This policy explains what personal data SupaWaste collects, how we use it, and your rights under UK GDPR. We've written it to be read — not just to exist.
SupaWaste is a waste collection management platform for UK local authorities. We operate the SupaWaste Authority Portal, the My Bin Day resident lookup tool, and the embeddable bin day widget used on authority websites.
For the purposes of UK GDPR, SupaWaste is the data controller for personal data collected through this website and the resident-facing tools. For data processed on behalf of local authorities through the portal, SupaWaste acts as a data processor, with the relevant authority as the data controller.
To contact us about privacy matters: privacy@supawaste.com
We do not use tracking cookies or analytics scripts that collect personal data. We collect only what you choose to submit:
We collect only the postcode entered to perform the lookup. This is used solely to return the correct collection schedule. It is not stored, not linked to any individual, and not used for any other purpose.
| Data | Purpose |
|---|---|
| Demo / enquiry form submissions | To respond to your request and, where relevant, follow up about SupaWaste products. We will not add you to a marketing list without your consent. |
| Portal staff accounts | To provide access to the Authority Portal, authenticate users, and maintain the audit trail required for GDPR compliance. |
| Resident postcodes | To return the correct bin collection schedule for that postcode. Not stored or used for any other purpose. |
| Audit log data | To maintain a record of changes made within the portal for compliance, accountability, and GDPR subject access request purposes. |
| Processing activity | Lawful basis |
|---|---|
| Responding to demo and enquiry form submissions | Legitimate interests — responding to a direct request from you |
| Portal staff account management | Contract — necessary to provide the contracted service to your authority |
| Audit trail maintenance | Legal obligation — required for GDPR compliance and accountability |
| Resident postcode lookups | No personal data is processed — postcodes alone are not personal data under UK GDPR |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share data only with sub-processors necessary to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU / UK |
| Vercel | Application hosting and delivery | EU / UK |
| Resend | Transactional email delivery | EU |
| Twilio | SMS reminder delivery (where enabled) | EU |
No personal data is transferred outside the UK or EEA. A full sub-processor list is available on request.
| Data | Retention period |
|---|---|
| Demo / enquiry form submissions | Up to 12 months, or until the enquiry is resolved |
| Portal staff accounts | For the duration of the contract, plus 30 days following termination |
| Audit log entries | 7 years — required for compliance purposes |
| Resident postcodes | Not retained — used only to serve the lookup response |
You have the following rights in relation to personal data we hold about you:
To exercise any of these rights, contact us at privacy@supawaste.com. We will respond within one calendar month.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
This website does not use advertising cookies, tracking cookies, or third-party analytics. We use only the cookies strictly necessary to operate the service:
Residents using the bin day widget: No cookies are set when a resident uses the embedded widget on a council website or on my-bin-day.co.uk. No tracking, no session storage, no persistent data of any kind.
If you have a question about this policy, want to exercise your data rights, or need a copy of our Data Processing Agreement, get in touch.