Privacy Policy
This policy explains how Smash-It-IT Ltd collects, uses, protects and discloses your personal information when you visit our website or use our services.
01 Who We Are
Smash-It-IT Ltd ("we", "us", "our") is a company registered in England and Wales, operating the website smashitit.co.uk. We are the data controller responsible for your personal information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
02 Information We Collect
We collect personal information in the following circumstances:
Information you provide directly
- Contact & order details — your name, email address, telephone number and delivery/billing address when you make an enquiry or place an order.
- Account credentials — if you create an account, we hold a username and an encrypted password.
- Payment information — we do not store full card details; payments are processed by PCI-DSS compliant third-party providers on our behalf.
- Communications — messages you send us via email, contact forms or telephone.
- Marketing preferences — your opt-in or opt-out choices for promotional communications.
Information collected automatically
- Technical data — IP address, browser type and version, operating system and referring URLs.
- Usage data — how you navigate our site, time spent on pages and links clicked.
- Cookie data — see Section 8 for full details.
We do not collect special category data (e.g. health, ethnicity or biometric information) and we do not knowingly collect data from children under the age of 13.
03 How We Use Your Information
We process your data only where we have a lawful basis under UK GDPR:
Contract performance
- Processing and fulfilling your order for a custom-built PC or related product or service.
- Managing returns, repairs and warranty claims.
- Sending order confirmations, dispatch notifications and invoices.
Legitimate interests
- Preventing and detecting fraud or misuse of our services.
- Improving website performance and user experience.
- Responding to enquiries and providing customer support.
- Analysing aggregated, anonymised usage trends.
Consent
- Sending you marketing emails, newsletters or promotional offers — only where you have explicitly opted in.
- Placing non-essential cookies on your device.
Legal obligation
- Maintaining financial records as required by HMRC and applicable company law.
- Cooperating with law enforcement or regulatory authorities where legally required.
04 Disclosure to Third Parties
We do not sell, rent or trade your personal data. We may share it only with the following categories of third party, and only to the extent necessary:
Service providers & processors
- Payment processors — to handle card and online payments securely.
- Delivery and courier companies — to ship products to you.
- IT and hosting providers — who store website data on secure servers.
- Email and CRM platforms — used to manage customer communications.
- Analytics providers — to help us understand website usage (data is shared in aggregated or pseudonymised form only).
Legal & regulatory bodies
- We may disclose data to the police, HMRC, courts or other public authorities where required by law, or to protect the rights, property or safety of our customers, staff or business.
Business transfers
- In the event of a merger, acquisition or sale of business assets, your data may transfer to a successor entity subject to equivalent privacy protections.
All third-party processors are bound by data processing agreements requiring them to handle your data lawfully, securely and solely in accordance with our instructions.
05 Method of Disclosure
When we share data with authorised third parties we use the following methods to ensure secure transfer:
- Encrypted transmission — all data transferred electronically is sent over TLS/SSL-encrypted connections.
- Authenticated API integrations — where we connect with third-party platforms, we use authenticated, encrypted API calls.
- Contractual safeguards — data is shared only with parties who have signed a Data Processing Agreement (DPA) committing them to UK GDPR standards.
- Data minimisation — we share only the fields strictly required for the specific purpose.
- No unprotected international transfers — if data is sent outside the UK or EEA, we ensure adequate protection is in place via UK adequacy regulations or Standard Contractual Clauses (SCCs).
06 Security Practices
We maintain a range of technical and organisational measures to protect your personal information:
Technical measures
- HTTPS / TLS encryption across the entire website.
- Encrypted data storage — passwords are hashed using a strong algorithm; payment tokens are stored encrypted.
- Role-based access controls — staff access only the data needed for their role; access is logged and regularly reviewed.
- Firewall and intrusion detection on our hosting infrastructure.
- Regular software patching and vulnerability scanning.
- Secure, separated backups stored independently from primary systems.
Organisational measures
- Staff training on data protection and security awareness.
- Internal data protection policies and acceptable use standards.
- Documented data breach response procedures, including ICO notification within 72 hours where required.
- Regular review of third-party supplier security standards.
No method of internet transmission or electronic storage is 100% secure. While we apply industry-standard safeguards, we cannot guarantee absolute security. If you suspect any unauthorised access to your data, please contact us immediately.
07 Data Retention
We retain personal data only for as long as necessary for the purpose collected, or as required by law:
- Customer order records — retained for 7 years to comply with HMRC requirements.
- Account data — held for the duration of your account; deleted following a verified closure request.
- Marketing data — held until you withdraw consent or opt out.
- Website analytics data — anonymised or deleted after 26 months.
- Enquiry / contact data — retained for up to 2 years after last contact.
After applicable retention periods, data is securely and permanently deleted or anonymised.
08 Cookies
Our website uses cookies — small text files placed on your device. We use the following categories:
- Strictly necessary — essential for the website to function (e.g. session management, shopping basket). These require no consent.
- Analytics — help us understand how visitors interact with our site. Used only with your consent.
- Functional — remember your preferences such as login state. Used with your consent.
- Marketing — used to deliver relevant advertising. Used only with your explicit consent.
You can manage or withdraw cookie consent at any time via your browser settings or our cookie preference centre on the website.
09 Your Rights
Under UK GDPR you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you (a Subject Access Request).
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your data where we have no lawful reason to retain it.
- Right to restrict processing — ask us to pause processing in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decisions — we do not make solely automated decisions that have a legal or similarly significant effect on you.
To exercise any of these rights, contact us using the details in Section 11. We will respond within 30 calendar days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal obligations. The effective date at the top of this page will always indicate when the policy was last revised.
Where changes are material, we will notify you by email (if we hold your address) or by placing a prominent notice on our website. Continued use of our website following an update constitutes acceptance of the revised policy.
11 Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact us: