Welcome to Purple Support

Data Categorization

  • Updated

Data Classification, Definitions & Retention

PCI - Data that pertains to an individual's payment card. Purple do not collect any PCI data. 

Personal - Data that pertains to a single identifiable person. Removed after 13 months of inactivity (i.e. the end-user hasn't used the service for 13 months). 

Client confidential - Data that if lost, would cause significant or ongoing financial or brand damage to a client. Removed at the end of a customer relationship or upon request. 

See how we compliantly capture first-party data, wherever your visitors are from

Data Collected

Pre-Authentication

Purple collects data about the client's device as soon as the client loads a splash page. This data is passed in the form of URL parameters by the network controller to the splash page, or is taken from HTTP headers passed by the browser.

Data type  Example Categorization Collected from
Client WiFi MAC address 00-00-00-00-00-00 Client
Confidential
URL
Access point MAC address 00-00-00-00-00-00 Internal URL
Venue/Company Store 52, Acme Shops Internal Customer database
SSID Free WiFi Internal URL
User-agent string Mozilla/5.0 (Linux;
Android 4.0.4; Galaxy
Nexus Build/IMM76B)
AppleWebKit/535.19
(KHTML, like Gecko)
Chrome/18.0.1025.133
Mobile Safari/535.19
Personal Request headers
The language of the page
being accessed, by default
from the browser's request
headers but the user may
override this by choosing
another language
en_GB Personal Request headers/user
input

 

Session/browsing data

Purple collects data about the individual web pages a user loads as part of the onboarding process, as well as some basic diagnostic information about those page loads to perform health checks and diagnose problems.

Purple does not track individual client transactions once they have completed the onboarding process (i.e. once they have logged in to use the Internet at the establishment).

This data is linked to the user via the client MAC passed by the controller (see Pre-authentication, above), and by the user's own web authentication (see Web authentication, below).

Data type  Example Categorization Collected from

URL loaded

/access/ Client
Confidential
Browser request

 

Web authentication

At the splash page, the end user is invited to enter data to authenticate to the WiFi. The exact data collected differs according to the configuration defined by the customer, and at a minimum the data collected may be no more than an acceptance of the terms and conditions of joining the WiFi. The customer may present the end user with multiple ways to authenticate, which are separated into three categories:

1. Registration form: This presents the user with a form that has to be populated by the user to proceed. The customer can choose which fields are optional and which are mandatory, but as a minimum at least one of email address or mobile number must be mandatory (which are used as a unique identifier of the user). 

2. Social authentication: Customers may choose to allow end users to authenticate via 3rd party authentication providers such as Facebook or X. In this case, the user is forwarded to the social provider to log in, and are invited to share data with the customer. After logging in at the provider, the data the user has agreed to share is passed back to the Purple platform. This data varies from provider to provider. If an end user chooses to authenticate via social authentication, they will still also have to enter any configured mandatory fields from the registration form (above) that haven't already been collected from the social authentication provider.

3. Custom authentication: Some customers may also have custom authentication methods, on a case by case basis agreed with Purple. These authentication methods are typically proprietary CRM systems. They typically behave in a way similar to social authentication providers (above), and the data collected from these systems is treated as Personal data.  

 

Registration form

These are the default fields available for registration forms, but customers can also add custom fields
that could be any data type. These custom fields are always treated as personal.

Data type  Example Categorization Collected from
First name Dan Personal User input
Last name Smith Personal User input
Email Dan.Smith@Gmail.com Personal User input
Mobile +447700123123 Personal User input
Password MyPassword123 Personal User input
Gender Male Personal User input
Title Mr Personal User input
Date of birth 1990-01-01 Personal User input
Postcode/ZIP OL9 8EH Personal User input

 

Facebook

More data is collected from Facebook than from other social providers. This data may or may not be collected from end users, depending on the user's own privacy settings and which data the user chooses to share at the point of authentication on Facebook (end users have granular control over data sharing and can choose not to share some of the data requested).

Data type  Example Categorization Collected from
First name Dan Personal Facebook
Last name Smith Personal Facebook
Email Dan.Smith@Gmail.com Personal Facebook
Gender Male Personal Facebook
Date of birth 1990-01-01 Personal Facebook
Home town Edinburgh, UK Personal  Facebook
User likes - a list of pages the user has liked Apple, Coca Cola, Facebook Personal Facebook

 

Additional Authentication Data

The customer may require other data during the registration process, including but not limited to surveys or NPS scores. Any user-input responses are always categorised as personal.

