Privacy & Data Protection Policy
Purple has established this Policy so that you can understand the care with which we intend to treat your personal data.
The Purple group strive to comply with all applicable laws that are designed to protect your privacy, based on this Policy as a standard.
This Policy describes how we collect and process the personal data of persons who provide it to us, whether through our website (https://www.thisispurple.com/) or by otherwise interacting with us, as set out below.
How to contact us
If you have any questions regarding your personal data and how we may use it, including any queries relating to this Policy, please contact us at firstname.lastname@example.org.
From 25 May 2018, our data processing activities will be governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPRs”). For the purpose of the GDPRs, we are the ‘Data Controller’ of all personal data obtained by us as set out in this Policy, because we ultimately determine how your personal data will be handled by us or our sub-contractors, who would be our ‘Data Processors’.
If we handle your personal data then you are a “Data Subject”. This means you have certain rights under the GDPRs in relation to how your personal data is processed, which are set out in this Policy.
‘Personal data’ is any information that can be used to identify you, including your name, e-mail address, IP address, or any other data that could reveal your physical, physiological, genetic, mental, economic, cultural or social identity.
‘Special category data’ means information about you that is sensitive and includes your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
Personal data that we collect in relation to you includes (but is not limited to):
- Your name
- Your e-mail address and contact information
- Your internet protocol address or other online identifiers
- Location data
- Genetic identity factors
- Pseudonymous data
- Event attendance and dietary requirements
If you contact us (by telephone, e-mail, instant messenger or voice over IP) we will collect your personal data and process it in accordance with the processes outlined in this Policy, including our Privacy Principles and the basis for processing your personal data. This may include discussing matters with you in relation to an enquiry about our services or a contract that we may enter into with you, or because you have subscribed to our newsletter or request a publication from us.
We may also collect personal data about you from use of CCTV which may be in operation at our offices, or those offices where we provide our services. Any personal data collected from use of CCTV will be used by us for the purposes of ensuring the safety and security of our staff or those people coming onto our premises, or the premises where we provide our services. Such CCTV will be retained for as long as is necessary to ensure there are no issues relating to safety and security that need to be addressed and then only for so long as needed to deal with such issues. If there are no issues to address, then such footage shall be kept for no longer than we believe is reasonably necessary.
This Policy tells you what to expect when we collect your personal data.
We will only process your personal data if we have a legal basis for doing so, as outlined in this Policy or as notified to you at the time we collect your personal data, and for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you prior to commencing that processing and we will explain the legal basis which allows us to do this. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
Your personal data may be shared in accordance with our principles on transfers to third parties as set out later in this Policy, including (but not limited to) the following:
- any member of our Group, including our subsidiaries or holding companies;
- third parties where we are under a duty to disclose your personal data to comply with any legal obligation, or to appropriate regulators or other law enforcement organisations;
- third party suppliers to us, including (for example) insurance providers, brokers, auditors and our IT providers.
If your personal data is to be shared with any other third parties, we will take steps to protect your personal data.
Where you provide us with special category data, we may use such data on an anonymised basis for the purposes of monitoring and producing anonymised reports, including for the purposes of our reporting on equality, diversity and inclusion. However, we shall obtain your consent for such processing.
We are not allowed to process your personal data unless we have a legal basis for doing so.
There are four main legal bases that we rely on when it comes to processing someone’s personal data. These are:
- “Legitimate interest” – this is where we need to process your personal data, for example, if we need to contact you because you have raised a general query with us or where we are in contact with you about this or similar requests, or, in terms of your IP address and any information gathered via “Cookies”, to aid your use and navigation of our website (https://www.thisispurple.com) or partner links on our website. We may also have a legitimate interest to contact you about services that may be of interest to you as part of our marketing campaigns, in accordance with this Policy.
- “Necessary for performing a contract” – this is where we are in a contract with you (or about to enter into a contract with you and you have requested certain pre-contract details) and we need to use your personal details to complete this contract – for example, we might need to use your e-mail address to communicate with you, which would count as processing your personal data.
- “Consent” – this is where we set out specific circumstances where we want to process your personal data and request your consent for this. We will make sure that your consent is explicit. We will usually ask you to tick a box (or similar) to confirm that you have provided your consent. For example, unless we have a legitimate interest to contact you about our services that we would like to market to you, then we would obtain your consent to market to you in the alternative. If you have any questions about the specific circumstances please contact our Data Protection Officer (details above). Please note that you can withdraw your consent at any point by contacting our Data Protection Officer for further information at email@example.com.
- “Compliance with a legal obligation” – this is where we might need to process your personal data in order to comply with a common law or statutory obligation, such as disclosures for compliance with HMRC requirements, requirements relating to money laundering or other such disclosures. We will only process your personal data for this reason if it is necessary and we would not otherwise be able to comply with that legal obligation without such processing.
- Notice about what we do with your data
We will only process your personal data in accordance with notices set out in this Policy, or as provided to you at the time we collect your personal data (if necessary for the intended processing).
- Choice on providing us your personal data
If you choose not to provide the personal data we request, you can still visit the Purple website, but you may be unable to access certain services that involve our interaction with you.
If you choose to have a relationship with Purple, such as a contractual or other business relationship or partnership, we will naturally continue to contact you in connection with that business relationship, in accordance with this Policy and any additional contractual terms agreed with you.
