1. Who we are
BinPing Ltd ("BinPing", "we", "us", "our") is a private limited company registered in England and Wales (company number 14829112) with a registered office at 4 Kelham Riverside, Sheffield, S3 8RR.
For the purposes of UK GDPR and the Data Protection Act 2018, BinPing is the data controller of personal information collected through our website, mobile site, and reminder service.
Our Data Protection Officer is reachable at dpo@binping.co.uk.
2. What we collect
We deliberately collect the minimum amount of personal data we need to send you accurate bin reminders. In practice, this means:
| Data | Status | Purpose |
|---|---|---|
| Address & postcode | Required | To match you to a council collection schedule |
| Email or phone | Required | To send the reminder itself |
| Bin types selected | Required | So we only ping for the bins you put out |
| Reminder timing preferences | Optional | Lets you change "evening before" to morning-of, etc. |
| IP address & device type | Automatic | Standard server logs for security & abuse prevention |
| Account password (hashed) | Optional | Only if you create a full account |
We do not collect: location data, browsing history, advertising IDs, social-media identifiers, payment card details (we use Stripe — see "Who we share with"), or any "special category" data (health, beliefs, sexuality, etc.).
3. Why we collect it
Three reasons. That's all.
- To deliver the reminder service you actively signed up for.
- To improve the product — for example, to detect when a council schedule has changed unexpectedly.
- To meet legal obligations — for example, retaining transaction records for HMRC, or responding to a lawful court order.
4. Lawful basis
Under UK GDPR, we rely on the following lawful bases:
- Contract (Article 6(1)(b)) — we need your address and contact details in order to provide the reminder service you've requested.
- Legitimate interests (Article 6(1)(f)) — for limited operational uses such as fraud prevention, service security, and aggregated analytics. We've completed a Legitimate Interests Assessment for each of these.
- Consent (Article 6(1)(a)) — for our optional product newsletter. You can withdraw consent at any time via the unsubscribe link in any email.
- Legal obligation (Article 6(1)(c)) — for tax records, lawful disclosure requests, etc.
5. Who we share with
We share data with a small, carefully chosen set of processors who help us run the service. Every one of them is contractually bound to UK GDPR-equivalent terms.
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (eu-west-2) | Hosting & database | London, UK |
| Postmark | Transactional email delivery | Frankfurt, EU |
| Twilio | SMS delivery | Dublin, EU |
| Stripe | Payment processing (paid plans only) | Dublin, EU |
| Plausible Analytics | Cookieless website analytics | Frankfurt, EU |
We do not share or sell your data to councils, advertisers, marketing networks, or data brokers.
6. How long we keep it
- Active accounts: for as long as your account is active.
- Closed accounts: deleted within 7 days of closure, except for items we're legally required to retain.
- Server logs: 30 days, then automatically purged.
- Billing & tax records: 6 years (UK statutory minimum).
- Marketing list: until you unsubscribe, plus a small "do not contact" record we retain to respect your unsubscribe.
7. Your rights
Under UK GDPR, you have the right to:
- Be informed about how we use your data (this page).
- Access a copy of your data — request via your dashboard or email.
- Rectify inaccurate data — most fields are editable in-app.
- Erase your data ("right to be forgotten") — one click in your dashboard.
- Restrict processing — pause reminders without deleting the account.
- Data portability — export your data as JSON or CSV.
- Object to processing based on legitimate interests.
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk) — though we'd love a chance to put it right first.
8. Cookies & tracking
We use exactly two cookies:
- session — strictly necessary, signs you into your account, expires when you close the browser.
- preferences — strictly necessary, remembers your reminder time preferences and theme. 12 months.
We do not use third-party cookies, advertising pixels, behavioural tracking, fingerprinting or session-replay tooling. Our analytics provider (Plausible) is fully cookieless and aggregates everything at the page level.
9. Security
All traffic is encrypted in transit using TLS 1.3. Personal data is encrypted at rest using AES-256. Passwords are stored as Argon2id hashes — even we cannot read them.
Access to production data is limited to a small number of named engineers, gated behind hardware security keys and reviewed quarterly.
10. Children
BinPing is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact our DPO and we will delete it.
11. Changes to this policy
If we make material changes to this policy, we will notify all active users by email at least 30 days before the changes take effect. Minor edits will be reflected here with a new "last updated" date.
12. Contact us
For any data-protection question, request, or complaint, please use the contact details below.