ConsultEarth
OpportunitiesExpertsPricingLearning HubBlog

ConsultEarth Privacy Policy

Last updated: 9 July 2026 Version: 1.1

1. About this policy

ConsultEarth is a marketplace that connects organisations ("Clients") with independent environmental and sustainability professionals ("Experts"). This policy explains what personal data we collect, why, how long we keep it, who we share it with, and the rights you have over it.

The controller of your personal data is Consultearth Ltd, a company registered in England and Wales (company number 16727374), trading as "ConsultEarth", with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom ("we", "us", "our"). We are registered with the UK Information Commissioner's Office (registration number ZC069712).

This policy covers our processing of personal data where we decide why and how it is processed. It does not cover the processing that Clients and Experts carry out on their own account. When you engage with another user — for example, when an Expert delivers work to a Client — each of you may be a separate, independent controller of the personal data you share with the other. We are not responsible for how another user handles your data once you have shared it with them through the platform. If you want to know how another user processes your data, please contact them directly.

If you have any questions about this policy or your data, contact us at privacy@consultearth.com.


2. What information we collect

We collect personal data in three ways: information you give us, information we collect automatically, and information we receive from third parties.

2.1 Information you give us

CategoryExamples
Account and identityName, email address, password (stored only as a secure hash by our authentication provider), account role (Expert or Client), and the sign-in method you choose (email, Google, or LinkedIn)
Expert profilePhoto, headline, biography, areas of expertise, work experience, education, qualifications, past projects, languages, rates, website and LinkedIn links, and any other content you choose to publish
Client profile and organisationName, work email, company or organisation name, role/job title, and team-member details where you invite colleagues
Engagement contentJob posts, proposals, applications, messages, service inquiries, shortlists, milestones, deliverables, amendments, and files you upload in the course of hiring or being hired
Booking contentAdvisory-call scheduling details (name, email, chosen time) and any notes you provide
Payment informationBilling name and address. Card details are entered directly with our payment processor (Stripe) and tokenised; we never see or store your full card number
Support and reportsThe content of any message you send our support or Trust & Safety teams, including any reports you file about other users or content, and any evidence files you attach

2.2 Information we collect automatically

CategoryExamples
Device and connectionIP address, browser type, device type, and similar technical data needed to deliver and secure the service
UsagePages viewed, tools opened, actions taken, and timestamps — used to operate and secure the platform and to understand and improve how it is used. This in-product usage record covers which pages and features you use, not the content of what you write
Cookies and similar technologiesSee Section 10. We use strictly necessary cookies, plus optional analytics cookies that we set only if you consent
Security and abuse-prevention signalsData generated by our sign-up protections, including an automated bot-detection check at sign-up

2.3 Information we receive from third parties

SourceWhat we receive
Sign-in providers (Google, LinkedIn)If you choose to sign in with Google or LinkedIn, we receive a stable account identifier and basic profile information (such as your name and email) from that provider, in line with your settings with them
Payment processor (Stripe)Confirmation of payment, payout, and subscription status, and limited transaction metadata. We do not receive full card numbers

2.4 Special category and criminal-offence data

We do not ask for, and do not want, special category data (such as data revealing health, race, religion, sexual orientation, or political views) or criminal-offence data. Some free-text areas, including the Trust & Safety report form, warn you not to include this kind of data about yourself or others. If special category data reaches us incidentally — for example, in a CV you upload or in free text you write — we minimise it, protect it under the same security controls as all other personal data, and delete it when it is no longer needed.

We do not currently carry out criminal background checks or collect identity documents for vetting. If that ever changes, we will update this policy first.


3. How we use your information and our lawful basis

We use your personal data for the purposes below. For each purpose, UK GDPR requires us to have a lawful basis; we set out the basis we rely on.

PurposeWhat this involvesLawful basis (UK GDPR Art. 6)
Creating and securing your accountRegistering you, authenticating sign-in, enforcing role separation, protecting accounts from abusePerformance of a contract (Art. 6(1)(b)); our legitimate interests in preventing abuse and in confirming users are old enough to form a binding contract (Art. 6(1)(f))
Publishing Expert profilesMaking Expert profiles discoverable so Clients can find themPerformance of a contract (Art. 6(1)(b)); our legitimate interests in operating a discoverable marketplace (Art. 6(1)(f))
Running the marketplaceManaging job posts, applications, proposals, shortlists, hiring pipelines, service inquiries, messages, engagements, milestones, deliverables, and filesPerformance of a contract (Art. 6(1)(b))
Booking and delivering advisory callsScheduling and supporting calls between users, and sending call remindersPerformance of a contract (Art. 6(1)(b)); our legitimate interests in reducing missed calls (Art. 6(1)(f))
Processing payments and payoutsTaking subscription, credit, token, and advisory-call payments, and paying Experts through Stripe ConnectPerformance of a contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c))
Sending service messagesTransactional and lifecycle emails and in-app notifications about your account and activityPerformance of a contract (Art. 6(1)(b)); our legitimate interests in keeping you informed (Art. 6(1)(f))
Keeping the platform safeReceiving and acting on reports, moderating content, investigating abuse, and suspending accounts where necessaryOur legitimate interests in a safe platform (Art. 6(1)(f)); legal obligation, including under the Online Safety Act 2023 (Art. 6(1)(c))
Improving the productUnderstanding how the service is used — both in aggregate through optional analytics cookies, and by recording which pages and tools our signed-in users use (never the content of what you write) so we can see what to improveConsent for any non-essential analytics cookies (Art. 6(1)(a)); our legitimate interests in understanding in-product usage and improving the service (Art. 6(1)(f))
AI-assisted featuresHelping import a profile, draft content, summarise applicant fit, and explain matches (see Section 9)Performance of a contract (Art. 6(1)(b)); our legitimate interests in useful features (Art. 6(1)(f))
Meeting legal and regulatory dutiesTax, accounting, responding to lawful requests, and establishing or defending legal claimsLegal obligation (Art. 6(1)(c)); our legitimate interests in defending legal claims (Art. 6(1)(f))

Where special category data reaches us incidentally (see Section 2.4), we rely on the condition that it has been made public by you (UK GDPR Art. 9(2)(e)) or, for safety and moderation, on substantial public interest (Art. 9(2)(g), supported by Schedule 1 of the Data Protection Act 2018).

Where we rely on legitimate interests, we have weighed our interests against your rights and concluded that our processing does not override them. You can ask us for more detail about that assessment, or object to it, using the contact details in Section 14.


4. Who we share your information with

We are not in the business of selling your personal data, and we do not sell it. We share it only as described below.

With the other side of your engagement. The purpose of a marketplace is to connect people. When you take part in the marketplace, the relevant parts of your information are shared with the user on the other side — for example, an Expert's profile and proposal are visible to the Client, and the Client's brief and messages are visible to the Expert. Once shared, each of you handles that data as an independent controller.

With our service providers (sub-processors). We use carefully selected third parties to run the service. They process personal data only on our instructions and under contract. The current list is below, and an up-to-date version is published at consultearth.com/legal/sub-processors.

Sub-processorWhat they do for usLocationTransfer safeguard
SupabaseDatabase, authentication, and file storageEU (Ireland)UK adequacy
StripePayments, subscriptions, and payoutsEU (Ireland) / United StatesUK adequacy; UK Addendum to EU SCCs
ResendSending transactional emailUnited StatesUK Addendum to EU SCCs
Cal.comScheduling advisory callsUnited StatesUK Addendum to EU SCCs
Google (Gemini API)AI-assisted featuresUnited StatesUK Addendum to EU SCCs
Google WorkspaceHosting our @consultearth.com mailboxesEU / globalUK Addendum to EU SCCs
VercelHosting and infrastructure logsGlobal (edge)UK Addendum to EU SCCs
CloudflareBot-detection at sign-upGlobal (edge)UK Addendum to EU SCCs
PostHogProduct analytics — only if you consent to optional cookiesEUUK adequacy
SentryError and performance monitoringEUUK adequacy

With authorities and for legal reasons. We may disclose personal data where we are legally required to (for example, to HMRC for tax, or in response to a valid legal or law-enforcement request), or where it is necessary to establish, exercise, or defend legal claims, or to protect the rights, safety, and property of our users, the public, or us.

