Purple Hippo Web Ltd respects your privacy and is committed to protecting your personal data.
This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.
- Important information and who we are;
- The data we collect about you;
- How is your personal data collected;
- How we use your personal data;
- Who we share this information with;
- How we keep your information secure.
- How long we keep your personal data;
- Your legal rights;
1. Important information and who we are
This privacy notice aims to give you information on how we collect and process your personal data through your use of this website, including any data you may provide through this website when you fill in a contact form, sign up to our newsletter or purchase a product or service.
Purple Hippo Web Ltd is the data controller and responsible for your personal data (collectively referred to as “Purple Hippo Web Ltd”, “we”, “us” or “our” in this privacy notice).
We provide web design and WordPress development services to clients. Throughout this document we are going to refer to our website and any services that we offer such as web development, consultancy, hosting and maintenance as “services”.
Full name of legal entity: Purple Hippo Web Ltd
Email address: firstname.lastname@example.org
Postal address: 6 Saddlers Place, Martlesham Heath, Ipswich, Suffolk, IP5 3SS
Telephone number: 07817 218563
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
2. The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data includes first name, maiden name, last name or title.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes the names of customers making payments to our bank accounts (but not their account numbers or sort codes).
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Credentials – you may provide us with credentials for accessing a website, for example hosting account login details, WordPress login details or (S)FTP or SSH details.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. How is your personal data collected
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity and Contact details by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- apply for our products or services;
- subscribe to our service or publications;
- request marketing to be sent to you;
- give us some feedback.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, for example Technical Data from analytics providers such as Google based outside the EU.
4. How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
Purposes for which we will use your personal data
We have set out below, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
To process and deliver our service
When we provide you with our services we will use your personal data to create invoices, managing payments, set-up project management software, communicate with you about the service, host your website during development and backup and restore your website. This is necessary for us to perform the contract with you and for our legitimate interest in recovering debts.
To manage our relationship with you
This is for performance of a contract with you, to comply with our legal obligations, and for our legitimate interest to keep our records updated and to study how customers use our services.
To enable you to take part in a prize draw, competition or survey.
This is for performance of a contract with you and is necessary for our legitimate interest to study how customers use our services to improve/ develop our business.
To administer and protect our business and this website
This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
This is necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) and to comply with a legal obligation.
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.
This is necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.
This is necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).
To make suggestions and recommendations to you about goods or services that may be of interest to you.
This is necessary for our legitimate interests (to develop our products/services and grow our business).
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from us
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased goods or services from us [or if you provided us with your details when you entered a competition or registered for a promotion] and, in each case, you have not opted out of receiving that marketing.
We will get your express opt-in consent before we share your personal data with any company outside of Purple Hippo Web Ltd for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Sharing information
We never sell your information to any third party, but we do share your information in the circumstances outlined below, with safeguards in place to help protect your privacy.
Employees and independent contractors – it may be the case we need to share your details with a contractor who we have employed to work on your project. They need this information to be able to communicate with you and access various things e.g. your server or website.
Third party provider – to help us run our business we use several third party vendors to provide services to us, for example accounting software and payment providers. We need to provide them with your details so they carry out that services successfully and safely. We also use some services to store our data on such as iCloud and Dropbox. All this data is stored in a secure way (see below).
Each third-party provider has been vetted by us to ensure that privacy policies and practices meet or exceed the same levels of compliance and standards that we follow. Where appropriate and available, we hold additional signed Data Privacy Agreements with these companies as an additional layer of accountability in order to help ensure your data is safe and secure.
As Required by Law – we may disclose information about you in response to a court order, or other governmental request.
To Protect Rights and Property – we may disclose information about you when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Purple Hippo, third parties, or the public at large. For example, if we have a good faith belief that there is an imminent danger of death or serious physical injury, we may disclose information related to the emergency without delay.
Information shared publicly
We like to show off our work to help market our products and services with others. Unless agreed in our contract we may share the work we have done in our portfolio or list your site in a list of sites which uses one of our products or plugins.
We may also share your company or project name with others when discussing our work and work we have done in the past with clients.
Whilst nothing is ever 100% secure, we work very hard to protect information about you against unauthorised access, use, alteration or destruction and we take reasonable measures to do so.
See wordpress.org/about/security for details on the security of the WordPress core itself.
- Prevention is best when it comes to security, and as a first step, we follow all WordPress Code Standards in the plugins that we build and use.
- All staff /contractors) undergo initial training to ensure proper understanding of all security-related processes.
- All staff / contractors only have access to systems that are directly required to complete the functions of their job.
- We only use third-party services that adhere to the highest levels of privacy and security practices.
- All the data we store on you is stored on servers or computers which use encryption when sending data from one device to another. Where services allow us to, we always use Two Factor Authentication to improve security of login information and reduce the risk of login information being used to gain unauthorised access.
- Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Website maintenance customers.
If you subscribe to a website maintenance plan with us then we will ensure that all WordPress core and plugin security updates are implemented on your website immediately.
Data Breach Procedure
Should any event occur where customer data has been lost, stolen, or potentially compromised, our policy is to alert our customers via email no later than 48 hours of us becoming aware of the event. We will also report such incident to any required data protection authority. We will work closely with any customers affected to determine next steps such as any end-user notifications, needed patches, and how to avoid any similar event in the future.
7. How long we keep your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Where we have provided web development services we will retain a copy of your website on our local server and we will retain your credentials to access your live website and hosting account whilst you engage us to maintain and support your website via a maintenance plan.
If you choose not to take out a maintenance plan or you cancel your maintenance plan then we will delete any copies of your website from our local server and delete the credentials to access your live website and hosting account from our records within 14 days.
In some circumstances you can ask us to delete your data: see “your right to be forgotten” below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. Your Rights
You have several choices regarding the information we store about you:
- Limit the information that you provide – you can choose to provide us with only the information we require to operate our services and not any optional information.
- Opt-out of electronic communications – you may choose to opt out of receiving electronic communications from us by following the instructions in those messages. If you do opt out, we may still send you other messages such as those about your account (e.g. service expiration emails) and legal notices.
- Set your browser to reject cookies – you can set your browser to reject cookies which will mean we will not track data from your we usually collect via cookies (see above). This comes with the drawback that some of our services may not operate or function properly without the aid of cookies.
Your “right to be forgotten”
You have a right to both access the information we hold from you as well as asking us to remove the information we hold from our systems. You can request either of these, doing so by completing the a request here. If you request we delete your information, you understand this may mean that we cannot continue providing you with the service or product you are currently using. We will also request that other organisations we have shared your data with do the same. If you require a list of these organisations, please indicate this when contacting us with your request.
For further information on what these rights are please visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
Purple Hippo is primarily a UK based business but we do work with clients and third party providers from across the world. By accessing or using our services or providing your information to us you consent to us processing, transferring and storing your information in countries which could be outside of the UK and/or different from your home country.
By continuing to use this site, our other sites and our products and services constitutes your acceptance of any changes.
May 14, 2018 – Updated language of the policy to be more user-friendly, specifically outlining requirements in preparation for meeting the GDPR.