ConsultEarth Privacy Policy
Last updated: 9 July 2026 Version: 1.1
1. About this policy
ConsultEarth is a marketplace that connects organisations ("Clients") with independent environmental and sustainability professionals ("Experts"). This policy explains what personal data we collect, why, how long we keep it, who we share it with, and the rights you have over it.
The controller of your personal data is Consultearth Ltd, a company registered in England and Wales (company number 16727374), trading as "ConsultEarth", with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom ("we", "us", "our"). We are registered with the UK Information Commissioner's Office (registration number ZC069712).
This policy covers our processing of personal data where we decide why and how it is processed. It does not cover the processing that Clients and Experts carry out on their own account. When you engage with another user — for example, when an Expert delivers work to a Client — each of you may be a separate, independent controller of the personal data you share with the other. We are not responsible for how another user handles your data once you have shared it with them through the platform. If you want to know how another user processes your data, please contact them directly.
If you have any questions about this policy or your data, contact us at privacy@consultearth.com.
2. What information we collect
We collect personal data in three ways: information you give us, information we collect automatically, and information we receive from third parties.
2.1 Information you give us
| Category | Examples |
|---|---|
| Account and identity | Name, email address, password (stored only as a secure hash by our authentication provider), account role (Expert or Client), and the sign-in method you choose (email, Google, or LinkedIn) |
| Expert profile | Photo, headline, biography, areas of expertise, work experience, education, qualifications, past projects, languages, rates, website and LinkedIn links, and any other content you choose to publish |
| Client profile and organisation | Name, work email, company or organisation name, role/job title, and team-member details where you invite colleagues |
| Engagement content | Job posts, proposals, applications, messages, service inquiries, shortlists, milestones, deliverables, amendments, and files you upload in the course of hiring or being hired |
| Booking content | Advisory-call scheduling details (name, email, chosen time) and any notes you provide |
| Payment information | Billing name and address. Card details are entered directly with our payment processor (Stripe) and tokenised; we never see or store your full card number |
| Support and reports | The content of any message you send our support or Trust & Safety teams, including any reports you file about other users or content, and any evidence files you attach |
2.2 Information we collect automatically
| Category | Examples |
|---|---|
| Device and connection | IP address, browser type, device type, and similar technical data needed to deliver and secure the service |
| Usage | Pages viewed, tools opened, actions taken, and timestamps — used to operate and secure the platform and to understand and improve how it is used. This in-product usage record covers which pages and features you use, not the content of what you write |
| Cookies and similar technologies | See Section 10. We use strictly necessary cookies, plus optional analytics cookies that we set only if you consent |
| Security and abuse-prevention signals | Data generated by our sign-up protections, including an automated bot-detection check at sign-up |
2.3 Information we receive from third parties
| Source | What we receive |
|---|---|
| Sign-in providers (Google, LinkedIn) | If you choose to sign in with Google or LinkedIn, we receive a stable account identifier and basic profile information (such as your name and email) from that provider, in line with your settings with them |
| Payment processor (Stripe) | Confirmation of payment, payout, and subscription status, and limited transaction metadata. We do not receive full card numbers |
2.4 Special category and criminal-offence data
We do not ask for, and do not want, special category data (such as data revealing health, race, religion, sexual orientation, or political views) or criminal-offence data. Some free-text areas, including the Trust & Safety report form, warn you not to include this kind of data about yourself or others. If special category data reaches us incidentally — for example, in a CV you upload or in free text you write — we minimise it, protect it under the same security controls as all other personal data, and delete it when it is no longer needed.
We do not currently carry out criminal background checks or collect identity documents for vetting. If that ever changes, we will update this policy first.
3. How we use your information and our lawful basis
We use your personal data for the purposes below. For each purpose, UK GDPR requires us to have a lawful basis; we set out the basis we rely on.
