Purpl

Privacy Policy

Effective: 28/03/2024
This Privacy Policy explains when and why we collect personal information, how we use it
and how we keep it secure.
We strive for transparency about how we process your personal data. We work hard to
provide clear and straightforward descriptions of our privacy practices because we want you
to understand them. We’re sorry this might lead to a lengthy read at times, but we want you
to be fully informed.
We review this policy regularly and where necessary make updates to ensure it accurately
reflects how we use your data. We will notify you if there are changes which affect how your
data is processed.
We hope this policy helps you to understand how we use your data. If you have any
questions you can contact us by emailing us at [email protected]

  1. Who Are We?

    a) We are The Purpl Co Limited, a company registered in England and
    Wales. Our company number is 14553148. Our registered office is at 7 Bell
    Yard, London, England, WC2A 2JR.
    b) We own and operate the website, www.purpldiscounts.com which we will
    refer to as Purpl.
    c) For simplicity throughout this notice, ‘we’ and ‘us’ also means Purpl.
    d) We design our platforms and services with your privacy in mind.
    e) We are registered with the Information Commissioner’s Register of Data
    Controllers under number ZB675308.
  2. What Is This Policy For?
    a) The Policy set out below explains how we manage your personal data.
    Personal data relates to information about any identified or identifiable living
    person that we collect, or you provide to us when you use or access Purpl.
    Please read on to find out:
    i. what kinds of personal data we collect
    ii. how we use and protect it
    iii. to whom we disclose it
    iv. how you can access and rectify it
    v. and how we use cookies on Purpl.
    b) Please do not use Purpl unless you are completely happy with this Policy. If
    you do use Purpl, we will assume that you accept this Policy.
  3. Changes To This Policy
    a) We may amend this Policy from time to time when deemed necessary. We will notify you of any changes by updating this page with the new Policy, so we advise that you periodically review this Policy for any changes.
    b) We will assume you agree to the Policy or revised versions of the Policy if you use Purpl after the effective date shown at the top of the Policy.
  4. When do we collect your personal data?
    a) When you visit Purpl and use your account to buy products and services from
    our Selling Partners.
    b) When you make an online purchase and check out as a guest (in which case
    we just collect data required to process your order).
    c) When you create an account with us.
    d) When you shop online, we capture information through cookies and similar
    technologies.
    e) When you engage with us on social media.
    f) When you contact us by any means with queries, comments, complaints etc.
    g) When you ask one of our Selling Partners to email you information about a
    product or service.
    h) When you choose to complete any forms or surveys.
    i) When you comment on or review our products and services.
    j) When any individual requests access to personal data related to them,
    including opinions. So if your comment or review includes information about
    the Selling Partner who provided that service, it may be passed on to them if
    requested.
    k) When you’ve given a third party permission to share with us the information
    they hold about you.
    l) When we collect data from publicly-available sources when you have given
    your consent to share information.
    m) When the information is made public as a matter of law.
  5. What Personal or Other Data Do We Collect?
    a) If you have an account with us: your name and email address. For your
    security, we’ll also keep an encrypted record of your login password.
    b) Whilst we will collect information provided by you in order to verify that you
    are registered with a disability, we will encrypt and store only the confirmation
    of the successful verification. This sensitive personal data will not be passed
    on to any party and the cached copies will be deleted after the verification
    process.
    c) As part of the verification process, we will temporarily cache the personal data
    on your disability documentation. This may include title (gender), name, home
    address and facial image.
    d) Details of how you use Purpl or interactions with us.

    For example:
  • details of purchases you make
  • items viewed or added to your basket
  • voucher redemptions
  • brands you show interest in
  • web pages you visit

e) How and when you contact us.

f) Copies of documents you provide to prove your age or identity where the law
requires this. This may include your passport or driver’s licence. This will
include details of your full name, address, date of birth and facial image. If
you provide a passport, the data will also include your place of birth, gender
and nationality.

g) Your preferences on Purpl including marketing and communications.

h) To deliver the best possible web experience we and our contractors and
Selling Partners automatically collect technical information. This is about how
we may receive and store certain information automatically when you interact
with us.

