Privacy Policy
Last updated: 30 May 2026 · Compliant with UK GDPR and the Data Protection Act 2018
1. Who We Are
WasteLinks (“WasteLinks”, “we”, “us”) is a platform operated by Wizmedia (wizmedia.co.uk) and is the data controller for personal data collected through the WasteLinks Platform. For any data-protection enquiry contact us at privacy@wastelinks.co.uk.
2. What Data We Collect
We collect the following categories of personal data:
- Identity data — first name, last name, company name (for business accounts).
- Contact data — email address, phone number, postal address, postcode.
- Account data — username, hashed password, account type (Customer, Vendor, Driver), account status.
- Booking and transaction data — bookings, quotes, invoices, payment references (Stripe transaction IDs), amounts paid.
- Location data — GPS coordinates collected from Driver devices during active jobs only, with explicit consent. Customer postcode is used for service matching.
- Device data — device type, operating system, push-notification token (for the mobile app).
- Usage data — pages visited, search queries, timestamps of key actions.
- Communications — support messages, dispute correspondence, email logs.
- Compliance documents — uploaded certificates (EA registrations, waste-carrier licences) for Vendors.
- Public-register data (Vendors only) — when a Vendor supplies a Companies House number we retrieve the registered company name, company number, status, company type, incorporation date, and registered office address from the Companies House Public Data API. When a Vendor supplies a waste-carrier registration number we retrieve the registered company name, tier, and expiry date from the Environment Agency Public Register. Both sources are publicly available datasets published under open licences.
- Biometric authentication (mobile, optional) — if you enable Face ID / Touch ID sign-in on the WasteLinks mobile app, your email and password are stored in the iOS Keychain / Android Keystore on your device, protected by your device biometrics. WasteLinks never receives, stores, or transmits your fingerprint or face data; biometric matching happens entirely on your device. You can disable biometric sign-in by signing out, and the stored credentials are wiped automatically if your password becomes stale.
- Push notification tokens (mobile) — when you install the mobile app and accept notifications, your device generates an anonymous Expo Push token that we store against your account so we can send you transactional alerts (driver on the way, ticket reply, booking confirmation). The token is rotated by the operating system and revoked when you uninstall the app or disable notifications.
- Dispute correspondence — when you or a Vendor raise a dispute on a booking we collect the reason, written description, amount disputed, supporting evidence (photos / WTNs / GPS log already on file), and admin resolution notes. Used to investigate the dispute and form an outcome.
3. How We Collect Data
We collect data when you: register an account; place or fulfil a booking; upload documents; contact support; use the mobile app. We also collect limited technical data automatically via server logs and analytics.
We do not collect data from third-party data brokers. Payment data is processed entirely by Stripe — we receive only a payment reference and the status of the transaction.
For Vendor accounts only, we also query two UK public registers at the time of onboarding and periodically thereafter: the Companies House Public Data API (operated by Companies House, an executive agency of the Department for Business and Trade) and the Environment Agency Public Register. The data returned by both registers is in the public domain. We retrieve it solely to verify the Vendor’s legal identity and waste-carrier status; we do not transmit any personal data to these registers other than the public identifiers the Vendor has supplied (company number, carrier registration number).
4. Legal Bases for Processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract — processing necessary to fulfil a booking or operate your account.
- Legal obligation — retaining financial records, waste-transfer records, and audit logs required by law.
- Legitimate interests — fraud prevention, platform security, service-quality monitoring, and automated verification of Vendors against the Companies House and Environment Agency public registers.
- Consent — marketing emails (opt-in at registration, withdrawable at any time); Driver GPS tracking (separate consent screen in the Driver App).
5. Driver Location Tracking
Location data from Driver devices is collected only when a Driver has an active job and has given explicit consent via the Driver App. Location data is used to: provide live ETAs to Customers; record a verifiable audit trail of service fulfilment; and detect anomalies (e.g., a Driver who has not arrived at a site).
Location data is retained for 90 days after the job date, then permanently deleted unless it forms part of a dispute record.
Customer-side live view. During an active job the Customer who booked the collection can see the Driver’s current position on a Google Map at wastelinks.co.uk/dashboard/bookings/[id]/track. The position is the same data the Driver consented to share, displayed only to the booking owner via an authenticated Socket.IO connection and only while the job status is “driver en route” or “in progress”. Once the job is marked complete, the live view stops and is no longer accessible. The Google Maps tiles are loaded from Google’s servers under their Privacy Policy; no personal data is transmitted to Google other than the rendered coordinates.
