Legal
Last updated: 12 March 2026 · Effective: 12 March 2026
WhealBit, trading as QWTN ("we", "us", "our"), is the data controller responsible for your personal data collected through the Quick Waste Note (QWTN) platform ("Service"). ICO registration pending.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the controller of personal data we process in connection with the Service. Where you enter personal data about your own employees, clients, contractors, or other third parties into the Service, we act as a data processor on your behalf in relation to that data.
If you have questions, concerns, or requests regarding this Policy or the processing of your personal data, please contact us at privacy@qwtn.co.uk.
We collect the following categories of personal data, depending on how you interact with the Service:
When you create an account, we collect:
If you verify your EA waste carrier registration through the Service:
For paid subscriptions, our payment processor collects and processes payment details. We receive and store:
We do not store your card number, CVV, or expiry date. These are handled exclusively by our payment processor.
If you choose to store BACS payment details for invoice purposes, we also collect and store:
See Section 3 for important information about this data as special-care financial data.
Data you enter when generating Waste Transfer Notes, including:
When you use the Health & Safety Module, we collect:
See Section 15 for full details of cookies and tracking technologies we use.
When you use the accident book feature within the Health & Safety Module, you record personal data including the injured person's name, date of birth, injury details, and treatment records. This data constitutes special category health data under Article 9 UK GDPR.
Your legal basis. As the data controller for your employees' and workers' personal data, you must have an appropriate Article 9(2) lawful basis to process this data. Relevant bases may include:
You are solely responsible for identifying and documenting your lawful basis for processing special category data through the Service.
Our role. We process accident record data only as your data processor, strictly to provide the Service. We do not use accident record data for our own purposes.
Access controls. The Service restricts access to accident records to users with the "Senior Safety Officer" or "Admin" health and safety role. These controls are a technical aid only. You are responsible for implementing appropriate organisational access controls independently.
BACS financial data. While not special category data under UK GDPR, bank account details (sort code and account number) stored in the Service require heightened care. We implement enhanced security measures for this data and recommend that you do not store BACS details in the Service unless strictly necessary for invoice generation purposes.
Location data. GPS coordinates captured in near-miss reports may constitute sensitive data depending on context. We process this data only as your data processor. You are responsible for ensuring that location capture is lawful and that affected individuals are informed of this processing.
We collect personal data through the following means:
We process your personal data only where we have a valid legal basis under UK GDPR. The legal bases we rely on are:
Contract Performance
Processing necessary to provide the Service, manage your account, process subscriptions, and fulfil our contractual obligations to you — including delivering all modules of the Service (waste notes, H&S, fleet, permits, invoicing, scheduling).
Legitimate Interests
Processing for our legitimate business interests, including improving the Service, preventing fraud, ensuring security, delivering email communications about the Service, and monitoring usage patterns — where these interests are not overridden by your rights and freedoms.
Legal Obligation
Processing required to comply with our legal obligations, including tax records, anti-money laundering requirements, data protection law compliance, and responses to lawful regulatory requests.
Consent
Where you have given your explicit consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Where we rely on legitimate interests, you have the right to object. See Section 13 for details of your rights.
For special category health data processed through the accident book, we rely on Article 9(2)(b) (employment and social security obligations) in our capacity as your data processor. You, as controller, must have your own Article 9(2) basis — see Section 3.
We use your personal data for the following purposes:
We will not use your personal data for purposes incompatible with those listed above without providing you with prior notice.
You are solely responsible for:
Where required by law, we will assist you in responding to data subject requests made in connection with data you have submitted to the Service, subject to any applicable data processing agreement.
Data you store in the Service — including Waste Transfer Notes, H&S records, fleet records, permits, and invoices — is retained in accordance with Section 11. You acknowledge that we may delete this data upon account termination or service discontinuation without independent obligation to export or migrate it to you.
We do not sell your personal data. We share your data only in the following circumstances:
We engage carefully selected third-party service providers who process personal data on our behalf. See Section 9 for a full list of our current sub-processors.
All service providers are bound by data processing agreements and are required to process data only on our instructions and in accordance with applicable law.
When you use features that send data to third parties — such as sharing a Waste Transfer Note via email, sending a signature request, sending an invoice, or inviting a team member — you direct us to transmit your data to the specified recipient. You are responsible for ensuring you are authorised to share that data with the recipient.
When you perform a Companies House search or EA carrier register lookup through the Service, we query those external APIs on your behalf. The data returned is stored in your account. These queries are subject to the terms and privacy policies of Companies House and the Environment Agency respectively.
We may disclose your data where required to do so by law, court order, or regulatory authority (including the Environment Agency, HSE, ICO, DVSA, or HMRC), or where disclosure is necessary to protect our legal rights, investigate fraud, or protect the safety of any person.
In the event of a merger, acquisition, sale of assets, or other corporate transaction involving the Company, your personal data may be transferred to the successor entity. We will notify you of any such transfer as required by law.
We may share your data with third parties in other circumstances where you have given your explicit consent.
We do not share your personal data with third parties for their own marketing purposes without your explicit consent.
The following third-party sub-processors currently process personal data on our behalf in connection with the Service. We maintain data processing agreements with each.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage (all account data, document data, H&S records, fleet records) | EU / US (AWS) |
| Twilio SendGrid | Transactional email delivery (waste note sharing, signature requests, invoices, team invitations, incident alerts, reminders) | US |
| Cloudflare, Inc. | CAPTCHA verification (Turnstile), network security, and CDN | US |
| Upstash, Inc. | Redis-based rate limiting and request throttling | EU / US |
| Vercel, Inc. | Application hosting, edge functions, and analytics | US |
| Companies House (HM Government) | Company name and registration lookup (queried only when you initiate a search) | UK |
| Environment Agency (HM Government) | Waste carrier register lookup (queried only when you initiate a verification) | UK |
We may update this list from time to time as our sub-processors change. Material changes will be reflected in this Policy. You may request the current sub-processor list at any time by contacting us at privacy@qwtn.co.uk.
The Service is operated from England and Wales. However, some of our sub-processors (including Supabase, SendGrid, Cloudflare, Upstash, and Vercel) may process your data in the United States or other countries outside the UK or EEA.
Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
You may request further information about international transfers and the safeguards in place by contacting us at privacy@qwtn.co.uk.
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes or enforce our agreements.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 6 years | Legal, contractual, and tax obligations |
| Billing & payment records | 7 years from transaction | HMRC and legal requirements |
| Waste Transfer Notes (Pro/Business) | 2 years from creation (minimum) | Statutory Duty of Care retention |
| Waste Transfer Notes (Free) | 90 days from creation | Service delivery |
| Hazardous waste consignment notes | 3 years from creation | Hazardous Waste Regulations 2005 |
| H&S records (RAMS, near-miss) | 3 years from creation | RIDDOR and HSE record-keeping guidance |
| Accident records | 3 years from date of last entry | Social Security (Claims and Payments) Regulations 1979 / RIDDOR |
| Fleet walkaround records | 15 months from creation | O-licence operator compliance guidance |
| Fleet maintenance records | Duration of vehicle ownership + 2 years | Operator compliance and contractual |
| Permit documents | Duration of permit + 3 years | Regulatory compliance |
| BACS payment details | Duration of account (deleted on request) | Invoice generation; deleted upon account closure |
| GPS/location data (near-miss) | Same as associated H&S record | H&S record-keeping |
| Photo uploads (H&S/fleet) | Same as associated record | H&S and fleet record-keeping |
| Usage & analytics data | 26 months from collection | Service improvement |
| Support communications | 3 years from last contact | Dispute resolution |
| Marketing consent records | Duration of consent + 3 years | Consent management |
| Security & fraud logs | 12 months from creation | Security and compliance |
After the applicable retention period expires, we will securely delete or anonymise your personal data. Anonymised data (which cannot be used to identify you) may be retained indefinitely for analytical purposes.
If your account is closed — whether by you or by us — we may retain certain data for the periods set out above, even after account closure, to comply with our legal obligations.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
If you believe your account has been compromised, please contact us immediately at privacy@qwtn.co.uk.
