Privacy Policy

Last Updated: 21 November 2025
ICO Registered: ZC040168

This Privacy Policy explains how Grab My Scrap ("we", "our", "us") collects, uses, and protects your information when you use our website grabmyscrap.co.uk (the "Website"). Grab My Scrap is operated in the United Kingdom by its founder.

ICO Registration: Grab My Scrap is registered with the UK Information Commissioner's Office (ICO) under registration reference ZC040168. Our registration was completed on 12 November 2025 and is valid until 11 November 2026.

By using this Website, you agree to the terms of this Privacy Policy.

1. Information We Collect

We collect and store only the information necessary to operate the Website and provide our service. This includes:

  • Account Information: name, email address, phone number, and password.
  • Address Details: house name or number, street, town, county, and postcode (for scrap pickup listings).
  • Account Type: customer or scrap collector.
  • User Posts: descriptions and photos of scrap items you post for pickup.
  • Location Data: if you choose to enable it, we collect your precise geographic location (latitude/longitude) from your browser to help you find nearby scrap posts. This location data is only used during your browsing session and is not permanently stored. You can decline or disable location access at any time.
  • Technical Data: IP address, browser information, device type, and general location data (automatically collected for security and analytics).
  • Usage Data: how you interact with the Website, including pages visited, features used, buttons clicked, and time spent on pages (collected via PostHog analytics).

We do not collect or store scrap licence IDs or photographs of licences. Scrap collectors instead acknowledge that they hold a valid licence.

2. How We Use Your Information

We use your data to:

  • Create and manage your user account.
  • Verify your email address and handle password resets.
  • Display your posts and contact details within the platform.
  • Facilitate connections between customers and scrap collectors.
  • Calculate distances between your location and scrap posts when you enable location access, allowing you to sort and filter posts by proximity.
  • Maintain and improve the Website's functionality.
  • Analyse how users interact with the Website to identify bugs, improve user experience, and develop new features.
  • Collect feedback through optional surveys to improve our service.
  • Comply with any applicable legal obligations.

We use PostHog, a privacy-focused analytics platform, to understand how users interact with our Website. When you sign up or sign in, we identify you to PostHog using your email address, name, account type, and postcode. PostHog then tracks your usage data including pages visited, buttons clicked, device information, and general usage patterns. This allows us to understand user behaviour and improve the Website.

3. Legal Basis for Processing

We process your information under the following lawful bases:

  • Contractual necessity (to operate your account and the Website).
  • Legitimate interests (to improve our services and ensure security).
  • Legal obligations (if required to cooperate with UK authorities).

4. Data Retention

We retain your information only for as long as necessary to provide the service.

  • Posts and photos are deleted when a listing is marked complete or deleted by the user.
  • If you delete your account, all associated data is permanently removed from our database.
  • Some minimal technical data may be retained for short periods in secure backups before automated deletion.

5. Security

We use reasonable technical and organisational measures to protect your information, including:

  • Encrypted HTTPS connections.
  • Secure password hashing.
  • Restricted database access.

However, no system is completely secure, and you use the Website at your own risk.

6. Data Sharing

We do not sell, rent, or trade personal information.

Data may be shared with:

  • Hosting providers (Vercel) solely for operating the Website.
  • Email delivery services (Resend) for verification and password reset messages.
  • Analytics services (PostHog) for usage analytics and feedback collection. PostHog receives your email address, name, account type, and postcode to identify you, along with your usage data (pages visited, buttons clicked, etc.). PostHog is a privacy-focused platform that stores data on EU/US servers with appropriate safeguards. PostHog data is used exclusively for improving the Website and is not sold or shared with third parties for advertising purposes.
  • Backend services (Convex) for database operations and real-time functionality.

All third-party service providers are carefully selected and contractually required to protect your data and use it only for the purposes we specify.

7. Analytics and Cookies

We use PostHog to collect and analyse usage data linked to your account. When you create an account or sign in, we send your email address, name, account type, and postcode to PostHog to identify you. PostHog then tracks your interactions with the Website. This helps us:

  • Identify and fix technical issues and bugs.
  • Understand which features are most valuable to users.
  • Improve navigation and user experience.
  • Prioritise development of new features.
  • Collect voluntary feedback through surveys (only shown to signed-in users).
  • Track user journey from sign-up through post creation and pickup completion.

PostHog uses cookies and similar technologies to track your usage. For more details, please see our Cookie Policy. While PostHog does not use your data for advertising, it does maintain a profile of your activity on the Website linked to your personal information.

8. International Data Transfers

Our hosting provider may store data on servers located outside the UK or EU. In such cases, we ensure that appropriate safeguards and legal mechanisms (such as Standard Contractual Clauses) are in place to protect your information.

9. Your Rights

You have the right to:

  • Access a copy of the data we hold about you.
  • Request correction or deletion of your data.
  • Withdraw consent (where applicable).
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your data appropriately. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

You can delete your account at any time via your profile page, provided there are no active posts or pickups.

As a registered data controller with the ICO (Registration Reference: ZC040168), we are committed to maintaining the highest standards of data protection and complying with all relevant UK data protection legislation.

10. Automated Decision-Making and Profiling

We use limited automated decision-making on the Website, which includes:

  • No-Show Ratings: If a user fails to appear for a scheduled pickup without proper notice, the system automatically assigns a 1-star rating. This is based on the no-show policy outlined in our Terms of Service and helps maintain accountability within the community.
  • Account Restrictions: The system may automatically prevent certain actions (such as removing posts within 24 hours of pickup) based on predefined rules.

These automated processes do not produce legal effects or similarly significantly affect you in a way that would trigger additional GDPR protections. However, you have the right to:

  • Request human review of any automated decision by contacting us at support@grabmyscrap.co.uk.
  • Contest ratings you believe were assigned in error, particularly in cases of emergency or miscommunication.
  • Receive an explanation of how the automated decision was reached.

Beyond the above, we do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

11. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we are committed to handling the situation transparently and in compliance with UK GDPR requirements.

Notification to the ICO

If a breach poses a risk to your rights and freedoms, we will report it to the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.

Notification to You

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay. We will contact you via the email address associated with your account.

What We Will Tell You

Our notification will include:

  • A description of the nature of the data breach, including the types of personal data affected.
  • The likely consequences of the breach.
  • The measures we have taken or propose to take to address the breach and mitigate potential harm.
  • Practical steps you can take to protect yourself (e.g., changing passwords, monitoring accounts).
  • Contact information for our support team where you can obtain more information.

Our Response

In the event of a breach, we will:

  • Immediately investigate the extent and cause of the breach.
  • Take steps to contain and remedy the breach.
  • Assess the risk to affected individuals.
  • Implement additional security measures to prevent future incidents.
  • Cooperate fully with the ICO and any other relevant authorities.

12. Age Requirement

This Website is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18.

13. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on this Website.

14. Contact Us

If you have questions about this Privacy Policy or how your data is handled, please contact: