Legal

Privacy Policy

How InPass and PurpleMESH Solutions collect, use, and protect your information.

Last updated: March 2026

1. Overview

InPass is a product of PurpleMESH Solutions ("we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when insurance carriers ("Carriers") and their policyholders ("End Users") use the InPass platform.

By using InPass, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the platform.

Our role under data protection law. PurpleMESH Solutions is headquartered in Hyderabad, India. For data we collect directly through this website and our marketing operations, we act as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and as a Controller under the EU/UK General Data Protection Regulation ("GDPR"). For policyholder data that our carrier customers transmit to us through the InPass API, we act as a Data Processor under DPDP / Processor under GDPR, operating under the carrier's documented instructions.

2. Information We Collect

From Carriers (B2B customers): When a carrier integrates InPass, we collect:

  • Business contact details (name, email, company, role)
  • API credentials and integration configuration data
  • Policy data transmitted via the InPass API (policy numbers, coverage details, holder names — as configured by the carrier)
  • Usage and analytics data (pass delivery rates, wallet add events, API call logs)

From End Users (policyholders): InPass operates as a pass delivery mechanism on behalf of carriers. We collect minimal end-user data:

  • Device type (Apple or Google) for pass delivery routing
  • Pass add/remove events (anonymized)
  • We do not store full policyholder PII beyond what is required to render and deliver the wallet pass

3. How We Use Your Information

  • To generate, deliver, and update wallet passes on behalf of carriers
  • To provide carrier analytics and adoption reporting
  • To operate, maintain, and improve the InPass platform
  • To respond to support requests and communicate product updates
  • To comply with applicable legal obligations

4. Data Sharing

We do not sell your data. We do not share personal information with third parties for marketing purposes. We may share data with:

  • Service providers: Cloud infrastructure, analytics, and security vendors operating under data processing agreements
  • Apple and Google: Pass delivery requires transmission to Apple PassKit and Google Wallet APIs — governed by their respective privacy policies
  • Legal requirements: Where required by applicable law, court order, or governmental authority

5. Data Retention

Carrier account data is retained for the duration of the contract plus 90 days. Pass delivery logs are retained for 12 months for analytics purposes. End-user pass data is retained only as long as the pass is active. Carriers may request deletion of their data at any time by contacting hello@purplemesh.in.

6. Security

InPass implements industry-standard security measures including:

  • All passes are cryptographically signed using Apple PassKit certificates and Google Wallet signing keys
  • Data in transit is encrypted using TLS 1.2+
  • Data at rest is encrypted using AES-256
  • Access controls, audit logging, and periodic security reviews are in place
  • We are working toward SOC 2 Type II certification

7. Your Rights

Depending on your jurisdiction, you have some or all of the following rights over your personal data:

  • Access — obtain a copy of the personal data we hold about you
  • Correction — have inaccurate or incomplete data fixed
  • Erasure / deletion — have your data deleted, subject to lawful retention obligations
  • Withdraw consent — at any time, where processing is based on consent
  • Object or restrict — stop or limit certain processing (GDPR)
  • Portability — receive your data in a structured, machine-readable format (GDPR)
  • Nominate — designate someone to exercise your rights in the event of death or incapacity (DPDP Act)
  • Grievance redressal — raise a complaint with our Grievance Officer (DPDP Act); see Section 10
  • Lodge a complaint — with a supervisory authority (the Data Protection Board of India, or your local EU/UK regulator)

To exercise any of these rights, contact us at hello@purplemesh.in. We will respond within 30 days.

8. Children's Privacy

InPass is a B2B platform not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify carriers of material changes via email or platform notification. Continued use of InPass after changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, data-rights requests, or DPDP Act grievances, please contact our Grievance Officer:

Under the DPDP Act, if your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.