In a business transfer. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will tell you before your data becomes subject to a different privacy policy.


5. International transfers

Some of our service providers are based outside the UK. When we transfer your personal data abroad, we make sure it is protected by an appropriate safeguard recognised under UK data protection law:

  • EU (adequacy). Transfers to providers that process in the EU (such as Supabase, which hosts our data in Ireland; Stripe's European entity; PostHog, configured for the EU region; and Sentry, our error-monitoring provider, also configured for the EU region) rely on the UK's finding that the EU offers an adequate level of protection.
  • United States and other countries. Transfers to providers in the United States or other countries without a UK adequacy decision rely on the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures needed following a transfer risk assessment.

You can ask us for a copy of the transfer mechanism we use for a particular provider by contacting privacy@consultearth.com.


6. How long we keep it

We keep personal data only for as long as we need it for the purpose we collected it, plus any period required by law (such as tax and accounting rules and the time limits for bringing legal claims). The periods below are maximums; where we no longer need data sooner, we delete or anonymise it earlier. Some retention is enforced manually today and is being automated; either way, we apply the schedule below.

DataHow long we keep itWhy
Account (authentication and profile)Life of the account, then up to 30 daysContract; a short grace period in case deletion was accidental
Expert public profileLife of the accountContract; legitimate interests. Search engines may keep cached copies for a period after deletion (see Section 8)
Client profile and organisationLife of the account, then up to 30 daysContract
Engagement records (jobs, applications, proposals, milestones, deliverables, amendments, engagement messages, closure records)6 years after the engagement or record concludesTime limit for contract claims (Limitation Act 1980); UK GDPR Art. 17(3)(e)
Direct messages6 years from the last message in a threadLimitation Act 1980; supports safety investigations
Service inquiries (concluded)3 years from conclusionLower commercial-claim risk than completed engagements
Payment, billing, credit, and token records6 years from the transactionTax and accounting law; UK GDPR Art. 17(3)(b)
Advisory-call records6 years from the bookingTime limit for claims; tax
ReviewsWhile the Expert's account is active; 6 years after account deletion (in anonymised form)Reputation system; legitimate interests
Trust & Safety reports12 months (dismissed), 3 years (warning), or 6 years (suspension) from resolutionLegitimate interests; Online Safety Act 2023; legal defence
Account-deletion request record3 years from closureAccountability and complaint-handling defence
Server, access, and error-monitoring logs (including Sentry)Up to 90 daysSecurity; legitimate interests
Analytics events (PostHog)Up to 1 year (PostHog Free default)Consent
In-product usage analytics (which pages and tools signed-in users use; no message content)Up to 12 monthsLegitimate interests
AI processing inputsNot retained for training — processed transiently (see Section 9)We do not train models on your data

Records subject to a legal hold (live or anticipated litigation, a regulatory investigation, or a law-enforcement request) are kept until that matter concludes, regardless of the periods above.


