Who We Are
WASTRAQ is an intelligent waste management software platform developed and operated by WASTRAQ Ltd ("WASTRAQ", "we", "us", or "our"). Our platform — including TraqCore™, RouteTraq™, the Driver App, the Customer Self-Service Portal, and all associated APIs — is purpose-built for waste management operators, municipal authorities, commercial collectors, and their customers worldwide.
For the purposes of applicable data protection legislation, WASTRAQ Ltd acts as the data controller for personal data collected through our website and marketing activities, and as a data processor for operational data processed on behalf of our platform clients.
🌍 Our registered office is in the United Kingdom. We operate globally and process data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
Data We Collect
We collect only the data necessary to deliver, improve, and secure the WASTRAQ platform. The types of data we process depend on your relationship with us.
Account & Identity Data
Full name, job title, email address, phone number, and login credentials for platform users and administrators.
Billing & Payment Data
Organisation name, billing address, VAT/tax number, and payment method tokens. Card numbers are never stored — processed by PCI-DSS compliant providers.
Location & Route Data
GPS coordinates, vehicle positions, route paths, and stop data generated by drivers using the TraqCore™ platform and mobile app.
Usage & Technical Data
Log files, session identifiers, browser/device information, IP addresses, feature usage patterns, and error reports collected to improve platform stability.
Operational Data
Customer records, service contracts, collection schedules, waste fraction data, invoices, and communications created by platform operators.
Communications Data
Emails, support tickets, live chat transcripts, survey responses, and any messages sent via our contact forms or through the platform's built-in communication tools.
We do not collect sensitive categories of personal data (such as health, racial origin, or religious beliefs) unless explicitly required for a lawful purpose and with appropriate safeguards in place. We also do not buy, sell, or rent personal data to third parties for marketing purposes.
How We Use Your Data
We use data collected about you for specific, documented purposes only. Below is a comprehensive breakdown:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Platform delivery & account management | Account data, operational data | Contract performance |
| Billing & invoicing | Billing data, account data | Contract performance |
| Driver navigation & route optimisation | Location data, route data | Contract performance / Legitimate interest |
| Security monitoring & fraud prevention | Usage data, technical data | Legitimate interest |
| Platform analytics & improvement | Usage data (anonymised) | Legitimate interest |
| Customer support | Account data, communications data | Contract performance |
| Marketing communications | Account data, email | Consent / Legitimate interest |
| Legal & regulatory compliance | All applicable data | Legal obligation |
We will never use your data for automated individual decision-making that produces legal or significant effects without human review and your explicit consent.
Legal Basis for Processing
Under GDPR and UK GDPR, we rely on the following lawful bases for processing personal data:
- Contract Performance: Processing necessary to deliver the WASTRAQ platform and services you have subscribed to, including driver tracking, billing, and customer management functions.
- Legitimate Interests: Processing for our business purposes where these do not override your fundamental rights — such as platform security monitoring, aggregate analytics, and improving our product.
- Legal Obligation: Processing required to comply with applicable laws, such as financial record retention, HMRC obligations, and responding to lawful enforcement requests.
- Consent: Where we rely on consent (e.g. for marketing emails or optional analytics cookies), you may withdraw it at any time without affecting prior lawful processing.
For California residents (CCPA): We do not "sell" or "share" personal information for cross-context behavioural advertising. You have the right to know, delete, correct, and opt out. See Section 9 for how to exercise your rights.
Data Sharing & Third Parties
We do not share personal data with third parties except in the following circumstances, and only with partners who meet our data protection standards:
- Infrastructure & Cloud Providers: Hosting, database, and backup services (e.g. AWS, Azure) operating under strict data processing agreements and EU Standard Contractual Clauses.
- Payment Processors: PCI-DSS certified payment providers (e.g. Stripe) who handle card data directly. WASTRAQ never stores raw card numbers.
- Mapping & Routing APIs: Third-party mapping services used to power our route optimisation engine. Location data is transmitted securely and not retained by these providers for advertising.
- Analytics & Monitoring Tools: Platform stability and performance monitoring tools operating under anonymisation and data minimisation protocols.
- Email & Communications Platforms: Transactional and marketing email services bound by data processing agreements.
- Legal & Regulatory Authorities: Where required by law, court order, or to prevent harm — we will notify affected parties where legally permissible.
- Business Transfers: In the event of a merger, acquisition, or asset sale, data may transfer to a successor entity with equivalent privacy protections and advance notice to users.
All third-party sub-processors are listed in our Sub-Processor Register, available to enterprise customers on request via privacy@wastraq.io.
