Our current turnaround time is 7-10 working days
What are you building for?
Tailored recommendationsPC builds across the site will be filtered to match your chosen use-case.

Privacy Policy

Last updated

This policy explains how CREATE PCS LTD ("CREATE PCs", "we", "us", "our") collects, uses, shares and protects personal information when you visit createpcs.co.uk (the "Site") or use any of our services (the "Services"). We are the data controller for the personal information we collect from you, and we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Registered office: Kings Court, London Road, Stevenage, Hertfordshire, SG1 2NG. Company number 13023802, registered in England and Wales.

Contact: 03333 444 127 · [email protected]

1. Information we collect

We collect personal information in the following ways:

Information you give us

  • Name, billing address, delivery address, email address, phone number — when you place an order, request a quote, or contact us through a form.
  • Payment information — handled by our payment processor (Stripe). We do not see or store full card numbers. We retain a tokenised reference, the last 4 digits and the expiry date so we can match payments to orders.
  • Order and build details — the configuration you ordered, special instructions you sent us, correspondence about the build, and warranty/RMA history.
  • Account credentials — if you save a build or create an account. Passwords are stored as one-way salted hashes; we cannot read your password.

Information we collect automatically

  • IP address, browser type, device type, operating system, referring URL, and pages viewed — collected by our hosting platform (Railway) and analytics providers.
  • Cookies and similar technologies — see our Cookies Policy for the full table.
  • Session interactions — Microsoft Clarity records mouse movements, clicks and scrolls during your visit (where you consent) to help us spot UX problems. Recordings are masked: form inputs and personal data are obscured before they reach Microsoft.
  • AI assistant chats — if you use the AI assistant in our PC configurator, we record the messages you send, the assistant’s replies, the build you were configuring at the time, and any feedback you give (a 👍/👎 and an optional comment). We use this to improve the assistant and the configurator. An email address is only stored if you choose to verify one in the chat. Please don’t enter sensitive personal information into the assistant — it isn’t the place for payment details.

2. Why we use your information

We process personal information for the following purposes, on the legal bases shown:

  • To fulfil your order — your name, address, phone, build configuration and payment details are processed under our contractual obligation to deliver what you bought.
  • To accept and process payment — Stripe processes your payment under our contract with them; for orders above £10,000 we also collect a card deposit and bank-transfer reference so we can reconcile the balance.
  • To send transactional emails — order confirmations, status updates, dispatch notifications and warranty correspondence, sent via Resend. This is necessary for the contract between us.
  • To provide customer support — phone, email and live correspondence about your order, build or warranty claim. Legal basis: contract.
  • To detect and prevent fraud — including card-not-present checks where billing and delivery addresses differ. Legal basis: legitimate interests (preventing financial loss).
  • To improve our website — analytics, session replay and conversion tracking. Legal basis: your consent, given via the cookie banner.
  • To send marketing — only where you have opted in. You can unsubscribe at any time using the link in any marketing email.
  • To meet legal and accounting obligations — invoices, VAT records and statutory retention periods. Legal basis: legal obligation.

3. Who we share your information with

We never sell your data. We share it only with the processors and partners we need to in order to run the business. The current list:

  • Stripe (Stripe Payments UK, Ltd.) — processes card payments, Apple Pay, Google Pay and bank-transfer (Pay by Bank) transactions. Stripe receives your name, email, billing address and card details.
  • Resend (Resend, Inc.) — sends transactional emails (order confirmations, status updates, enquiry acknowledgements). Receives your email address and the contents of the message.
  • Cloudflare, Inc. — provides DNS, CDN and bot-mitigation for the website. Receives IP address and request metadata.
  • Railway Corp. — hosts the website and database. Application logs and database backups are stored here.
  • Microsoft Clarity — session replay and heatmap analytics, where you have consented to "Statistics" cookies. Personal data in form fields is masked before recording.
  • Anthropic (Anthropic PBC) — powers the AI assistant in our PC configurator. When you chat with the assistant, the messages you send and the current build context are sent to Anthropic’s API to generate a reply. Anthropic does not use data submitted through its API to train its models, and retains it only briefly for safety and abuse monitoring. We also keep our own copy of these conversations (see "Information we collect automatically", above) to improve the service.
  • Google (Google LLC / Google Ireland Limited) — Google Analytics 4 (where you consent), Search Console (passive), and Google Customer Reviews (where you opt in after purchase).
  • CookieYes — manages cookie consent and stores your preferences. Receives a consent record only.
  • Couriers — your name, delivery address and phone number are passed to the courier we use to ship your order (commonly DPD or APC).
  • Professional advisers — solicitors, accountants and auditors, where required to operate the business.
  • Public authorities — where we are legally required to disclose information (e.g. court order, tax authority request).

4. International transfers

Most of our processors are based in the UK, EU or have UK adequacy decisions. Some (Stripe, Resend, Cloudflare, Microsoft, Google, Railway) are US-headquartered and process some data in the US. Where data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses with the UK addendum, or — for the US — the EU-US Data Privacy Framework and its UK extension, as applicable.

5. How long we keep your information

  • Order records — 7 years after the order, to meet HMRC accounting and VAT retention requirements.
  • Warranty records — for the duration of the warranty period (typically 5 years from delivery), plus 1 year.
  • Marketing consent and unsubscribe records — until you ask us to delete them or 3 years after your last interaction, whichever is sooner.
  • Analytics data — Google Analytics retention is set to 14 months; Microsoft Clarity retention is set to the platform default (currently 1 year).
  • Server and application logs — typically 30 days, longer where needed for security investigations.
  • AI assistant conversations — up to 24 months, after which they are deleted or anonymised. Kept only to improve the assistant and the configurator.

6. Your rights

Under UK GDPR you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, subject to our legal obligation to retain certain records (e.g. for HMRC).
  • Restriction — ask us to pause processing while we investigate a concern.
  • Portability — receive your data in a structured, machine-readable format and have it sent to another controller where technically feasible.
  • Objection — object to processing based on our legitimate interests, or to direct marketing at any time.
  • Withdraw consent — where we process on the basis of your consent, you can withdraw it at any time (this will not affect any processing carried out before the withdrawal).
  • Complain to the ICO — you can complain to the Information Commissioner’s Office at ico.org.uk. We’d prefer you raise the issue with us first so we can try to fix it.

To exercise any of these rights, email [email protected] from the email address associated with your account or order. We respond within one month.

7. Security

We use industry-standard measures to protect your data: TLS encryption in transit, encrypted databases at rest, hashed passwords, role-based admin access, and least-privilege API keys. Despite our efforts, no method of transmission or storage is completely secure — if you suspect your account has been compromised, contact us immediately at [email protected].

8. Children

Our Services are not directed at children. You must be at least 18 to place an order. Children between 13 and 18 may use the Services only with the permission and supervision of a parent or guardian. We do not knowingly collect personal information from children under 13.

9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. If we make material changes that affect how we use your personal data, we will notify you by email or with a prominent notice on the Site before they take effect.

10. Contact us

Privacy questions, data subject requests, or anything else about how we handle your information:

Email: [email protected]

Phone: 03333 444 127

Post: CREATE PCS LTD, Kings Court, London Road, Stevenage, Hertfordshire, SG1 2NG