Privacy Policy

Last updated: 6th February 2026 | Last reviewed: 6th February 2026

This privacy policy explains how Freeconomy Today ("we", "us", "our") collects, uses, discloses, and safeguards your information when you use our recycling, logistics, and service platform. This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Overview and Who We Are

Who we are: Freeconomy Today Ltd is a UK-based company registered in England and Wales. We provide a comprehensive platform connecting customers with recycling, waste management, logistics, and contractor services.

Our platform services include:

• Recycling and Waste Collection: Household and commercial waste collection, recycling services, and disposal
• Vehicle Fleet Management: Tracking and management of service vehicles
• Contractor Marketplace: Platform connecting customers with independent contractors
• Job Tracking and Management: Real-time job status updates and scheduling
• Customer Portal: Account management, quotes, and service requests
• Contractor Portal: Job acceptance, availability management, and fleet coordination
• Admin Dashboard: Platform oversight and user management

Data Protection Officer: We have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws. You can contact our DPO at info@freeconomytoday.uk with the subject line "FAO: Data Protection Officer".

2. Information We Collect

We collect different types of information depending on how you use our platform. Below is a breakdown by user type and service.

2.1 Information Provided by You

Customer Accounts

When you register as a customer, we collect:

• Identity data: Full name, date of birth (for verification)
• Contact data: Email address, phone number, postal address
• Account credentials: Username, password (encrypted)
• Payment data: Payment card details (processed securely via Square - we do not store full card numbers)

Contractor Accounts

When you register as a contractor, we collect:

• Identity data: Full name, date of birth, National Insurance number (for compliance)
• Contact data: Email address, phone number, postal address
• Business data: Business name, VAT number (if applicable), company registration number
• Vehicle data: Vehicle registration, make, model, year, insurance details
• Qualifications: Licences, certificates, accreditations
• Availability data: Calendar availability, preferred working hours

Service Requests and Jobs

When you request services, we collect:

• Service details: Service type, quantity, description, photos/videos
• Location data: Pickup/delivery addresses, access instructions
• Scheduling data: Preferred dates and times
• Special requirements: Accessibility needs, hazardous materials, special handling

2.2 Information Collected Automatically

When you use our platform, we automatically collect:

• Device data: IP address, browser type, operating system, device type
• Usage data: Pages visited, time spent, features used, click patterns
• Location data: Approximate location derived from IP address (for security and routing)
• Log data: Login history, authentication attempts, error logs

2.3 Information from Third Parties

We may receive information about you from:

• Payment processors: Transaction confirmation and fraud prevention data
• Identity verification services: Background checks and licence verification
• References: Character or professional references (for contractors)
• Public sources: Companies House, electoral roll (for verification)

3. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your personal data. Below are the legal bases we rely on for different processing activities:

Processing Activity	Legal Basis	Explanation
Providing services you've requested	Contract Performance	We need your data to fulfil our service contract with you
Payment processing	Contract Performance	Required to complete payment for services
Communicating about your orders	Contract Performance	Service updates, job status, scheduling
Background checks for contractors	Legal Obligation	Required to comply with UK employment and safety regulations
Record keeping and accounting	Legal Obligation	Tax, company law, and regulatory requirements
Marketing communications	Consent	Only with your explicit consent (can be withdrawn)
Platform improvements and analytics	Legitimate Interests	To improve and develop our services
Fraud prevention and security	Legitimate Interests	To protect our platform and users from fraud

Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. How We Use Your Information

We use your information for the specific purposes outlined below. Each purpose is linked to the legal basis described in Section 3.

4.1 Service Delivery

• Process and fulfil your service requests
• Match you with suitable contractors
• Schedule and coordinate jobs
• Provide real-time tracking and updates
• Process payments and issue invoices
• Example: When you request a waste collection, we use your address to route the nearest available contractor and provide you with an estimated arrival time.

4.2 Platform Operations

• Create and manage your account
• Authenticate your identity and prevent unauthorised access
• Provide customer support
• Conduct background checks on contractors
• Manage contractor availability and fleet scheduling
• Example: We use your login history to detect suspicious activity and protect your account from unauthorised access.

4.3 Legal and Regulatory Compliance

• Comply with tax and accounting regulations
• Meet health and safety requirements
• Fulfil waste carrier licensing obligations
• Prevent fraud and money laundering
• Example: We verify contractor licences to ensure compliance with UK waste carrier regulations.

4.4 Marketing (With Consent)

• Send promotional emails (only with your consent)
• Personalise your experience based on preferences
• Recommend relevant services
• Example: If you consent, we may send you offers about recycling services in your area based on your location.

