Privacy Policy

last_updated: 2026-07-07 reading_time: ~4 min

Drupal Steady ("we", "us", "our") helps site owners move older Drupal sites onto a current, supported version. This policy explains what personal data we collect, why we collect it, and what rights you have under UK data protection law — the UK GDPR and the Data Protection Act 2018.

We are the data controller for the personal data described below. If anything here is unclear, or you'd like to get in touch about any of it, use the contact form on this website.

The website scanner

Our home page has a scanner that checks which version of Drupal a site is running. When you enter a website address and run a scan:

  • We send a handful of ordinary web requests to the address you give us — much like a browser would — and read the public response to work out the likely Drupal version.
  • We don't store the address you scanned, the result, or your IP address as part of the scan. The check runs, the answer comes back to you, and nothing about it is kept.
  • To stop the scanner being abused, we do briefly keep a count of recent requests tied to your IP address, so we can cap how many scans run in a short window. An IP address counts as personal data, so to be clear: we process it only for this abuse-prevention purpose, under our legitimate interest, and these counts expire on their own after a short time.

The scanner only reads what a site already publishes openly. It doesn't try to reach private areas, log in, or pull content from the site being checked.

The contact form

When you message us through the contact form, we collect the name, email address, subject and message you send. We use these only to reply to you and, where it's relevant, to talk through a possible migration project.

Your message is stored on our website so we can read it and respond. Our lawful basis is our legitimate interest in answering enquiries, together with taking steps at your request before entering into a contract.

Server logs

Like most sites, our server automatically records standard technical details — your IP address, browser type, and the pages requested. We rely on these to keep the service secure and running properly, which is our legitimate interest, and we hold them only as long as that purpose needs.

Cookies

We keep cookies to a minimum. The only ones we use are strictly necessary to operate the site and keep it secure — for example, a session cookie and a form security (CSRF) token — and these don't require consent. We don't use advertising cookies, we don't sell your data, and nobody can pay to influence what this site tells you.

Who we share data with

We don't sell your personal data. We share it only with the service providers who help us run the website — our hosting provider, for instance — and only as far as that requires. We may also disclose information where the law requires it.

Our servers sit within the European Economic Area. Because we're a UK controller storing data in the EEA, that data does leave the UK — a transfer the law permits, as the EEA benefits from UK adequacy. If any provider processes data beyond the EEA, we put appropriate safeguards in place (such as the ICO's International Data Transfer Agreement or standard contractual clauses) to keep it protected to the standard UK law expects.

How long we keep data

  • Scan requests: not stored — only short-lived rate-limiting counts, which expire automatically.
  • Contact form submissions: kept as long as we need them to handle your enquiry and any project that follows, then deleted.
  • Server logs: kept only as long as security and troubleshooting require.

Your rights

Under UK data protection law you can ask to see the personal data we hold about you, have it corrected or erased, restrict or object to how we use it, and request portability — in the circumstances the law allows. To exercise any of these, get in touch through the contact form.

If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office (ICO), the UK's supervisory authority, at ico.org.uk. We'd appreciate the chance to put things right first, but that's your right either way.

Changes to this policy

We may revise this policy now and then. Any changes appear on this page, and the "last updated" date in the page header will reflect them.