PRIVACY POLICY

Last Updated: 23 April 2026

Utopia Plates Ltd ("we", "us", "our") operates the www.utopiaplates.co.uk website (the "Service"). We are the data controller responsible for your personal data.

This Privacy Policy explains what personal data we collect about you, how and why we use it, who we share it with, how long we keep it, and your rights under UK data protection law. It applies to all visitors to our website and to all customers who place an Order with us.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. References in this policy to "data protection law" are to those laws together with the Privacy and Electronic Communications Regulations 2003 (PECR) and any other applicable UK privacy legislation.

Unless otherwise defined in this policy, capitalised terms have the meanings given in our Terms & Conditions.

1. Who We Are

Data controller: Utopia Plates Ltd

Registered office:

Unit 1, Dragonville Industrial Park Dragon Lane Durham DH1 2XJ United Kingdom

Company number: 11660392 VAT number: GB 327 6279 79

For privacy questions, data subject requests or complaints about how we handle your data, please contact:

Email: [email protected] Phone: 0800 689 4795 Post: Data Privacy, Utopia Plates Ltd, Unit 1, Dragonville Industrial Park, Dragon Lane, Durham, DH1 2XJ

We are not legally required to appoint a Data Protection Officer and have not done so; privacy matters are handled by our nominated Privacy Lead, reachable via the contact details above.

2. Definitions

• Service — the www.utopiaplates.co.uk website operated by Utopia Plates Ltd.
• Personal Data — any information relating to an identified or identifiable living individual.
• Special Category Data — the more sensitive categories of personal data described in Article 9 UK GDPR (e.g. health, racial or ethnic origin, biometric data).
• Usage Data — data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, page view duration).
• Cookies — small files stored on your device (computer or mobile device).
• Data Controller — the person or entity who determines the purposes and means of processing personal data. Utopia Plates Ltd is the Data Controller of your Personal Data under this policy.
• Data Processor (or Service Provider) — any person or entity that processes data on behalf of the Data Controller.
• Data Subject (or User) — the living individual who is the subject of Personal Data.
• DVLA — the Driver and Vehicle Licensing Agency.
• RNPS — Registered Number Plate Supplier, regulated under the Vehicles (Crime) Act 2001.

3. Personal Data We Collect

We collect different categories of personal data depending on how you interact with us.

3.1 Information you give us

• Identity and contact data: first and last name, title, email address, postal address, telephone number.
• Account data: your customer account username, password (stored in hashed form) and stored preferences.
• Order data: your vehicle registration number(s), Order history and communications relating to your Order.
• Entitlement and identity documentation: your V5C logbook, V750 Certificate of Entitlement, V778 Retention Document, driving licence, passport or other proof of identity that you provide to satisfy RNPS requirements. We retain a serial number from each document.
• Payment data: we do not store full payment card details. We receive a transaction reference and limited card metadata (e.g. last four digits, card type, billing postcode) from our payment processors.
• Marketing data: your marketing preferences, subscription and unsubscribe history.
• Correspondence data: the content of emails, chat messages, calls and reviews you send to us.

3.2 Information collected automatically

• Usage Data: including IP address, browser type and version, device identifiers, operating system, pages viewed, referring URL, searches run, clicks, scrolls, time spent on pages and timestamps.
• Cookies and similar technologies: see section 7 below.

3.3 Information we receive from third parties

• DVLA: data confirming or declining registration assignments, transfer status and Certificate issue.
• Payment processors (Stripe, PayPal/Braintree): transaction status, fraud signals and limited card metadata.
• Fraud prevention, identity verification and credit providers where you apply for finance or where risk signals require verification.
• Couriers (e.g. Royal Mail, DPD): tracking and delivery information.
• Analytics and marketing partners: aggregated and pseudonymised traffic and conversion data.

We do not intentionally collect Special Category Data. Please do not submit any such data to us unless we specifically ask for it.