7. Your rights and how to use them

Under UK GDPR you have the following rights over your personal data:

  • Access — ask for a copy of the personal data we hold about you (Art. 15). You can also download a copy of the most-requested account data yourself from Settings.
  • Rectification — ask us to correct inaccurate or incomplete data (Art. 16). You can edit most profile data yourself.
  • Erasure — ask us to delete your data (Art. 17). See "Deleting your account" below.
  • Restriction — ask us to pause certain processing (Art. 18).
  • Portability — ask for a copy of certain data in a structured, machine-readable format (Art. 20).
  • Objection — object to processing based on our legitimate interests, and to direct marketing at any time (Art. 21).
  • Automated decisions — we do not make decisions that produce legal or similarly significant effects about you using solely automated means. Our matching and AI features are decision-support tools; a human always decides whether to hire, propose, or engage (Art. 22).

To exercise any of these rights, email privacy@consultearth.com. We will respond within one month. If your request is complex or you have made several requests, we may extend this by up to two further months, and we will tell you within the first month if we do. We may need to confirm your identity first, so that we do not disclose your data to someone else. If we cannot act on your request, we will explain why and tell you about your right to complain to the ICO.

Some rights, including erasure, are subject to legal limits. For example, we may need to keep certain records to meet a legal obligation (such as tax records) or to establish or defend legal claims (such as engagement records). Where that applies, we will tell you which records we have kept and why.

Deleting your account

You can delete your account at any time from Settings → Account. Confirming the action records a deletion request and signs you out across all devices.

When you delete your account:

  1. Immediately, your account is deactivated and you can no longer sign in. Open commitments that have no contractual obligation attached are cancelled automatically — open job applications are withdrawn, open job posts are closed, open service inquiries are declined, and any future advisory-call bookings are cancelled and refunded in full.
  2. Active engagements already under way are not cancelled. They are flagged so the other party can complete or formally close the work on their own timeline, preserving their contractual rights. The other party is notified that you have asked to close your account.
  3. Within one month, we anonymise your personal data: your name and contact details on the platform are replaced with "[deleted user]", your profile fields are cleared, and the content of messages you sent is redacted. This happens automatically through a daily process, and at the latest one month after your request even if an engagement is still open.

Some records are kept beyond deletion, in anonymised form, where the law requires it (for example, billing records for tax, and engagement records for the period in which a legal claim could be brought). See Section 6 and "Records that remain after deletion" in Section 8.

If you delete your account by accident, email privacy@consultearth.com before the request is processed and we will try to cancel it.


8. Marketplace-specific behaviour you should know about

Because ConsultEarth is a two-sided marketplace, some processing works in ways specific to how the platform operates. We set these out plainly here.

Public profiles and public content. Expert profiles, published reviews, listed services, and bench (firm and team) information are designed to be public and discoverable. When you choose to make information public, it may be indexed by search engines, viewed by other users, and reused within features that help connect Clients and Experts. Information you make public can be accessed, copied, or used by others in ways we cannot control. If you later delete or change public information, search engines and other third parties may keep cached copies for a period (often around a month) before their own systems catch up; we cannot control how quickly that happens.

Private content. Messages, drafts, billing details, engagement files, Trust & Safety reports, and our internal audit records are not public and are only shared as described in Section 4.

Records that remain after deletion. Engagements involve two parties. If you delete your account, the engagement records the other party relies on — deliverables, milestones, billing, files, and chat history — are retained for the legal period set out in Section 6, but your identifying details within them are anonymised. Where your name would otherwise appear (for example, as the author of a message, a review, or a past engagement), it is replaced with "[deleted user]". Reviews you have given or received remain visible in anonymised form.

Advisory-call refunds. Our cancellation and refund rules for advisory calls — including the cancellation window — are set out in our Refund Policy and shown on the platform. One point matters for your data rights: if a call is cancelled because an account is being deleted, a full refund is always issued regardless of the standard cancellation window, so you are not penalised for exercising your deletion rights. Advisory-call payments are processed through Stripe Connect, with the Expert receiving the fee for the call and ConsultEarth retaining a platform fee.

Notifying counterparties of account closure. Where an account is closed and another user has an open engagement or commitment with it, we let that user know the account is closing, so they can take any steps they need to. We share only what is necessary for that purpose.


9. AI features and our position on training

Some features use artificial intelligence to make the platform more useful — for example, helping Experts import a profile from a CV, drafting proposals, summarising an applicant's fit for a Client, and explaining why a match was suggested. To provide these features, the information you submit while using them is sent to our AI provider, Google (Gemini API), to generate the result. The generated output is then saved back into ConsultEarth where relevant (for example, a draft proposal or a populated profile field).

Our position on AI:

  • We do not train AI models on your personal data. Inputs to AI features are processed to produce a result; they are not used by us to train models, and our paid arrangement with our AI provider contractually prevents your inputs being used to train its models.
  • AI is decision-support, not decision-making. AI features help people find and present information; a human always makes the final decision about hiring, proposing, or engaging.
  • Opt-in, by design. If we ever introduce any use of your content to train or improve AI models, we will not do so by default. We would ask for your explicit, opt-in consent and update this policy before any such use begins.

10. Cookies and similar technologies

ConsultEarth uses cookies that are strictly necessary to run the service — for example, to keep you signed in and to keep the platform secure. These do not require consent under the Privacy and Electronic Communications Regulations (PECR).

We also use optional analytics cookies (provided by PostHog, configured for the EU region) to understand how the service is used and improve it. We set these only if you agree: we show a consent banner, keep the analytics cookies switched off until you accept, honour browser opt-out signals such as Global Privacy Control, and let you change your choice at any time using the "Manage cookies" link in our footer. We do not use advertising or targeting cookies. Our full Cookie Policy, describing each cookie, is available at consultearth.com/legal/cookies.


11. Children

ConsultEarth is a service for professionals and organisations, intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.

We support this in practice: sign-up requires you to confirm you are 18 or over, includes an automated bot-detection check, and requires email verification. If we learn that we hold personal data from someone under 18, we will delete it.


12. Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • access controls at the database level (row-level security), so users and staff only see what they are entitled to;
  • encryption of data in transit (TLS) and at rest;
  • password hashing through our authentication provider, so we never hold your password;
  • tokenisation of card data through our payment processor, so we never hold full card numbers;
  • two-factor authentication on the administrative accounts that can access user data;
  • error and security monitoring, and a documented breach-response plan.

No system is ever completely secure, so we cannot guarantee absolute security. Where a personal data breach is likely to result in a risk to your rights, we will report it to the ICO within 72 hours of becoming aware of it, and where the risk is high, we will tell you without undue delay.

You also have a part to play: keep your password confidential, use a strong and unique password, and tell us promptly if you think your account has been compromised. You can report a security vulnerability to security@consultearth.com.


13. Changes to this policy

We may update this policy from time to time. Where we make a significant change — one that materially affects your rights or how we use your data — we will give you reasonable notice, by email or through the service, before it takes effect. Minor changes (such as clarifications or contact-detail updates) take effect when we post them, and the "Last updated" date at the top of this policy always reflects the current version.


14. Contact and complaints

For any privacy question or to exercise your rights:

  • Email: privacy@consultearth.com
  • Trust & Safety reports: safety@consultearth.com
  • Security / vulnerability disclosure: security@consultearth.com
  • Post: Consultearth Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

If you are not satisfied with how we have handled your data, you have the right to complain to the UK's data protection regulator:

  • Information Commissioner's Office (ICO) — ico.org.uk — helpline 0303 123 1113

We would, however, appreciate the chance to address your concern first.


ConsultEarth

ConsultEarth connects climate and sustainable-development work with the right expertise, anywhere on the planet. It also helps newcomers train, build a network, and break into the field.

For experts

  • Find opportunities
  • Join as an expert

For clients

  • Find an expert
  • Pricing

Resources

  • Blog
  • Help
  • Contact
  • Knowledge HubSoon

Legal

  • Privacy
  • Terms
  • Cookies

© 2026 ConsultEarth Ltd. · Registered in England and Wales No. 16727374. All rights reserved.