GDPR Compliance

Last updated: 1 February 2026

1. Our Commitment

Drakon Systems Ltd is committed to protecting the privacy and rights of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations as a data controller.

2. Lawful Basis for Processing

We process personal data only where we have a lawful basis to do so. The bases we rely on include:

  • Consent — When you voluntarily provide your email address (e.g. waitlist signup). You may withdraw consent at any time by emailing us.
  • Legitimate Interests — Server access logs for security monitoring, fraud prevention, and service improvement. We balance our interests against your rights and freedoms.
  • Contract Performance — When we launch our SaaS platform, processing account data will be necessary to provide the service you have subscribed to.
  • Legal Obligation — Where we are required to retain data to comply with tax, accounting, or other legal requirements.

3. Data Subject Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You may request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Rectification (Article 16)

You may request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

You may request deletion of your personal data where there is no compelling reason for its continued processing. This is also known as the "right to be forgotten".

Right to Data Portability (Article 20)

You may request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).

Right to Object (Article 21)

You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Restrict Processing (Article 18)

You may request that we limit how we use your data while a complaint or request is being resolved.

To exercise any of these rights, contact us at support@drakonsystems.com. We will respond within 30 days. No fee is charged for reasonable requests.

4. Data Protection Officer

Given our current size and processing activities, we are not required to appoint a formal DPO under Article 37. However, all data protection enquiries are handled by our data protection lead:

Data Protection Lead

Drakon Systems Ltd

support@drakonsystems.com

We will appoint a formal DPO if our processing activities require it in the future.

5. Cookie Consent

Our website displays a cookie consent banner on your first visit, compliant with the Privacy and Electronic Communications Regulations (PECR). We currently use only essential cookies (consent preference stored in localStorage). Non-essential cookies (e.g. analytics) will only be set after you give explicit consent.

Our cookie consent mechanism:

  • Only sets non-essential cookies after obtaining explicit consent
  • Provides clear information about each cookie's purpose
  • Allows users to reject non-essential cookies
  • Remembers your choice so you are not asked again
  • Lets you withdraw consent at any time by clearing your browser's local storage for this site

6. International Data Transfers

Our infrastructure is hosted on Fly.io, which may process data in regions outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with UK adequacy decisions (including EU/EEA countries)
  • Standard Contractual Clauses (SCCs) where adequacy decisions do not apply
  • Processor agreements with all third-party service providers

The ShieldCortex npm package processes all data locally on your machine — no data is transferred to our servers or any third party.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches in our internal breach register, including facts, effects, and remedial actions taken
  • Conduct a post-incident review and implement measures to prevent recurrence

To report a security vulnerability, contact security@drakonsystems.com.

8. Data Minimisation & Retention

We adhere to the principle of data minimisation — we only collect and process data that is necessary for the stated purpose. Our retention periods are:

Data Type            Retention Period
Server access logs   30 days
Waitlist emails      Until product launch or deletion request
SaaS account data    Duration of account + 30 days
Financial records    6 years (legal requirement)

9. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

We encourage you to contact us first at support@drakonsystems.com so we can try to resolve your concern directly.

10. Contact

Drakon Systems Ltd
England, United Kingdom
support@drakonsystems.com