Data Breach Notification. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay, as required by UK GDPR, and will notify the Information Commissioner's Office (ICO) within 72 hours where required.
Subject to applicable law and certain exceptions, you have the following rights in relation to your personal data:
Right of Access
You can request a copy of the personal data we hold about you (a "Subject Access Request" or SAR). We will respond within one month of receipt.
Right to Rectification
You can ask us to correct inaccurate or incomplete personal data we hold about you.
Right to Erasure ("Right to be Forgotten")
You can ask us to delete your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right does not apply where we are required to retain data by law — for example, accident records subject to statutory retention requirements cannot be deleted until the retention period expires.
Right to Restriction of Processing
You can ask us to restrict the processing of your personal data in certain circumstances, for example while you contest its accuracy.
Right to Data Portability
Where processing is based on contract or consent, you can request a machine-readable copy of personal data you have provided to us.
Right to Object
You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Rights in Relation to Automated Decision-Making
You have the right not to be subject to solely automated decisions that significantly affect you. We do not currently make such decisions.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at privacy@qwtn.co.uk. We may ask you to verify your identity before processing your request. We will respond within one month, which may be extended by a further two months for complex or numerous requests (we will notify you of any extension).
We will not charge a fee for exercising your rights unless a request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act.
Right to Lodge a Complaint. If you are not satisfied with our handling of your personal data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
We would welcome the opportunity to address any concerns directly before you contact the ICO, and encourage you to contact us first.
The Service is not directed at children under the age of 18. We do not knowingly collect or process personal data from children. If you believe that a child under 18 has provided personal data to us, please contact us immediately at privacy@qwtn.co.uk and we will take steps to delete that data.
This restriction does not affect accident or H&S records that may incidentally reference a minor (for example, a member of the public). Such data must be handled in accordance with UK GDPR and you, as the data controller, are responsible for appropriate safeguarding.
We use cookies and similar tracking technologies on the Service. A cookie is a small text file placed on your device when you visit a website.
Strictly Necessary Cookies
Essential for the operation of the Service, including session management, security, authentication, and CAPTCHA verification (Cloudflare Turnstile). These cannot be disabled without significantly affecting the Service.
Functional Cookies
Enable personalised features such as remembering your preferences, theme settings, and UI state. These are not strictly necessary but enhance your experience.
Analytics Cookies
Help us understand how users interact with the Service, which features are most used, and where improvements can be made. We use aggregated and anonymised data wherever possible (via Vercel Analytics).
Marketing Cookies
Used to deliver relevant advertising or to track the effectiveness of marketing campaigns. We will only use these with your explicit consent.
Email Tracking. Emails sent through the Service via our email delivery provider (SendGrid) may include tracking pixels that allow us to record whether an email was opened and whether links were clicked. This data is used solely to monitor deliverability and improve our communications. You can opt out of email tracking by disabling image loading in your email client.
Cookie Consent. When you first visit the Service, you will be presented with a cookie banner. By accepting non-essential cookies, you consent to their use. You can withdraw or update your cookie preferences at any time via the cookie settings link in the footer.
Managing Cookies. You can also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service. Most browsers allow you to:
For more information about managing cookies, visit allaboutcookies.org.
The Service may contain links to third-party websites or services. These third-party services have their own privacy policies, and we accept no responsibility or liability for their content, privacy practices, or data handling.
Where we use third-party integrations (such as payment processors, Companies House, the EA carrier register, or analytics tools), those providers operate under their own privacy policies. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.
We reserve the right to update this Privacy Policy at any time to reflect changes in our data practices, legal obligations, new Service features, or changes to our sub-processors. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email or through a notice within the Service.
We encourage you to review this Policy periodically. Your continued use of the Service after any update constitutes your acceptance of the updated Policy. If you do not agree with any changes, you must stop using the Service and may close your account.
For any questions, requests, or concerns about this Privacy Policy or the way we handle your personal data, please contact our privacy team:
WhealBit — Privacy
Email: privacy@qwtn.co.uk
Response time: Within 30 days
Jurisdiction: England and Wales
If you are dissatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).