Creative4 Ltd is the data controller for personal data collected through PreprintAgent.
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under UK GDPR. For all data protection enquiries, contact us at the email above.
| Data | Required? | Consequence if not provided |
|---|---|---|
| Name and email address | Required | Cannot create an account or use the Service |
| Company name and country | Required | Cannot register a company account |
| Password | Required | Cannot log in; stored as a cryptographic hash only |
| VAT number / company registration | Required for invoicing (B2B) | Cannot issue compliant tax invoices |
| Billing address | Required for paid plans | Cannot process payment or issue invoices |
| Marketing consent | Optional | You will not receive marketing emails |
Billing address and VAT number for invoice purposes. Payment card details are processed directly by Stripe and are never stored by us.
Print files (PDFs, images) you upload are processed to deliver the Service. We treat uploaded files as strictly confidential and do not access them for any purpose other than providing the Service. Do not upload files containing special category personal data (e.g. health information, biometric data, racial or ethnic origin) without a separate written agreement with us.
| Purpose | Lawful Basis (UK GDPR) | Details |
|---|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) | Necessary to provide the Service you have requested |
| Delivering prepress processing services | Contract (Art. 6(1)(b)) | Core service delivery |
| Issuing invoices and managing payments | Legal obligation (Art. 6(1)(c)) | HMRC and Companies Act requirements |
| Sending service notifications (job status, system updates) | Contract (Art. 6(1)(b)) | Necessary to keep you informed about your jobs |
| Sending marketing emails | Consent (Art. 6(1)(a)) | Only if you opted in; you can withdraw consent at any time |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in protecting our platform and users from unauthorised access, abuse, and fraud outweighs any privacy impact given the limited data used |
| Improving the Service | Legitimate interests (Art. 6(1)(f)) | Aggregated, anonymised usage analysis only; our interest in product improvement outweighs the minimal privacy impact |
| Complying with legal obligations (tax, HMRC, court orders) | Legal obligation (Art. 6(1)(c)) | Statutory requirements |
The PreprintAgent platform processes your uploaded print files automatically (preflight, bleed, imposition). This is automated service delivery, not automated decision-making about you as an individual. It does not produce legal or similarly significant effects about you and therefore falls outside the scope of UK GDPR Article 22. You are always responsible for reviewing the output before use in production.
| Third Party | Purpose | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Cloud server hosting and file storage | Germany (EU) | UK–EU adequacy decision |
| Brevo (Sendinblue SAS) | Transactional and marketing email delivery; stores your email address and consent records | France (EU) | UK–EU adequacy decision |
| Stripe Inc. | Payment processing; processes billing address and payment card data | USA | UK IDTA / Standard Contractual Clauses |
| Cloudflare Inc. | DNS, CDN, DDoS protection, email routing | USA | UK IDTA / Standard Contractual Clauses |
| GitHub Inc. (Microsoft) | Source code hosting and CI/CD deployment pipeline; processes deployment metadata and code | USA | UK IDTA / Standard Contractual Clauses |
We do not sell your personal data to any third party. We do not share personal data with third parties for their own marketing purposes.
Where we transfer personal data to countries outside the UK, we ensure appropriate safeguards are in place. For transfers to the EU we rely on the UK Government's adequacy regulations. For transfers to the USA (Stripe, Cloudflare, GitHub), we rely on the UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses. You can request details of the specific safeguards applicable to any transfer by contacting us.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and company data | Duration of account + 2 years after closure | Legitimate interests (dispute resolution) |
| Uploaded print files | 90 days after job completion, then permanently deleted | Minimum necessary for service delivery |
| Invoices and financial records | 7 years from date of invoice | HMRC statutory requirement |
| Security and access logs | 12 months | Security monitoring |
| Marketing consent records | Until consent withdrawn + 1 year | Accountability under UK GDPR |
| Consent timestamps (ToS, DPA) | Duration of account + 7 years | Contractual and legal accountability |
You have the following rights regarding your personal data, exercisable by contacting us at [email protected]:
We will respond to all rights requests within one calendar month. We do not make solely automated decisions that produce legal or significant effects about you.
If you have consented to receive marketing emails, you can opt out at any time by:
We will process your opt-out within 5 working days. Unsubscribing from marketing does not affect service notifications, which are necessary for the operation of your account.
We use essential cookies and browser storage (localStorage/sessionStorage) to operate the Service. We do not use advertising or analytics cookies. For full details, see our Cookie Policy.
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.
We implement appropriate technical and organisational measures including: HTTPS/TLS encryption in transit, bcrypt password hashing, JWT authentication, rate limiting on all endpoints, firewall and access controls, and regular security updates. However, no internet transmission is completely secure and we cannot guarantee absolute security.
If you are unhappy with how we handle your data, please contact us first at [email protected]. You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO):
We may update this policy. We will notify you of significant changes by email or through a notice in the portal. The "Last updated" date above reflects the most recent version.