| Purpose | What this involves | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Creating and securing your account | Registering you, authenticating sign-in, enforcing role separation, protecting accounts from abuse | Performance of a contract (Art. 6(1)(b)); our legitimate interests in preventing abuse and in confirming users are old enough to form a binding contract (Art. 6(1)(f)) |
| Publishing Expert profiles | Making Expert profiles discoverable so Clients can find them | Performance of a contract (Art. 6(1)(b)); our legitimate interests in operating a discoverable marketplace (Art. 6(1)(f)) |
| Running the marketplace | Managing job posts, applications, proposals, shortlists, hiring pipelines, service inquiries, messages, engagements, milestones, deliverables, and files | Performance of a contract (Art. 6(1)(b)) |
| Booking and delivering advisory calls | Scheduling and supporting calls between users, and sending call reminders | Performance of a contract (Art. 6(1)(b)); our legitimate interests in reducing missed calls (Art. 6(1)(f)) |
| Processing payments and payouts | Taking subscription, credit, token, and advisory-call payments, and paying Experts through Stripe Connect | Performance of a contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)) |
| Sending service messages | Transactional and lifecycle emails and in-app notifications about your account and activity | Performance of a contract (Art. 6(1)(b)); our legitimate interests in keeping you informed (Art. 6(1)(f)) |
| Keeping the platform safe | Receiving and acting on reports, moderating content, investigating abuse, and suspending accounts where necessary | Our legitimate interests in a safe platform (Art. 6(1)(f)); legal obligation, including under the Online Safety Act 2023 (Art. 6(1)(c)) |
| Improving the product | Understanding how the service is used — both in aggregate through optional analytics cookies, and by recording which pages and tools our signed-in users use (never the content of what you write) so we can see what to improve | Consent for any non-essential analytics cookies (Art. 6(1)(a)); our legitimate interests in understanding in-product usage and improving the service (Art. 6(1)(f)) |
| AI-assisted features | Helping import a profile, draft content, summarise applicant fit, and explain matches (see Section 9) | Performance of a contract (Art. 6(1)(b)); our legitimate interests in useful features (Art. 6(1)(f)) |
| Meeting legal and regulatory duties | Tax, accounting, responding to lawful requests, and establishing or defending legal claims | Legal obligation (Art. 6(1)(c)); our legitimate interests in defending legal claims (Art. 6(1)(f)) |
Where special category data reaches us incidentally (see Section 2.4), we rely on the condition that it has been made public by you (UK GDPR Art. 9(2)(e)) or, for safety and moderation, on substantial public interest (Art. 9(2)(g), supported by Schedule 1 of the Data Protection Act 2018).
Where we rely on legitimate interests, we have weighed our interests against your rights and concluded that our processing does not override them. You can ask us for more detail about that assessment, or object to it, using the contact details in Section 14.
4. Who we share your information with
We are not in the business of selling your personal data, and we do not sell it. We share it only as described below.
With the other side of your engagement. The purpose of a marketplace is to connect people. When you take part in the marketplace, the relevant parts of your information are shared with the user on the other side — for example, an Expert's profile and proposal are visible to the Client, and the Client's brief and messages are visible to the Expert. Once shared, each of you handles that data as an independent controller.
With our service providers (sub-processors). We use carefully selected third parties to run the service. They process personal data only on our instructions and under contract. The current list is below, and an up-to-date version is published at consultearth.com/legal/sub-processors.
| Sub-processor | What they do for us | Location | Transfer safeguard |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | EU (Ireland) | UK adequacy |
| Stripe | Payments, subscriptions, and payouts | EU (Ireland) / United States | UK adequacy; UK Addendum to EU SCCs |
| Resend | Sending transactional email | United States | UK Addendum to EU SCCs |
| Cal.com | Scheduling advisory calls | United States | UK Addendum to EU SCCs |
| Google (Gemini API) | AI-assisted features | United States | UK Addendum to EU SCCs |
| Google Workspace | Hosting our @consultearth.com mailboxes | EU / global | UK Addendum to EU SCCs |
| Vercel | Hosting and infrastructure logs | Global (edge) | UK Addendum to EU SCCs |
| Cloudflare | Bot-detection at sign-up | Global (edge) | UK Addendum to EU SCCs |
| PostHog | Product analytics — only if you consent to optional cookies | EU | UK adequacy |
| Sentry | Error and performance monitoring | EU | UK adequacy |
With authorities and for legal reasons. We may disclose personal data where we are legally required to (for example, to HMRC for tax, or in response to a valid legal or law-enforcement request), or where it is necessary to establish, exercise, or defend legal claims, or to protect the rights, safety, and property of our users, the public, or us.
In a business transfer. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will tell you before your data becomes subject to a different privacy policy.
5. International transfers
Some of our service providers are based outside the UK. When we transfer your personal data abroad, we make sure it is protected by an appropriate safeguard recognised under UK data protection law:
- EU (adequacy). Transfers to providers that process in the EU (such as Supabase, which hosts our data in Ireland; Stripe's European entity; PostHog, configured for the EU region; and Sentry, our error-monitoring provider, also configured for the EU region) rely on the UK's finding that the EU offers an adequate level of protection.
- United States and other countries. Transfers to providers in the United States or other countries without a UK adequacy decision rely on the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures needed following a transfer risk assessment.
You can ask us for a copy of the transfer mechanism we use for a particular provider by contacting privacy@consultearth.com.
