Privacy Policy
The short version. We collect only the information we need to take your order, ship it and look after your account. We never sell your data. Payments are handled by Stripe and never touch our servers. You can ask to see, correct or delete your data at any time.
1. Who we are
CARIX is a trading style of A Star Customs, based in the United Kingdom. For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, we are the data controller of any personal data you provide through carix.uk.
2. Personal data we collect
Account data
When you register an account we collect your email address, your display name (optional), and a securely hashed copy of your password. We do not store your password in plain text.
Order data
When you place an order we collect your shipping address, your billing address (if different), your contact phone number where provided, the products you ordered, and the customisation details for any Custom Products.
Payment data
Payments are processed by Stripe. Your card number, expiry, CVC and any 3D-Secure authentication are exchanged directly between your browser and Stripe — they never reach our servers. We receive a Stripe payment-intent ID, the last four digits of the card and the result of the charge, which we store against your order for accounting and customer-support purposes.
Communication data
If you submit a contact form or email us we keep a record of the message and our reply so we can follow up.
Technical data
Our web server records standard request logs (IP address, timestamp, request path, user-agent) for the operation, security and debugging of the Website. These logs are kept for a short period and are not used for marketing or profiling.
3. How we collect it
- Directly from you when you create an account, place an order, or contact us.
- From Stripe in respect of payment outcomes, in line with their privacy policy.
- Automatically from your device through standard server logs and the strictly-necessary cookies described in clause 8.
4. How we use your data
- To accept and process your order and take payment.
- To make and ship your Products and to keep you updated on the status of your order.
- To manage your account, including authentication, password reset and order history.
- To respond to your enquiries and provide customer support.
- To detect, investigate and prevent fraud or misuse of the Website.
- To meet our legal and accounting obligations (for example tax record-keeping).
- To improve the Website, its design and our products. We do not use your data for automated decision-making or profiling.
5. Lawful bases for processing
- Contract. We process order, account and payment data because it is necessary to perform our contract with you (your order).
- Legitimate interests. We process technical and security data, and a minimum of communication data, in our legitimate interest of operating, securing and improving the Website. We balance this against your rights and freedoms; you may object — see clause 11.
- Legal obligation. We retain certain order and tax records for the periods required by UK law.
- Consent. Where required by law, we ask for your consent before sending marketing emails or setting non-essential cookies. You may withdraw consent at any time.
6. Who we share data with
We share personal data only with the third parties that help us run the business:
- Stripe — payment processing.
- Royal Mail and our courier partners — fulfilment and delivery of your order. They receive your name, shipping address and a tracking reference.
- Our hosting and email infrastructure providers — operating the Website and sending order-confirmation emails. These providers act as data processors on our behalf under written agreements.
- Professional advisers and authorities — accountants, auditors and law-enforcement bodies where we are legally required or permitted to share information.
We do not sell your personal data and we do not share it with advertising networks.
7. International transfers
Some of our service providers (notably Stripe and certain email-delivery services) may process data outside the United Kingdom. Where this happens we rely on UK-approved transfer mechanisms — most often the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, together with an assessment of the adequacy of protection in the destination country.
8. Cookies
We use a small number of strictly-necessary cookies to keep you signed in, remember your basket between page loads, and protect against cross-site request forgery. These do not require consent under the Privacy and Electronic Communications Regulations 2003.
We do not currently use third-party advertising or tracking cookies. If we add analytics cookies in the future we will ask for your consent first and update this policy.
9. How long we keep your data
- Order records: 6 years after the order date, in line with UK tax-record requirements.
- Account data: for as long as your account remains active, plus a short grace period after closure for fraud-prevention purposes.
- Contact-form messages: up to 2 years after our final reply, then deleted unless we need to keep them for a legal reason.
- Server logs: typically 30 days, longer where we are investigating a security incident.
10. Security
We protect your data with appropriate technical and organisational measures: HTTPS/TLS in transit, hashed and salted password storage, principle-of-least-privilege access controls, regular software updates, and CSRF and rate-limiting protections on authentication endpoints. No system is ever 100% secure, but we treat the security of your data as a priority and notify both you and the Information Commissioner's Office (ICO) where we are required to do so in the event of a personal-data breach.
11. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- rectify data that is inaccurate or incomplete;
- erase your data ("right to be forgotten") in certain circumstances;
- restrict our processing of your data;
- object to processing based on our legitimate interests or for direct marketing;
- portability — receive your data in a commonly used machine-readable format; and
- withdraw consent where we rely on it, at any time.
To exercise any of these rights please contact us. We aim to respond within one month, as required by law.
12. Children's data
The Website and our Products are not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. Material changes will be flagged on the Website and the "last updated" date at the top of the page will be revised. Your continued use of the Website after a change constitutes acceptance of the updated policy.
14. Complaints
If you are unhappy with the way we handle your personal data, please raise it with us in the first instance — we'd like the chance to put it right. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office, at ico.org.uk.
15. Contact
Privacy questions, data-subject requests and security disclosures: contact us. We aim to respond within two working days, and to substantive data-rights requests within one month.