Privacy notice

Introduction
This Privacy Notice sets out how the Dragon Group (the “Group”, “we”, “us” or “our”) collects and records personal information and what we do with that information. It also includes a description of your data protection rights. The controller of personal information is Dragon Infosec Limited.

If you have any queries, comments or requests in relation to your personal information or this Privacy Notice, you can email us at privacy@dragoninfosec.com. We reserve the right to modify this Privacy Notice at any time. The up-to-date version of this Privacy Notice can be found on our website at www.dragoninfosec.com.

The Dragon Group
The Dragon Group is a trading group that consists of Dragon Infosec Limited and its subsidiaries.

Information we collect
We collect, receive, store and process (either electronically or on a manual basis) the following information about you:
Contact details – e.g. name, address, landline and mobile numbers, email address
Identity information – e.g. date and place of birth, photo ID, passport information, nationality, national insurance number and taxpayer identification number
Financial information – e.g. bank account details, subscription or investment amounts
Other information and records about you that are collected from you or from third parties (e.g. identity or reference checks) via correspondence, filling in forms or communicating with us, whether face-to-face, by phone, email, online, or otherwise
Cookies and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you

The individuals to whom this Privacy Notice is relevant include: customers and potential customers, suppliers and our directors and shareholders. For the most part, the source of personal information we collect will be the individual or the third parties described in this Privacy Notice.

Use of your information
We record and use your personal information for the following purposes:
To perform or carry out any agreement (including any subscription or investment, or any service or employment contract) between you and us, including general communication and the management or administration of your and our respective rights and obligations under any such agreement
Where relevant, to meet legal, regulatory and compliance requirements to which we are subject (e.g. any obligation as to the prevention or detection of money laundering or other financial crime, and any requirement of financial regulators)
To pursue our legitimate interests (e.g. any due diligence requirements on persons we may seek to employ, work with or engage in business with, make payments to and manage third parties, direct marketing purposes (in accordance with applicable law), Group administrative and relationship management purposes, maintaining company data and shareholders register)
Ensuring cyber security and reporting possible criminal acts or threats to public security
To provide you with information that you have specifically requested or that we have asked if you would like to receive
To deal with enquiries and complaints made by or about you
Where relevant, for the establishment, exercise or defence of legal claims
To prevent, investigate and/or report crime or suspicions of crime (including fraud)
To protect the rights, property, or safety of us, our customers, or others

Sharing your information
We disclose or transfer personal information to other parties as follows:
To Group companies
To third party service providers that perform functions on our behalf, including website hosting, marketing agencies, IT and infrastructure provision, money laundering or other due diligence, legal and other professional advisors
To third parties undertaking money laundering or other due diligence in relation to us
If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, to enforce or apply any agreement or its terms and conditions or to protect the rights, property, or safety of Group companies, our customers, or others
To government authorities, and to other third parties when compelled to do so by government and law enforcement authorities or otherwise as required or permitted by law, including but not limited to in response to court orders and subpoenas. We also disclose user information when we have reason to believe that someone is causing injury to or interference with our rights or property, or anyone else that could be harmed by such activities. Additionally, we cooperate with law enforcement inquiries and other third parties to enforce laws, intellectual property rights and other rights
To prospective sellers or buyers as part of a sale or merger of our business or assets

Security
We take reasonable steps to protect your personal information from loss, misuse, unauthorised access, disclosure, alteration or destruction. Unfortunately no data transmission or storage can be guaranteed to be 100% secure. As a result we cannot warrant the security of any information you provide to us and you do so at your own risk.

Transfers
We may transfer personal information to countries outside the European Economic Area (“EEA”) to our Group companies and to third parties, including to countries which have different data protection standards to those which apply in the EEA.

For countries deemed adequate by the European Commission, we rely on the European Commission’s decision to protect your personal information. For other countries, we may use standard contractual clauses or rely on a service provider’s Privacy Shield certification or a service provider’s (EU data protection authority approved) corporate rules that are in place to protect your personal information. You have a right to ask us for a copy of the standard contractual clauses or a copy of the other methods used (by contacting us as set out below). Sometimes we may be required to transfer your personal data where it is necessary for the performance of any agreement between you and us.

Retention
Personal information will be retained only as long as necessary for the fulfilment of the purposes for which it was collected. The appropriate retention period will depend upon factors such as: the nature, amount and sensitivity of the information, the risk of harm from unauthorised use or disclosure, the form the information takes and the purpose for collecting it. Personal information that is no longer required to fulfil the identified purposes for which it was collected will be destroyed, erased or made anonymous unless otherwise required by existing or future laws or regulations, for crime prevention or enforcement or in order to deal with claims or complaints.

Legal basis for processing
We process your personal information when it is necessary for the performance of a contract to which you are the party or in order to take steps at your request prior to entering into a contract. If you do not provide the personal information that we need, we may not be able to perform the relevant contract.

We process your personal information when we are required to do this by law, including in response to requests by government or law enforcement authorities conducting an investigation or court orders.

We also process your personal information when it is necessary for the purposes of a legitimate interest pursued by us or a third party (when these interests are not overridden by your data protection rights). These legitimate interests include: responding to requests and enquiries from you or a third party, conducting data analytics to improve customer experience, informing you about our products and services and ensuring that our operations are conducted in an appropriate and efficient manner.

In some circumstances, we may ask for your consent to process your information in a particular way.

Your rights
You may ask us for a copy of your information and, where applicable, to correct it, erase it or to transfer it to other organisations at your request. You may withdraw your consent where we rely upon it for processing your information. Where we process your personal information because we have a legitimate interest in doing so (as explained above), you also have a right to object to this. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your personal information.

We hope that we can satisfy queries you may have about the way we process your personal information. However, if you have unresolved concerns you also have the right to complain to data protection authorities (in the UK, this is the Information Commissioner’s Office). You can bring the complaint in your member state of residence, place of work or where an alleged infringement of data protection law occurred.

To protect your privacy and security we will take reasonable steps to verify your identity when dealing with requests.