Privacy — Dragonfod Dynamics

Version 1.0 Effective 15 April 2026 ICO Reg · Pending

This notice explains how Dragonfod Dynamics Ltd ("Dragonfod", "we") collects and uses personal data under the UK General Data Protection Regulation and the Data Protection Act 2018. It covers visitors to dragonfod.com and people who contact us by email or the briefing request form.

1. Data controller

Dragonfod Dynamics, Plas Afon, Betws-y-Coed, Conwy LL24 0BN, Wales. Our ICO registration is pending. Data Protection Officer: dpo@dragonfod.com.

2. What we collect

From visitors to the Site:

Aggregate traffic data (IP address range, user agent, referrer, pages viewed). We do not profile individual visitors.
Anonymous performance metrics (page load time, video load progress).
No third-party advertising identifiers. No cross-site tracking. No cookie banner because we do not set non-essential cookies.

From people who contact us:

Name, organisation, email address, country, and the content of your message.
Any attachments you choose to send us.
Correspondence metadata (timestamps, delivery status).

3. Why we collect it

We use the data to:

Respond to your enquiry — this is our legitimate interest in operating as a business, or the performance of a contract if you are already a customer.
Verify eligibility for programme briefings — necessary for compliance with export control law.
Keep the Site available and secure — our legitimate interest in detecting and preventing abuse.
Satisfy legal obligations including tax and anti-money-laundering checks.

We do not use your data to train machine-learning models, sell advertising, or profile you for any other commercial purpose.

4. Where it lives

All personal data is stored on infrastructure physically located within the United Kingdom, operated under UK MOD List X chain-of-custody requirements. We do not transfer personal data to any country outside the UK.

5. How long we keep it

Enquiry correspondence is retained for up to 24 months from the last contact, then deleted. Data held under a signed contract or programme engagement is retained for the statutory period required by UK tax, export-control, and defence-contracting law (typically 7–10 years). Aggregate traffic data is retained for 90 days, then deleted.

6. Who we share it with

We do not sell personal data. We do not share it with advertisers. We may share personal data:

With our professional advisors (legal, accounting) under written confidentiality;
With UK MOD or US DoD where required for security vetting of potential programme participants;
Where required by law or a lawful order of a UK court.

7. Your rights

Under the UK GDPR you have the right to:

Access a copy of your personal data;
Request correction of inaccurate data;
Request erasure (subject to our retention obligations);
Object to processing based on legitimate interest;
Withdraw consent where consent is the legal basis;
Complain to the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, write to dpo@dragonfod.com. We respond within 28 days.

8. Cookies

We do not set cookies for analytics, advertising, or cross-site tracking. The Site uses sessionStorage to remember whether you have already seen the intro animation within the current browser session — this never leaves your device and is deleted when you close the tab.

9. Security

Personal data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to production systems is restricted to UK-resident staff with active UK MOD security clearance. We operate a published Responsible Disclosure policy for good-faith security researchers.

10. Changes

We may update this notice. Material changes will be communicated by prominent notice on the Site for 30 days. The current version is always at this URL with a revised effective date.

11. Contact

Questions about this notice, or about your data: dpo@dragonfod.com.