TRAGenX is a remote-first software studio that builds AI-driven products and ships web, mobile, and AI ("vibecoding") development for business clients across the UK, Europe, EMEA, and the Gulf, and runs the Vibecoding Academy. TRAGenX is a subsidiary of PyramidLedger.
This Data Protection Statement sets out our approach to handling personal data in line with the UK data-protection framework. It complements our Privacy Policy, which explains in detail what personal data we collect through this website and why. Where this statement and the Privacy Policy overlap, they should be read together.
1. Our commitment and scope
Protecting personal data is fundamental to how we operate as a software studio. We are committed to handling personal data lawfully, fairly, transparently, and securely, and to building privacy considerations into the products and services we deliver from the outset rather than as an afterthought.
This statement applies to personal data we process in two distinct contexts:
- Our own website and business operations — the marketing and portfolio website at tragenx.com, and the enquiries we receive through it, where we decide why and how personal data is processed.
- Client engagements — the software, web, mobile, and AI development services we deliver to business clients, where we typically process personal data on a client's behalf and under their instructions.
TRAGenX is a business-to-business studio. We do not knowingly direct our website or services at children, and we do not operate consumer accounts, payments, or e-commerce through this website.
2. The legal framework
We process personal data in accordance with the United Kingdom's data-protection regime. The principal instruments that govern our processing are:
- the UK General Data Protection Regulation (UK GDPR);
- the Data Protection Act 2018 (DPA 2018); and
- the Privacy and Electronic Communications Regulations 2003 (PECR), which govern cookies and similar technologies.
The independent supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO), ico.org.uk. The governing law of our website terms is the law of England and Wales.
Where we deliver services to clients located in the European Economic Area (EEA), the wider EMEA region, or the Gulf (including the United Arab Emirates and Saudi Arabia), we work with those clients to give effect to any additional data-protection obligations that apply to their processing under the relevant local laws. Our own processing as a controller, however, remains governed by the UK framework described above.
3. Controller and processor roles
Data-protection law distinguishes between a "controller" (who decides why and how personal data is processed) and a "processor" (who processes personal data on a controller's behalf and on its instructions). Our role depends on the activity.
When we are the controller
We act as the controller for personal data relating to our own website and marketing activities — for example, the details you submit through our Contact form or our Get a Quote form, and the information we hold about prospective and existing business contacts. In this role we determine the purposes and means of the processing, and our Privacy Policy explains how we handle that data.
When we are the processor
When we build and operate software or development services for a client, any personal data within those systems generally belongs to the client's own users, customers, or staff. In that context the client is the controller and TRAGenX typically acts as a processor, handling personal data only on the client's documented instructions.
These processor engagements are governed by a separate written Data Processing Agreement (DPA) between TRAGenX and the client that meets the requirements of Article 28 of the UK GDPR. The DPA, not this statement, defines our obligations for that client's data. See Engaging TRAGenX as a processor below.
4. The data protection principles
We design our processing around the seven principles set out in the UK GDPR. Each shapes the way we collect, use, and safeguard personal data:
- Lawfulness, fairness and transparency — we process personal data on a valid lawful basis, in ways people would reasonably expect, and we tell them what we are doing.
- Purpose limitation — we collect personal data for specified, explicit, and legitimate purposes and do not use it in ways incompatible with those purposes.
- Data minimisation — we collect only the personal data we actually need; our forms ask for limited information and clearly mark optional fields.
- Accuracy — we take reasonable steps to keep personal data accurate and up to date and to correct or erase inaccurate data.
- Storage limitation — we keep personal data only for as long as necessary for the purpose for which it was collected.
- Integrity and confidentiality (security) — we use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or damage.
- Accountability — we take responsibility for our processing and are able to demonstrate our compliance with the principles above.
5. Lawful bases we rely on
When we act as a controller, we rely on the following lawful bases under Article 6 of the UK GDPR, depending on the activity:
- Legitimate interests — to respond to enquiries submitted through our Contact and Get a Quote forms, to operate and secure our website (including anti-spam protection), and to communicate with business contacts about prospective or existing engagements. We balance these interests against the rights and interests of the individuals concerned.
- Performance of a contract, or steps taken at your request before entering into a contract — where we are scoping, quoting for, or delivering services to you or your organisation.
- Compliance with a legal obligation — where we must process or retain personal data to meet our legal, regulatory, or accounting obligations.
- Consent — where we ask for it for a specific purpose; where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.
When we act as a processor for a client, we do not select the lawful basis. The client, as controller, is responsible for ensuring that an appropriate lawful basis exists for the processing we carry out on its behalf.
6. Data subject rights and how to exercise them
Subject to the conditions and exemptions in the UK GDPR and the DPA 2018, individuals have the following rights in respect of their personal data:
- the right to be informed about how their personal data is used;
- the right of access to a copy of their personal data;
- the right to rectification of inaccurate or incomplete data;
- the right to erasure (the "right to be forgotten") in certain circumstances;
- the right to restrict processing in certain circumstances;
- the right to data portability;
- the right to object to processing, including processing based on legitimate interests; and
- rights in relation to automated decision-making and profiling — we do not carry out automated decision-making that produces legal or similarly significant effects on individuals through this website.
Where TRAGenX is the controller, you can exercise these rights by contacting us by email at info@pyramidledger.com. We will respond within the statutory time limits, normally one month. For full detail on how we handle personal data collected through this website, please read our Privacy Policy.
Where TRAGenX is a processor and your request concerns data we hold on a client's behalf, the client is the controller and is responsible for responding. We will promptly forward such requests to the relevant client and assist them as set out in our DPA. If you are unsure who the controller is, contact us and we will help direct your request.
7. How we secure personal data
We apply technical and organisational measures appropriate to the nature of the data and the risks involved. As a remote-first software studio, our measures include:
- Encryption in transit — our website and form submissions are served over HTTPS using current TLS, so data is encrypted as it travels between your browser, our infrastructure, and our processors.
- Access control and least privilege — access to personal data and systems is restricted to those who need it, using strong authentication and role-based permissions, with access reviewed and revoked when no longer required.
- Vendor due-diligence — we assess the security and data-protection posture of the processors we rely on and put written contracts in place with them before entrusting them with personal data.
- Logging and monitoring — we use the logging, monitoring, and security capabilities of our infrastructure to detect, investigate, and respond to suspicious activity.
- Secure development practices — we apply secure-by-design and privacy-by-design principles in the software we build, including code review, dependency management, and managing secrets and credentials securely.
- Staff awareness — the people who work on our behalf are bound by confidentiality and receive guidance on their data-protection and security responsibilities.
No method of transmission or storage is completely secure, but we maintain and review these measures to keep the risk to an appropriate level, and we adapt the controls we apply on client projects to meet the requirements agreed in each engagement.
8. Sub-processors and international transfers
To run our website and deliver form submissions, we rely on a small number of carefully selected service providers that process personal data on our behalf:
- Cloudflare, Inc. — provides our hosting, Cloudflare Workers, content delivery network (CDN), and security services, and operates the Cloudflare Turnstile anti-spam check. When you submit a form, your IP address is processed transiently for verification by Turnstile, a privacy-friendly CAPTCHA.
- Brevo (formerly Sendinblue) — our transactional-email processor, which delivers the contents of your form submission to TRAGenX by email.
We may also share personal data with our professional advisers, or where we are required to do so by law or regulation. We do not use this website to sell or rent personal data, and we do not use Google Analytics, advertising cookies, marketing pixels, or any cross-site or third-party tracking. Cookies and similar storage on this website are limited to strictly necessary functions (Cloudflare security and Turnstile), together with a small amount of browser sessionStorage used to remember interface state, such as that a blog pop-up has been dismissed; sessionStorage is not a cookie and is cleared when the browser tab closes.
International transfers
Some of our processors are based outside the UK, including in the United States, which can mean personal data is transferred internationally. Where personal data leaves the UK, we ensure an appropriate safeguard recognised under the UK GDPR is in place, such as:
- UK adequacy regulations, where the destination country is recognised by the UK as providing an adequate level of protection;
- the UK International Data Transfer Agreement (IDTA); or
- the UK Addendum to the EU Standard Contractual Clauses (the SCC Addendum), together with any additional measures needed to protect the data.
On client engagements, any sub-processors we use to deliver services are governed by the relevant DPA, and we maintain transparency about them as described below.
9. Data retention
We keep personal data only for as long as it is needed for the purpose for which it was collected, and then delete it or anonymise it.
- Enquiries from the Contact and Get a Quote forms — retained for as long as needed to respond to and follow up on your enquiry, and to manage any resulting relationship or engagement.
- Business records — retained where we have a legal, regulatory, or accounting obligation to keep them, for the period required by the relevant rules.
- Security and operational logs — retained for a limited period for security, troubleshooting, and abuse-prevention purposes.
- Client (processor) data — retained and deleted in accordance with the instructions and timescales set out in the applicable DPA; on termination of a client engagement we return or delete the personal data as agreed with the client.
When we no longer need personal data, we dispose of it securely. The IP address processed for Turnstile verification is handled transiently as part of the anti-spam check rather than retained by us as a standing record.
10. Personal data breaches
We maintain procedures to detect, report, and investigate personal data breaches — that is, any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Our approach is to:
- Detect — use the monitoring and logging capabilities of our infrastructure, together with reports from our team and processors, to identify suspected incidents promptly.
- Assess — investigate and assess the nature, scope, and likely consequences of the incident, including the risk to the rights and freedoms of the individuals affected.
- Contain and remediate — take steps to contain the incident, mitigate any harm, and prevent recurrence.
- Notify — where we are the controller and the breach is likely to result in a risk to individuals, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, inform those affected without undue delay.
Where we are acting as a processor, we will notify the affected client (the controller) without undue delay after becoming aware of a personal data breach and assist them in meeting their own breach-notification obligations, as set out in the applicable DPA.
11. Engaging TRAGenX as a processor
Business clients who engage us to build or operate software that involves personal data can rely on a clear, compliant processing framework. When we act as a processor on your behalf, we support your compliance in the following ways:
- Data Processing Agreement — a written DPA meeting the requirements of Article 28 of the UK GDPR is available and forms part of our engagement, setting out the subject-matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of individuals concerned.
- Processing on documented instructions — we process personal data only on your documented instructions, and we maintain confidentiality across our team.
- Sub-processor transparency — we tell you about the sub-processors we use to deliver your services, ensure equivalent data-protection obligations flow down to them, and give you the opportunity to object to changes as provided in the DPA.
- Assistance with data-subject requests — we help you respond to requests from individuals exercising their rights in relation to the data we process for you.
- Support for your compliance — we assist you with your obligations around security, breach notification, and, where relevant, data protection impact assessments and prior consultation, and we make available information needed to demonstrate compliance.
- Return or deletion — at the end of the engagement we return or delete the personal data as you direct.
International transfers within client engagements are handled using the same safeguards described in Sub-processors and international transfers. To request our DPA or discuss a prospective engagement, contact us by email at info@pyramidledger.com.
12. Data protection contact and complaints
If you have any questions about this statement, wish to exercise your rights, or want to raise a concern about how we handle personal data, you can contact us by email at info@pyramidledger.com. As a remote-first studio, email is our contact channel for data-protection matters. We will always try to resolve any concern directly and promptly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please consider contacting us first.
We may update this Data Protection Statement from time to time to reflect changes in our practices or the law. The current version is always available on this page, and we encourage you to review it periodically alongside our Privacy Policy.