4. Sources of Your Data

We collect personal data:

• directly from you when you place an Order, create an account, subscribe to marketing, contact us, send documents, or interact with our Service;
• automatically when you use our website (via cookies and similar technologies);
• from third parties listed in section 3.3 above; and
• from publicly available sources where necessary (e.g. Companies House for business customers, DVLA records for registration verification).

5. How We Use Your Data and Our Legal Bases

Under UK GDPR we must have a lawful basis for each purpose for which we process your personal data. The table below sets out our purposes and the legal basis we rely on for each.

Purpose Categories of data Legal basis (UK GDPR Art 6) Taking, processing and fulfilling your Order (including manufacture, DVLA assignment and delivery) Identity, contact, order, entitlement/identity documentation, payment Contract (Art 6(1)(b)) Verifying identity and entitlement under RNPS rules Identity documentation, order Legal obligation (Art 6(1)(c) — Vehicles (Crime) Act 2001; Road Vehicles (Display of Registration Marks) Regulations 2001) Providing customer support, handling complaints and managing disputes Identity, contact, order, correspondence Legitimate interests (Art 6(1)(f)) — running our business and supporting customers Processing payments and preventing fraud and chargeback abuse Payment, identity, order, usage Contract (Art 6(1)(b)); legal obligation; legitimate interests in fraud prevention Record-keeping required by HMRC, Companies House, anti-money-laundering rules and other statutory obligations Identity, order, payment Legal obligation (Art 6(1)(c)) Sending service-related communications (order confirmations, transfer updates, delivery notifications) Identity, contact, order Contract (Art 6(1)(b)) Sending marketing communications about our own products and services to existing customers Identity, contact, marketing Legitimate interests (Art 6(1)(f)) supported by the "soft opt-in" in Regulation 22(3) PECR; with an unsubscribe option in every message Sending marketing communications to prospects and non-customers Identity, contact, marketing Consent (Art 6(1)(a)) Operating and improving the Service, analytics and website security Usage, identity, order Legitimate interests (Art 6(1)(f)); consent for non-essential cookies under PECR Sending abandoned-cart reminder emails Identity, contact, usage Consent where required; otherwise legitimate interests in completing a sale you have started Responding to lawful requests from the DVLA, police, courts or other public authorities As requested Legal obligation (Art 6(1)(c)); legitimate interests in supporting law enforcement Defending or bringing legal claims As relevant Legitimate interests (Art 6(1)(f)); legal claims (Art 9(2)(f) if special category) Supporting a merger, acquisition, business reorganisation or asset sale As relevant Legitimate interests (Art 6(1)(f))

Where we rely on legitimate interests we have assessed that our interests are not overridden by your rights and freedoms. You can contact us to request details of that assessment.

Where we rely on consent (for example, for marketing to non-customers or for non-essential cookies), you may withdraw that consent at any time.

6. Marketing Communications

We only send you marketing communications where we are permitted to do so under UK GDPR and PECR.

• Existing customers: we rely on the "soft opt-in" under Regulation 22(3) PECR to send you marketing about our own similar products and services, with a simple unsubscribe mechanism in every message.
• Prospects and non-customers: we send marketing only where you have given us consent.
• SMS and telephone marketing: we do not send marketing SMS or make marketing calls without your prior consent; and we check the Telephone Preference Service (TPS) where required.

You can opt out of marketing at any time by:

• clicking "unsubscribe" in any marketing email;
• replying STOP to any marketing SMS;
• emailing [email protected]; or
• updating your preferences in your account.

Opting out of marketing does not affect service-related messages about your Order.

6.1 Abandoned-cart emails

If you begin an Order but do not complete it, we may send you an automated reminder email within 24 hours of abandonment, only where all of the following apply:

• you entered your email address at checkout or were logged into your customer account;
• you added a product that is in stock to your cart; and
• you closed your browser or left the Service without completing your purchase.

Abandoned-cart emails always include an unsubscribe link. You can also opt out at any time by contacting us.

7. Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate, secure and improve our Service and to market to you.

