Cookie Policy
Last updated: 21 May 2026 Effective from: [LAUNCH DATE — update at go-live]
DRAFT — assumptions to confirm before publishing
- Legal entity: BOB O JOB LTD, England and Wales. Replace placeholders.
- Compliance framework: UK GDPR, Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR) — which is the rule that actually requires consent for non-essential cookies.
- Cookie banner already live (react-cookie-consent). PostHog is currently the only analytics provider and is gated behind opt-in. If you add more analytics, advertising, or third-party cookies later, update Sections 4 and 5.
- Cookie names and durations listed below are based on the stack from the primer (Auth.js, Vercel, Stripe, PostHog, Cloudflare via Vercel edge). Confirm by inspecting
document.cookieon a live session before publishing — actual cookie names occasionally differ from defaults.- We do NOT use cookies for behavioural advertising, cross-site tracking, or third-party marketing. If that ever changes, this Policy needs significant rework.
1. About this Policy
This Cookie Policy explains how BOB O JOB LTD ("bob-o-job", "we", "us", "our") uses cookies and similar technologies on our website at www.bob-o-job.com and in our mobile apps.
It sits alongside our Privacy Policy, which explains how we handle personal data more generally. Where this Cookie Policy and the Privacy Policy differ, this Cookie Policy is the more specific document for matters about cookies.
By using our website or apps, you consent to our use of strictly necessary cookies. You can choose whether to allow non-essential cookies via our cookie banner or your browser settings.
2. What cookies are
A cookie is a small text file that a website places on your device (computer, phone, tablet) when you visit. Cookies let websites remember things about you — that you're logged in, what you've put in a cart, what language you prefer.
This Policy also covers similar technologies that work the same way:
- Local storage and session storage — built into your browser; we use these to keep your session running between pages
- Pixels and tracking tags — tiny embedded images or scripts that record a page view
- Software development kits (SDKs) — in our mobile apps, code components that perform similar tracking functions
- Device identifiers — in our mobile apps, advertising IDs and similar device-level identifiers (we currently use these only for push notifications, not for tracking)
When we say "cookies" in this Policy, we mean all of the above unless we specify otherwise.
3. Why we use cookies
We use cookies to:
- keep you logged in as you move between pages
- remember your preferences (e.g. cookie consent choices, language)
- process payments safely through Stripe
- protect against fraud and abuse
- understand how people use the Platform so we can improve it (only if you opt in)
We do not use cookies for:
- behavioural advertising
- cross-site tracking
- selling your data to third parties
- profiling you for any purpose unrelated to the Platform
4. The cookies we use
We group cookies into three categories.
4.1 Strictly necessary cookies
These are required for the Platform to work. They cannot be switched off through the cookie banner — without them, the site doesn't function. We rely on the strictly necessary exemption under PECR (Regulation 6(4)) for these; no consent is needed.
| Cookie | Purpose | Set by | Duration |
|---|---|---|---|
authjs.session-token (or similar Auth.js naming) | Keeps you logged in | bob-o-job (Auth.js) | Session, or up to 30 days if "stay logged in" |
authjs.csrf-token | Protects against cross-site request forgery (CSRF) attacks | bob-o-job (Auth.js) | Session |
authjs.callback-url | Remembers where to send you after you log in | bob-o-job (Auth.js) | Session |
__Host-authjs.csrf-token | Secure variant of the CSRF token | bob-o-job (Auth.js) | Session |
bob-o-job-consent | Records your cookie consent choices | bob-o-job | 1 year |
__cf_bm | Bot management and DDoS protection | Cloudflare (via Vercel edge) | 30 minutes |
_cfuvid | Bot detection — distinguishes humans from bots | Cloudflare (via Vercel edge) | Session |
Stripe cookies (__stripe_mid, __stripe_sid) | Fraud prevention during payment, set when you reach a checkout page | Stripe | __stripe_mid 1 year; __stripe_sid 30 minutes |
We also use session storage and local storage to hold short-lived UI state (current step in a job-posting form, an open chat thread, etc.). These are wiped when you close the tab or after a short period; they do not contain personal data beyond what's needed to keep the UI working.
4.2 Functional cookies (only with your consent)
These cookies remember preferences and settings that aren't strictly necessary but make the experience better. We only set them if you opt in via the cookie banner.
| Cookie | Purpose | Set by | Duration |
|---|---|---|---|
bob-o-job-prefs | Remembers UI preferences (theme, sidebar collapsed, etc.) | bob-o-job | 1 year |
bob-o-job-recent-search | Remembers your recent job-category searches | bob-o-job | 30 days |
4.3 Analytics cookies (only with your consent)
These help us understand how the Platform is being used so we can improve it. We only set them if you opt in via the cookie banner. We use PostHog as our analytics provider; data is processed in PostHog's EU region (eu.posthog.com).
| Cookie | Purpose | Set by | Duration |
|---|---|---|---|
ph_<project-id>_posthog | PostHog session and user identifier | PostHog | 1 year |
ph_<project-id>_window_id | PostHog session-window identifier | PostHog | 30 minutes |
PostHog data is pseudonymous — it's tied to a generated identifier, not to your name or email. We may link your PostHog ID to your account if you're logged in, so we can analyse behaviour for logged-in users. You can request deletion of your PostHog data at any time via privacy@bob-o-job.com.