4.5 Service Improvements

• Analyse usage patterns to improve our platform
• Develop new features and services
• Conduct A/B testing to optimise user experience
• Example: We analyse which features are most used to prioritise development and improve the user interface.

5. Data Sharing and Disclosures

We respect your privacy and will not sell your personal information. We may share your data only in the specific circumstances described below.

5.1 Service Providers

We work with trusted third-party service providers who help us operate our platform. These include:

• Payment processors: Square UK Ltd processes all payments. We do not store your full card details.
• Hosting providers: Data stored on secure UK-based servers.
• Communication services: Email and SMS delivery services for notifications.
• Analytics services: Tools that help us understand how our platform is used.

These service providers process your data only on our instructions and under strict confidentiality agreements.

5.2 Contractors

When you book a service, we share relevant details with the assigned contractor:

• Name and contact information
• Service requirements and location
• Scheduling details
• Payment confirmation (not full card details)

We share only the information necessary for the contractor to complete the job.

5.3 Professional Advisers

We may share data with professional advisers when necessary:

• Legal advisers for disputes or regulatory matters
• Accountants for tax and financial reporting
• Auditors for compliance verification

5.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Court orders or warrants
• Law enforcement investigations
• Regulatory inquiries
• Protection of our rights, property, or safety
• Prevention of fraud or illegal activity

5.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred to the new owner. We will notify you of any such change.

6. International Data Transfers

UK Data Storage: Your personal data is primarily stored and processed within the United Kingdom. We use UK-based data centres for our primary storage.

Limited International Transfers: Some of our service providers may process data outside the UK. This includes:

• Email delivery services (may route through EU/US servers)
• Analytics services (may process data in the US)

Safeguards: When data is transferred internationally, we ensure appropriate safeguards are in place:

• Using services certified under the EU-US Data Privacy Framework (or successor schemes)
• Requiring contractors to provide adequate protection under UK GDPR standards
• Using Standard Contractual Clauses (SCCs) approved by the ICO

Your Rights: You have the right to object to international data transfers. Contact us at info@freeconomytoday.uk to discuss alternatives.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, as required by law, or as permitted by applicable regulations.

Data Category	Retention Period	Reason
Account information	While account is active + 7 years after closure	Legal and tax requirements
Transaction records	7 years from transaction date	Tax and accounting regulations
Job/service records	7 years from service completion	Legal and warranty requirements
Contractor documents	7 years after contractor relationship ends	Employment and safety regulations
Marketing preferences	Until consent withdrawn or account deleted	Consent-based processing
Website analytics	26 months	Industry standard for analytics
IP addresses and log data	12 months	Security and fraud prevention

Data Deletion: After the retention period expires, we securely delete or anonymise your data. For certain records required by law (e.g., tax records), we retain only the minimum necessary information.

8. Your Data Rights

Under UK GDPR, you have several rights regarding your personal information. These rights are designed to give you control over your data.

8.1 Right to Access (Subject Access Request)

What it means: You have the right to request a copy of all personal information we hold about you.

How to exercise: Email info@freeconomytoday.uk with the subject "Subject Access Request". We will provide your information within 30 days.

What you'll receive: A comprehensive report including all your data, the purposes of processing, who we share it with, and how long we keep it.

8.2 Right to Rectification

What it means: You can request correction of inaccurate or incomplete information.

How to exercise: Log into your account and edit your profile, or contact us at info@freeconomytoday.uk. We will correct inaccuracies within 30 days.

8.3 Right to Erasure (Right to be Forgotten)

What it means: You can request deletion of your personal information, subject to certain legal obligations.

How to exercise: Contact us at info@freeconomytoday.uk with the subject "Data Deletion Request".

Limitations: We may not be able to delete all data if required by law (e.g., tax records) or for ongoing contractual obligations. In such cases, we will explain what we can and cannot delete.

8.4 Right to Restrict Processing

What it means: You can request that we limit how we use your data while a dispute is resolved.

When you can use this: If you contest the accuracy of your data, object to processing, or claim our processing is unlawful.

How to exercise: Contact us at info@freeconomytoday.uk.

8.5 Right to Data Portability

What it means: You can request your data in a machine-readable format to transfer to another service.

How to exercise: Contact us at info@freeconomytoday.uk. We will provide your data in CSV or JSON format within 30 days.

8.6 Right to Object

What it means: You can object to certain types of processing, particularly those based on legitimate interests.

How to exercise: Contact us at info@freeconomytoday.uk specifying which processing you object to and why.

8.7 Rights Related to Automated Decision Making

Our position: We do not make decisions about you solely based on automated processing. However, we may use automated systems for:

• Fraud detection and prevention
• Matching customers with contractors based on location and availability

You have the right to request human intervention and to challenge these decisions. Contact us at info@freeconomytoday.uk.