Examples include:

  • the internet protocol (IP) address used to connect your computer to the
    internet
  • connection information such as browser type and version
  • information about your mobile or other device including device type and
    device identifier
  • operating system and platform
  • country and telephone code where your computer is located
  • a unique reference number linked to the data you enter on our system
  • login details
  • clickstream data
  • details of your activity on Purpl with date/time stamps including the pages
    you visited
  • searches you made and goods purchased

i) Information gathered by the use of cookies in your web browser. Learn more
about how we use cookies and similar technologies.

j) Open rates, click through rates on email marketing campaign tracking
elements.

k) Personal details which help us to recommend items of interest.

l) Your social media username, if you interact with us through those channels,
to help us respond to your comments, questions or feedback.

6. How and why do we use your personal data?

a) We want to give you the best possible customer experience. One way to
achieve that is to get the richest picture we can of who you are by combining
the data we have about you.
b) We then use this to offer you promotions, products and services that are most
likely to interest you.
c) The data privacy law allows this as part of our legitimate interest. This helps
to understand our customers and provide the highest levels of service.
d) Of course, if you wish to change how we use your data, you’ll find details in
the ‘What are my rights?’ section below.
e) Remember, if you choose not to share your personal data with us, or refuse
certain contact permissions, we might not be able to provide some services
you’ve asked for.
f) Here’s how we may use your personal data and why:

i. To process any orders that you make by using Purpl.
For example, your details may be passed to a third party (Selling
Partner) to supply or deliver the product or service that you ordered,
and we may keep your details for a reasonable period afterwards in
order to fulfil any contractual obligations such as refunds, guarantees
and so on.
ii. To respond to your queries, refund requests and complaints. Handling
the information you send helps us to respond. We may also keep a
record of these to inform any future communication with us and to
demonstrate how we communicated with you throughout. We do this
based on our contractual obligations to you, our legal obligations and
our legitimate interests in providing you with the best service. We
consistently review our understanding of how we can improve our
service based on your experience.
iii. To send you email notifications when you place a product in your
basket and you abandon your browsing before completing your
checkout. We do this based on our legitimate interest.
iv. To provide you with tracking information so that you can follow your
order. We do this under legitimate interest to enhance your customer
experience and give you more information around where your delivery
is and when your order will arrive.
v. To protect our business and your account from fraud and other illegal
activities. This includes using your personal data to maintain, update
and safeguard your account. We’ll also monitor your browsing activity
with us to quickly identify and resolve any problems and protect the
integrity of our websites. We’ll do all of this as part of our legitimate
interest. For example, by checking your password when you login and
using automated monitoring of IP addresses to identify possible
fraudulent log-ins from unexpected locations.
vi. To process payments and to prevent fraudulent transactions. We do
this on the basis of our legitimate business interests. This also helps
to protect our customers from fraud.

vii. If we discover any criminal activity or alleged criminal activity through
our use of fraud monitoring and suspicious transaction monitoring, we
will process this data for the purposes of preventing or detecting
unlawful acts. Our aim is to protect the individuals we interact with
from criminal activities.
viii. With your consent, or whenever you purchase with us and choose to
receive our updates, we will use your personal data, preferences and
details of your transactions to keep you informed by email, web, text,
or telephone about relevant products and services including tailored
special offers, discounts, promotions, events, competitions and so on.
This is only applicable within the UK. Of course, you are free to opt out
of hearing from us by any of these channels at any time.
ix. To send you communications required by law or which are necessary
to inform you about our changes to the services we provide you. For
example, updates to this Privacy Notice, product recall notices, and
legally required information relating to your orders. These service
messages will not include any promotional content and do not require
prior consent when sent by email or text message. If we do not use
your personal data for these purposes, we would be unable to comply
with our legal obligations.
x. To display the most interesting content to you on Purpl, we’ll use data
we hold about your favourite brands or products and so on. We do so
on the basis of your consent to receive email notifications and/or for
our website to place cookies or similar technology on your device. If
not through the use of cookies or similar technology, then on the basis
of our legitimate interest.
For example, we might display a list of items you’ve recently looked at,
or offer you recommendations based on your purchase history and
any other data you’ve shared with us.
xi. To develop, test and improve the systems, services and products we
provide to you. We’ll do this on the basis of our legitimate business
interests.
For example, we’ll record your browser’s Session ID to help us
understand more when you leave us online feedback about any
problems you’re having.
xii. To comply with our contractual or legal obligations to share data with
law enforcement.
For example, when a court order is submitted to share data with law
enforcement agencies or a court of law.
xiii. To send you survey and feedback requests to help improve our
services. These messages will not include any promotional content
and do not require prior consent when sent by email or text message.
We have a legitimate interest to do so as this helps make our products
or services more relevant to you.

