This Privacy Policy explains how CPC Express LTD ("we", "us", "our") collects, uses, shares and protects your personal data when you visit our website, book Driver CPC training, or otherwise interact with us. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

The data controller for the personal data we collect is:

• Company name: CPC Express LTD
• Company number: 15901941 (registered in England and Wales)
• Registered address: Rylance Farm Industrial Estate, Walton Lane, Barton Under Needwood, Staffordshire, DE13 8EJ
• Email: bookings@cpcexpress.co.uk
• Phone: 01283 895777

2. Personal data we collect

We collect different types of personal data depending on how you interact with us:

When you book a course

• Full name
• Email address
• Phone number
• Driving licence number (required for DVSA upload)
• Postal address (for billing where applicable)
• Course preferences (date, type, format)

When you make a payment

Card payments are processed by Stripe. We do not see, store or have access to your full card number, CVV, or expiry date. We only receive a payment confirmation, the last 4 digits of the card, and the cardholder's billing details.

When you join a course

• Photo identification (driving licence) shown on camera at the start of the session for DVSA verification
• Live attendance and engagement data captured by the trainer
• Audio and video data via Zoom during the session (used only for live delivery, not recorded by us unless explicitly stated)

When you contact us

• Email content, contact form submissions, phone enquiries
• Any details you choose to share

When you visit our website

• IP address, browser type, device type, operating system
• Pages viewed, time on site, referring website
• Cookie data (see section 10)

3. How we use your data

We use your personal data for:

• Delivering your training course — issuing joining instructions, verifying ID, uploading completed hours to DVSA
• Processing payments — through our payment partners
• Customer support — answering questions, resolving issues, providing booking confirmations and receipts
• Legal and regulatory compliance — keeping records for tax, audit, and DVSA requirements
• Marketing — sending you relevant offers, course updates and renewal reminders (you can opt out at any time)
• Improving our services — analysing how customers use our website to make it better
• Fraud prevention — protecting against unauthorised use of payment systems

4. Our lawful basis for processing

Under UK GDPR, we must have a lawful basis to process your data. We rely on:

• Contract performance — to deliver the training course you've booked
• Legal obligation — to upload your training to DVSA, keep tax records, and comply with operator regulations
• Legitimate interest — to send renewal reminders, prevent fraud, and improve our services in ways you'd reasonably expect
• Consent — for marketing emails and non-essential cookies (you can withdraw consent at any time)

5. Who we share your data with

We share data only with trusted third parties who help us deliver our service:

• DVSA via the NLTC consortium (AC00591) — for mandatory upload of training hours to your CPC record
• Stripe — for processing card payments
• Resend — for sending transactional emails (booking confirmations, course joining instructions)
• Zoom — for delivering live online courses
• Hosting and IT providers — who store our website and customer database (within the UK or EU)
• HMRC and other regulators — where legally required

We never sell your personal data to anyone.

6. How long we keep your data

We keep different types of data for different periods:

• Booking and training records: at least 6 years (HMRC and audit requirement)
• Financial records: 7 years (UK tax law)
• Marketing data: until you unsubscribe, or 3 years of inactivity (whichever is sooner)
• Customer support communications: up to 3 years for service quality and dispute resolution
• Website analytics: up to 26 months (anonymised)

7. How we keep your data secure

We use industry-standard security measures to protect your data:

• SSL/TLS encryption on all data in transit
• Secure password and access controls
• Regular software and security updates
• PCI-DSS compliant payment processing via Stripe
• Access to personal data limited to staff who need it for their role

No system is 100% secure. If we ever experience a data breach affecting your personal data, we'll notify you and the ICO as required by law.

8. Your rights

Under UK GDPR, you have the right to:

• Be informed — about how we use your data (this policy)
• Access — request a copy of the data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention rules)
• Restrict processing — limit how we use your data
• Data portability — receive your data in a structured, machine-readable format
• Object — to processing based on legitimate interest, including marketing
• Withdraw consent — at any time where we rely on consent

To exercise any of these rights, email bookings@cpcexpress.co.uk. We'll respond within 30 days. There's no charge for most requests.

If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

9. Marketing communications

We may send you marketing emails about Driver CPC training, renewal reminders, and relevant offers if you have:

• Bought a course from us (legitimate interest, "soft opt-in")
• Explicitly subscribed to our marketing emails

Every marketing email includes an unsubscribe link. Click it once to stop receiving marketing from us. You can also email us directly at bookings@cpcexpress.co.uk to opt out.

Opting out of marketing doesn't stop transactional emails (course joining instructions, receipts, etc.) — those are part of the service you've bought.

10. Cookies and tracking

We use cookies to make the site work and to understand how visitors use it. For full details — including which cookies, why we use them, and how to control them — see our Cookie Policy.

11. International transfers

Most of our data stays within the UK or European Economic Area (EEA). Some of our service providers (e.g. Stripe, Zoom, Resend) may process data in the United States. When this happens, we rely on:

• The UK's adequacy decisions (where applicable)
• Standard Contractual Clauses (SCCs) approved by the ICO
• Other appropriate safeguards as required by UK GDPR

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will reflect any changes. For significant changes, we'll notify you by email or through a notice on the website. We recommend reviewing this page periodically.