ICO registration:

For the purposes of data protection legislation, PTG is the controller for the processing of your personal data and has registered with the Information Commissioner’s Office (“ICO”). PTG’s registration number is ZB282656.

Information we use about you if you engage with us to use our Software (as a customer admin or individual user):

What information do we collect and process?

• Your e-mail address

• Name

• Department/Role

• A user access token placed via the use of a cookie as set out below

When do we collect this?

When you choose to engage us to use our Software

How do we use this information?

To allow you to access and use our Software

Our reasons

Contractual necessity and/or legitimate interests. We need this information to authenticate you as a user and allow you to access and use our Software

Information we use about you within the Software:

1. What information do we collect and process?

   Image data being snapshots of a particular station area which may include individual people in such image. Such individuals will, however, immediately have their faces blurred and so be anonymised upon our first processing of this image

   When do we collect this?

   On a daily basis.

   How do we use this information?

   In order for the customer to get a visual representation of the particular station area in order to better understand the analytics data provided by the Software

   Our reasons

   Legitimate interests. This legitimate interests based processing does not outweigh the rights/freedoms of the passengers because: (a) in a very high percentage of cases a passenger wouldn’t be able to be recognised anyway; and (b) even where they were to be able to be recognised the blurring of their faces happens so quickly that the small risk of someone being able to recognise such passenger is outweighed by the benefits the use of the Software has on that passenger in relation to e.g., making the station safer to use, easier to use and so forth moving forward.

2. What information do we collect and process?

   Anonymous analytics data

   When do we collect this?

   On a continuous basis

   How do we use this information?

   As the core feature of our Software i.e., providing analytics

   Our reasons

   N/A – the data is anonymous

Sharing your information with third parties:

Some of the information PTG collects from you is passed to third parties. These third parties are:

1. Our storage provider, currently AWS

2. Bizmate S.R.L, Via G. Leopardi, 96 95127 Catania, our subcontractor which has developed and offers V-App, used in connection with our provision of the Software

3. Our regulator (the ICO) and other professional advisers that we may work with from time to time such as our lawyers and accountants

4. Other companies within the PTG group

5. In anonymised form, PTG may share the information with

1. any third party, in relation to the sale of some or all of PTG’s business, or its assets, or as part of any business restructuring or reorganisation. PTG will take steps with the aim of ensuring that your rights continue to be protected if your personal data is transferred under these circumstances;

2. data aggregators and platform providers as part of an analysis of user metrics or sales performance; or

3. law enforcement agencies in compliance with law enforcement.

Links to third party websites:

PTG is not responsible for the privacy policies and practices of other sites even if you access them via the Software platform. You should check the policy of each site you visit and contact its owner or operator if you have any concerns or questions.

Security:

PTG has implemented technology and policies to safeguard your privacy from unauthorised access and improper use.

Storage and Data Retention:

We store your personal data in the UK. We retain your personal data for as long as reasonably necessary in line with the purposes for which it was originally collected. Where we engage any third party which transfers your personal data outside the UK and/or EEA then we ensure that we have in place appropriate agreements with such third party dealing with any adequacy requirements and transfer impact assessment requirements as required under applicable data protection legislation.

Cookies:

1. What are Cookies?

   Cookies are small text files that are placed on your device when you use the Software. PTG’s use of cookies is detailed below.

2. More information

   To find out more about how cookies work, how to manage and delete them and to see which ones have been set please visit www.aboutcookies.org or www.allaboutcookies.org.

PTG uses cookies and similar technologies in the following ways when you use the Software:

Necessary Cookies

PTG uses the following necessary cookies to: (a) manage sessions between customers/users and the AUTH server; and (b) to store access & refresh tokens.

authorizationCode

1. limited availability (60 min)

2. bound to a clientId and userId

3. can be exchanged for an accessToken and refreshToken once

accessToken

1. limited availability (2h)

2. bound to a userId

3. can be used for an unlimited number of requests before expiration

4. JSON web token, containing the basic user profile

refreshToken

1. unlimited availability (never expires)

2. bound to a userId

3. can be exchanged for a new accessToken and refreshToken once

Login flow

1. Redirect to the login page (passing response_type=code, redirect_uri and client_id as query parameters).

2. Exchange client credentials (and TOTP) for an authorizationCode.

3. Redirect to the callbackUrl (passing the authorizationCode).

4. Exchange authorizationCode for an accessToken and refreshToken.

5. Exchange refreshToken for a new accessToken and refreshToken, when accessToken is expired/invalid.

6. Redirect to the logout page on logout.

Exercising your rights:

You can contact us using the details set out in paragraph 10 below if you wish to: (i) access a copy of the personal data that we hold about you; (ii) correct any items of personal data that we hold about you; and/or (iii) have any items of personal data that we hold about you erased or object to our processing of such items of personal data. Please note that the foregoing rights only apply to the information set out in paragraph 2. The information set out in paragraph 3 is anonymous (in the case of the analytics data) or we process it to make it anonymous (in the case of the image data). In order to exercise your rights (where permitted by law to do so) in connection with such image data, you will need to contact the entity which is responsible for placing such smart cameras at the particular location.

PTG Details:

If at any time you would like to contact PTG about your views on this Policy or any enquiry relating to your personal information, you can do so by sending an e-mail to us at data@purpletransform.com or write to us at “Data Protection Query, Purple Transformation Group, The Granary, Kingston House Estate, Kingston Bagpuize, Oxfordshire, England, OX13 5AX”. You also have the right to make a complaint to the ICO by contacting them at any time.