Privacy Policy
Effective date: 04 September 2025
Draig Therapeutics Limited (company number 13405365) ("us", "we", or "our") is the data controller for the data we collect about you on our website http://www.draigtherapeutics.com (the "Site"). We are registered with the Information Commissioner's Office under registration number ZB765800.
This privacy notice applies to website users, clinical trial participants, healthcare professionals involved in trials, employees, contractors, associated parties, and any individuals conducting commercial operations with us.
1. Data Protection Legislation
For data processed within the European Union, the EU General Data Protection Regulation (EU GDPR) applies. In the UK, data protection is governed by the Data Protection Act 2018, UK GDPR, PECR regulations, and the Data (Use and Access) Act 2025.
Draig acts as the data controller unless stated otherwise and has appointed a Data Protection Officer (DPO) to monitor compliance and serve as a contact point for data subjects and supervisory authorities.
2. Information We Collect and How We Use It
The personal data we collect varies depending on your relationship with us:
| Category | Personal Data Collected |
|---|---|
| Clinical Trial Participants | Name, date of birth, age, gender, contact information, legally authorized representative details, partner information, pseudonymized identification numbers, health data, genetic data, and ethnicity |
| Healthcare Professionals | Name and employment details |
| Employees and Contractors | Name, date of birth, contact information, employment details, pseudonymized identification numbers, financial information, right to work documentation, and health data |
| Website Users | Name, email address, contact form responses, usage data, and cookie information |
Research sites collect participant data as data processors on Draig's behalf.
3. How We Use Your Information
Processing occurs only under a lawful basis including consent, contractual obligations, legal requirements, vital interest protection, public interest, or legitimate interest. Consent may be withdrawn at any time through the DPO. Aggregated data may be used for analysis, but where combined with personal data it remains subject to personal data protections.
Processing activities and lawful bases include:
- Clinical trial data processing (consent, legitimate interest, or legal obligation depending on jurisdiction)
- Healthcare professional employment information (legitimate interest)
- Employee services and payment processing (contractual obligation)
- Service provider liaison (legitimate interest)
- Website monitoring and security (legitimate interest)
- Inquiry responses (legitimate interest)
- Service messages (legitimate interest)
- B2B marketing to corporate subscribers (legitimate interest)
- Individual subscriber B2B marketing (consent)
- Accounting record retention (legal obligation)
- Legal defence (legal obligation)
Data is used only for original collection purposes unless a compatible alternative use is identified, with notification provided if needed.
4. Automated Technologies and AI Use
As part of our ongoing efforts to improve the efficiency and quality of our research and clinical trial activities, we may use artificial intelligence (AI) tools to support data analysis, communication, and system functionality. Third-party platforms including Microsoft Office 365 and Microsoft Copilot may process personal data in accordance with Microsoft's privacy standards. Other systems including ChatGPT may also process personal data. AI tool use is based on legitimate interests with appropriate safeguards applied.
5. Who We Might Share Your Information With
We may share your data in the following circumstances:
- With clinical trial partners
- When legally required to do so
- For legal defence and fraud prevention
- With service providers supporting our operations
Data processors — including Contract Research Organisations, clinical trial data processors, and IT service providers — operate under data processor agreements preventing unauthorised sharing or processing.
6. How Long We Keep Your Information For
| Category | Retention Period |
|---|---|
| Clinical trial participants and involved healthcare professionals | 25 years following trial conclusion (per EU Clinical Trial Regulations) |
| Employees and contractors of Draig | 6 years after employment termination |
| Service provider employees and contractors | 6 years after employment termination |
| Website service users | 1 year |
| Commercial operation contacts | 6 years |
Retention is measured from the last contact date or record review unless law requires otherwise.
7. How We Keep You Updated on Our Products and Services
Clinical trial participants and healthcare professionals receive updates through contracted research organisations when necessary. Draig employees receive communications through company channels including email.
