1. Purpose
This Privacy Policy defines how Purple Bridge collects, uses, stores, discloses, and protects personal information in accordance with applicable data protection laws and recognized security and privacy frameworks. The policy establishes controls and responsibilities to ensure personal data is handled lawfully, transparently, and securely, supporting compliance with ISO/IEC 27001 and SOC 2 Trust Services.
2. Scope
This policy applies to:
All personal data processed by Purple Bridge.
Employees, contractors, consultants, and temporary staff
Customers, clients, vendors, partners, and website users
All systems, applications, databases, cloud platforms, and third parties involved in processing personal data
This policy covers personal data processed in electronic, physical, verbal, or any other form.
3. Definitions
3.1 Personal Data
Any information that identifies or can reasonably be linked to an identified or identifiable individual.
3.2 Sensitive Personal Data
Personal data that requires a higher level of protection due to its nature, including financial data, authentication data, government identifiers, health-related data, or other data classified as sensitive under applicable laws.
3.3 Processing
Any operation performed on personal data, including collection, recording, storage, use, disclosure, transmission, or deletion.
3.4 Data Subject
An individual whose personal data is processed by Purple Bridge.
4. Privacy Principles
Purple Bridge processes personal data in accordance with the following principles:
Lawfulness and Fairness
Personal data is processed only for legitimate business purposes and in a fair and lawful manner.
Transparency
Individuals are informed about how their personal data is collected, used, stored, and shared.
Purpose Limitation
Personal data is collected only for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
Data Minimization
Only personal data that is necessary and relevant for business operations is collected and processed.
Accuracy
Reasonable steps are taken to ensure personal data is accurate, complete, and up to date.
Storage Limitation
Personal data is retained only for as long as necessary to fulfil business or legal requirements.
Confidentiality and Security
Personal data is protected against unauthorized access, disclosure, alteration, or destruction.
5. Collection of Personal Data
Purple Bridge may collect personal data through:
Business relationships with customers and clients
Employment and recruitment processes
Vendor and third-party engagements
Website usage and digital platforms
Legal and regulatory obligations
Collected data may include identification details, contact information, employment data, account-related information, and technical or usage data, as applicable.
6. Use of Personal Data
Personal data is used only for legitimate business purposes, including:
Delivering products and services
Managing contractual relationships
Internal business operations
Security monitoring and incident response
Compliance with legal and regulatory requirements
Improving service quality and operational efficiency
Personal data is not used for purposes beyond those communicated unless legally permitted.
7. Data Sharing and Disclosure
Purple Bridge shares personal data only when necessary and under controlled conditions. Personal data may be disclosed to:
Authorized employees on a need-to-know basis
Approved vendors, service providers, or processors performing services on behalf of the organization
Regulatory or government authorities when required by law
Professional advisors such as auditors or legal consultants
All third parties are required to implement appropriate confidentiality, security, and privacy controls consistent with this policy and contractual obligations.
8. Third-Party and Vendor Management
Third parties that process personal data on behalf of Purple Bridge are subject to due diligence and contractual requirements, including:
Data protection and confidentiality obligations
Defined scope and purpose of data processing
Security controls aligned with industry standards
Rights to audit or obtain assurance reports, where applicable
Personal data is shared with third parties only for approved business purposes.
9. Data Retention and Disposal
Personal data is retained only for the duration necessary to:
Fulfill the stated business purpose
Comply with legal, regulatory, or contractual obligations
Retention periods are defined and documented.
At the end of the retention period, personal data is securely deleted, anonymized, or destroyed using approved methods to prevent unauthorized recovery.
10. Access Control and Authorization
Access to personal data is restricted to authorized individuals based on:
Job roles and responsibilities
Principle of least privilege
Management approval and documented access requests
Access rights are reviewed periodically and revoked promptly when no longer required.
11. Information Security Safeguards
Purple Bridge implements appropriate administrative, technical, and physical safeguards to protect personal data, including:
Logical access controls and authentication mechanisms
Encryption of personal data where applicable
Secure configuration of systems and applications
Monitoring and logging of access and activities
Physical security controls for facilities and devices
Security controls are reviewed and updated periodically to address evolving risks.
12. Incident Management and Breach Handling
Personal data incidents are managed through an established incident response process that includes:
Identification and containment of incidents
Assessment of impact and root cause
Timely remediation actions
Notification to affected parties and authorities, where required
All incidents are documented and reviewed to improve preventive controls.
13. Data Subject Rights
Purple Bridge respects the rights of individuals whose personal data is processed.
Subject to applicable laws, individuals may have the right to:
Access their personal data
Request correction of inaccurate or incomplete data
Request deletion of personal data, where legally permissible
Object to or restrict certain processing activities
Withdraw consent where processing is based on consent
Requests related to personal data rights are handled in a timely and documented manner.
14. Consent Management
Where consent is required, Purple Bridge ensures that:
Consent is obtained in a clear and informed manner
The purpose of data processing is communicated prior to collection
Consent is recorded and maintained as evidence
Individuals can withdraw consent through a simple and accessible process
Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
15. Cross-Border Data Transfers
Personal data may be transferred or accessed across geographic boundaries only when:
There is a legitimate business requirement
Appropriate safeguards are implemented to protect the data
Transfers comply with applicable data protection laws
Safeguards may include contractual clauses, risk assessments, or equivalent protective measures.
16. Children’s Personal Data
Purple Bridge does not knowingly collect personal data from children unless required by law or explicitly permitted.
Where applicable, appropriate consent and safeguards are implemented to protect children’s personal data.
17. Compliance Monitoring and Audits
Compliance with this Privacy Policy is supported through:
Periodic internal reviews and assessments
Information security and privacy audits
Monitoring of regulatory changes
Management oversight and corrective actions
Non-compliance with this policy may result in disciplinary action or contractual consequences.
18. Training and Awareness
Purple Bridge ensures that personnel with access to personal data:
Receive appropriate privacy and information security training
Understand their responsibilities regarding personal data protection
Are informed of consequences for improper handling of personal data
Training is conducted at onboarding and periodically thereafter.
19. Policy Violations and Disciplinary Actions
Violations of this Privacy Policy may result in:
Disciplinary action in accordance with organizational procedures
Contractual remedies for third parties
Legal or regulatory consequences where applicable
All violations are investigated and addressed in a consistent and documented manner.
