Effective: 19/07/2024

This Privacy Policy explains when and why we collect personal information, how we use it and how we keep it secure.

We strive for transparency about how we process your personal data. We work hard to provide clear and straightforward descriptions of our privacy practices because we want you to understand them. We’re sorry this might lead to a lengthy read at times, but we want you to be fully informed.

We review this policy regularly and where necessary make updates to ensure it accurately reflects how we use your data. We will notify you if there are changes which affect how your data is processed.

We hope this policy helps you to understand how we use your data. If you have any questions you can contact us emailing us at [email protected]

1. Who are we?

a) We are The Purpl Co Limited, a company registered in England and Wales. Our company number is 14553148. Our registered office is at 7 Bell Yard, London, England, WC2A 2JR.

b) We own and operate the website, www.purpldiscounts.com which we will refer to as Purpl.

c) For simplicity throughout this notice, ‘we’ and ‘us’ also means Purpl.

d) We design our platforms and services with your privacy in mind.

e) We are registered with the Information Commissioner’s Register of Data Controllers under number [ZB675308].

2. What is this policy for?

a) The Policy set out below explains how we manage your personal data. Personal data relates to information about any identified or identifiable living person that we collect, or you provide to us when you use or access Purpl. Please read on to find out:

i. what kinds of personal data we collect
ii. how we use and protect it
iii. to whom we disclose it
iv. how you can access and rectify it
v. and how we use cookies on Purpl.

b) Please do not use Purpl unless you are completely happy with this Policy. If you do use Purpl, we will assume that you accept this Policy.

3. Changes to this policy

a) We may amend this Policy from time to time when deemed necessary. We will notify you of any changes by updating this page with the new Policy, so we advise that you periodically review this Policy for any changes.

b) We will assume you agree to the Policy or revised versions of the Policy if you use Purpl after the effective date shown at the top of the Policy.

4. When do we collect your personal data?

a) When you visit Purpl and use your account to buy products and services from our Selling Partners.

b) When you make an online purchase and check out as a guest (in which case we just collect data required to process your order).

c) When you create an account with us.

d) When you shop online, we capture information through cookies and similar technologies.

e) When you engage with us on social media.

f) When you contact us by any means with queries, comments, complaints etc.

g) When you ask one of our Selling Partners to email you information about a product or service.

h) When you choose to complete any forms or surveys.

i) When you comment on or review our products and services.

j) When any individual requests access to personal data related to them, including opinions. So if your comment or review includes information about the Selling Partner who provided that service, it may be passed on to them if requested.

k) When you’ve given a third party permission to share with us the information they hold about you.

l) When we collect data from publicly-available sources when you have given your consent to share information.

m) When the information is made public as a matter of law.

5. What personal or other data do we collect?

a) If you have an account with us for your own disability: your name, email address, your verification document ID and expiry date. For your security, we’ll also keep an encrypted record of your login password.

b) If you have an account with us on behalf of a child or adult as a parent/guardian/carer:
your name, email address, the verification document ID (and associated name), reference ID
(e.g. from a DLA letter or a Scottish Disability payment letter) and expiry date. For your
security, we’ll also keep an encrypted record of your login password.

c) Whilst we will collect information provided by you in order to verify that you are registered with a disability, we will encrypt and store only the confirmation of the successful verification. This sensitive personal data will not be passed on to any party and the cached copies will be deleted after the verification process.

d) As part of the verification process, we will temporarily cache the personal data on your disability documentation. This may include title (gender), name, home address and facial image.

e) Details of how you use Purpl or interactions with us. For example:

i. details of purchases you make
ii. items viewed or added to your basket
iii. voucher redemptions
iv. brands you show interest in
v. web pages you visit

f) How and when you contact us.

g) Copies of documents you provide to prove your age or identity where the law requires this. This may include your passport or driver’s licence. This will include details of your full name, address, date of birth and facial image. If you provide a passport, the data will also include your place of birth, gender and nationality.

h) Your preferences on Purpl including marketing and communications.

i) To deliver the best possible web experience we and our contractors and Selling Partners automatically collect technical information. This is about how we may receive and store certain information automatically when you interact with us. Examples include:

i. the internet protocol (IP) address used to connect your computer to the internet
ii. connection information such as browser type and version
iii. information about your mobile or other device including device type and device identifier
iv. operating system and platform
v. country and telephone code where your computer is located
vi. a unique reference number linked to the data you enter on our system
vii. login details
viii. clickstream data
ix. details of your activity on Purpl with date/time stamps including the pages you visited
x. searches you made and goods purchased

j) Information gathered by the use of cookies in your web browser. Learn more about how we use cookies and similar technologies.