xiv. To help inform business decisions, for example which third-party websites
we partner with to ensure our advertising reaches our customers.
xv. To develop, test and improve the systems, services and products we
provide to you. We’ll do this on the basis of our legitimate business
interests.

7. How long will we keep your personal data?

a) Whenever we collect or process your personal data, we’ll only keep it for as
long as is necessary for the purpose for which it was collected.
b) At the end of that retention period, your data will either be deleted completely
or anonymised, for example by aggregation with other data so that it can be
used in a non-identifiable way for statistical analysis and business planning.
c) Some examples of customer data retention periods: 
i. Facial Image: cached for up to 24 hours to allow you to complete
registration. Otherwise deleted on verification completion.
ii. Orders:
When you place an order, we’ll keep the personal data you give us for
five years so we can comply with our legal and contractual obligations.
In the case of certain products, such as electrical and nursery items,
we’ll keep the data for 10 years.

8. Who do we share your personal data with?

a) Payment details including credit card numbers are supplied direct to our
payment partner mentioned on our website. We do not store or receive your
credit card information. To ensure your details are not being used without
consent, your personal data may be supplied by our payment partners to
relevant third parties including credit reference and fraud prevention
agencies, who may keep a record of that information.
b) We may share your personal data with third party Selling Partners in order to
process and deliver your order including the management of payments and
refunds.
c) We may disclose personal data so far as reasonably necessary if we have
reason to believe that it breaches our terms and conditions, or that such steps
are necessary to protect us or others, or that a criminal act has been
committed, or if there has been a complaint about content posted by you, or if
we are required to do so by law or appropriate authority.
d) We may store or transfer personal data outside the European Economic Area
(EEA) for the purposes stated in this policy. If so, we will comply with the
applicable laws relating to data transfer outside the EEA.
e) Except as otherwise specifically included in this policy, this document
addresses only the use and disclosure of information we collect from you. If
you disclose your information to third parties, whether they are suppliers of
services on Purpl (e.g. payment providers) or other websites, different rules
will apply to their use or disclosure of your information. Please check their
privacy policies carefully.

f) Here’s the policy we apply to those organisations to keep your data safe and
protect your privacy:
i. We provide only the information they need to perform their specific
services.
ii. They may only use your data for the exact purposes we specify in our
contract with them.
iii. We work closely with them to ensure that your privacy is respected
and protected at all times.

g) We sometimes share your personal data with trusted third parties. Examples
of the kind of third parties we work with are:

i. IT companies who support our website and other business systems.
We use Amazon Web Services (“AWS”) for our verification application
and general hosting services. A detailed FAQ of AWS’s data privacy
can be found here.
ii. Operational companies to manage customer support. We use Zoho
Desk datacenters located in the European Union. Zoho Desk has
security built into every layer of the product. They meet the industry
standards for ISO 27001, and SOC 2 Type 2 for data privacy and
protection and are fully GDPR compliant.
iii. Direct marketing companies who help us manage our electronic
communications with you. We use “MailChimp”, a newsletter platform,
to send news and updates. The e-mail addresses of our recipients, as
well as further data described in the context of this information, are
being stored on the servers of MailChimp in the USA. MailChimp uses
this information to send out and evaluate the newsletters and updates
on our behalf. In addition, MailChimp can use this data to optimise or
improve its own services, e.g. for the technical optimisation of the
dispatch and the presentation of the newsletter/update. However,
MailChimp does not use the data of our email recipients to contact
them independently or transfer data to other third parties. Mailchimp’s
privacy policy can be found here.
iv. We use Mailchimp also for transactional emails, which are messages
that are sent in response to an action you take on a website or
application. They contain data or content that is specific to that user,
and are typically sent to individuals one at a time. Examples include:
Password reset emails.
v. Google Analytics whose data privacy and security policies may be
found here.
vi. Facebook whose data privacy and security policies may be found
here.
vii. Instagram whose data privacy and security policies may be found
here.
viii. LinkedIn whose data privacy and security policies may be found here.