6. How long we keep it
We keep personal data only for as long as we need it for the purpose we collected it, plus any period required by law (such as tax and accounting rules and the time limits for bringing legal claims). The periods below are maximums; where we no longer need data sooner, we delete or anonymise it earlier. Some retention is enforced manually today and is being automated; either way, we apply the schedule below.
| Data | How long we keep it | Why |
|---|---|---|
| Account (authentication and profile) | Life of the account, then up to 30 days | Contract; a short grace period in case deletion was accidental |
| Expert public profile | Life of the account | Contract; legitimate interests. Search engines may keep cached copies for a period after deletion (see Section 8) |
| Client profile and organisation | Life of the account, then up to 30 days | Contract |
| Engagement records (jobs, applications, proposals, milestones, deliverables, amendments, engagement messages, closure records) | 6 years after the engagement or record concludes | Time limit for contract claims (Limitation Act 1980); UK GDPR Art. 17(3)(e) |
| Direct messages | 6 years from the last message in a thread | Limitation Act 1980; supports safety investigations |
| Service inquiries (concluded) | 3 years from conclusion | Lower commercial-claim risk than completed engagements |
| Payment, billing, credit, and token records | 6 years from the transaction | Tax and accounting law; UK GDPR Art. 17(3)(b) |
| Advisory-call records | 6 years from the booking | Time limit for claims; tax |
| Reviews | While the Expert's account is active; 6 years after account deletion (in anonymised form) | Reputation system; legitimate interests |
| Trust & Safety reports | 12 months (dismissed), 3 years (warning), or 6 years (suspension) from resolution | Legitimate interests; Online Safety Act 2023; legal defence |
| Account-deletion request record | 3 years from closure | Accountability and complaint-handling defence |
| Server, access, and error-monitoring logs (including Sentry) | Up to 90 days | Security; legitimate interests |
| Analytics events (PostHog) | Up to 1 year (PostHog Free default) | Consent |
| In-product usage analytics (which pages and tools signed-in users use; no message content) | Up to 12 months | Legitimate interests |
| AI processing inputs | Not retained for training — processed transiently (see Section 9) | We do not train models on your data |
Records subject to a legal hold (live or anticipated litigation, a regulatory investigation, or a law-enforcement request) are kept until that matter concludes, regardless of the periods above.
7. Your rights and how to use them
Under UK GDPR you have the following rights over your personal data:
- Access — ask for a copy of the personal data we hold about you (Art. 15). You can also download a copy of the most-requested account data yourself from Settings.
- Rectification — ask us to correct inaccurate or incomplete data (Art. 16). You can edit most profile data yourself.
- Erasure — ask us to delete your data (Art. 17). See "Deleting your account" below.
- Restriction — ask us to pause certain processing (Art. 18).
- Portability — ask for a copy of certain data in a structured, machine-readable format (Art. 20).
- Objection — object to processing based on our legitimate interests, and to direct marketing at any time (Art. 21).
- Automated decisions — we do not make decisions that produce legal or similarly significant effects about you using solely automated means. Our matching and AI features are decision-support tools; a human always decides whether to hire, propose, or engage (Art. 22).
To exercise any of these rights, email privacy@consultearth.com. We will respond within one month. If your request is complex or you have made several requests, we may extend this by up to two further months, and we will tell you within the first month if we do. We may need to confirm your identity first, so that we do not disclose your data to someone else. If we cannot act on your request, we will explain why and tell you about your right to complain to the ICO.
Some rights, including erasure, are subject to legal limits. For example, we may need to keep certain records to meet a legal obligation (such as tax records) or to establish or defend legal claims (such as engagement records). Where that applies, we will tell you which records we have kept and why.
Deleting your account
You can delete your account at any time from Settings → Account. Confirming the action records a deletion request and signs you out across all devices.
When you delete your account:
- Immediately, your account is deactivated and you can no longer sign in. Open commitments that have no contractual obligation attached are cancelled automatically — open job applications are withdrawn, open job posts are closed, open service inquiries are declined, and any future advisory-call bookings are cancelled and refunded in full.
- Active engagements already under way are not cancelled. They are flagged so the other party can complete or formally close the work on their own timeline, preserving their contractual rights. The other party is notified that you have asked to close your account.
- Within one month, we anonymise your personal data: your name and contact details on the platform are replaced with "[deleted user]", your profile fields are cleared, and the content of messages you sent is redacted. This happens automatically through a daily process, and at the latest one month after your request even if an engagement is still open.
Some records are kept beyond deletion, in anonymised form, where the law requires it (for example, billing records for tax, and engagement records for the period in which a legal claim could be brought). See Section 6 and "Records that remain after deletion" in Section 8.
If you delete your account by accident, email privacy@consultearth.com before the request is processed and we will try to cancel it.
8. Marketplace-specific behaviour you should know about
Because ConsultEarth is a two-sided marketplace, some processing works in ways specific to how the platform operates. We set these out plainly here.