8.8 Right to Withdraw Consent

What it means: If we process your data based on consent, you can withdraw that consent at any time.

How to exercise:

• Email preferences: Unsubscribe link in all marketing emails
• Account settings: Manage your consent in your profile
• Contact us: Email info@freeconomytoday.uk

8.9 Right to Complain

What it means: If you believe we have violated your data protection rights, you have the right to complain to a supervisory authority.

Our commitment: We take all complaints seriously. Please contact us first at info@freeconomytoday.uk, and we will do our best to resolve the issue.

ICO Contact: If you remain unsatisfied, you can contact the Information Commissioner's Office (ICO):

• Website: ico.org.uk/concerns/
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Children's Privacy

Our services are not intended for children under 18. We do not knowingly collect information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at info@freeconomytoday.uk.

For young people aged 16-17: If you are between 16 and 17, you can use our services with parental consent. Please ensure you have your parent or guardian's permission before creating an account or providing personal information.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience, analyse usage, and provide personalised content.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences and understand how you use our platform.

10.2 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Authentication, security, keeping you logged in	Session or 30 days
Preference Cookies	Remember your settings (language, location)	1 year
Analytics Cookies	Understand how our platform is used	2 years
Marketing Cookies	Personalise content and ads (with consent)	90 days

10.3 Your Cookie Choices

You have several options for managing cookies:

• Consent banner: When you first visit, you can accept or reject non-essential cookies
• Browser settings: Configure your browser to reject all or some cookies
• Cookie preferences: Manage your preferences in Privacy Settings

Please note: If you reject essential cookies, some features of our platform may not function properly.

10.4 Do Not Track

We respect Do Not Track (DNT) browser settings. If your browser is set to send DNT signals, we will not use tracking cookies for analytics purposes, subject to our legal obligations.

11. Security Logging

To protect your account and maintain platform security, we log security-related events in our audit system. This helps us detect, prevent, and investigate unauthorised access, fraud, and security threats.

11.1 What Security Events We Log

We log the following security events to our user_activity_log system:

Authentication Events

• Account lockouts: Automatic lockouts due to repeated failed login attempts
• Account unlocks: Manual account unlocks performed by administrators
• Failed login attempts: Unsuccessful login attempts with reasons (e.g., invalid password, account not found)
• Successful logins: Completed authentication events
• Logout events: When you explicitly log out of your account

Account Management Events

• Password reset requests: When you request a password reset link
• Password reset completions: When you complete a password reset
• Password changes: When you change your password (forced or voluntary)
• Account suspensions: When an account is suspended
• Account reactivations: When a suspended account is reactivated
• User approvals: When a pending user is approved
• User rejections: When a pending user is rejected

Authorization Events

• Role assignments: When a role is assigned to a user
• Role removals: When a role is removed from a user
• Permission grants: When a direct permission is granted to a user
• Permission revocations: When a direct permission is revoked from a user

Multi-Factor Authentication (MFA)

• MFA enabled: When you enable MFA on your account
• MFA disabled: When MFA is disabled on your account

Security Threat Detection

• Suspicious activity: Generic suspicious activity detected
• Brute force attempts: Patterns indicating brute force attacks
• Session hijack attempts: Potential session hijacking detected
• Rate limit exceeded: API or route rate limits exceeded

11.2 Data We Log

For each security event, we record the following information:

• Event type: The category of security event (e.g., "login_failed", "account_locked")
• Timestamp: Date and time when the event occurred (UTC)
• IP address: The IP address from which the event originated
• User agent: Browser or application information (device, OS, browser version)
• Result: Whether the event resulted in success, failure, partial success, or error
• Additional context: Event-specific details (e.g., lockout duration, reason for failure, administrator who performed action)

Data redaction: Sensitive data such as passwords, authentication tokens, and full payment card numbers are automatically redacted from security logs and never stored in plain text.

11.3 Legal Basis for Security Logging

Our security logging practices are based on multiple legal grounds under UK GDPR:

Logging Purpose	Legal Basis	Explanation
Account security monitoring	Legitimate Interest	Protecting accounts from unauthorised access is a legitimate interest necessary for service security
Fraud prevention	Legitimate Interest	Preventing fraudulent activity protects us and our users from financial harm
Incident response	Legitimate Interest	Responding to security incidents requires access to event logs
Regulatory compliance	Legal Obligation	Various UK regulations require maintaining security audit trails
Service provision	Contract Necessity	Providing a secure platform requires monitoring security events

11.4 Security Log Retention

We retain security event logs for the following periods:

Log Type	Retention Period	Reason
Authentication events (logins, logouts)	12 months	Security monitoring and incident investigation
Account security events (lockouts, password resets)	24 months	Extended retention for account abuse prevention
Administrative actions (role changes, suspensions)	7 years	Administrative audit trail and regulatory compliance
Security threat events (brute force, hijack attempts)	36 months	Extended retention for threat analysis and pattern detection
IP addresses and user agents	As per associated event	Retained as part of security event records

Automated cleanup: We implement automated cleanup routines to securely delete logs after their retention period expires. Critical security events may be retained longer when required for ongoing investigations or legal proceedings.

