Who do these rights apply to?
These rights apply to everyone whose personal data we hold — not just EU or UK residents. While GDPR is an EU law and UK GDPR is its UK equivalent, we extend the same rights to all our customers worldwide as a matter of policy.
The specific laws that may apply to you depend on where you live:
- EU residents — GDPR (Regulation (EU) 2016/679)
- UK residents — UK GDPR + Data Protection Act 2018
- UAE residents — Federal Decree-Law No. 45 of 2021 (PDPL)
- California residents — CCPA / CPRA (see our dedicated California Privacy page)
- Everyone else — same rights, by our policy
What rights do you have?
You have eight specific rights over your personal data at JP Sheet:
1. Right of access Article 15
You can ask us for a copy of all personal data we hold about you, plus information about how we use it and who we share it with.
Example: "Send me everything you have on me." → We email you a JSON file with your account details, all verification orders, every chassis number you've searched, IP addresses, and contact history.
2. Right to rectification Article 16
If any data we hold about you is incorrect or incomplete, you can ask us to correct or complete it.
Example: "My email was wrong on order #12345 — please update it." → We update the record and confirm.
3. Right to erasure Article 17
Also called the "right to be forgotten" — you can ask us to delete your personal data. We will, unless we are legally required to keep it (e.g. tax records, fraud-prevention obligations).
Example: "Delete my account and all data associated with it." → We delete your profile, contact records and chassis search history. Order records may remain anonymised for tax and accounting law (6 years in most jurisdictions).
4. Right to restriction Article 18
You can ask us to stop processing your data temporarily — for example while you contest its accuracy or while you decide if you want it deleted.
Example: "Stop using my data for anything except keeping it stored, while I sort this out." → We freeze processing. You can still log in; we just don't analyse or share anything.
5. Right to data portability Article 20
You can request a copy of your data in a structured, commonly-used, machine-readable format (typically JSON or CSV), so you can take it elsewhere.
Example: "Send me my account data as JSON so I can import it elsewhere." → We send a JSON file with your profile, orders, searches and preferences.
6. Right to object Article 21
You can object to our processing of your data for direct marketing at any time — and we must stop immediately. You can also object to other processing based on our legitimate interests, and we will assess your objection.
Example: "Stop sending me marketing emails." → Immediate unsubscribe. You'll still receive transactional emails (order receipts, refund confirmations) because those are necessary to deliver the service you paid for.
7. Right not to be subject to automated decisions Article 22
You have the right not to be subject to decisions made solely by automated processing that significantly affect you, without meaningful human involvement.
Example: If we were ever to use AI to automatically deny a refund, you could demand a human review. (We don't currently do this — refunds are always reviewed by a person.)
8. Right to lodge a complaint Article 77
If you believe we've mishandled your data and we haven't resolved it to your satisfaction, you have the right to complain to your country's data protection authority.
Where to complain: UAE TDRA · UK ICO (
ico.org.uk) · EU member states each have their own — find yours at
edpb.europa.eu · Pakistan and other jurisdictions: contact your national consumer protection or data protection authority.
How do I exercise a right?
The process is the same for all eight rights:
- Email us at [email protected]
- Subject line: "Data Rights Request — [which right]"
- In the body: tell us what you want (e.g. "Please send me a copy of all data you hold about me", or "Please delete my account"). If your request relates to a specific order, include the order number or chassis you searched.
- Identity verification: we may ask you to confirm your identity using the email address you registered with — this is to stop someone else exercising rights on your behalf without authorisation.
- We respond within 30 days (GDPR standard). For complex requests we may extend this to 60 days and will tell you in advance.
Submitting a data rights request is completely free. We do not charge a fee. The only exception is for requests that are excessive or repetitive (GDPR Article 12(5)) — but this is rare and we will explain if it applies.
What personal data does JP Sheet hold about you?
For transparency, here is what we typically hold for an active customer:
- Account information: email address, name (if provided), password hash, country (if provided)
- Order history: all verifications, translations, Deeper Scans, manual searches you've purchased — including chassis numbers, dates, amounts, payment method (tokenised, not actual card)
- Searches: chassis numbers you have looked up (whether or not a result was found)
- Communication: emails, WhatsApp chats, support tickets, chatbot conversations
- Technical data: IP address (for rate limiting and fraud prevention), browser type, approximate location
- Marketing preferences: cookie consent, email subscription status
For a full account of how we collect and use each category, see our Privacy Policy. For where data is processed geographically, see International Data Transfers.
