Privacy policy

1. INTRODUCTION

Last updated: 22/07/2024

Go Purpl LTD, which operates https://gopurpl.io/, and its owner(s) respect the privacy of anyone who uses the website. This Privacy Notice was created to demonstrate commitment to privacy.

This website, https://gopurpl.io/ (“the website”), gathers important information from its visitors and customers. This Privacy Notice is published to communicate how the information about the website users is gathered, used and protected. Any services provided to you by the website are subject to this Privacy Notice. References in the Privacy Notice to https://gopurpl.io/, “we”, “us”, “our”, “site”, “website” or similar refer to the website https://gopurpl.io/ and any of its affiliates.

Any client or visitor, by using this site and using our services, agrees to this Privacy Notice. If you do not agree to this Privacy Notice, you must stop using https://gopurpl.io/.

We use your data to provide and improve our services. By using the services, you agree to the collection and use of information in accordance with this Notice.

Please contact us for further inquiries.

2. WHO WE ARE AND OTHER IMPORTANT INFORMATION

2.1 We are GOPURPL LTD, registered in England and Wales with company number 14874584 with our registered address at Cambridge House 16 High Street, Saffron Walden, CB10 1AX (we, us or our).

2.2 For all visitors to our Website, we are the controller of your information (which means we decide what information we collect and how it is used).

2.3 We are registered with the Information Commissioner’s Office (ICO), the UK regulator for data protection matters, under number C1512047.

3. CONTACT DETAILS

3.1 If you have any questions about this Privacy Notice or the way that we use information, please get in touch using the following details:

Data Protection Officer

Name: Robert Healey
Email address: dpo@purpl.io

4. THE INFORMATION WE COLLECT ABOUT YOU

4.1 Personal data means any information which does (or could be used to) identify a living person. We have grouped together the types of personal data that we collect, and where we receive it from, below.

4.2 Type of personal data:

  • Identity Data: your first and last name or title.
  • Contact Data: your email address, telephone numbers, home address.
  • Technical Data: internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system and platform on the devices you use to access our systems.
  • Usage Data: information about how you use our systems.
  • Financial Data: where you provide this over our Website to purchase one of our products or services.
  • Location Data: your device location if you log into our systems remotely.
  • Feedback: information and responses you provide when completing surveys and questionnaires.
  • Photo and Image Data: profile picture, images, videos and audio.
  • Profile Data: email address, password, username, chat logs, audit trail of systems used and documents accessed and downloaded.
  • Marketing and Communication Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.


Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and obtain your consent to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. HOW WE USE YOUR INFORMATION

5.1 We are required to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

  • fulfil our contract with you;
  • comply with a legal obligation that we have;
  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy); and
  • do something for which you have given your consent.


5.2 Below is set out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed below, we will update our Privacy Notice.

5.2.1 Contract
  • To administrate or perform our contract with you.
  • To process your payment information in connection with any contract we have with you.
  • To send you updates about the services you have bought (e.g. confirmation of order, arrival time).


5.2.2 Legal Obligation
  • Recording your preferences (e.g. marketing) to ensure that we comply with data protection laws.
  • Where we send you information to comply with a legal obligation (e.g. where we send you information about your legal rights).
  • Where we retain information to enable us to bring or defend legal claims.


5.2.3 Legitimate Interests
  • Where using your information is necessary to pursue our legitimate business interests to:
      • improve and optimise our Website;
      • monitor and make improvements to our Website to enhance security and prevent fraud;
      • provide our services to you and ensure the proper functioning of our Website; and
      • protect our business and defend ourselves against legal claims.
  • Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.

5.2.4 Consent
  • Where you have provided your consent to providing us with information or allowing us to use or share your information.
  • Where you have consented to receive marketing material from us.


5.3 Where we need to collect your personal data (for example, in order to fulfil a contract we have with you), failure to provide us with your personal data may mean that we are not able to provide you with the services. Where we do not have the information required about you to fulfil an order, we may have to cancel the service ordered.

5.4 We may anonymise the personal data we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you – for example, to provide you with Services. In this case, we may have to cancel the Planet account or Service you have with us – but we will notify you at that time if this is the case.