h) Sharing your data with third parties for their own purposes: We will only do
this in very specific circumstances, for example:

i. For fraud management, we may share information about fraudulent or
potentially fraudulent activity in our premises or systems. This may
include sharing data about individuals with law enforcement bodies.
ii. We may also be required to disclose your personal data to the police
or other enforcement, regulatory or Government body, in your country
of origin or elsewhere, upon a valid request to do so. These requests
are assessed on a case-by-case basis and take the privacy of our
customers into consideration.

i) To help personalise and support your journey through Purpl websites we
currently use the following companies, who will process your personal data as
part of their contracts with us:
i. Cookiebot
ii. Mailchimp
iii. Google
iv. LinkedIn
v. Facebook
vi. Instagram
vii. Zoho

9. How Do We Protect Personal Data?

a) We know how much data security matters to all our customers so it is a high
priority for us. We take great care of the data we collect from you and take all
precautions and steps to protect it.
b) We secure access to all transactional areas of our websites and apps using
‘https’ technology.
c) Access to your personal data is password-protected with additional account
user restrictions, and sensitive data (such as disability verification) is secured
and encrypted to ensure it is protected.
d) We regularly monitor our system for possible vulnerabilities and attacks.
e) Email and other electronic communications are not secure if they have not
been encrypted. Your communications will pass through a number of network
nodes before they reach us, so we do not accept responsibility for any
unauthorised access to or loss of personal data that stems from a cause
beyond our control. Nor can we be held responsible for the actions or
omissions of other users or third parties who may misuse your personal data
which they collect from Purpl.

10. Where may your personal data be processed?

a) Purpl is a UK-based company and so it might be that we will transfer your
data to the UK, which is outside of the EU. We may also need to share your
personal data with third parties and suppliers outside the European Economic
Area (EEA).
b) Protecting your data outside the UK
i. We may transfer personal data that we collect from you to third-party
data processors in countries that are outside the UK. For example,
this might be required in order to fulfil your order, process your
payment details or provide support services.
ii. If we do this, we have procedures in place to ensure your data
receives the same protection as if it were being processed in the UK.
For example, our contracts with third parties stipulate the standards
they must follow at all times.

c) Any transfer of your personal data will follow applicable laws and we will treat
the information under the guiding principles of this Privacy policy.

11. Your Rights Under The Data Protection Act 2018 & GDPR

a) You have the right to request personal data that we hold about you, subject to
us reserving the right to withhold such data to the extent permitted by law. We
may charge an administration fee in line with data protection laws and we
may also require appropriate evidence of identity. Note that you may be able
to rectify certain aspects of your personal data within your account on our
service (if applicable).
b) If you are located within the EU and the GDPR regulations apply to our
processing of your personal data, you have the right to request the following
from us:

i. Access to personal data of yours that we hold
ii. That we correct or rectify any incorrect personal data that we hold
iii. That we erase any personal data of yours that we hold
iv. To receive your personal data provided to us

c) Please contact us if you believe that the EU GDPR regulations apply to you
and you wish to exercise your rights under GDPR. Please note that we might
ask you to verify your identity before responding to requests.
d) You also have the right to complain to a Data Protection Authority about our
use and collection of your personal information. For more information, please
contact the relevant data protection authority in your area.
e) For further information about your rights under UK data protection laws, see
the website of the UK Information Commissioner here.

12. Third-Party Sites

a) Purpl may contain links to other websites operated by third parties. Please be
aware that this Policy only applies to the personal information that Purpl
collects. Purpl cannot be held responsible for personal information that third
parties might store, collect or use throughout their website. Please ensure you
read the privacy policy of every website you visit carefully.