k) Open rates, click through rates on email marketing campaign tracking elements.

l) Personal details which help us to recommend items of interest.

m) Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback

6. How and why do we use your personal data?

a) We want to give you the best possible customer experience. One way to achieve that is to get the richest picture we can of who you are by combining the data we have about you.

b) We then use this to offer you promotions, products and services that are most likely to interest you.

c) The data privacy law allows this as part of our legitimate interest. This helps to understand our customers and provide the highest levels of service.

d) Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.

e) Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.

f) Here’s how we may use your personal data and why:

i. To process any orders that you make by using Purpl. For example, your details may be passed to a third party (Selling Partner) to supply or deliver the product or service that you ordered, and we may keep your details for a reasonable period afterwards in order to fulfil any contractual obligations such as refunds, guarantees and so on.
ii. To respond to your queries, refund requests and complaints. Handling the information you send helps us to respond. We may also keep a record of these to inform any future communication with us and to
demonstrate how we communicated with you throughout. We do this based on our contractual obligations to you, our legal obligations and our legitimate interests in providing you with the best service. We consistently review our understanding of how we can improve our service based on your experience.
iii. To send you email notifications when you place a product in your basket and you abandon your browsing before completing your checkout. We do this based on our legitimate interest.
iv. To provide you with tracking information so that you can follow your order. We do this under legitimate interest to enhance your customer experience and give you more information around where your delivery
is and when your order will arrive.
v. To protect our business and your account from fraud and other illegal activities. This includes using your personal data to maintain, update and safeguard your account. We’ll also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We’ll do all of this as part of our legitimate interest. For example, by checking your password when you login and using automated monitoring of IP addresses to identify possible fraudulent log-ins from unexpected locations.
vi. To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate business interests. This also helps to protect our customers from fraud.
vii. If we discover any criminal activity or alleged criminal activity through our use of fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting
unlawful acts. Our aim is to protect the individuals we interact with from criminal activities.
viii. With your consent, or whenever you purchase with us and choose to receive our updates, we will use your personal data, preferences and details of your transactions to keep you informed by email, web, text, or telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. This is only applicable within the UK. Of course, you are free to opt out of hearing from us by any of these channels at any time.
ix. To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Notice, product recall notices, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
x. To display the most interesting content to you on Purpl, we’ll use data we hold about your favourite brands or products and so on. We do soon the basis of your consent to receive email notifications and/or for our website to place cookies or similar technology on your device. If not through the use of cookies or similar technology, then on the basis of our legitimate interest. For example, we might display a list of items you’ve recently looked at, or offer you recommendations based on your purchase history and
any other data you’ve shared with us.
xi. To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests. For example, we’ll record your browser’s Session ID to help us understand more when you leave us online feedback about any problems you’re having.
xii. To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to share data with law enforcement agencies or a court of law.
xiii. To send you survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
xiv. Help inform business decisions for example which third party websites we partner with to ensure our advertising reaches our customers.
xv. To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests.

7. How long will we keep your personal data?

a) Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.

b) At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

c) Some examples of customer data retention periods: 

i. Facial Image: cached for up to 24 hours to allow you to complete registration. Otherwise deleted on verification completion.
ii. Orders: When you place an order, we’ll keep the personal data you give us for five years so we can comply with our legal and contractual obligations. In the case of certain products, such as electrical and nursery items, we’ll keep the data for 10 years.

8. Who do we share your personal data with?

a) Payment details including credit card numbers are supplied direct to our payment partner mentioned on our website. We do not store or receive your credit card information. To ensure your details are not being used without consent, your personal data may be supplied by our payment partners to relevant third parties including credit reference and fraud prevention agencies, who may keep a record of that information.

b) We may share your personal data with third party Selling Partners in order to process and deliver your order including the management of payments and refunds.

c) We may disclose personal data so far as reasonably necessary if we have reason to believe that it breaches our terms and conditions, or that such steps are necessary to protect us or others, or that a criminal act has been committed, of there has been a complaint about content posted by you, of if we are required to do so by law or appropriate authority.

d) We may store or transfer personal data outside the European Economic Area (EEA) for the purposes stated in this policy. If so, we will comply with the applicable laws relating to data transfer outside the EEA.

e) Except as otherwise specifically included in this policy, this document addresses only the use and disclosure of information we collect from you. If you disclose your information to third parties, whether they are suppliers of services on Purpl (e.g. payment providers) or other websites, different rules will apply to their use or disclosure of your information. Please check their privacy policies carefully.

f) Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:

i. We provide only the information they need to perform their specific services.
ii. They may only use your data for the exact purposes we specify in our contract with them.
iii. We work closely with them to ensure that your privacy is respected and protected at all times.

g) We sometimes share your personal data with trusted third parties. Examples of the kind of third parties we work with are:

i. IT companies who support our website and other business systems. We use Amazon Web Services (“AWS”) for our verification application and general hosting services. A detailed FAQ of AWS’s data privacy can be found here.
ii. Operational companies to manage customer support. We use Zoho Desk data-centers located in the European Union. Zoho Desk has security built into every layer of the product. They meet the industry
standards for ISO 27001, and SOC 2 Type 2 for data privacy and protection and are fully GDPR compliant.
iii. Direct marketing companies who help us manage our electronic communications with you. We use “MailChimp”, a newsletter platform, to send news and updates. The e-mail addresses of our recipients, as well as further data described in the context of this information, are being stored on the servers of MailChimp in the USA. MailChimp uses this information to send out and evaluate the newsletters and updates on our behalf. In addition, MailChimp can use this data to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and the presentation of the newsletter/update. However, MailChimp does not use the data of our email recipients to contact them independently or transfer data to other third parties.  Mailchimp’s privacy policy can be found  here. 
iv. We use Mailchimp also for transactional emails, which are messages that are sent in response to an action you take on a website or application. They contain data or content that is specific to that user,
and are typically sent to individuals one at a time. Examples include: Password reset emails.
v. Google Analytics whose data privacy and security policies may be found here.
vi. Facebook whose data privacy and security policies may be found here.
vii. Instagram whose data privacy and security policies may be found here.
viii. Linkedin whose data privacy and security policies may be found here.

h) Sharing your data with third parties for their own purposes: We will only do this in very specific circumstances, for example:

i. For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
ii. We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

i) To help personalise and support your journey through Purpl websites we currently use the following companies, who will process your personal data as part of their contracts with us:
i. Cookiebot
ii. Mailchimp
iii. Google
iv. Linkedin
v. Facebook
vi. Instagram
vii. Zoho

9. How Do We Protect Personal Data?

a) We know how much data security matters to all our customers so it is a high priority for us. We take great care of the data we collect from you and take all precautions and steps to protect it.

b) We secure access to all transactional areas of our websites and apps using ‘https’ technology.

c) Access to your personal data is password-protected with account additional user restrictions, and sensitive data (such as disability verification) is secured and encrypted to ensure it is protected.

d) We regularly monitor our system for possible vulnerabilities and attacks.

e) Email and other electronic communications are not secure if they have not been encrypted. Your communications will pass through a number of network nodes before they reach us, so we do not accept responsibility for any unauthorised access to or loss of personal data that stems from a cause beyond our control. Nor can we be held responsible for the actions or omissions of other users or third parties who may misuse your personal data which they collect from Purpl.

10. Where your personal data may be processed?

a) Purpl is a UK based company and so it might be that we will transfer your data to the UK, which is outside of the EU. We may also need to share your personal data with third parties and suppliers outside the European Economic Area (EEA).

b) Protecting your data outside the UK:

i. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the UK. For example, this might be required in order to fulfil your order, process your payment details or provide support services.
ii. If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed in the UK. For example, our contracts with third parties stipulate the standards
they must follow at all times.

c) Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy policy.

11. Your Rights Under The Data Protection Act 2018 & GDPR

a) You have the right to request personal data that we hold about you, subject to us reserving the right to withhold such data to the extent permitted by law. We may charge an administration fee in line with data protection laws and we may also require appropriate evidence of identity. Note that you may be able to rectify certain aspects of your personal data within your account on our service (if applicable).

b) If you are located within the EU and the GDPR regulations apply to our processing of your personal data, you have the right to request the following from us:

i. Access to personal data of yours that we hold
ii. That we correct or rectify any incorrect personal data that we hold
iii. That we erase any personal data of yours that we hold
iv. To receive your personal data provided to us

c) Please contact us if you believe that the EU GDPR regulations apply to you and you wish to exercise your rights under GDPR. Please note that we might ask you to verify your identity before responding to requests.

d) You also have the right to complain to a Data Protection Authority about our use and collection of your personal information. For more information, please contact the relevant data protection authority in your area.

e) For further information about your rights under UK data protection laws, see the website of the UK Information Commissioner here.

12. Third-Party Sites

Purpl may contain links to other websites operated by third-parties. Please be aware that this Policy only applies to the personal information that Purpl collects. Purpl cannot be held responsible for personal information that third parties might store, collect or use throughout their website. Please ensure you read the privacy policy of every website you visit carefully.