Privacy Policy

1. Who we are

Remotery (the “Service”, “we”, “us”) operates the remote-job aggregator at remotery.co. We’re the data controller for the information described below. For everything in this policy, the contact point is info@remotery.co.

2. What we collect

We try to collect the minimum data needed to run the Service. Concretely:

Account data (when you sign up)

• Your email address, your name, and a bcrypt hash of your password (never the password itself).
• If you sign in via GitHub or Google instead: the basic profile info those providers share with us (email, display name, avatar, provider account ID). We do not see your provider password.
• The date you created your account and whether you’ve verified an email change.

Public profile (only what you choose to add)

• Username, headline, bio, country, social links, skills, tech-stack tags, and an “available for work” flag.
• Optional resume, experience, and education entries that you add from your profile dashboard.
• Visibility setting — public, unlisted, or private. We honour this on the rendered profile, search-engine indexing, and our sitemap.

Job activity (private to your account)

• Jobs you save and applications you track on the kanban board, including the status you set (applied, interviewing, offer, rejected) and your private notes.

Automatic technical data

• Your IP addresswhen you sign in or change security-sensitive account fields — used for rate limiting, security alerts (we tell you the IP in the “your password was changed” email), and abuse prevention. Held for at most a few months.
• Standard web-server logs (browser type, requested URL, timestamp). Rotated and discarded automatically.
• A session cookie that keeps you signed in. It contains a signed token, not your password.

3. What we don't collect

• We don’t use third-party advertising trackers or analytics scripts that build a behavioural profile on you.
• We don’t see the contents of job applications you submit — when you click “Apply” you go directly to the employer’s site.
• We don’t collect special-category data (health, biometrics, political opinions, etc.). Don’t put any in your profile.

4. Why we use it (legal bases)

• To provide the Service — sign-in, saving jobs, application tracker, public profiles. Legal basis: performance of our agreement with you.
• To keep accounts secure — rate-limiting, password-reset emails, security alerts about email or password changes. Legal basis: legitimate interest in keeping accounts safe.
• To communicate with you transactionally — a welcome email at sign-up, password resets, email-change confirmation, and security alerts. Legal basis: performance of agreement.
• To comply with the law when required.

We do not send marketing email today, and we don’t profile users for targeted advertising.

5. Who we share it with

We don’t sell your data. We share it with a small set of service providers needed to run Remotery:

• Resend (resend.com) — sends our transactional emails. They process your email address, name, and the email body in transit. Resend is in the EU (Ireland region).
• GitHub and Google— only if you choose to sign in via one of them. They share your basic profile with us; we don’t share anything back.
• Our hosting and database providers, who store the data on infrastructure we control (encrypted at rest where the platform supports it, encrypted in transit via HTTPS to and from your browser).

Public information you choose to publish on your profile is visible to anyone with the link, and may be indexed by search engines (unless you set visibility to unlisted or private).

6. Cookies and similar technologies

We use a small number of strictly-necessary cookies:

• A signed session cookie (issued by NextAuth) that keeps you signed in for up to 30 days.
• An optional CSRF token cookie used during the sign-in / sign-up form submission.

We don’t use cookies to track you across other sites or for advertising. Because all cookies we set are strictly necessary for the Service to work, we don’t show a cookie banner.

7. Where your data is stored

Our primary database and application server are hosted in Europe. Resend processes our outbound email in the EU (Ireland). Some sub-processors operated by our hosting providers may transfer data to other regions; when that happens, transfers are covered by Standard Contractual Clauses or an equivalent legal mechanism.

8. How long we keep your data

• While your account is active: we keep the account data described above for as long as you have a Remotery account.
• Password reset and email-change tokens: auto-expire (1 hour and 24 hours respectively) and are deleted on use. We never store password-reset links in plaintext — the database only sees a hash.
• Server logs and rate-limit records: short retention (at most a few months) for abuse prevention.
• After you delete your account: we delete your account data on a rolling basis. Backups can hold copies for up to 30 days before they roll off.

9. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correctdata that’s wrong or incomplete — most fields are editable directly in your account settings.
• Delete your account (and the data with it). You can do this from /account or by emailing us.
• Export a copy of your data in a portable format.
• Object to processing based on our legitimate interest, or restrict it.
• Lodge a complaint with your local data-protection authorityif you believe we’ve mishandled your data.

To exercise any of these rights, email info@remotery.co. We’ll respond within 30 days.

10. How we keep it safe

• Passwords are hashed with bcrypt at cost 12 — never stored in plaintext.
• All traffic to remotery.co is served over HTTPS.
• Password-reset and email-change tokens are stored as SHA-256 hashes; the plaintext token only exists in the email we send.
• We rate-limit sign-in attempts and surface security alerts when sensitive account fields change.
• Access to our infrastructure is restricted to a small set of maintainers using SSH key authentication.

11. Children

Remotery is intended for adults and senior teenagers in the job-hunting market. We don’t knowingly collect data from anyone under 16. If you’re a parent or guardian and believe a child has created an account, email us at info@remotery.co and we’ll delete it.

12. Changes to this policy

When we make a material change, we’ll update the “Last updated” date at the top of this page and, where appropriate, notify you by email. Continued use of the Service after a change means you accept the updated policy.

13. Contact

Questions, requests, or just want to know more? Email us at info@remotery.co. For the rules governing your use of the Service, see our Terms of Service.