Legal
Privacy Policy
How to read this policy
This policy is long because privacy is complicated. Three ways to read it:
The 1-minute version: The "In plain English" box below.
The 5-minute version: Read only the plain English summary plus the two notices that follow.
The full version: Everything. Use the contents sidebar to jump to the sections that matter to you.
In plain English
WasteGrid is a recruitment platform for the UK waste sector. We match candidates with employers and verify qualifications.
We do not sell your data to advertisers or data brokers. Sensitive data is held only with your explicit consent.
You choose what to share with employers. You can mark profile fields public, private, or reveal-on-match.
Our matching engine uses automated processing. You can request human review at any time.
WasteGrid is currently available to candidates and employers located in the United Kingdom. We do not offer the platform to residents of the European Economic Area or other jurisdictions at this time. This allows us to focus exclusively on UK regulatory requirements as we launch. We will expand to additional jurisdictions in future once the relevant regulatory frameworks (including the EU AI Act where applicable) have been fully assessed and complied with.
Unless otherwise specified, notifications sent under this policy (including breach notifications, sub-processor updates, re-engagement emails, and responses to rights requests) are sent to the email address associated with your account. Material notifications may also appear in-platform.
Glossary
A short explanation of terms used in this policy.
- UK GDPR: The UK General Data Protection Regulation, the UK's primary data protection law.
- DPA 2018: The Data Protection Act 2018, which supplements UK GDPR and defines the broad data categories used in this policy.
- DUAA 2024: The Data (Use and Access) Act 2024, which amends UK data protection law in specific areas.
- PECR: The Privacy and Electronic Communications Regulations 2003, which govern cookies, email marketing, and electronic communications.
- Sensitive Data: Informal term used in this policy for Special Category Data (Article 9), Criminal Offence Data (Article 10), and Right-to-Work Documentation.
- Controller: The organisation that decides why and how personal data is processed.
- Processor: An organisation that processes personal data on behalf of a controller.
- Lawful Basis: Consent, Contract, Legal Obligation, Vital Interests, Public Task, or Legitimate Interests.
- SAR: Subject Access Request.
- DPIA: Data Protection Impact Assessment.
- LIA: Legitimate Interest Assessment.
- ROPA: Record of Processing Activities.
- OCR: Optical Character Recognition.
- CSRF: Cross-Site Request Forgery.
- TLS: Transport Layer Security.
1. Who We Are
WasteGrid Ltd (referred to in this policy as "WasteGrid", "we", "us", or "our") operates the platform at wastegrid.co.uk, a specialist recruitment and industry infrastructure service for the UK waste, recycling, and environmental services sector.
A formal Data Protection Officer is not required at launch based on our processing profile. This position will be reviewed as the platform scales. A DPO necessity assessment and our Record of Processing Activities are held on file and available to the ICO on request.
2. Who This Policy Applies To
This Privacy Policy applies to candidates, employers, recruitment agencies and labour providers, website visitors, and individuals on our waitlist or pre-launch communication lists.
2.1 Geographic Scope
WasteGrid is currently available only to candidates and employers located in the United Kingdom. Residents of the European Economic Area, Crown Dependencies, and other jurisdictions are not currently able to register. This is a deliberate launch scope decision and will be expanded in future releases.
2.2 Minimum Age
WasteGrid is not intended for use by anyone under the age of 16. Candidates aged 16 or 17 may register but may not upload special category data or criminal offence data without additional verified consent from a parent or guardian. Accounts identified as belonging to users under 16 will be deleted.
2.3 Vulnerable Users
The waste sector includes workers with learning differences, low literacy, or English as an additional language. We are committed to plain-English consent language and support for users who need help understanding this policy.
2.4 Consumer Rights
Nothing in this policy or our platform terms limits statutory rights under the Consumer Rights Act 2015 or any other UK consumer protection legislation.
3. What Data We Collect
We collect personal data, and where relevant sensitive data, criminal offence data, and right-to-work documentation as described by UK GDPR and the Data Protection Act 2018.
3.1 Personal Data
Contact Information
- Full name and preferred name
- Email address and telephone number
- Home or correspondence address
- Date of birth, where required for licence or compliance verification
Employment Information
- Salary expectations and preferred working patterns
- CV, cover letters, and supporting documents
- Employment history, job titles, and employer names
- Qualifications, certifications, and licence numbers
- Geographic availability and preferred roles
- Professional references, where provided
- Profile photos, where uploaded voluntarily
Technical Information
- Device type, operating system, and browser
- IP address and approximate geographic location based on IP
- Pages visited, time on site, and navigation paths
- Referral source
- Data stored through cookies
Communications Data
- Platform messages between candidates and employers
- Email correspondence with WasteGrid
- Email engagement data (opens and clicks)
- Feedback, surveys, and support requests
Third-Party Sign-In Data
If sign-in with third-party providers is introduced, imported profile fields may be processed in line with this policy.
