Privacy Policy
Last reviewed: 25 May 2026.
1. Who we are
DigitalWTN is a Software-as-a-Service product that helps UK waste carriers, receivers, and producers create and share digital Waste Transfer Notes (WTNs). The data controller for the purposes of UK GDPR is the operator of digitalwtn.co.uk. You can contact us at privacy@digitalwtn.co.uk.
2. What we collect
Account data
- Email address (for sign-in).
- Business / organisation name.
- Your role: carrier, receiver, or producer (chosen at signup).
- A role-specific public-register identifier:
  - Carriers: your Environment Agency Waste Carriers registration (CBDU/CBDL).
  - Receivers: your environmental permit number.
  - Producers: your premises code.
Verification data
We check the identifier you supply against free UK public registers (Environment Agency Waste Carriers Public Register; Companies House Public Data API) and cache the result so the app can show your verified status to your counterparties. This data is already public on those registers; we only ever cache what those registers already publish.
Waste Transfer Note (WTN) data
For every WTN you create or that names your organisation we store:
- Producer name and address (entered by the carrier).
- Waste classification (EWC codes, descriptions, hazardous flags, quantities).
- Container type and count.
- Transport details (vehicle registration, driver name).
- Photos captured at the point of pickup.
- Approximate GPS coordinates of pickup (with carrier consent).
- Signatures captured on the carrier’s device.
- Receiver actions (accept / reject / received weight).
- Producer actions (confirm / flag).
This data is required to produce a regulatory-compliant Waste Transfer Note and to satisfy the recordkeeping obligations of the Environmental Protection Act 1990 and the Waste (England and Wales) Regulations 2011.
Operational data
- A tamper-evident audit log of every mutation against your records (who did what, when).
- Server-side error logs to debug problems.
- Cloudflare connection metadata (your IP address may appear in our hosting provider’s logs for up to 30 days).
3. Why we collect it (lawful basis)
- Contract. Most of the data above is necessary for us to provide the service you signed up for.
- Legal obligation. WTN records are kept for a statutory recordkeeping period (see retention below).
- Legitimate interests. Audit logs and error logs are kept to secure the service against tampering and to debug operational issues.
- Consent. GPS capture and photos are only stored when you take the explicit action to capture them in the wizard.
4. Who we share it with
Within DigitalWTN, your WTNs are visible only to the parties named on them (the carrier, the receiver matching the permit, and the producer matching the premises code). We do not sell your data, ever.
We use the following sub-processors, who process data on our behalf:
- Cloudflare, Inc. — hosting (Workers, R2 if used). Data is processed in the EU/UK region.
- Supabase, Inc. — database and file storage. Data is stored in the EU-West (London) region.
- Clerk, Inc. — authentication. Email + Clerk session identifier only.
- Resend, Inc. — transactional email delivery (e.g. “your WTN has been received”). Email address only.
5. Where your data is stored
All primary databases and file storage are in the United Kingdom or the European Economic Area. Some sub-processors (e.g. Clerk) may transfer data to the United States under appropriate safeguards (UK International Data Transfer Agreement / EU Standard Contractual Clauses).
6. How long we keep it
- WTN records: at least 3 years from the date of the waste transfer, to meet UK statutory recordkeeping requirements.
- Account data: for as long as you have an active account, then up to 12 months after closure for legal compliance, then deleted.
- Audit log: retained for the life of the account (and at least 6 years beyond, for evidentiary purposes).
- Error logs: 30 days.
7. Your rights
Under UK GDPR you can:
- Request a copy of the personal data we hold about you.
- Ask us to correct inaccurate data.
- Ask us to delete your data (we may need to retain WTN records to comply with statutory obligations; we will explain what we can and cannot delete).
- Object to processing based on legitimate interests.
- Withdraw consent for processing based on consent.
- Lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk.
To exercise any of these rights, email privacy@digitalwtn.co.uk. We aim to respond within 30 days.
8. Security
Data is encrypted in transit (HTTPS / TLS 1.2+). Database and storage at rest are encrypted by our sub-processors. Mutations to your records are append-only and chained into a tamper-evident audit ledger that is externally anchored daily.
9. Changes to this policy
If we make material changes we will email account holders at least 14 days before the change takes effect. The current version is always at app.digitalwtn.co.uk/legal/privacy.