Examples of the cookies we use:

• Strictly necessary cookies — required to operate the Service (e.g. session, checkout, security). These do not require consent.
• Preference cookies — remember your preferences and settings.
• Analytics cookies — help us understand how the Service is used (Google Analytics, BigCommerce analytics, Microsoft Clarity). Dropped only with your consent.
• Marketing and remarketing cookies — used to serve targeted advertising (Meta/Facebook, Google Ads). Dropped only with your consent.

You can manage your preferences at any time through our cookie consent banner or via your browser settings. If you refuse non-essential cookies, some parts of the Service may not function as intended. For more detail see our Cookie Policy.

8. Who We Share Your Data With

We share personal data only where we have a lawful reason to do so, and only with recipients who are contractually bound to keep your data secure.

Recipients include:

• The DVLA — for registration assignment, retention, Certificate issue and RNPS compliance.
• Couriers and logistics providers — Royal Mail, DPD and similar — to deliver your Order.
• Payment processors — Stripe, PayPal/Braintree and any finance provider you use to pay.
• Fraud prevention, identity verification and credit reference agencies — to prevent fraud and comply with financial-services rules where you apply for finance.
• Website and IT service providers — including BigCommerce (our e-commerce platform), hosting providers, email and CRM providers, analytics providers (Google, Microsoft Clarity), and marketing platforms (Meta).
• Professional advisers — lawyers, accountants, auditors and insurers under duties of confidentiality.
• Regulators, courts and law enforcement — where we are legally required or permitted to disclose, including Action Fraud, police, HMRC and the ICO.
• Acquirers, merger partners or successor entities — in connection with a business reorganisation, merger, acquisition or asset sale. We will give you notice before your data becomes subject to a different privacy policy.

We do not sell your personal data.

9. International Transfers

Some of our service providers and group partners are based outside the United Kingdom, particularly in the United States and the European Economic Area (EEA). Where we transfer personal data outside the UK, we ensure an appropriate safeguard is in place under Articles 45–49 UK GDPR, which may include:

• transfers to countries covered by a UK adequacy decision (including the EEA);
• the UK-US Data Bridge extension to the EU-US Data Privacy Framework for recipients certified under that framework;
• the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum; or
• a specific derogation under Article 49 (e.g. your explicit consent, or transfers necessary to perform a contract with you).

You can ask us for details of the safeguards we rely on for a specific transfer by emailing [email protected].

10. How Long We Keep Your Data

We keep personal data only for as long as we need it for the purposes set out in this policy. The table below sets out our standard retention periods.

Category Retention period RNPS records (vehicle registration, customer name and address, document serial numbers) 3 years from the Order date (as required by the DVLA) Order and transaction records (for tax and accounting) 6 years from the end of the tax year in which the transaction occurred (HMRC requirement) Customer account data While your account is active and for up to 3 years of inactivity thereafter Customer support correspondence 3 years from the date of the most recent contact Marketing preferences and unsubscribe records Indefinitely, to ensure we respect your choices Abandoned-cart data 30 days Website analytics data Up to 26 months (Google Analytics default) or as set in the analytics provider's retention settings CCTV footage at our Durham premises 30 days Call recordings 12 months Data relevant to actual or anticipated legal claims Until the limitation period has expired (typically 6 years, 12 years for deeds)

Where possible we delete, anonymise or aggregate personal data once the relevant retention period has ended.

11. Security of Your Data

We take the security of your data seriously and maintain appropriate technical and organisational measures to protect it against unauthorised access, loss, alteration or disclosure. These measures include:

• encryption of personal data in transit using TLS;
• access controls and role-based permissions for staff;
• secure, access-controlled storage of paper documents at our Durham premises;
• PCI-DSS-compliant payment processing via our payment providers (we do not store full card details);
• regular backups and tested recovery procedures;
• staff training on data protection and information security;
• secure destruction of paper records when no longer needed.

No method of internet transmission or electronic storage is 100% secure. While we use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

We will notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms, and we will notify you directly where required by law.

12. CCTV at Our Premises

Our Durham premises are monitored by CCTV for the prevention and detection of crime, the protection of our staff, customers and property, and to support DVLA compliance. CCTV footage is retained for 30 days save where footage is required as evidence for a longer period.

