Our Commitment
Clear Waste Route Ltd (Company No. 17168009), registered in England and Wales, is committed to handling personal data responsibly and in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take a privacy-by-design approach, meaning data protection is built into our products and processes from the outset, not added as an afterthought.
This statement explains how we meet our obligations as both a data controller (for data collected through our website and for managing our own business relationships) and as a data processor (when processing personal data on behalf of our Customers through the Clear Waste Route platform).
1. Data Controller Identity
Organisation: Clear Waste Route Ltd
Company No.: 17168009 (England & Wales)
Registered address: England and Wales
Contact: contact@clearwasteroute.co.uk
ICO Registration: ZC174222
As a small company, we are not required to appoint a formal Data Protection Officer (DPO) under UK GDPR. Data protection queries are handled directly by company management and can be directed to the email address above.
2. Dual Role: Controller and Processor
Clear Waste Route operates in two distinct data protection roles depending on the context:
- As a Data Controller: We determine the purposes and means of processing personal data collected through our marketing website, enquiry forms, and our own business relationships. Our Privacy Policy covers this context in full.
- As a Data Processor: When Customer organisations use the Clear Waste Route platform to manage their own operational data — including records relating to their employees, drivers, site contacts, or third parties — Clear Waste Route acts as a data processor, processing that data on the Customer's instructions. In this context, the Customer organisation is the data controller and bears primary responsibility for lawful processing of that data.
3. Lawful Basis for Processing (as Controller)
Where we act as data controller, we rely on the following lawful bases under UK GDPR Article 6:
- Legitimate interests (Article 6(1)(f)) — responding to business enquiries, communicating about our platform, account management, and fraud prevention. We have conducted and can provide a Legitimate Interests Assessment on request.
- Contract performance (Article 6(1)(b)) — providing services under Early Access agreements and commercial subscriptions, and managing user accounts.
- Legal obligation (Article 6(1)(c)) — complying with applicable legal requirements including tax, company law, and regulatory obligations.
- Consent (Article 6(1)(a)) — placing non-essential analytics cookies. Consent can be withdrawn at any time via browser settings.
4. Data We Process (as Controller)
In our role as data controller, we process:
- Contact and enquiry data from website forms (names, email, phone, company, message)
- Platform account data (names, email addresses, role assignments)
- Activity and security logs (access timestamps, actions taken within the platform)
- Communications with our team (emails, support requests)
- Anonymous website analytics data via Google Analytics 4
5. Data We Process (as Processor)
When acting as a data processor on behalf of Customer organisations, we process personal data according to the Customer's instructions. The types of data processed may include:
- Employee and driver records (names, contact details, licence information, role data)
- Site contact and customer records held within the platform
- Operational records including waste movement data that may be linked to named individuals
- Any other personal data uploaded by the Customer to the platform
Customers are responsible for ensuring their use of the platform to process personal data has a lawful basis and complies with UK GDPR. We do not use Customer data for any purpose other than delivering the platform services as instructed.
6. Data Processing Agreements
Where Clear Waste Route acts as a data processor, a Data Processing Agreement (DPA) is required under UK GDPR Article 28. Our standard DPA is available on request and includes:
- The subject matter, nature, and purpose of processing
- The type of personal data and categories of data subjects
- Our obligations and rights as processor
- Sub-processor provisions and notification requirements
- Data subject rights assistance commitments
- Breach notification obligations
- Data deletion or return on contract termination
To request a DPA, contact contact@clearwasteroute.co.uk.
7. Sub-Processors
We use the following sub-processors to assist in delivering our services. We maintain written contracts with each sub-processor that impose equivalent data protection obligations:
- Microsoft Azure (Microsoft Corporation) — cloud infrastructure, hosting, and data storage. Data is processed in UK/EU Azure regions. Microsoft complies with UK GDPR through its Data Protection Addendum.
- Web3Forms (web3forms.com) — marketing website form submissions. Data is transmitted to our inbox and not retained.
- Google LLC (Google Analytics 4) — anonymous website analytics. Google processes data under the UK-US data bridge framework.
We will notify Customers of any intended changes to our sub-processor list (additions or replacements) with reasonable advance notice, allowing Customers to object if appropriate.
8. International Data Transfers
Personal data may be transferred outside the UK in the following circumstances:
- Google Analytics — Google LLC processes analytics data in the United States under the UK-US data bridge adequacy framework.
- Microsoft Azure — We use UK and EU Azure regions as the primary data residency. Certain Microsoft support functions may involve access from other regions, covered by Microsoft's Standard Contractual Clauses.
Where no adequacy decision applies, we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46 (Standard Contractual Clauses or equivalent mechanisms).
9. Security Measures
We implement appropriate technical and organisational measures (TOMs) to protect personal data, including:
- Encryption — data encrypted in transit using TLS 1.2+ and at rest using AES-256 or equivalent
- Access controls — role-based access to data within the platform, with least-privilege principles applied
- Authentication — secure login mechanisms with support for multi-factor authentication
- Audit logging — comprehensive access and activity logs for security monitoring
- Vulnerability management — regular security reviews and updates
- Staff training — all staff with access to personal data are trained on data protection obligations
- Incident response — documented breach response procedures
10. Data Breach Notification
In the event of a personal data breach:
- Where Clear Waste Route is the data controller, we will notify the ICO within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms. Affected individuals will be notified without undue delay where the breach is likely to result in high risk.
- Where Clear Waste Route is the data processor, we will notify the affected Customer without undue delay after becoming aware of a personal data breach, providing sufficient information to allow the Customer (as data controller) to fulfil their own notification obligations.
11. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected:
- Website enquiry data: up to 2 years
- Platform account and operational data: for the duration of the subscription plus a 30-day post-termination export window, then securely deleted
- Security and audit logs: up to 12 months
- Legal, contractual, and financial records: as required by law (typically 6£7 years for financial records)
12. Data Subject Rights
Under UK GDPR, individuals have the following rights over their personal data:
- Right of access (SAR) — to receive a copy of personal data we hold
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure — to request deletion where no overriding lawful basis applies
- Right to restriction — to limit how we process data in certain circumstances
- Right to object — to object to processing based on legitimate interests
- Right to data portability — to receive data in a structured, machine-readable format where applicable
- Right to withdraw consent — where processing is consent-based, to withdraw at any time
To exercise any of these rights, email contact@clearwasteroute.co.uk with "Data Rights Request" in the subject line. We will respond within 30 days. We may request proof of identity before processing the request.
Note for platform users: If you are an employee or contact of an organisation using the Clear Waste Route platform, that organisation is the data controller for your personal data held within the platform. Please contact your employer or system administrator in the first instance.
13. Privacy by Design
We embed data protection into the design and development of the Clear Waste Route platform from the earliest stages. This includes:
- Data minimisation — collecting only the data necessary for each specific purpose
- Default privacy settings that protect user data without requiring action
- Regular data protection impact assessments (DPIAs) for high-risk processing activities
- Secure development practices including code review and security testing
14. Complaints
We take data protection concerns seriously. If you are unhappy with how we have handled your personal data, we ask that you contact us first so we can try to resolve your concern:
contact@clearwasteroute.co.uk
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
15. Updates to This Statement
We may update this GDPR Statement from time to time to reflect changes in our services, legal requirements, or data processing activities. The "last updated" date on this page will reflect any revisions. We encourage you to review this page periodically.