Privacy Policy

Data controller

New Purple is the “data controller” for personal data we collect through our website and business operations.

Our details

• Legal name: [TBC]
• Registered address: [TBC]
• Trading address (if different): [TBC]
• Email: [TBC]]
• General contact: [TBC]

Data protection contact

For privacy questions or to exercise your rights, contact: [TBC privacy email].

We may ask for information to verify your identity before responding to certain requests (for your protection).

We may collect the following categories of personal data:

A) Information you provide directly

• Identity data: name, job title, company name
• Contact data: email, phone number, address (if needed for invoicing/contracting)
• Enquiry data: message content submitted via forms, email, chat, or calls
• Project data: content you share with us to deliver work (briefs, assets, copy, feedback, credentials you choose to provide, and similar)
• Payment/admin data: billing contact details, invoicing information (we do not store full card details on our systems)
• Recruitment data (if applicable): CVs, portfolios, and application messages

B) Information we collect automatically when you use our website

• Usage data: pages visited, time on page, clicks, referring pages
• Device/technical data: IP address, browser type, OS, device identifiers
• Cookie and consent data: your cookie preferences and consent status (where applicable)

C) Information from third parties

• Business contact information from your organisation or public sources (e.g., company website, LinkedIn) where relevant to an enquiry or relationship
• Technical providers’ logs (hosting, security, and performance monitoring)

We do not intentionally collect special category data (e.g., health, biometrics, political opinions) and ask that you do not send it to us unless strictly necessary. If you do, we will handle it with additional care and may delete it if not needed.

We use personal data only where permitted by law and for legitimate business purposes, including:

1) Responding to enquiries and providing information

So we can reply, arrange calls, prepare proposals, and understand your needs.

2) Providing and improving our services

To deliver digital, design, branding, audio, studio, or AI-related services; manage projects; communicate with you; and maintain quality.

3) Operating and securing our website

To keep the site reliable, prevent fraud/abuse, troubleshoot issues, and maintain performance.

4) Marketing and business development

To share updates about our work, services, insights, or events where allowed by law (and you can opt out at any time).

5) Admin, invoicing, and record-keeping

To maintain business records, manage accounts, and comply with legal and tax obligations.

6) Legal rights and compliance

To protect our rights, handle disputes, enforce agreements, and comply with lawful requests.

We process personal data under one or more of these legal bases:

Contract

Where processing is needed to provide a service you request or to take steps at your request before entering a contract.

Legitimate interests

Where we have a genuine business reason (e.g., responding to enquiries, improving services, securing systems) and your rights do not override those interests.

Consent

Where required (commonly for non-essential cookies and some marketing communications).

Legal obligation

Where we must comply with legal duties (e.g., tax, accounting, responding to lawful authority requests).

If you want details about the lawful basis for a specific activity, contact us and we’ll explain.

We use cookies and similar technologies to operate our website and (where enabled) measure performance and improve user experience.

• Strictly necessary cookies: required for core site functions and security.
• Functional cookies: remember preferences (where enabled).
• Analytics cookies: help us understand website usage (where enabled).
• Marketing cookies: used for advertising/retargeting (only where enabled).

Cookie banner and preferences

We use a cookie consent tool: [TBC – name of platform or “in development”].

You can change your cookie preferences at any time via: [TBC – link/button label].

Cookie Policy

For more detail (including cookie lists), see: Cookie Policy [TBC link].

We may share personal data with trusted service providers where necessary to run our business and deliver services. Examples include:

• Website hosting, CDN, and infrastructure providers: [TBC]
• Email and communication tools: [TBC]
• Analytics/performance tools (if enabled): [TBC]
• CRM, project management, file storage: [TBC]
• Payment/invoicing/accounting providers: [TBC]
• Security tools (spam prevention, firewall, monitoring): [TBC]
• Professional advisers: accountants, insurers, legal advisers (where necessary)

We only share data where needed, require appropriate safeguards, and do not sell personal data.

Client work

When delivering client services, we may process data provided by the client, and may share it with subcontractors (e.g., specialist developers) only where needed and under confidentiality obligations.

Some of our providers may process data outside the UK. Where personal data is transferred internationally, we use appropriate safeguards, such as:

• UK International Data Transfer Agreement (IDTA) and/or
• UK Addendum to EU Standard Contractual Clauses, and/or
• other lawful transfer mechanisms permitted by UK GDPR.

Details of relevant safeguards can be requested via [TBC privacy email].

If we provide AI-related services or use AI-enabled tools in our workflow, we may process text, images, audio, or other content you submit.

What this may involve

• Using tools to help draft, summarise, classify, or generate content
• Testing and improving user experience (e.g., chatbot flows)
• Automations that route content between systems (e.g., forms → CRM)

Important notes

• We aim to minimise personal data used in AI workflows and recommend you avoid including sensitive personal data unless necessary.
• Where third-party AI providers are used, processing is subject to their terms and our contractual safeguards.
• If a specific project requires stronger controls (e.g., “no external AI processing”), we can agree this in writing as part of the project scope and technical design.

We do not make solely automated decisions that produce legal or similarly significant effects about you via our website as standard. If this changes for a specific feature, we will clearly explain it and provide rights/choices where required.

We keep personal data only as long as necessary for the purposes described, including:

• Enquiries: typically [TBC – e.g., 12–24 months] after last contact
• Client project communications and records: typically [TBC – e.g., duration of relationship + 6 years] for accounting/legal reasons
• Invoicing/tax records: typically 6 years (UK standard practice)
• Website logs/security records: [TBC]
• Marketing lists: until you unsubscribe or we clean inactive records

We may retain data longer where required by law, for dispute resolution, or to protect our legal rights.

Under UK GDPR you have rights including:

• Access: request a copy of your personal data
• Rectification: correct inaccurate data
• Erasure: request deletion in certain circumstances
• Restriction: limit how we use data in certain cases
• Portability: receive certain data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests and to direct marketing
• Withdraw consent: where processing is based on consent (e.g., certain cookies, some marketing)

To exercise your rights, email [TBC privacy email].

We will respond within the required timeframe (usually one month).

If you receive marketing from us, you can opt out at any time using:

• the unsubscribe link in emails, or
• by contacting [TBC privacy email].

We may still send essential service communications (e.g., project or contractual messages).

We use appropriate technical and organisational measures to protect personal data, such as:

• access controls and least-privilege permissions
• secure hosting and transport encryption where supported
• backups and monitoring
• staff/contractor confidentiality obligations where applicable

No online system is 100% secure. If a breach occurs that risks your rights and freedoms, we will notify relevant parties as required by law.

Our website and services are not directed to children and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.

Our website may link to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies separately.

We may update this policy from time to time. The “Last updated” date at the top shows when it was last changed. If changes are significant, we may provide additional notice.