1. Introduction
WasteLocate ("we," "our," or "us") operates the EWC Waste Management System platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Contact: info@wastelocate.co.uk
2. Information We Collect
2.1 Personal Information You Provide
- Account Information: Email address, password (protected using industry-standard hashing)
- Profile Data: Company name, contact details (if voluntarily provided)
- Payment Information: Processed securely through Stripe. We do not store complete card details on our servers
- Communications: Messages, support requests, feedback you send to us
2.2 Information Collected Automatically
- Usage Data: Search queries, EWC codes searched, facilities viewed, timestamps
- Log Data: IP address, browser type and version, device type, operating system
- Location Data: Postcode information when entered for distance calculations (not stored permanently)
- Cookies and Tracking: See Section 5 for detailed cookie policy
- Device Information: Unique device identifiers, mobile network information
2.3 Information from Third Parties
- Payment Processors: Transaction confirmations and payment status from Stripe
- Authentication Services: Email verification status from Supabase
3. How We Use Your Information
We process your personal data under the following legal bases and for these purposes:
| Legal Basis | Purpose |
|---|---|
| Contract Performance | To provide access to our EWC search tool, facility database, and premium features you've purchased |
| Contract Performance | To process subscriptions, one-time payments, and issue invoices |
| Contract Performance | To create and maintain your account, manage subscriptions, and provide customer support |
| Legitimate Interest | To send service updates, respond to inquiries, and provide important notices |
| Legitimate Interest | To analyze usage patterns, improve functionality, and develop new features |
| Legitimate Interest | To protect against unauthorized access, fraud, and abuse of our platform |
| Legal Obligation | To comply with UK tax laws, environmental regulations, and other legal requirements |
| Consent | To send promotional emails about new features (you can opt out anytime) |
4. Data Sharing and Disclosure
We may share your information with the following third parties:
4.1 Service Providers (Data Processors)
- Supabase: Database hosting and authentication (GDPR compliant, ISO 27001 certified)
- Stripe: Payment processing (PCI DSS Level 1 certified, GDPR compliant)
- Netlify: Website hosting and CDN services (GDPR compliant)
- Email Service Providers: For transactional and service emails
All processors are bound by Data Processing Agreements (DPAs) and contractually obligated to protect your data.
4.2 Waste Facilities
When you contact a facility through our platform or express interest in their services, they may receive limited contact information you choose to share. We are not responsible for how facilities use your information once shared.
4.3 Legal Requirements
We may disclose your information if required by law, court order, or to:
- Comply with legal processes or governmental requests
- Enforce our Terms of Service
- Protect the rights, property, or safety of WasteLocate, users, or the public
- Investigate fraud or security issues
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. You will be notified via email and/or prominent notice on our site before your data is transferred and becomes subject to a different privacy policy.
We will NEVER:
- Sell your personal data to third parties for marketing purposes
- Share your data with advertisers without explicit consent
- Use your search history for purposes beyond service improvement
5. Cookie Policy
We use cookies and similar tracking technologies to enhance your experience. When you first visit our site, you'll see a cookie consent banner allowing you to accept or decline non-essential cookies.
5.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Can You Decline? |
|---|---|---|---|
| Essential/Necessary | Authentication, security, session management, site functionality | Session / Up to 1 year | No - Required for site operation |
| Analytics/Performance | Usage statistics, page views, error tracking, performance monitoring | Up to 2 years | Yes |
| Functional | Remember preferences, language settings, customization | Up to 1 year | Yes |
| Marketing/Advertising | Personalized ads, campaign tracking, remarketing | Up to 1 year | Yes |
5.2 Managing Cookies
You can control cookies through:
- Cookie Banner: Adjust preferences when you first visit (or click "Cookie Settings" in footer)
- Browser Settings: Most browsers allow you to refuse cookies. Note that disabling essential cookies may limit functionality
- Opt-Out Tools: Use browser extensions like Privacy Badger or Ghostery
5.3 Third-Party Cookies
Some cookies are set by third-party services we use (e.g., analytics providers). These are governed by the respective third party's privacy policy.
6. Your Data Protection Rights (UK GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
- Request copies of your personal data. We'll provide it within 30 days in a portable format.
- Correct inaccurate or incomplete data. You can update most information in your account settings.
- Request deletion of your personal data when no longer necessary for original purpose.
- Limit how we use your data while we investigate accuracy or resolve disputes.
- Receive your data in a structured, commonly used format (e.g., CSV, JSON).
- Object to processing based on legitimate interests, direct marketing, or research.
- We don't use automated decision-making or profiling that significantly affects you.
- Where processing is based on consent, you can withdraw it at any time.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: info@wastelocate.co.uk (include "Data Rights Request" in subject)
- Response Time: We'll respond within 30 days (may extend by 60 days for complex requests)
- Verification: We may request identification to verify your identity
- No Fee: We don't charge for most requests unless manifestly unfounded or excessive
7. Data Security
We implement comprehensive security measures to protect your personal data:
7.1 Technical Safeguards
- Encryption in Transit: All data transmitted via HTTPS/TLS 1.3
- Encryption at Rest: Database encryption using AES-256
- Password Security: Bcrypt hashing with salting (never stored in plain text)
- Secure Infrastructure: ISO 27001 certified hosting providers
- Firewalls & DDoS Protection: Multi-layered network security
- Regular Backups: Automated daily backups with 30-day retention
7.2 Organizational Safeguards
- Access Controls: Role-based access, minimum necessary principle
- Staff Training: Regular data protection and security training
- Security Audits: Periodic vulnerability assessments and penetration testing
- Incident Response: Documented procedures for data breach management
7.3 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.
Your Responsibility:
- Keep your password secure and don't share it
- Use strong, unique passwords
- Enable two-factor authentication when available
- Log out from shared devices
- Report suspicious activity immediately
8. Data Retention
We retain your personal data for as long as necessary for the purposes stated in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information (Active) | Duration of account + 6 years | UK tax and accounting requirements |
| Account Information (Closed) | 30 days for recovery period, then deleted | Allow account reactivation |
| Search History | 2 years | Service improvement and analytics |
| Payment Records | 7 years | HMRC tax requirements |
| Support Communications | 3 years | Quality assurance and legal defense |
| Marketing Consent | Until withdrawn, reviewed every 2 years | Email marketing regulations |
| Server Logs | 90 days | Security monitoring and troubleshooting |
After retention periods expire, we securely delete or anonymize your data so it can no longer identify you.
10. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at info@wastelocate.co.uk. We will take steps to remove such information from our systems.
11. Third-Party Links
Our site may contain links to third-party websites (e.g., waste facility websites, regulatory guidance documents). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of significant changes by:
- Email to your registered address
- Prominent notice on our website
- Updated "Last Updated" date at the top of this policy
Continued use of our service after changes constitutes acceptance of the updated policy. If you disagree with changes, please discontinue use and contact us to close your account.
13. Contact Us & Complaints
For privacy-related inquiries, to exercise your rights, or submit a complaint:
Email: info@wastelocate.co.uk
Response Time: We aim to respond within 48 hours for urgent requests, 7 days for standard inquiries.
14. Definitions
- Personal Data: Information relating to an identified or identifiable individual
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- Consent: Freely given, specific, informed agreement to data processing
- Data Subject: Individual to whom personal data relates (you)