We do not currently use third-party advertising cookies, retargeting cookies, or social media tracking pixels. If we add any in the future, we will update this Policy and re-prompt for consent.
5. Mobile apps
In our customer and jobber mobile apps, we use similar technologies:
- Authentication tokens (similar to session cookies) — strictly necessary
- Device identifiers for push notifications — used only to deliver notifications you have agreed to receive
- PostHog Mobile SDK for analytics — only active if you've consented
- Crash reporting via our hosting providers — strictly necessary for keeping the apps working
App permissions (location, notifications, camera) are governed separately by your device's permission system; you can change them at any time in your device settings.
6. How to manage your cookies
6.1 On bob-o-job
When you first visit the Platform, our cookie banner asks you to choose between:
- Accept all — strictly necessary, functional, and analytics cookies
- Reject non-essential — only strictly necessary cookies
- Customise — choose individually
You can change your choice at any time:
- click Cookie settings in the footer of any page
- or go to Account settings → Privacy → Cookies
Changing your choice takes effect immediately for new sessions; existing analytics data already collected is not deleted unless you ask us to delete it (contact privacy@bob-o-job.com).
6.2 In your browser
You can block or delete cookies through your browser settings. Most browsers also offer a "private" or "incognito" mode that doesn't keep cookies after you close the window.
Help pages for common browsers:
- Chrome: https://support.google.com/chrome/answer/95647
- Safari (Mac): https://support.apple.com/en-gb/HT201265
- Safari (iOS): https://support.apple.com/en-gb/HT201265
- Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
- Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
Blocking strictly necessary cookies will break the Platform — you won't be able to log in or pay. Blocking non-essential cookies has no effect on functionality.
6.3 Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. There is no industry standard for how DNT signals should be honoured, and we currently do not respond to DNT signals beyond the controls described above. Our cookie banner provides equivalent control.
6.4 Global Privacy Control (GPC)
Some browsers and extensions send a Global Privacy Control signal to indicate you don't want your data sold or shared. We do not sell or share data covered by such laws, so GPC does not currently change our behaviour. We will revisit if our practices change.
7. Legal basis
We process the data collected via cookies under the following lawful bases:
- Strictly necessary cookies: PECR Regulation 6(4) exemption; UK GDPR legitimate interest (Article 6(1)(f)) for the underlying data processing — specifically, our legitimate interest in providing a working, secure service
- Functional and analytics cookies: consent (UK GDPR Article 6(1)(a) and PECR Regulation 6)
You can withdraw consent for functional or analytics cookies at any time via the controls in Section 6.1.
8. International data transfers
Some of the cookie providers we use are based outside the UK:
- Stripe processes some data in the United States and Ireland under Standard Contractual Clauses
- Cloudflare (via Vercel) is US-based with EU-located edge servers; data transfers covered by SCCs
- PostHog processes data in the EU region (Frankfurt) under the UK adequacy regulations for the EU
See our Privacy Policy Section 8 for more detail on international transfers and the safeguards in place.
9. Retention
Cookie data is retained for the duration listed in Section 4. After expiry, cookies are automatically deleted by your browser (or our server stops accepting them as valid).
Analytics data inside PostHog is retained for 12 months by default, after which it is automatically deleted. You can request earlier deletion by emailing privacy@bob-o-job.com.
10. Children
The Platform is not directed to anyone under 18. We do not knowingly use cookies to collect data from children. If we become aware that we have done so, we will delete the data.
11. Your rights
You have the following rights in respect of personal data collected through cookies:
- Access — request a copy of the data we hold
- Rectification — correct inaccurate data
- Erasure — ask us to delete the data
- Restriction — pause processing
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, with effect from withdrawal onwards
To exercise any of these rights, email privacy@bob-o-job.com. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office:
- Web: https://ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
12. Changes to this Policy
We may update this Policy from time to time — particularly if we add new cookie providers, change analytics tools, or change how we use cookies. When we do, we will:
- update the "Last updated" date at the top
- re-prompt for consent if we add cookies that require it
- notify account holders by email if changes are material
We keep an archive of previous versions; if you'd like to see an older version, email privacy@bob-o-job.com.
13. Contact
- Privacy and cookie questions: privacy@bob-o-job.com
- Post: BOB O JOB LTD, [Registered office address]
- ICO: https://ico.org.uk | 0303 123 1113
This Cookie Policy is provided in English. If there is any conflict between this version and a translation, the English version prevails.