any accounting information generated during the course of our interaction for statutory accountancy retention periods | Legal Obligation |
To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims | Legal Obligation |
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We may receive information about you from other sources including business partners, third parties, affiliates, contract research organisations and publicly available information.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated Technologies and AI Use
As part of our ongoing efforts to improve the efficiency and quality of our research and clinical trial activities, we may use artificial intelligence (AI) tools to support data analysis, communication, and system functionality. Some of these third-party software platforms and systems may process your personal data, such as the Microsoft Office 365 suite of applications, including Connected Experiences and Microsoft Copilot, an AI tool. Other systems that we use, such as ChatGPT, may also include AI features and functionalities that may process your personal data.
Throughout our professional relationship, your personal data may be processed within the Microsoft Office 365 suite of applications. This may include processing by Microsoft Copilot AI as part of Microsoft Connected Experiences, in accordance with Microsoft’s privacy and security standards. For more information about how Microsoft may process your personal data, see the Microsoft Privacy Statement. If you have any questions or concerns about this processing, please contact our Data Protection Officer on the contact email address set out in the ‘Contact Us’ section.
Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.
Who we might share your information with
We may share your personal data with other organisations in the following circumstances:
- From time to time, we may need to share your Personal Data with our strategic clinical trial partners;
- If the law or a public authority says we must share the Personal Data;
- If we need to share Personal Data in order to establish, exercise or defend our legal rights – this includes providing Personal Data to others for the purposes of detecting and preventing fraud; or
- From time to time, we may employ the services of other parties for dealing with certain processes necessary for the operation of our services.
We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:
- Our Contract Research Organizations (CROs) and EU representative;
- Our Clinical Trial Data Processors; and,
- Our IT Service Providers, such as Microsoft Corporation.
We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will hold your Personal Data securely and retain it for the period we instruct.
How long we keep your information for
We retain a record of your Personal Data in order to provide you with a high quality and consistent service. We will always retain your Personal Data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary. Draig follows a Retention Schedule which outlines how long Draig will retain your Personal Data. Draig considers the retention period to begin from the point at which Draig last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, unless otherwise required by law, your data will be retained for the period specified in the summarized table below and then securely deleted in accordance with our internal policies and procedures.
Purpose | Retention Period |
Processing data in relation to You as a clinical trial participant | 25 years following the conclusion of the clinical trial, as determined by EU Clinical Trial Regulations (EU-CTRs) |
Processing data in relation to You as a Health Care Professional (HCP) involved in the planning, delivery, or oversight of a Draig clinical trial | 25 years following the conclusion of the clinical trial, as determined by EU Clinical Trial Regulations (EU-CTRs) |
Processing data in relation to You as an employee, contractor or other associated party contracted by Draig | 6 years following the termination of your employment |
Processing data in relation to You as an employee, contractor or other associated party contracted by Draig’s Service Providers | 6 years following the termination of your employment |
Processing data in relation to You as a service user of this website | 1 year |
Processing data in relation to You as any other individual with whom Draig may conduct commercial operations | 6 years |
How we keep you updated on our products and services
Where you are a clinical trial participant or a Health Care Professional involved in the planning, delivery, or oversight of a Draig clinical trial, we will contact you through our Contracted Research Organization (CRO) where it is necessary to do so.
Where you are an employee of Draig, we will contact you through existing Draig communication channels, including email, where it is appropriate to do so.
Where you are an employee of Draig’s Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we will send you relevant news about our services in a number of ways including by email, but only if we have a Legitimate Interest to do so. Where we do not have a Legitimate Interest, we will not send you marketing communications unless we have asked for, and gained, your consent.
We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.
All email communications will have an option to unsubscribe and so if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.
Giving your reviews and sharing your thoughts
When using our website and other Services, you may be able to share information through social networks like Facebook and X, for example when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so that you are comfortable with how your information is used and shared on them.
Log Data
Like many site operators, we collect information that your browser sends whenever you visit our Site (“Log Data”).
This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Site that you visit, the time and date of your visit, the time spent on those pages, and other statistics.
In addition, we may use third-party services such as Google Analytics that collect, monitor, and analyse this data.
Cookies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer’s hard drive.
Like many sites, we use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site. Please see our Cookies Policy for more information.
Children’s privacy
We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database.
If you are the parent or guardian of a minor child who has provided us with personal information, you may contact us using the information below to request it be deleted.
Your Privacy rights
You have the following rights:
- The right to be informed about our collection and use of personal data. You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
- Request access to your personal data (commonly known as a ‘data subject access request’), to receive a copy of the personal data we hold about you and to check it is being lawfully processed. We would ask for proof of identity and sufficient information about your interactions with us so that we can locate your Personal Data.
- If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you can request correction of the personal data that we hold about you.
- You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.
- You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example where there is no good reason for us to continue to process it, or where you have exercised the right to object to processing. However, the right to erasure does not apply where we have a legal obligation to retain your personal data.
- You have the right to request that we restrict the processing of your personal data, for example if you want us to suspend processing of certain data to establish its accuracy or the reason for processing it. The right is not absolute and only applies in certain circumstances.
- You have the right to request the transfer of your personal data to another controller. This right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format.
- You have the right to object to our processing where a decision is made about you based solely upon automated processing and which has significant or legal effects. Draig does not intend to conduct any automated decision-making for your Personal Data.
If you wish to exercise any of the rights set out above, please contact us (dpo@draigtherapeutics.com).
Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. You can find your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you have any questions about which supervisory authority applies in your jurisdiction, please Contact Us as set out below.
In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: https://ico.org.uk/for-the-public.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (we would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance under dpo@draigtherapeutics.com). Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
Data Security
Data security is of great importance to Draig. We have put in place appropriate technical and organizational measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.
We take security measures to protect your information including:
- Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
- Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
- Implementing access controls to our information technology; and,
- Deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.
International Transfers
Your Personal Data is processed at Draig’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. In particular, when Draig shares clinical trials data with Trusted Data Processors, your Personal Data, which will be pseudonymised in any case, would be stored and processed within third countries. Where this occurs, Draig will ensure that:
- the security and confidentiality of your Personal Data are maintained at all times;
- any Data Controller receiving your Personal Data has entered into an agreement with Draig which contains standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
- any Data Processor receiving your Personal Data has entered into an agreement with Draig which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.
Where you are based in the UK or EU and we were required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting the EU Representative or DPO identified in the Contact Us section below.
What happens if our business changes hands?
We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.
Links to Other Websites
Our website may contain links to third-party websites or services that are not owned or controlled by Draig Therapeutics.
Draig Therapeutics has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or services. You further acknowledge and agree that Draig Therapeutics shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods, or services available on or through any such websites or services. Draig’s inclusion of such links does not imply any endorsement of the content on such sites or of their owners or operators except as disclosed through the Services. Any information submitted by you directly to these third parties is subject to that third party’s privacy notice.
We expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third parties.
Changes to This Privacy Policy
This Privacy Notice is effective as of the 4th September 2025 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.
We reserve the right to update or change our Privacy Notice at any time, and you should check this Privacy Notice periodically. Your continued use of the website after we post any changes to the Privacy Notice on this page will constitute your understanding of these changes.
Contact Us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:
By email: dpo@draigtherapeutics.com
By telephone: +44 (0) 203 979 1289
By post: Draig Therapeutics, Sbarc | Spark, Maindy Road, Cardiff, CF24 4HQ, Wales
Our EU Representative is Mubarik Ahman, who can be contacted via email: eurep@draigtherapeutics.com