Service provider employees, website users, and business contacts receive news via email only when legitimate interest applies or consent has been obtained. Communications target business-capacity recipients and exclude consumers without consent. Email communications include unsubscribe options, with preferences adjustable through links or by contacting the DPO.
8. Giving Your Reviews and Sharing Your Thoughts
When using our website and other services, you may be able to share information through social networks. Personal data shared this way may become visible to social network providers and other users. Recipients bear responsibility for setting appropriate privacy controls on their social accounts.
9. Log Data
Website visitors' browser-transmitted information is collected, including IP addresses, browser specifications, visited pages, visit timing, and duration statistics. Third-party services such as Google Analytics collect and analyse this information.
10. Cookies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Browsers receive and store these files. Browser settings can refuse cookies or indicate when they are sent, though some site features may become unavailable. For detailed information please see our Cookie Policy.
11. Children's Privacy
We do not seek or knowingly collect any personal information about children under 13 years of age. If such information is discovered, we will make reasonable efforts to delete it from our databases. Parents or guardians of minors who have provided information may request deletion using the contact details below.
12. Your Privacy Rights
You have the following rights in relation to your personal data:
- Right to be informed — about how your personal data is collected and used
- Right of access — to personal data held about you (data subject access requests require identity verification)
- Right to rectification — correction of inaccurate, incomplete, or outdated personal data
- Right to object — absolute for direct marketing; conditional in other circumstances
- Right to erasure — the right to be forgotten (non-absolute and context-dependent)
- Right to restriction — of processing (non-absolute, circumstance-dependent)
- Right to data portability — to other controllers in structured, machine-readable formats
- Rights related to automated decision-making — Draig does not intend to conduct solely automated decision-making with significant legal effects
Requests should be directed to dpo@draigtherapeutics.com. UK residents may also complain to the Information Commissioner's Office at https://ico.org.uk/for-the-public at any time, though we would appreciate the opportunity to address your concerns first.
13. Data Security
We have implemented appropriate technical and organisational measures to prevent accidental loss, unauthorised access, alteration, or disclosure of personal data. Security measures include:
- Building and resource access limitation through passes and key card systems
- A data breach reporting and notification system
- Information technology access controls
- Encryption, anonymisation, and archiving techniques protecting information across all systems, networks, websites, applications, offices, and stores
14. International Transfers
Processing may occur at Draig offices and other relevant party locations, potentially involving transfers of data outside your original jurisdiction where different data protection laws apply. Clinical trial data sharing with trusted data processors may involve third-country storage and processing with pseudonymisation applied.
All transfers ensure security, confidentiality, and appropriate data protection agreements containing standard contractual clauses or alternative safeguards. UK and EU-based individuals receive additional protections through standard clause contracts where transfers occur to countries without adequate protection laws. Copies of standard contractual clauses are available from the EU Representative or DPO.
15. What Happens if Our Business Changes Hands?
Business expansion or reduction involving sales or transfers of control may result in personal data being transferred with the affected part of the business. New owners must use the data only for the original purposes described in this privacy notice.
16. Links to Other Websites
Our website may contain links to third-party websites and services. Draig is not responsible for their content, privacy policies, or practices and does not endorse linked sites except through explicit disclosure. Information submitted directly to third parties is governed by their own privacy notices.
17. Changes to This Privacy Policy
This notice is effective from 04 September 2025. Updates take effect immediately upon posting. Continued use of the site constitutes acceptance of any changes.
18. Contact Us
To exercise your rights, ask questions, or lodge a complaint, please contact our Data Protection Officer:
Email: dpo@draigtherapeutics.com
Telephone: +44 (0) 203 979 1289
Mail: Draig Therapeutics, Sbarc | Spark, Maindy Road, Cardiff, CF24 4HQ, Wales
EU Representative (Mubarik Ahman): eurep@draigtherapeutics.com
Privacy Policy | Cookie Policy | Additional Privacy Notices
Draig Therapeutics
Sbarc | Spark
Maindy Road
Cardiff, CF24 4HQ, Wales
