Privacy policy
Last updated: 2026-04-30
PenDraco Company Limited ("PenDraco", "we", "us", "our") operates the website at pendraco.com and provides the services described there. We are a Texas limited company; our registered office and all formal notices are at the address listed in the imprint.
This policy explains what personal information we collect, why we collect it, how we use and share it, and the choices you have. We try to keep it short and concrete.
Scope of this policy
Who this covers. This policy applies to visitors to pendraco.com and to clients and prospective clients who contact us about our services. PenDraco's offerings are oriented to businesses; we do not market or sell our services to individuals for personal, family, or household purposes.
Who this does not cover. If you are an end user of an application or integration we built for a client, the personal information you provide is processed by us as a service provider (processor) on that client's behalf — the client is the controller of that data and their privacy policy governs your use of the application. Direct any access, correction, or deletion requests for that data to the client; we will assist them in responding.
Not a data broker. PenDraco is not a data broker. We do not sell personal information, we do not "share" personal information for cross-context behavioural advertising as defined under the California Consumer Privacy Act (CCPA / CPRA) or the Texas Data Privacy and Security Act, and we are not subject to data-broker registration in any jurisdiction in which we operate.
Information we collect
You give us:
- Contact details when you email us or fill in the contact form (name, email address, the body of your message, and anything you choose to include).
- Engagement details when we work with you (company name, project scope, billing details, anything you share so we can deliver the work).
Collected automatically when you visit pendraco.com:
- Standard server access logs: IP address, user agent, the URLs you request, the date/time of the request, and the HTTP referrer.
- Strictly necessary cookies / local storage used by the site itself (session, theme, PWA installation state). No third-party advertising or tracking cookies.
We do not run ads, advertising tags, or conversion-tracking pixels on pendraco.com itself, and we do not use third-party analytics that profile you across sites. Separately, we do purchase paid advertising on third-party platforms (for example, Reddit) to promote PenDraco's own products and services — see "Advertising on third-party platforms" below for what that does and does not involve.
How we use the information
- To respond to inquiries and deliver the services you asked for.
- To run, secure, and improve the website (debugging, abuse prevention, capacity planning).
- To meet our legal, accounting, and tax obligations as a Texas company.
We do not sell or share your personal information for cross-context behavioural advertising. We will not use personal information in any way that is materially different from the purposes set out in this policy without first letting you know — and, where the law requires it, asking for your consent.
Legal basis (for visitors in the EU / UK)
Where the GDPR or UK GDPR applies, we rely on:
- Performance of a contract — to deliver services you requested.
- Legitimate interests — to operate, secure, and improve the site (we balance these against your rights).
- Legal obligation — for tax, accounting, and lawful requests.
- Consent — only where the law specifically requires it; you can withdraw it at any time.
Sharing
We share personal information only with:
- Service providers (sub-processors) acting under written contract on our behalf — e.g. our hosting, email, error monitoring, and developer tools. Each is bound by confidentiality and use-restriction terms that prohibit them from using your personal information for their own purposes. We remain responsible for ensuring that these third parties handle personal information consistently with this policy.
- Authorities where we are legally required to (a valid subpoena, court order, or comparable legal process under U.S. or applicable foreign law). Where permitted, we will notify you before disclosing.
- A successor entity in the event of a merger, acquisition, or sale of substantially all of our assets — with notice and continuity of this policy's protections.
A current list of sub-processors is available on request to [email protected].
Advertising on third-party platforms
We purchase paid advertising on third-party platforms — for example, Reddit — to promote PenDraco's products and services to potential clients. When we run those campaigns:
- We do not install third-party advertising or conversion-tracking pixels on pendraco.com, so your visit to our site is not joined back to any ad-platform identifier on our end.
- The third-party platform (e.g. Reddit) is responsible for any data collection that happens on its own platform when you see or click one of our ads — that collection is governed by their privacy policy, not ours.
- We may receive aggregated, non-identifying campaign reports (impressions, clicks, cost-per-click, broad demographic / interest bands) from those platforms. We do not receive identifiers that let us track individual users back across sessions or across sites.
- We do not "sell" or "share for cross-context behavioural advertising" (as those terms are defined under the CCPA / CPRA and the Texas Data Privacy and Security Act). The platform-level audience targeting is performed by the ad platform using its own data about its users, not data we share.
If a future ad campaign requires installing a conversion pixel on pendraco.com, we will update this policy first and add a clear cookie-consent / opt-out control before turning it on.
International transfers
PenDraco is U.S.-based (Texas). If you contact us from outside the U.S., your information will be transferred to and processed in the United States. We use commercially reasonable safeguards (encrypted transport, access controls, and where applicable Standard Contractual Clauses) to protect that data.
Retention
- Inquiries that do not lead to an engagement: kept for 24 months so we can recognise repeat contact, then deleted.
- Engagement records: kept for as long as we provide the service plus the period required by U.S. tax / accounting law (currently 7 years after the last invoice).
- Server logs: retained for up to 90 days for security and operational purposes, then rotated out.
Your choices and rights
Choices everyone has.
- Email us at [email protected] to ask what we hold about you, correct it, or delete it.
- Browser controls. You can clear our strictly-necessary cookies / local storage from your browser at any time. Doing so will reset your theme preference and PWA install state.
- Marketing. PenDraco does not currently send marketing emails. If we add an opt-in newsletter in the future, every message will include a one-click unsubscribe link.
Jurisdictional rights.
- Texas residents (Texas Data Privacy and Security Act): the right to confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising / sale / certain profiling. We do not engage in any of those, but the rights still apply.
- California residents (CCPA / CPRA): the rights to know, delete, correct, and limit use of sensitive personal information. We do not sell or share for cross-context behavioural advertising. If a verified request is denied, you can appeal to [email protected] with the subject "Privacy appeal".
- EU / UK residents (GDPR / UK GDPR): rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time. We ask that you contact us first so we can try to resolve any concern directly; you also have the right to lodge a complaint with your national supervisory authority.
How to exercise these rights.
- Submit a request. Email [email protected] with the subject "Privacy" and the right you want to exercise. You don't need to use any specific form.
- Identity verification. To protect you, we will only act on a request once we are reasonably satisfied it comes from you. For most requests, replying from the email address we already have on file is enough; if we hold no email-linked record, we may ask for additional information sufficient to verify identity (e.g. confirming details of a prior engagement).
- Authorised agents. California residents may use an authorised agent to submit a request — we will require the agent's written authorisation and may verify the request directly with you.
- Response time. We aim to respond within 30 days. If a request is genuinely complex, we may extend by a further 30 days and will tell you why.
- Non-discrimination. We will not discriminate against you, change pricing, or degrade services for exercising any privacy right.
Children's privacy
The site is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.
Security
We use TLS for all traffic to and from pendraco.com, encrypt backups at rest, and restrict access to client and visitor data to people who need it on a least-privilege basis. We use commercially reasonable technical and organisational safeguards designed to provide a level of security appropriate to the risk of processing. No service can guarantee absolute security; if a breach affects you, we will notify you and any required regulators in line with applicable U.S. state and federal law (and, where relevant, GDPR / UK GDPR notification timelines).
Changes to this policy
We will update the date at the top of this page when this policy changes. For material changes, we will post a clear notice on the site (and, where we have your address, contact you directly) before the change takes effect.
Contact
Privacy questions or requests:
- Email: [email protected]
- Postal: PenDraco Company Limited, 2700 Cullen Blvd, Suite 841946, Pearland, TX 77584, USA
If you contact us about a privacy matter, please put "Privacy" in the subject line so we route it correctly.