International Data Transfers
WASTRAQ operates globally and your data may be processed in countries outside your home jurisdiction. We ensure all international transfers are safeguarded by:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA
- UK International Data Transfer Agreements (IDTAs) for transfers under UK GDPR
- Adequacy decisions where the destination country offers equivalent protections
- Binding Corporate Rules or approved certification frameworks where applicable
Primary data residency is in the European Economic Area (EEA). Customers on our Enterprise tier may request regional data residency options. Contact privacy@wastraq.io for more details.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Our standard retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & profile data | Duration of contract + 3 years | Legitimate interest / Disputes |
| Operational & route data | Duration of contract + 2 years | Contract / Legal obligation |
| Financial & billing records | 7 years | Legal obligation (HMRC / tax) |
| Support & communications | 3 years from last interaction | Legitimate interest |
| Marketing consent records | Until consent withdrawn + 3 years | Legal obligation (PECR) |
| Access logs & security events | 12 months | Legitimate interest |
| Anonymised analytics data | Indefinite (no longer personal data) | Legitimate interest |
On account closure, we initiate a structured deletion process. Backup copies are purged within 90 days. You may request early deletion subject to our legal retention obligations.
Security Measures
Protecting your data is fundamental to our platform. WASTRAQ implements industry-leading technical and organisational security measures including:
Encryption
AES-256 encryption at rest. TLS 1.3 in transit. All backups are encrypted. Database fields containing PII are separately encrypted.
Access Controls
Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege applied across all systems.
Monitoring
24/7 security monitoring, intrusion detection, anomaly alerts, and automated threat response. Security events logged and reviewed.
Certifications
SOC 2 Type II certified. ISO 27001 aligned. Annual third-party penetration testing. Vulnerability disclosure programme in place.
Staff Training
All WASTRAQ staff complete mandatory data protection and security awareness training on onboarding and annually thereafter.
Incident Response
Documented breach response plan. Personal data breaches reported to relevant supervisory authorities within 72 hours where required. Affected individuals notified promptly.
⚠️ While we implement rigorous security measures, no system can guarantee absolute security. We recommend all users enable two-factor authentication and use strong, unique passwords for their WASTRAQ accounts.
Your Privacy Rights
Depending on your location, you have a range of rights regarding your personal data. We honour these rights promptly and without charge (subject to certain legal exemptions):
Right to Know
Request confirmation of whether and how we process your data.
Right of Access
Obtain a copy of your personal data and information about how it is used.
Right to Rectification
Correct inaccurate or incomplete personal data held about you.
Right to Erasure
Request deletion of your personal data where there is no lawful basis to retain it.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another provider.
Right to Restrict
Request that we limit processing of your data in certain circumstances, such as during a dispute.
Withdraw Consent
Withdraw consent at any time for processing based on consent without affecting prior lawful processing.
To exercise any of your rights, email privacy@wastraq.io with "Privacy Request" in the subject line. We will respond within 30 days (or 45 days for complex requests). We may ask you to verify your identity before processing your request.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority — such as the ICO (UK), your national Data Protection Authority (EU), or the California Attorney General (CCPA).
Cookies & Tracking Technologies
Our website and platform use cookies and similar technologies to deliver functionality, analyse usage, and (with your consent) personalise your experience. The categories of cookies we use are:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, security, CSRF protection, load balancing. Required for the platform to function. | No (exempt) |
| Functional | Language preferences, UI settings, saved filters and dashboard configurations. | No (legitimate interest) |
| Analytics | Anonymised usage data to understand how users interact with the platform and improve features. | Yes |
| Marketing | Interest-based content on our website. We do not serve third-party advertising inside the platform. | Yes |
You can manage cookie preferences at any time via the Cookie Preferences link in the website footer, or through your browser settings. Withdrawing analytics or marketing cookies will not affect your access to the WASTRAQ platform.
Children's Privacy
WASTRAQ is a business-to-business platform intended solely for use by organisations and their authorised employees and contractors. Our services are not directed at, and we do not knowingly collect personal data from, individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction).
If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@wastraq.io and we will delete it promptly.
Policy Changes
We review and update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or feedback. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page and in the platform
- Notify platform administrators via in-app notification and email at least 14 days before material changes take effect
- Request fresh consent where the legal basis for processing changes
- Maintain a revision history available on request
Your continued use of WASTRAQ after the effective date of an updated policy constitutes acceptance of those changes. We encourage you to review this page periodically.
Previous versions of this Privacy Policy are available on request. Contact privacy@wastraq.io to request a copy.
Contact Us & Data Protection Officer
For all privacy-related queries, rights requests, or concerns, please reach out using one of the channels below. We are committed to responding within 5 business days and resolving all requests within the timeframes required by applicable law.
🔒 All privacy communications are handled by our dedicated Data Protection team and are treated with strict confidentiality. We never share your privacy request with third parties without your explicit consent.
Built with Privacy by Design
WASTRAQ embeds privacy principles into every feature we build — from SOC 2 certified infrastructure to GDPR-compliant data pipelines. Your trust is our competitive advantage.