Privacy Policy

This Privacy Policy explains how Grab My Scrap ("we", "our", "us") collects, uses, and protects your information when you use our website grabmyscrap.co.uk (the "Website"). Grab My Scrap is operated in the United Kingdom by its founder.

By using this Website, you agree to the terms of this Privacy Policy.

1. Information We Collect

We collect and store only the information necessary to operate the Website and provide our service. This includes:

• Scrap Collector Account Information: when you create a scrap collector account, we collect your name, email address, phone number, postal address, password, and profile description.
• License Verification Data: for scrap collectors, we collect and verify your scrap metal dealer licence number and optional business name against the Environment Agency Public Register. We store the licence number, business name (if provided), verification status, verification timestamp, and licence expiry date (if available from the register).
• Customer Details (No Account Required): customers posting scrap for collection can use the Website without creating an account. When creating a post, we collect the name and contact details you choose to provide (typically phone number and/or email), together with the collection address and details of the scrap.
• Address Details: house name or number, street, town, county, and postcode (for scrap pickup listings and for scrap collector profiles).
• User Posts: descriptions and photos of scrap items you post for pickup, along with preferred collection time slots.
• Subscription and Billing Metadata (Scrap Collectors): for scrap collectors with a paid subscription, we store limited billing metadata such as your Stripe customer ID, subscription plan, status, and renewal dates. We do not store full payment card numbers; payment processing is handled by Stripe.
• Location Data: if you choose to enable it, we collect your precise geographic location (latitude/longitude) from your browser to help you find nearby scrap posts. This location data is only used during your browsing session and is not permanently stored. You can decline or disable location access at any time.
• Technical Data: IP address, browser information, device type, and general location data (automatically collected for security and analytics).
• Usage Data and Analytics: how you interact with the Website, including pages visited, features used, buttons clicked, and time spent on pages. This is collected using a privacy-focused, first-party analytics tool (One Dollar Stats) which may associate events with your account if you are signed in as a scrap collector.

We verify scrap metal dealer licences against the Environment Agency Public Register to ensure all collectors are properly licensed. This verification is performed using official government data sources and helps maintain the integrity of our platform.

2. How We Use Your Information

We use your data to:

• Create and manage your scrap collector account (where applicable).
• Verify your email address and handle password resets.
• Verify scrap metal dealer licences against the Environment Agency Public Register to ensure all collectors are properly licensed and operating legally.
• Display your posts and contact details within the platform.
• Facilitate connections between customers (who may use the Website without an account) and scrap collectors (who require an account and, for full access, a subscription).
• Calculate distances between your location and scrap posts when you enable location access, allowing you to sort and filter posts by proximity.
• Maintain and improve the Website's functionality.
• Analyse how users interact with the Website to identify bugs, improve user experience, and develop new features.
• Collect feedback through optional surveys to improve our service.
• Manage and administer paid subscriptions for scrap collectors, including eligibility for free trials, renewals, cancellations, and enforcement of subscription rules.
• Comply with any applicable legal obligations.

We use One Dollar Stats, a privacy-focused, first-party analytics tool, to understand how users interact with our Website. When you sign up or sign in as a scrap collector, some analytics events may be associated with your account (for example, to understand how subscribed scrap collectors use key features). For customers using the Website without an account, analytics are collected using pseudonymous identifiers. Analytics data includes pages visited, buttons clicked, device information, and general usage patterns. This allows us to understand user behaviour and improve the Website.

3. Legal Basis for Processing

We process your information under the following lawful bases:

• Contractual necessity (to operate your account and the Website).
• Legitimate interests (to improve our services and ensure security).
• Legal obligations (if required to cooperate with UK authorities).

4. Data Retention

We retain your information only for as long as necessary to provide the service.

• Posts and photos are deleted when a listing is marked complete or deleted by the user.
• If you delete your account, all associated data is permanently removed from our database.
• Some minimal technical data may be retained for short periods in secure backups before automated deletion.

5. Security

We use reasonable technical and organisational measures to protect your information, including:

• Encrypted HTTPS connections.
• Secure password hashing.
• Restricted database access.

However, no system is completely secure, and you use the Website at your own risk.

6. Data Sharing

We do not sell, rent, or trade personal information.