3.2 Special Category Data
Special category data is processed only where voluntarily provided with explicit consent, including health/disability data, diversity monitoring data, trade union membership declarations, and nationality/immigration status where relevant to right-to-work checks.
Trade union membership is never shared with employers, never used in matching, and cannot be made visible in profiles. You can withdraw consent at any time.
Sensitive data is stored separately from main profile data, locked by default, and only shared with explicit role-specific consent.
3.3 Criminal Offence Data
Where required for DBS-related processes, data is processed at strict sensitivity levels and shared only with explicit consent where applicable.
3.4 Right-to-Work Documentation
Right-to-work checks are legal requirements for UK employment. Disclosure may occur where required by law, including lawful requests from competent authorities.
3.5 Data About Third Parties
Where references or third-party contacts are provided, only minimum required data is processed and can be removed on request.
3.6 Medical Certificates and DVLA-Regulated Data
Where medical documents are uploaded, they are treated as special category data and retained only for the stated purpose.
4. Data We Collect From Employers
Employer account processing includes personal data of authorised representatives and business data about the employing organisation.
4.1 Personal Data of Employer Representatives
Includes representative name, email, phone, job title, and technical usage data.
4.2 Business Data About the Employer Organisation
- Company details and registration data
- Business contact details
- Relevant waste sector licence/permit identifiers
- Sites, regions, service lines, postings, and billing details
4.3 Employer Identity Verification
Employer legitimacy is verified against available registries or equivalent onboarding checks. Fraudulent accounts are suspended and managed under breach procedures where applicable.
5. Recruitment Agency Accounts
Agency processing may operate under controller or processor roles depending on operational context. End-user employers receiving data via agencies are independent controllers for their own downstream processing.
6. How We Use Your Data
6.1 Candidate Profile and Job Matching
Lawful basis: Contract and Legitimate Interests.
6.2 Profile Visibility Controls
Public
Visible to verified employers browsing candidates.
Private
Hidden from employers.
Reveal on match
Hidden until explicit sharing by the candidate.
Sensitive data is outside this three-level system and remains separately protected.
6.3 Employer Accounts and Job Postings
Lawful basis: Contract and Legitimate Interests.
6.4 Document and Licence Verification
Lawful basis: Legitimate Interests and Explicit Consent where sensitive data is involved. OCR and AI may be used under processor agreements.
6.5 Automated Decision-Making and Profiling
Matching uses automated ranking support. Final hiring decisions are made by employers. Human review rights apply.
6.6 Platform Improvement
Lawful basis: Legitimate Interests.
6.7 Email Marketing and Waitlist Communications
Lawful basis: Consent or Legitimate Interests under PECR soft opt-in where applicable.
6.8 Customer Support
Lawful basis: Contract and Legitimate Interests.
6.9 AI and Machine Learning
AI is used for limited platform functions. User data is not used to train general-purpose models.
6.10 Legal and Compliance Obligations
Lawful basis: Legal Obligation.
7. How We Share Your Data
WasteGrid does not sell personal data. Data sharing is limited to recruitment operations, trusted processors, legal obligations, and business continuity events described in this policy.
7.1 With Employers on the Platform
7.2 Employers as Independent Controllers
7.3 With Service Providers (Sub-Processors)
7.4 With Industry Partners
7.5 Legal Requirements
7.6 Business Transfers
7.7 TUPE Transfers Between Employers
8. Where and How Data Is Stored
Structured and unstructured data are stored with controls aligned to UK GDPR obligations. International transfers, where relevant, rely on lawful transfer mechanisms and documented safeguards.
9. Data Security
We apply technical and organisational measures including encryption, role-based access controls, transport security, audit logging, and documented breach procedures.
10. How Long We Keep Your Data
Retention is based on account status, legal obligations, and operational necessity.
Re-engagement notice
First re-engagement reminder is sent.
Follow-up reminder
Second reminder is sent.
Automatic purge
Account data is purged if inactivity continues.
11. Cookies and Data Stored in Your Browser
At the effective date of this policy, only essential cookies are used for security and session management. Non-essential cookies are not used without consent controls.
12. Your Rights
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
- Right to withdraw consent
- Rights in relation to automated decision-making
To exercise these rights, contact privacy@wastegrid.co.uk.
13. Messaging and Platform Content
User-generated messaging is governed by this policy and platform terms. Message review occurs in defined safety, legal, and abuse-report contexts.
14. Account Integrity
Accounts are personal and non-transferable. You are responsible for account credential confidentiality and should report compromise immediately.
15. Third-Party Links
External links are provided for convenience; third-party privacy practices are governed by their own policies.
16. Changes to This Policy
Policy updates are made to reflect legal, operational, or product changes. Material updates are communicated to registered users.
17. Accessibility
This policy is published in accessible formats and we continue improving accessibility across the WasteGrid platform.
18. Contact Us
For unresolved complaints, you may contact the ICO at ico.org.uk.