Purple Post
- Privacy Notice –
This privacy notice sets out the standards that you can expect from Made Purple Ltd when we request or hold personal information (‘personal data’) about you, how you can get access to a copy of your personal data and what you can do if you think the standards are not being met.
Made Purple Ltd is a company registered in England and Wales under company registration number 11151840. The company has developed a secure video calling platform named Purple Visits to help assist people in custody and their families maintain visual contact when traditional social visits are not possible.
Data collected
The types of data we collect are:
- Full Name
- Email address
- Date of birth
- Full address
- Telephone number
- Location details
- ID documentation
- Profile image
- Your contact’s name, location and prison number
- Recordings of purple post sent and recived (text, images, voice notes)
Purposes of data collection
If you download our App or register with us online, we will store and process your data to enable us to provide our services. We collect, store and process your personal data, such as your name, email address, date of birth and contact information to enable us to provide the service to you and fulfil the contract made between you and us when you agreed to our Terms and Conditions.
You will be required to provide, as the visitor, photographic ID. A copy of your ID will be stored within our system to enable prison staff to verify your identity. We only store or process data which you have given to us and which we need to enable the appropriate establishment to offer your loved one a virtual calling option.
Personal data gathered during a virtual call, including any call recordings and security related data, is collected for law enforcement purposes. This data is processed by us on behalf of the relevant prison.
Legal basis for processing
Personal data is processed to enable us to perform our contract with you, as per Article 6(1)(b) of the GDPR. The contractual services for which the data processing is necessary can be found within our Terms and Conditions of Service. This data includes your email address and telephone number. Made Purple Ltd is the data controller for this information.
To ensure the service we provide meets your needs and expectations, we also collect data on your location. This data is used for research and development purposes and is processed in accordance with Article 6(1)(f) of the GDPR, for a legitimate interest. Made Purple Ltd is the data controller for this information.
The Ministry of Justice (MoJ), when acting as the data controller for your data, process data in accordance with DPA 2018, Part 3, Chapter 1, Section 35(2)(b) as the processing is necessary for the performance of a task carried out for a law enforcement purpose. This data includes your name, data of birth, address, unique identifiers and other security related data, such as ID documentation, profile images and call recordings. Some of this data is classed as sensitive which means processing special category data for law enforcement purposes. The relevant condition for the sensitive processing is schedule 8 paragraph 1 (statutory purposes). This includes the processing of biometric data for the purpose of facial verification. This is used at the following times:
- a) when a new user verifies their account (ID is matched with the user “selfie”)
- b) when a caller enters their call (user profile picture is matched with user “selfie”)
- c) when a caller wants to rejoin a paused call (user profile picture is matched with user “selfie”)
- d) during calls to ensure that they are an authorised visitor (face on screen matched with user “selfie”)
Who we share your data with and why?
Our Data Protection Officer is responsible for managing access to the personal data we store. Generally speaking, only the Data Protection Officer and authorised members of staff within Made Purple Ltd, the prison that facilitated the call, the organisation managing the prison and the overruling government agency responsible for the prison will access your data from within Purple Visits. If you are concerned about who might access the data you provide and you wish to clarify how your data is handled within the prison, you can contact their Data Protection Officer directly (contact details at the end of this notice).
Some of the services we use will also store a copy of your data. For example, our email provider (who may keep a record of your email address) and any providers they use to provide their services. If you send your details over a social media platform, that platform may keep a copy of your messages.
Who else might your data be shared with?
We reserve the right to share your personal data with other third parties if required for legal reasons. For example, in the case of a request under the RIPA (Regulation of Investigatory Powers Act 2000) legislation, a tax audit, or to prevent fraud. All data collected via the service or any other form of communication will be available to the prison whose ability to handle your data will be governed under their own privacy policy.
How long will we keep your personal information?
We may need to keep your personal details for up to 6 years after you have deleted your account. After this date your data will be anonymised, unless you have ‘opted in’ to receive ongoing communications. Please contact the relevant prison to confirm how long they will hold onto the data you provide within the app as this may vary and could be significantly longer. All messages sent via Purple Post will be kept by Made Purple for a period of 93 days after they have been deleted by both parties (both you and the person you have sent them to). Prisons, Secure hospitals or government officials will have access to these messages for 93 days after the date they have been sent / received. Please contact the relevant prison directly to find out how they use your information to prevent crime and protect the public.
For absalute clarity, your message may be kept by the person you have sent it to even after its no longer available to you following a deletion.
Disabling your account via the Purple Post app will ensure that your selfie, ID and utility bill image as well as the selfie, ID and utility bill images of any additional participants added to your account will be deleted by Made Purple Ltd 93 days after this action has been taken.
Your account status does not impact the retention policy for messages stated above.
The Ministry of Justice, when acting as the data controller for your data, will keep data in line with Prison Rule 35D and PSI 04/2016:
https://www.justice.gov.uk/offenders/psis/prison-service-instructions-2016
International transfers
All data held by Made Purple Ltd will never be passed outside of the UK (unless the establishment that your purple post is sent to is outside of the UK) your data is stored in a secure data centre based in London, England. In the event of a disaster our back up data centre is based in Cardiff, Wales and your data may be stored there for a period of time until the London data centre becomes operational.
Is there any Automated Decision Making?
(a decision made solely by automated means without any human involvement)
The Purple Post system will automate the verification process of your account and if activated pre-message. It will also check for any adult content in your images.
This happens at the following times.
- a) when a new user verifies their account
- b) when a user sends a message
This is required to maintain prison security throughout the messaging process.
How does our website use cookies?
Our website stores cookies on your browser to allow you to place an order with us. Our website’s cookies are temporary and cannot be used to identify individual visitors. To read more on Purple Post cookies please click here.
What are your rights?
Under data protection legislation, you have rights we need to make you aware of. The rights available to you depend on the reason for processing your information. These rights include:
- Information about how your personal data is processed and to request a copy of that personal data. This is also known as a Subject Access Request.
- Any inaccuracies in your personal data are rectified without delay.
- Any incomplete personal data is completed, including by means of a supplementary statement.
- Processing of your personal data is restricted.
- Erasure of your personal information, this enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it.
- Where we are relying on a contract with you, request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format.
- Object to automated decision making, including profiling, that has a legal or significant effect on you as an individual. In these circumstances you can obtain human intervention in the decision making, we have a process in place to handle these requests.
Any requests will be considered in the context of the companies’ statutory duties and the necessity of processing personal information for that purpose. There are some exemptions, which means we may not always be able to comply with your request in its entirety.
You can exercise your rights by contacting our data protection officer using the details provided below and making a request. For data owned by another organisation/prison, please contact them using the details provided below. You may be asked to provide us with proof of your identity before any request can be processed.
Who can I contact for more information?
Personal Data collected within the Purple Visits is managed by Made Purple Ltd. Made Purple Ltd is responsible for making sure that your data is stored and processed safely. You can contact us via email at [email protected].
If you do not have access to email, or you are in a prison or establishment which does not provide email facilities, you can write to Made Purple Ltd. at the below address:
Made Purple Ltd, Keystone Innovation Centre, Croxton Road, Thetford, Norfolk,IP24 1JD
Government Data Protection Officer
Should you wish to find out more about how your data is handled by the government organisation responsible for the prison your Purple Visit was facilitated in please see details below:
The Ministry Of Justice Data Protection Officer is Ms Yinka Williams, The Data Protection Officer can be contacted via email at [email protected] or [email protected] or by post at 5th Floor, 102 Petty France, Westminster, London, SW1H9AJ
The States of Jersey’s Data Protection Officer can be contacted at [email protected]
The States of Guernsey’s Data Protection Officer can be contacted at [email protected]
The NIPS Data Protection Officer details can be found at https://www.justice-ni.gov.uk/contact
The Scottish Prison Service’s Data Protection Officer can be written to at Scottish Prison Service, Calton House, 5 Redheughs Rigg, Edinburgh, EH12 9HW
Complaints
If you consider that your personal information has been misused or mishandled, you may make a
complaint to the Information Commissioner, who is the independent regulator.
The Information Commissioner can be contacted on 0303 123 1113 or at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Email: [email protected].
Review of this notice
This notice will be regularly reviewed and may be subject to revision. This version of the Privacy Notice was last updated in July 2024.