13. Call Recording

Telephone calls to and from Utopia Plates Ltd may be recorded for training, quality-assurance, dispute-resolution and fraud-prevention purposes. We rely on legitimate interests for these recordings. By calling us you are informed of this recording; you may ask for an unrecorded call where appropriate.

14. Your Rights Under UK Data Protection Law

You have the following rights in respect of your personal data:

• The right to be informed about how we use your data (this policy).
• The right of access — to obtain a copy of the personal data we hold about you.
• The right to rectification — to have inaccurate or incomplete data corrected.
• The right to erasure ("right to be forgotten") — to have your data deleted where the legal grounds in Article 17 UK GDPR apply.
• The right to restrict processing — to ask us to limit how we use your data in certain circumstances.
• The right to data portability — to receive your data in a structured, commonly used, machine-readable format and to have it transferred to another controller, where the processing is based on consent or contract and is carried out by automated means.
• The right to object — to processing based on legitimate interests or for direct marketing.
• Rights relating to automated decision-making and profiling under Article 22 UK GDPR.
• The right to withdraw consent where we rely on consent, at any time.

14.1 How to exercise your rights

To exercise any of these rights, please contact us using the details in section 1 or at [email protected].

We may ask you to verify your identity before responding. We will respond within one month of receiving your request, although this period may be extended by a further two months where the request is complex or where we have received a number of requests from you. We will tell you if this happens and explain why.

There is normally no charge for exercising your rights. We may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive.

14.2 Automated decision-making and profiling

We do not carry out any automated decision-making producing legal or similarly significant effects about you without human involvement. Where we use limited profiling for fraud prevention or marketing, you can object to this by contacting us.

15. Third-Party Services

We use carefully selected third-party services to deliver and improve our Service. Key third parties are set out below, with links to their privacy policies.

15.1 Analytics

• Google Analytics — provided by Google. Opt out using the Google Analytics opt-out browser add-on. See Google's Privacy Policy.
• BigCommerce analytics — our e-commerce platform collects limited browser, device and network data to help us operate the Service.
• Microsoft Clarity and Microsoft Advertising — session replay, heatmaps and behavioural metrics to improve the Service and for marketing. See the Microsoft Privacy Statement.

15.2 Behavioural Remarketing

• Meta (Facebook) — we may serve remarketing ads on Meta platforms based on your past interactions with the Service. See Meta's Privacy Policy. Opt out via your Meta ad preferences, your mobile device settings, or industry opt-out tools at youronlinechoices.com.

15.3 Payments

We do not store full payment card details. Payment information is provided directly to our PCI-DSS-compliant payment processors whose use of your data is governed by their own privacy policies:

• Stripe Privacy Policy
• PayPal Privacy Statement

16. Links to Other Sites

Our Service may contain links to other sites that are not operated by us. If you follow a third-party link you will be taken to a third-party site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

17. Children's Privacy

Our Service is directed at adults and is not intended for children.

We do not knowingly collect personal data from anyone under the age of 13 (the age of digital consent in the UK). Because you must be at least 17 to hold a UK driving licence and to order number plates, we do not knowingly sell to anyone under 17.

If you are a parent or guardian and you believe your child has provided us with personal data, please contact us and we will take steps to delete that data.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post any changes on this page and update the "Last Updated" date at the top.

Where a change is material, we will, where reasonably practicable, notify you by email or via a prominent notice on the Service before the change takes effect.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

19. Complaints and the Information Commissioner's Office

If you are not satisfied with how we have handled your personal data or responded to a data protection request, we would like the opportunity to put it right — please contact us first using the details in section 1.

You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO):

• Online: ico.org.uk/make-a-complaint
• Helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are a resident of the EEA, you also have the right to complain to your local data protection authority.

20. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected] General enquiries: [email protected] Phone: 0800 689 4795 Post:

Data Privacy Utopia Plates Ltd Unit 1, Dragonville Industrial Park Dragon Lane Durham DH1 2XJ

Company number: 11660392 VAT registration number: GB 327 6279 79

Last Updated: 23 April 2026