11.5 Your Rights Regarding Security Logs

Right to Access Your Security Logs

You have the right to access security events associated with your account. This includes:

• Your own login history (successful and failed attempts)
• Password reset events
• MFA enable/disable events
• Role and permission changes affecting your account
• Account suspension or reactivation events

How to access: Log into your account and visit the Security Settings page to view your recent security events. For a complete history, submit a Subject Access Request to info@freeconomytoday.uk.

Right to Request Deletion

You can request deletion of your security event logs. However, please note:

• Security exceptions: We may retain certain logs if deletion would compromise security investigations or ongoing legal matters
• Legal obligations: Logs required for legal or regulatory compliance may be retained until those obligations expire
• Contractual necessity: Logs necessary for service provision (e.g., fraud prevention) may be retained

How to request: Contact us at info@freeconomytoday.uk with the subject "Security Log Deletion Request". We will assess your request and confirm what can be deleted within 30 days.

Right to Object

You can object to security logging based on legitimate interests. However, if we can demonstrate compelling legitimate grounds for processing that override your interests, or if processing is for legal claims, we may continue logging.

How to object: Contact us at info@freeconomytoday.uk specifying "Security Logging Objection" in the subject line.

11.6 Who Can Access Security Logs

Access to security audit logs is strictly controlled:

• Administrators: Authorised administrators can view security logs for incident investigation and platform maintenance
• Data Protection Officer: Our DPO has access for compliance monitoring and responding to data rights requests
• Security team: Designated security personnel may access logs for threat analysis and incident response

All access to security audit logs is itself logged, creating an audit trail of who viewed what information and when.

11.7 Automated Security Responses

Our system may automatically take security actions based on logged events:

• Account lockouts: Automatic temporary lockout after multiple failed login attempts
• Rate limiting: Temporary throttling or blocking of IPs exceeding request limits
• Alerts: Notifications to administrators for critical security events

These automated responses help protect your account in real-time. Details of automated actions are logged and can be reviewed.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage.

12.1 Security Measures We Implement

• Encryption: All data in transit is encrypted using HTTPS/TLS
• Password hashing: Passwords are hashed using strong algorithms (bcrypt/Argon2)
• Access controls: Multi-factor authentication, role-based access control
• Regular audits: Periodic security assessments and penetration testing
• Employee training: All staff receive data protection training
• Secure facilities: Our servers are housed in secure, access-controlled data centres

12.2 Your Security Responsibilities

You also play a role in keeping your data secure:

• Use a strong, unique password for your account
• Enable two-factor authentication if available
• Don't share your password with anyone
• Log out when using shared devices
• Keep your contact information up to date so we can reach you about security issues

12.3 No System is 100% Secure

Despite our best efforts, no method of transmission over the internet is completely secure. While we strive to protect your information, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to info@freeconomytoday.uk.

13. Data Breach Notification

If a data breach occurs: We take data breaches very seriously. If your personal information is involved in a breach that poses a risk to your rights and freedoms, we will notify you:

• Without undue delay: Within 72 hours of becoming aware of the breach (where feasible)
• How we'll notify you: By email, and if appropriate, by post or phone
• What we'll tell you: The nature of the breach, categories of data affected, likely consequences, and steps we're taking

We will also notify the Information Commissioner's Office (ICO) as required by law.

14. Changes to This Privacy Policy

When we update this policy: We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or technology.

14.1 How We'll Notify You

For significant changes, we will notify you by:

• Email (to your registered email address)
• Platform notification
• Notice on our website

14.2 Version History

• 6 February 2026: Security Logging Disclosure - Added comprehensive section on security audit logging practices, including logged events, data collected, legal bases, retention periods, and user rights (Task #184)
• 6 February 2026: Major GDPR compliance update - expanded service coverage, added legal bases, data retention periods, and enhanced rights information
• Previous versions: Available on request

Your continued use: If you continue to use our platform after changes are posted, you accept the updated policy.

15. Contact Us

If you have questions, concerns, or requests about this privacy policy or our data practices, please contact us:

This privacy policy was last updated on 6th February 2026 and is reviewed annually to ensure continued compliance with UK GDPR and the Data Protection Act 2018.