6. How We Use Your Data
We use personal data to: operate and improve the Platform; process and fulfil Bookings; send transactional emails (booking confirmations, job sheets, invoices); resolve disputes; detect and prevent fraud; comply with legal obligations; send marketing communications (with consent).
7. Data Sharing
We share personal data only as necessary:
- Vendors — receive Customer name, contact details, and collection address for Bookings they are fulfilling.
- Customers — see basic Vendor profile information (company name, rating, bio).
- Stripe — payment processing. Stripe is PCI-DSS Level 1 certified. See Stripe’s Privacy Policy.
- Supabase — database and file storage hosted in AWS eu-west-2 (London).
- Resend — transactional email delivery.
- Expo Push Service (mobile only) — relays push notifications from our servers to Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). Only the device push token, notification title and body are transmitted. See Expo’s Privacy Policy.
- Google Maps (web tracking page only) — when a Customer opens the live driver-tracking page, Google serves the map tiles and processes the rendered coordinates. See Google’s Privacy Policy.
- Companies House (UK) — when a Vendor supplies a company number, we send that number to the Companies House Public Data API to retrieve the corresponding public-register entry. No personal data of Customers or end users is shared.
- Environment Agency (UK) — when a Vendor supplies a waste-carrier registration number, we send that number to the EA Public Register to retrieve the corresponding entry.
- Apple App Store + Google Play (mobile distribution) — when you install the mobile app you accept Apple and Google’s standard distribution terms. WasteLinks receives only the install events Apple/Google share with us; we do not receive your Apple ID or Google account.
- Authorities — if required by law, court order, or regulation.
The full, up-to-date register of every sub-processor and other recipient — including the legal entity, processing location, categories of data, and the international-transfer mechanism used — is maintained at /sub-processors. We will give at least thirty (30) days’ notice on that page before adding any new sub-processor.
We do not sell personal data to third parties.
8. International Transfers
All data is stored on servers within the UK or European Economic Area. Where sub-processors are based outside the EEA, we ensure adequate safeguards are in place (UK Standard Contractual Clauses or equivalent).
9. Data Retention
We retain personal data for the following periods:
- Account data — for the life of the account plus 2 years after deletion.
- Booking and financial records — 7 years (legal / tax obligation).
- Job sheets and proof-of-service photos — 7 years and 3 years respectively (regulatory requirement).
- Driver location snapshots — 90 days.
- Support ticket messages — 3 years from ticket close.
- Disputes — 7 years (alongside the underlying booking and financial records, for legal/tax obligations).
- Push notification tokens — until you uninstall the app, disable notifications, or sign out (whichever happens first).
- Biometric-protected credentials (mobile) — stored on your device only, never on our servers. Removed when you sign out or disable biometric login.
- Marketing consent records — 3 years after consent withdrawn.
10. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of your personal data (Subject Access Request).
- Rectification — correct inaccurate data.
- Erasure — “right to be forgotten”, subject to legal-retention obligations.
- Restriction — limit how we process your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — withdraw marketing or location-tracking consent at any time.
To exercise any right, email privacy@wastelinks.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
11. Security
We implement industry-standard security measures including: bcrypt-hashed passwords (cost factor 12); JWT access tokens with 15-minute expiry and rotating refresh tokens; TLS 1.2+ for all data in transit; encrypted storage for sensitive documents (job photos, signatures, WTNs, certificates); role-based access controls; account lockout after five failed login attempts; row-level security on the database; daily off-site backups; and regular security audits.
On the mobile app, your access and refresh tokens are stored in the iOS Keychain / Android Keystore via expo-secure-store. If you enable biometric sign-in, your email and password are additionally stored in the device’s secure enclave via react-native-keychain with the BIOMETRY_CURRENT_SET access-control flag — meaning even WasteLinks code on the device cannot read them without your live Face ID / Touch ID approval.
12. Cookies
We use strictly necessary cookies to maintain session state. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for full details.
13. Changes to This Policy
We will notify users by email at least 14 days before any material change takes effect. The current version is always available at wastelinks.co.uk/privacy.
14. Contact
Data Controller: WasteLinks, a Wizmedia platform · privacy@wastelinks.co.uk
Designed and developed by Wizmedia