
Privacy Policy

📅 Effective date: 1 April 2026 🏢 Purple Giraffe Studio 📧 hello@purplegiraffe.cc

Contents

  • 1. Who we are
  • 2. What we collect
  • 3. How we use it
  • 4. Email communications
  • 5. Third parties
  • 6. Data retention
  • 7. Your rights
  • 8. Cookies
  • 9. Children
  • 10. Changes
  • 11. Contact

Plain English summary: We collect your email address and the website URL you scan. We use this to deliver your report and send follow-up emails. We do not sell your data. We use Paddle for payments (they process your card; we never see it). You can ask us to delete your data at any time.

1 Who we are

Purple Giraffe Studio ("we", "us", "our") operates the website purplegiraffe.cc and the EU greenwashing compliance audit tool at purplegiraffe.cc/audit. We are based in Nairobi, Kenya.

This Privacy Policy explains how we collect, use, and protect personal data in connection with our services. We are committed to handling your data responsibly and transparently.

For users in the European Economic Area (EEA), we process your personal data in accordance with the General Data Protection Regulation (GDPR) where applicable, even as a non-EEA business processing data of EEA residents.

2 What data we collect

2.1 Data you provide

  • Email address: provided voluntarily when you request a full report or contact us
  • Website URL: the URL you submit for compliance scanning
  • Content you paste: if you use the manual paste feature, the text content you submit
  • Communications: emails and messages you send us

2.2 Data collected automatically

  • Scan results: compliance scores, violations found, and report data associated with each scan
  • IP address and browser information: collected by our hosting provider for security and performance purposes
  • Usage data: pages visited, scan events, and general usage patterns

2.3 Payment data

We do not collect or store payment card details. All payment processing is handled by Paddle.com Market Limited. Paddle may share your email address and transaction reference with us for order fulfilment. See Paddle's privacy policy at paddle.com/legal/privacy.

3 How we use your data

We use the data we collect for the following purposes:

  • Service delivery: generating your compliance report, delivering it by email, and making it available for download
  • Email communications: sending your report, follow-up emails about your scan, and responses to your enquiries (see Section 4)
  • Service improvement: analysing scan data in aggregate to improve the accuracy of our compliance analysis
  • Security: detecting fraud, abuse, and unauthorised access
  • Legal obligations: complying with applicable laws, responding to lawful requests

Our legal basis for processing under GDPR is:

  • Contract performance (Article 6(1)(b)): processing necessary to deliver the service you purchased
  • Legitimate interests (Article 6(1)(f)): improving our service, security, and fraud prevention
  • Consent (Article 6(1)(a)): for marketing emails where we seek your consent

4 Email communications

If you provide your email address during the upgrade flow, we will send you:

  • Your compliance report (immediately after payment confirmation)
  • A follow-up email 48 hours after a free scan if you have not purchased
  • A value email 7 days after a free scan with a free fix you can implement
  • A follow-up 5 days after purchase asking if the report was useful

You can opt out of follow-up emails at any time by replying "unsubscribe" or contacting hello@purplegiraffe.cc. Transactional emails (report delivery, payment confirmation) cannot be opted out of as they are necessary for service delivery.

We do not send unsolicited marketing emails. We do not add your email to any third-party mailing list without your explicit consent.

5 Third parties we share data with

We share personal data with the following third parties only as necessary to deliver our services:

  • Paddle.com Market Limited: payment processing and invoicing. Paddle acts as our Merchant of Record.
  • Anthropic, PBC: AI analysis of website content submitted for scanning. Content submitted through our tool is processed by Anthropic's API. See Anthropic's privacy policy at anthropic.com/privacy.
  • Mailtrap / transactional email provider: sending compliance report emails. We use a transactional email service to deliver reports.
  • Hosting provider: our website and application are hosted on a third-party server. Server logs may include your IP address.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6 Data retention

We retain your data for the following periods:

  • Scan records and reports: 24 months from the date of scan, after which they are anonymised or deleted
  • Email address: retained for as long as your scan record exists, or until you request deletion
  • Payment records: retained for 7 years as required for tax and accounting purposes (held by Paddle)

You may request deletion of your personal data at any time (see Section 7). Deletion of scan records will also remove access to the associated full report.

7 Your rights

Depending on your country of residence, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate data
  • Deletion: request deletion of your personal data ("right to be forgotten")
  • Portability: request your data in a machine-readable format
  • Objection: object to processing based on legitimate interests
  • Restriction: request that we restrict processing in certain circumstances
  • Withdraw consent: withdraw consent for processing where consent is the legal basis

To exercise any of these rights, contact us at hello@purplegiraffe.cc. We will respond within 30 days. We may need to verify your identity before acting on your request.

If you are in the EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection supervisory authority.

8 Cookies

Our website uses minimal cookies necessary for the operation of the service, including session cookies to maintain your scan state. We do not use advertising cookies or third-party tracking cookies.

Your browser settings allow you to control or delete cookies. Disabling session cookies may affect the functionality of the audit tool.

9 Children

Our services are intended for business users only and are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@purplegiraffe.cc.

10 Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. We will notify you by email of material changes where we hold your email address.

11 Contact

For any privacy-related questions, data access requests, or deletion requests:

Purple Giraffe Studio

📧 hello@purplegiraffe.cc

Subject line: Privacy request - [your name]

We aim to respond to all privacy requests within 5 business days.