6. WHO WE SHARE YOUR INFORMATION WITH

6.1 We share (or may share) your personal data with:
  • Our personnel: our employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
  • Our supply chain: other organisations that help us provide our goods. We ensure these organisations only have access to the information required to provide the support we use them for, and we have a contract with them that contains confidentiality and data protection obligations.
  • Any actual or potential buyer of our business.

6.2 If we were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response.

7. WHERE YOUR INFORMATION IS LOCATED OR TRANSFERRED TO

7.1 We store your personal data on our servers in the USA. We have proper mechanisms in place to ensure that transfer to that country is in compliance with relevant data protection laws.

7.2 Except as set out above, we will only transfer information outside of the UK or EEA where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located, e.g. by using contracts approved by the ICO or the UK Secretary of State).

7.3 If you access our Website whilst abroad then your personal data may be stored on servers located in the same country as you or your organisation.

8. HOW WE KEEP YOUR INFORMATION SAFE

8.1 We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

  • access controls and user authentication (including multi-factor authentication);
  • internal IT and network security;
  • regular testing and review of our security measures;
  • staff policies and training;
  • incident and breach reporting processes; and
  • business continuity and disaster recovery processes.


8.2 If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). When we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

8.3 If you notice any unusual activity on the Website, please contact us at dpo@purpl.io.

9. HOW LONG WE KEEP YOUR INFORMATION

9.1 Where we act as the controller, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

9.2 To decide how long to keep personal data (also known as its retention period), we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for HM Revenue & Customs).

9.3 We may keep Identity Data, Contact Data and certain other data (specifically, any exchanges between us by email or any other means) for up to seven years after the end of our contractual relationship with you.

9.4 If you browse our Website, we keep personal data collected through our analytics tools for only as long as necessary to fulfil the purposes we collected it for.

9.5 If you have asked for information from us or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.

10. INTERNATIONAL TRANSFERS

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by making sure that at least one of the following safeguards is implemented:

  • The countries that your personal data is being transferred to have been deemed to provide an adequate level of protection by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • For data transfers to the United States of America, we participate in the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, and the UK-US data bridge (collectively, the “DPF”) issued by the U.S. Department of Commerce. We will comply with the commitments under the DPF and its robust internal data protection policies with respect to personal data transferred from the European Economic Area (“EEA”). We will only transfer personal data under the DPF if the recipient is self-certified under the DPF.
  • Where we use providers based in the US, who have not self-certified under the EU-U.S. Data Privacy Framework, we include third party Standard Contractual Clauses together with encryption technology to ensure the data is protected.


In any case, before an international transfer of data takes place, we carry out Data Transfer Assessments in order to measure the risk associated with such transfers.

11. YOUR LEGAL RIGHTS

11.1 You have specific legal rights in relation to your personal data.

11.2 We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. Usually there is no cost for exercising your data protection rights, but we may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive. If this happens, we will always inform you in writing.

11.3 We will respond to your legal rights request without undue delay, but within one month of us receiving your request or confirming your identity (whichever is later). We may extend this deadline by two months if your request is complex, or we have received multiple requests at once. If we need to extend the deadline, we will let you know and explain why we need the extension.

11.4 We do not respond directly to requests which relate to personal data for which we act as the processor. In this situation, we forward your request to the relevant controller and await their instruction before we take any action.

11.5 If you wish to make any of the rights requests listed below, you can reach us at dpo@purpl.io.

11.6 Your rights include:
  • Access: You must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law.
  • Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
  • Deletion: You can ask us to delete or remove your personal data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
  • Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it.
  • Objection: You can object to us using your personal data if you want us to stop using it. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
  • Portability: You can ask us to send you or another organisation an electronic copy of your personal data.
  • Complaints: If you are unhappy with the way we collect and use your personal data, you can complain to the ICO or another relevant supervisory body, but we hope that we can respond to your concerns before it reaches that stage. Please contact us at dpo@purpl.io.

12. NOTICE UPDATES

Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least once a year. Whenever changes to such laws and regulations are made, privacy notices and procedures are revised to conform with the requirements of the applicable laws and regulations.