Privacy Policy
Last updated: May 4, 2026
1. Introduction
This Privacy Policy explains how PurpleOps Ltd. ("PurpleOps", "we", "us", "our") processes personal data when you visit the purple-ops.io website (the "Website"), submit a form, subscribe to our newsletter, or otherwise interact with us. It is written to satisfy our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the ePrivacy Directive.
This policy covers the Website only. Use of the PurpleOps platform under a Platform Agreement is governed by a separate Data Processing Agreement provided to customers during onboarding.
2. Data controller
The data controller for the Website is PurpleOps Ltd.
- General contact: team@purple-ops.io
- Privacy / data-protection contact: team@purple-ops.io
If you are an EU/EEA/UK resident and would like to reach our data-protection point of contact, please use the privacy address above and reference "GDPR request" in your subject line.
3. What we collect and why
We collect only what is needed to operate the Website, respond to enquiries, and improve our service.
3.1 Contact form
When you submit the contact form on /contact-us we collect the name, work email, company, and message you provide.
- Purpose: respond to your enquiry, qualify potential business interest.
- Legal basis: Art. 6(1)(b) GDPR (steps taken at your request before entering a contract), and Art. 6(1)(f) (our legitimate interest in handling business enquiries).
- Retention: kept for up to 24 months from last interaction, then deleted or anonymised.
3.2 Newsletter subscription
When you subscribe to the PurpleOps newsletter we collect your email address and the timestamp of your double opt-in confirmation.
- Purpose: deliver the newsletter you requested and prove valid consent if challenged.
- Legal basis: Art. 6(1)(a) GDPR, your consent (collected via double opt-in).
- Retention: kept until you unsubscribe (one-click link in every email) or for 24 months of inactivity, whichever comes first.
3.3 Demo requests
When you book a demo on /book-demo we collect the contact details required to schedule the call.
- Purpose: arrange and follow up on the requested demo.
- Legal basis: Art. 6(1)(b) GDPR, pre-contractual measures at your request.
- Retention: 24 months from last interaction, unless you become a customer.
3.4 Server logs and security telemetry
Our hosting provider (Cloudflare) automatically processes certain technical data on every request: IP address, user-agent, referer, timestamps, and country derived from the IP. We use this for security, abuse prevention, and to detect outages.
- Legal basis: Art. 6(1)(f) GDPR, our legitimate interest in keeping the Website secure and available.
- Retention: Cloudflare access logs are retained for up to 30 days; aggregated security data may be kept longer in non-identifying form.
3.5 Cookies and analytics
For details of every cookie set, the categories, providers, and how to manage them, see our Cookie Policy. Analytics, marketing and functional cookies are only set with your prior consent in the EU/EEA/UK.
4. We do not sell your personal data
PurpleOps does not sell, rent, or trade personal data collected through the Website. We do not run programmatic advertising on the Website and we do not use your data to build profiles for sale to third parties.
5. Sub-processors and service providers
We use a small number of trusted vendors to operate the Website. Each acts under a written data-processing agreement and only on our documented instructions.
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers), CDN, DDoS & bot protection, D1 database, R2 object storage | Global (EU edge for EU traffic) |
| Mailgun (Sinch) | Transactional email and newsletter delivery | EU / US |
| Google LLC (Analytics) | Aggregate website analytics, only with your consent | EU / US |
We will keep this list current. If you would like the exhaustive sub-processor register or copies of the relevant data-processing agreements, please contact team@purple-ops.io.
6. International transfers
Some of our sub-processors operate outside the EU/EEA/UK (notably in the United States). When personal data is transferred to such jurisdictions we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, supplemented where appropriate by additional technical measures (encryption in transit and at rest, pseudonymisation of identifiers in logs). Cloudflare is certified under the EU-US Data Privacy Framework where applicable.
7. Your rights
If you are in the EU/EEA/UK you have the following rights under GDPR. Equivalent rights apply for residents of jurisdictions with comparable laws (e.g. CCPA/CPRA in California, LGPD in Brazil).
- Access: obtain a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your data where one of the GDPR grounds applies.
- Restriction: ask us to limit processing while we resolve a query.
- Portability: receive the data you provided to us in a machine-readable format.
- Object: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent at any time, where processing is based on consent (for example, cookies or the newsletter). Withdrawal does not affect prior lawful processing.
- Lodge a complaint with your local supervisory authority. A list of EU/EEA authorities is available at edpb.europa.eu; for the UK see the ICO.
To exercise any right, email team@purple-ops.io. We will respond within one month and may need to verify your identity before acting on the request.
8. Security
We apply industry-standard technical and organisational measures to protect personal data: TLS 1.3 in transit, encrypted storage at rest, principle of least privilege for staff access, multi-factor authentication on administrative systems, and continuous logging of administrative actions. Despite these measures, no method of transmission over the Internet is 100 % secure; if we become aware of a personal-data breach affecting your data we will notify you and the relevant supervisory authority where required by law.
9. Children
The Website is intended for business audiences and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy as our practices or applicable laws change. Material updates will be indicated by changing the "Last updated" date above. For significant changes we will provide a prominent notice on the Website (and, where appropriate, by email).
11. Contact
For any privacy-related question or to exercise your rights, contact us at team@purple-ops.io.