 

Post-authentication / network

Once the user has authenticated, the network controller starts passing basic network usage data to Purple's RADIUS servers via RADIUS accounting.

Data type  Example Categorization Collected from
Internal network IP address 10.0.0.101 Personal Network controller (via
RADIUS)
External network IP
address
87.1.1.1 Internal Network controller (via
RADIUS)
Client WiFi MAC address 00-00-00-00-00-00 Personal Network controller (via
RADIUS)
Access point MAC address 00-00-00-00-00-00 Internal Network controller (via
RADIUS)
Bytes uploaded 12345678 Internal Network controller (via
RADIUS)

Bytes downloaded

12345678 Internal Network controller (via
RADIUS)
Session start time 2023-01-01    00:00:00 Internal Network controller (via
RADIUS)
Session stop time 2023-01-01    00:00:00 Internal Network controller (via
RADIUS)
Session termination clause Idle-Timeout Internal Network controller (via
RADIUS)

 

Location data

Location data is data collected passively about WiFi-enabled devices in range of network access points. When a WiFi-enabled device makes probe requests looking for known WiFi network names, each access point in range can capture the WiFi MAC address of the device along with an RSSI (received signal strength indicator), which can be used to estimate how far from the access point the device is. When a device is associated with a WiFi network, the client MAC address and RSSI values are taken from network traffic and don't depend on probe requests.

When a customer has multiple access points collecting this data, the customer's network controller may also triangulate the data received by MAC address and return an X,Y coordinate which is an estimate of the position of the device relative to an uploaded map. Data for a single device MAC address and location is grouped into 'visits'. The collection of this data is optional and will depend on whether it is supported by the customer's network hardware. The exact data returned is also dependent on the customer's network hardware, but the data collected is aggregated by Purple into the data types below:

Data type  Example Categorization Collected from
Client WiFi MAC address (may be randomised, i.e.
not the client's real WiFi MAC address) 
00-00-00-00-00-00 Personal Network controller or
vendor location engine
Access point MAC address 00-00-00-00-00-00 Internal Network controller or
vendor location engine
Venue/company Store 52, Acme shops Internal Customer database

Time of request

  Internal Network controller or
vendor location engine
RSSI (received signal strength indicator) 50 Internal Network controller or
vendor location engine
X,Y coorindate 200,34 Client confidential Network controller or
vendor location engine
Visit start 2023-01-01    09:00:00 Internal Aggregation 
Visit end 2023-01-01    17:00:00 Internal Aggregation 

 

Feature specific

NLP

For those customers who have purchased and implemented our NLP sentiment analysis module, we collect the following via authentication with the company’s email account.

Data type  Example Categorization Collected from
Email address Dan.Smith@Gmail.com Personal Company's authenticated email account
Sentiment Positive/negative/can’t
determine
Internal Email body parse by
sentiment analysis
Email body "Hi, my experience at
your venue was great
thanks!”
Personal Company’s
authenticated email
account 

 

Wayfinding

For those customers who have purchased and implemented our Wayfinding module.

Data type  Example Categorization Collected from Used for
Email address Dan.Smith@Gmail.com Personal Company's authenticated email account Sending emails
containing the
personalised link
from the kiosk
(optional)
Access point MAC address 00-00-00-00-00-00 Internal Network controller
or vendor location
engine
positioning
Client WiFi MAC
address (may be
randomised, i.e. not the client's real WiFi MAC address)
00-00-00-00-00-00 Personal Network controller
or vendor location
engine
positioning
Venue/company Store 52, Acme shops Internal Customer database positioning

Time of request

  Internal Network controller or
vendor location engine
monitoring
RSSI (received signal strength indicator) 50 Internal Network controller or
vendor location engine
positioning
X,Y coordinate 200,34 Client confidential Network controller or
vendor location engine
positioning
Visit start 2023-01-01    09:00:00 Internal Aggregation  monitoring
Visit end 2023-01-01    17:00:00 Internal Aggregation  monitoring

 

Sensors

For those customers who have purchased and implemented our Sensors module.

Data type  Example Categorization Collected from
Image/Video (Obfuscated) Image of person
blurred and identifying
features removed and
replaced with a
coloured circle
Personal Xovis Sensor
Gender Male/Female/Unidenti
fied
Client
Confidential
Xovis Sensor
Share online:
Was this article helpful?
0 out of 0 found this helpful