- Access and accuracy of your data
To the extent that you do provide us with personal data, we wish to maintain accurate personal data. Where we collect personal data from you, we want to provide a means for you to contact us should you need to update or correct that information. If for any reason those means are unavailable or inaccessible, you may send updates and corrections about your personal data to firstname.lastname@example.org and we will incorporate the changes to your personal data that we hold and try to do so as soon as practicable.
- Third party services/processing
Third parties provide certain services on our behalf. We may provide personal data that we have collected on the website to third party service providers to help us deliver programmes, products, information, and services. Service providers are also an important means by which Purple maintains its website and mailing lists.
Where we provide your personal data to third parties who are acting on our behalf (known as “Data Processors”) we will have in place a written agreement with each third party confirming on what basis the third party will handle your personal data and will ensure that there are sufficient safeguards and processes in place to protect your personal data.
The third parties that we may send your personal data to are either within the European Economic Area (“EEA”) or are Group companies under a suitable protection mechanism as laid out in the GDPRs.
- How we decide how long to retain your personal data
We cannot definitively set out how long we will retain all personal data in this Policy – this is a general notice that deals with different personal data collected for a variety of reasons. However, we decide how long we will retain your personal data based on the following factors:
- If we are performing a contract for you – for the length of that contract and for approximately 10 years afterward to deal with any post-contract issues.
- If you are in contact with us – we will retain your personal data as long as it is necessary for us to conclude the relevant correspondence with you.
- Whether we think there is a likelihood of you contacting us again in the near future or if we think we need to contact you again, provided that the legal basis (see above) for doing so still exists, for no longer than is necessary in respect of that legal basis.
- Automated decision making
We may introduce various technologies that may make an automated decision which uses your personal data to reach a specific decision. If we intend to use such automated decision-making technologies, you will be told at the time we wish to introduce such technologies and we will obtain your consent to such use and processing of your personal data.
- Your rights as a Data Subject
You have the following rights in relation to your personal data:
- The right to be informed – this is information on the purpose for which we are processing your personal data and what personal data we are processing.
- The right of access – you have the right to be provided with copies of your personal data that we are processing as well as confirmation of the processing we are doing. You can do this by sending a “subject access request” to the contact details noted above for our consideration.
- The right to rectification – if you think the personal data that we hold on you is inaccurate or incomplete you can tell us and we will fix it.
- The right to erasure (also known as the right to be forgotten) – if you want us to permanently delete the personal data we hold for you then you can ask us to do so.
- The right to restrict processing – if you do not like how we are using your personal data then you can let us know and we will stop processing it in that way.
- The right to data portability – if you want us to pass on your personal data to someone else then please let us know. This transfer should not affect the integrity or otherwise damage your personal data.
- The right to withdraw your consent – you can withdraw your consent for us to process your personal data (if we have relied on your consent to process your personal data) at any time by contacting us. If we have relied only on your consent as the basis to process your personal data then we will stop processing your personal data at the point you withdraw your consent. Please note that if we can also rely on other bases to process your personal data aside from consent then we may do so even if you have withdrawn your consent for different purposes under that different legal basis.
- Rights in relation to automated decision making and profiling – if we use either automated decision making or profiling then you have a right to know. Also, we will seek your consent if either of these is used to make a decision that affects you. As with all consent, you can withdraw it at any time.
To exercise any of your rights, please contact our Data Protection Officer at email@example.com. In addition to the above, as a data subject you can file a complaint with your local data protection authority within the EEA if you are not happy with how we are processing your personal data. Please note that you can use whichever local data protection authority within the EEA is most convenient for you.
Where you exercise your right to request access to the personal data we process about you, you will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate access requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Our website is not structured to necessarily attract children. Accordingly, we do not intend to collect personal data from anyone we know to be under 16 years of age.
Although our services are not targeted at children, there may be some incidental collection of personal data relating to children that takes place as part of our service offering, or in respect of our staff arrangements. If we know or suspect we are going to handle personal data in relation to children and are relying on consent to do so, then we will obtain consent from a parent or guardian of the relevant child before handling that child’s personal data.
When someone visits www.thisispurple.com, our main corporate website, or any of our related sites within the group, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting any of our websites. We will not associate any data gathered from these sites with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will make it clear when we collect it and explain what we intend to do with it.
Our Group websites contain links to external websites. Please note that we are not responsible for the privacy practices of any websites other than our own.
Remember the Risks Whenever You Use the Internet: While we do our best to protect your personal data, we cannot guarantee the security of any information that you transmit to us and you are solely responsible for maintaining the secrecy
We would like to place cookies on your computer to help us make your use of our website better. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Just so you know, the main cookies on our site are from Google Analytics tracking and there’s also a session cookie generated by our website that is essential to the running of the website but holds no personal data.
Please see our Cookies Policy for further details about the cookies we use.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Other tracking technologies: Some of our website pages utilise cookies and other tracking technologies. A cookie is a small text file that may be used, for example, to collect information about website activity. Some cookies and other technologies may serve to recall personal data previously indicated by a website user. Most browsers allow you to control cookies, including whether or not to accept them and how to remove them.
You may set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser, but please note that if you choose to erase or block your cookies, you will need to re-enter your details to gain access to certain parts of the website.
We may also analyse information that does not contain personal data for trends and statistics.
Where personal data is sent from our website about visitors to our website, this is secured by encryption using the latest protocols and working methods to keep such data secure.
Changes to this Policy
As and when necessary, changes to this Policy will be posted on our website. Where changes are significant, we may also email you and where required by law, we will obtain your consent to these changes.