Data may be shared with:

• Hosting providers (such as Vercel) solely for operating the Website.
• Email delivery services (such as Resend) for verification, password reset, subscription and account-related messages.
• Analytics services (One Dollar Stats) for usage analytics and feedback collection. This tool may receive pseudonymous identifiers, and for signed-in scrap collectors may be able to associate events with your account in order to understand how the service is used. Analytics data is used exclusively for improving the Website and is not sold or shared with third parties for advertising or profiling purposes.
• Payment processors (Stripe) to handle subscription payments for scrap collectors. Stripe processes your payment card details on our behalf. We do not store full card numbers or security codes; instead, we store limited billing metadata such as your Stripe customer ID and subscription status.
• Backend services (Convex) for database operations and real-time functionality.
• Government data sources (Environment Agency Public Register API) for verifying scrap metal dealer licences. When you provide your licence number during registration, we query the official Environment Agency register to verify your licence status, expiry date, and other relevant details. This is a read-only verification process using publicly available government data.

All third-party service providers are carefully selected and contractually required to protect your data and use it only for the purposes we specify.

7. Analytics and Cookies

We use One Dollar Stats to collect and analyse usage data. When you create a scrap collector account or sign in, we may associate certain analytics events with your account to understand how subscribed users interact with the Website. For customers using the Website without an account, analytics are collected using pseudonymous identifiers (for example, a cookie-based or similar ID) rather than your name or email. This helps us:

• Identify and fix technical issues and bugs.
• Understand which features are most valuable to users.
• Improve navigation and user experience.
• Prioritise development of new features.
• Collect voluntary feedback through surveys (only shown to signed-in users).
• Track user journey from sign-up through post creation and pickup completion.

One Dollar Stats uses cookies or similar technologies to track usage. For more details, please see our Cookie Policy. We do not use analytics data for advertising or sell this data to third parties.

8. International Data Transfers

Our hosting provider may store data on servers located outside the UK or EU. In such cases, we ensure that appropriate safeguards and legal mechanisms (such as Standard Contractual Clauses) are in place to protect your information.

9. Your Rights

You have the right to:

• Access a copy of the data we hold about you.
• Request correction or deletion of your data.
• Withdraw consent (where applicable).
• Lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your data appropriately. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

You can delete your account at any time via your profile page, provided there are no active posts or pickups.

As a registered data controller with the ICO (Registration Reference: ZC040168), we are committed to maintaining the highest standards of data protection and complying with all relevant UK data protection legislation.

10. Automated Decision-Making and Profiling

We use limited automated decision-making on the Website, which includes:

• No-Show Ratings: If a user fails to appear for a scheduled pickup without proper notice, the system automatically assigns a 1-star rating. This is based on the no-show policy outlined in our Terms of Service and helps maintain accountability within the community.
• Account Restrictions: The system may automatically prevent certain actions (such as removing posts within 24 hours of pickup) based on predefined rules.

These automated processes do not produce legal effects or similarly significantly affect you in a way that would trigger additional GDPR protections. However, you have the right to:

• Request human review of any automated decision by contacting us at support@grabmyscrap.co.uk.
• Contest ratings you believe were assigned in error, particularly in cases of emergency or miscommunication.
• Receive an explanation of how the automated decision was reached.

Beyond the above, we do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

11. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we are committed to handling the situation transparently and in compliance with UK GDPR requirements.

Notification to the ICO

If a breach poses a risk to your rights and freedoms, we will report it to the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.

Notification to You

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay. We will contact you via the email address associated with your account.

What We Will Tell You

Our notification will include:

• A description of the nature of the data breach, including the types of personal data affected.
• The likely consequences of the breach.
• The measures we have taken or propose to take to address the breach and mitigate potential harm.
• Practical steps you can take to protect yourself (e.g., changing passwords, monitoring accounts).
• Contact information for our support team where you can obtain more information.

Our Response

In the event of a breach, we will:

• Immediately investigate the extent and cause of the breach.
• Take steps to contain and remedy the breach.
• Assess the risk to affected individuals.
• Implement additional security measures to prevent future incidents.
• Cooperate fully with the ICO and any other relevant authorities.

12. Age Requirement

This Website is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18.

13. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on this Website.

14. Contact Us