Public profiles and public content. Expert profiles, published reviews, listed services, and bench (firm and team) information are designed to be public and discoverable. When you choose to make information public, it may be indexed by search engines, viewed by other users, and reused within features that help connect Clients and Experts. Information you make public can be accessed, copied, or used by others in ways we cannot control. If you later delete or change public information, search engines and other third parties may keep cached copies for a period (often around a month) before their own systems catch up; we cannot control how quickly that happens.
Private content. Messages, drafts, billing details, engagement files, Trust & Safety reports, and our internal audit records are not public and are only shared as described in Section 4.
Records that remain after deletion. Engagements involve two parties. If you delete your account, the engagement records the other party relies on — deliverables, milestones, billing, files, and chat history — are retained for the legal period set out in Section 6, but your identifying details within them are anonymised. Where your name would otherwise appear (for example, as the author of a message, a review, or a past engagement), it is replaced with "[deleted user]". Reviews you have given or received remain visible in anonymised form.
Advisory-call refunds. Our cancellation and refund rules for advisory calls — including the cancellation window — are set out in our Refund Policy and shown on the platform. One point matters for your data rights: if a call is cancelled because an account is being deleted, a full refund is always issued regardless of the standard cancellation window, so you are not penalised for exercising your deletion rights. Advisory-call payments are processed through Stripe Connect, with the Expert receiving the fee for the call and ConsultEarth retaining a platform fee.
Notifying counterparties of account closure. Where an account is closed and another user has an open engagement or commitment with it, we let that user know the account is closing, so they can take any steps they need to. We share only what is necessary for that purpose.
9. AI features and our position on training
Some features use artificial intelligence to make the platform more useful — for example, helping Experts import a profile from a CV, drafting proposals, summarising an applicant's fit for a Client, and explaining why a match was suggested. To provide these features, the information you submit while using them is sent to our AI provider, Google (Gemini API), to generate the result. The generated output is then saved back into ConsultEarth where relevant (for example, a draft proposal or a populated profile field).
Our position on AI:
- We do not train AI models on your personal data. Inputs to AI features are processed to produce a result; they are not used by us to train models, and our paid arrangement with our AI provider contractually prevents your inputs being used to train its models.
- AI is decision-support, not decision-making. AI features help people find and present information; a human always makes the final decision about hiring, proposing, or engaging.
- Opt-in, by design. If we ever introduce any use of your content to train or improve AI models, we will not do so by default. We would ask for your explicit, opt-in consent and update this policy before any such use begins.
10. Cookies and similar technologies
ConsultEarth uses cookies that are strictly necessary to run the service — for example, to keep you signed in and to keep the platform secure. These do not require consent under the Privacy and Electronic Communications Regulations (PECR).
We also use optional analytics cookies (provided by PostHog, configured for the EU region) to understand how the service is used and improve it. We set these only if you agree: we show a consent banner, keep the analytics cookies switched off until you accept, honour browser opt-out signals such as Global Privacy Control, and let you change your choice at any time using the "Manage cookies" link in our footer. We do not use advertising or targeting cookies. Our full Cookie Policy, describing each cookie, is available at consultearth.com/legal/cookies.
11. Children
ConsultEarth is a service for professionals and organisations, intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.
We support this in practice: sign-up requires you to confirm you are 18 or over, includes an automated bot-detection check, and requires email verification. If we learn that we hold personal data from someone under 18, we will delete it.
12. Security
We take appropriate technical and organisational measures to protect your personal data, including:
- access controls at the database level (row-level security), so users and staff only see what they are entitled to;
- encryption of data in transit (TLS) and at rest;
- password hashing through our authentication provider, so we never hold your password;
- tokenisation of card data through our payment processor, so we never hold full card numbers;
- two-factor authentication on the administrative accounts that can access user data;
- error and security monitoring, and a documented breach-response plan.
No system is ever completely secure, so we cannot guarantee absolute security. Where a personal data breach is likely to result in a risk to your rights, we will report it to the ICO within 72 hours of becoming aware of it, and where the risk is high, we will tell you without undue delay.
You also have a part to play: keep your password confidential, use a strong and unique password, and tell us promptly if you think your account has been compromised. You can report a security vulnerability to security@consultearth.com.
13. Changes to this policy
We may update this policy from time to time. Where we make a significant change — one that materially affects your rights or how we use your data — we will give you reasonable notice, by email or through the service, before it takes effect. Minor changes (such as clarifications or contact-detail updates) take effect when we post them, and the "Last updated" date at the top of this policy always reflects the current version.
14. Contact and complaints
For any privacy question or to exercise your rights:
- Email: privacy@consultearth.com
- Trust & Safety reports: safety@consultearth.com
- Security / vulnerability disclosure: security@consultearth.com
- Post: Consultearth Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
If you are not satisfied with how we have handled your data, you have the right to complain to the UK's data protection regulator:
- Information Commissioner's Office (ICO) — ico.org.uk — helpline 0303 123 1113
We would, however, appreciate the chance to address your concern first.