Privacy Policy
Last updated: 18 May 2026
Who we are
Climate Jobs is operated by Sidestep Technology Limited, a company registered in England and Wales (company number 15350889) with its registered office at 86-90 Paul Street, London, United Kingdom, EC2A 4NE. Sidestep Technology Limited is the data controller for this website.
You can reach us at hi@climate.jobs for any privacy-related questions or to exercise the rights set out below.
What we collect and why
Account data (premium subscribers)
When you sign in, we store your email address and premium subscription status. Premium access is tied to your paid subscription to the Remote Climate Jobs newsletter (remoteclimatejobs.co), run on Beehiiv — "one subscription, two platforms". Signing in triggers a check against Beehiiv to confirm your subscription is active, and magic-link emails are sent via Resend.
Saved jobs
Premium subscribers can save jobs to a personal list. We store only your user ID and the job IDs you save.
Anonymous usage counts
We keep aggregate counts of page views and "apply" clicks to understand which categories and countries attract interest. These records contain only the page type, job ID, category, country, and a timestamp — no IP address, no user-agent, no user ID, no cookie, and nothing that could identify you.
Account activity (signed-in users)
When you are signed in, we record which pages you view so we can understand how active our subscribers are and which parts of the site are useful. Each record holds your account ID, the page type, the page path (without any search terms), and a timestamp. This is first-party data, stored in our own database (Supabase). It is not shared with third parties and sets no cookies. Visitors who are not signed in are not tracked this way.
Analytics (Umami)
We use Umami Cloud for website analytics. Umami does not set cookies, does not use localStorage, and does not store IP addresses or personal identifiers. Visitor counts are derived from a daily-rotating, irreversible hash that cannot be linked back to you or across days.
Analytics (PostHog)
Alongside Umami, we run PostHog (EU Cloud, hosted in Frankfurt) for product analytics and UX debugging. How PostHog runs depends on where you visit from.
If you visit from the EU, UK, or EEA (the default for our European audience): PostHog operates without setting any cookies, without writing to localStorage, without autocapture, and without session recording. Pageviews and a small number of manual events (e.g. "saved a job") are captured. An anonymous session identifier is held only in browser memory and discarded when you close the tab. PostHog keeps a server-side anonymous record per visitor containing approximate location (country, region) derived from your IP address at request time; the IP itself is not stored on individual events.
If you visit from outside the EEA/UK
(e.g. United States, Canada, Australia): in addition to the above, we record
anonymised session replays — recordings of how visitors move through the
site, used to diagnose UX issues. All form input fields are masked by default,
your IP address is not retained, and recording is disabled on authentication,
admin, and saved-jobs pages. To maintain session continuity, PostHog sets
first-party ph_*
cookies (see Cookies below). Recordings are retained for 30 days and then deleted.
Region detection uses MaxMind, an IP-geolocation provider acting as a sub-processor to PostHog. We do not perform IP geolocation ourselves.
Security and fraud prevention
We use strictly necessary cookies (below), rate-limiting, and CSRF tokens to protect the site from abuse. These do not track you across sessions or sites.
Cookies
We only set strictly necessary cookies, which are exempt from consent requirements under Article 5(3) of the ePrivacy Directive. We do not use any advertising, marketing, or third-party tracking cookies.
| Cookie | Purpose |
|---|---|
csrf_token |
Protects forms from cross-site request forgery. Session-scoped. |
sb-* |
Set by Supabase. Keeps you signed in. Expires when your session does. |
site_gate |
Remembers that you've entered the pre-launch password. Removed at public launch. |
For visitors outside the EEA/UK we additionally set first-party PostHog cookies
(ph_*) to support
session replay. These are not strictly necessary cookies, but they are set only
in jurisdictions where the ePrivacy Directive does not apply. EU/EEA/UK
visitors are never sent these cookies.
| Cookie | Purpose |
|---|---|
ph_* |
Set only for visitors outside the EEA/UK. Maintains session identifier for replay continuity. First-party, expires per PostHog defaults (typically up to one year). |
Your browser's cookie settings let you refuse or delete cookies at any time.
Blocking csrf_token
or sb-* will prevent login.
Who we share your data with (processors)
We use the following service providers ("processors") who handle personal data on our behalf. Each is bound by a data processing agreement.
- Supabase
- Database and authentication. Stores your account row (email, premium flag, saved jobs).
- Beehiiv
- Newsletter platform. Receives your email address so we can verify your premium subscription at sign-in, and sends real-time webhook updates when your subscription status changes.
- Resend
- Transactional email provider. Receives your email address to deliver sign-in magic links.
- Logo.dev
- Company logo CDN. Serves company logos on job cards. Your browser's IP address is exposed to Logo.dev each time a logo loads; Logo.dev does not profile users.
- Umami Cloud
- Anonymous page-view analytics (no cookies, no IP retention).
- PostHog (EU)
- Anonymous product and web analytics, hosted in Frankfurt (EU). For EU/UK/EEA visitors: no cookies, no localStorage, no IP retention on events; server-side anonymous profile linked to approximate location. For visitors elsewhere: additionally records anonymised session replays with form inputs masked and IP not retained. Region detection uses MaxMind (a PostHog sub-processor).
- unpkg (Cloudflare)
- Open-source JavaScript CDN. Delivers a small animation-player script used for UI flourishes. Your browser's IP address is exposed to Cloudflare when the script loads; no tracking is performed.
- Cloudways /
DigitalOcean - Web hosting. Standard server access logs retained briefly for security and troubleshooting.
We do not sell your data and we do not share it with advertisers.
International transfers
Some of our processors are based in the United States (Beehiiv, Resend, Logo.dev, MaxMind via PostHog) or store data in multiple regions (Supabase, Umami, Cloudways). Where personal data is transferred outside the EU/UK, we rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) to provide an appropriate level of protection.
How long we keep your data
- Account data: kept while your account is active. Deleted within 30 days of a deletion request.
- Saved jobs: deleted with your account.
- Account activity records: kept while your account is active; deleted with your account.
- Anonymous usage counts: retained indefinitely — they contain no personal data.
- PostHog session replays (non-EEA/UK visitors only): 30 days, then automatically deleted.
- PostHog anonymous profiles: retained while the project is active; we do not link them to identifiable individuals.
- Server access logs: short-term, typically under 30 days, at our hosting provider's discretion.
Your rights
Under UK and EU data protection law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw any consent you've given, at any time
- Lodge a complaint with your national supervisory authority (e.g. the UK ICO, or the data protection authority in your EU country of residence)
To exercise any of these rights, email hi@climate.jobs. We'll respond within 30 days.
Children
Climate Jobs is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we'll delete it.
Security
We use HTTPS everywhere, HMAC-signed session cookies, CSRF protection on state-changing actions, and rate-limiting against abuse. No method of transmission over the internet is 100% secure, but we follow industry practice to protect your data.
Changes to this policy
We may update this page from time to time. Material changes will be reflected in the "Last updated" date at the top. For significant changes, we'll also notify signed-in users by email.
Contact
Questions, requests, or complaints: hi@climate.jobs.