Last updated: March 2026
Work References is a stateless cryptographic tool for issuing and verifying employment references. All signing operations happen in your browser. We do not have user accounts, a database, or an email system. This policy explains what limited data we process and your rights in relation to it.
The Work References Foundation ("we", "us", "our"), a Charitable Incorporated Organisation registered in England, is the data controller for any personal data processed through workreferences.org. You can contact us at support@workreferences.org.
When someone verifies a reference, the reference data (candidate name, role, dates, reference text, and digital signature) is sent to our verification API. This data is processed in memory only to check the signature against a DNS public key. Nothing is stored.
Our server queries public DNS TXT records to retrieve the public key associated with a domain. These are publicly available records and no personal data is involved.
We use PostHog (EU-hosted) for website analytics. PostHog is only activated if you explicitly opt in via our cookie consent banner. Until you consent, no analytics data is collected. PostHog stores data using localStorage rather than cookies.
Our hosting provider (Vercel) automatically collects standard server logs including IP addresses and request timestamps. These are retained according to Vercel's own data retention policy and are used for security and debugging purposes.
Work References is designed so that sensitive operations never leave your device:
We rely on the following legal bases under UK GDPR:
No essential cookies are currently required. The site functions without setting any cookies.
PostHog (EU-hosted) is used for analytics and is only activated with your explicit consent. When enabled, it collects anonymised usage data such as pages visited, referral source, browser type, and general location (country level). We do not use advertising cookies or any other third-party tracking.
You can change your analytics preference at any time by clicking "Cookie Settings" in the website footer. Your preference is stored in your browser's localStorage under the key cookie-consent. Clearing your browser data will reset your preference, and you will see the consent banner again on your next visit.
We use the following third-party services:
Under UK GDPR, you have the right to:
To exercise any of these rights, email us at support@workreferences.org. We will respond within 30 days.
Because Work References does not have user accounts or a database, the personal data we hold about you is limited to server logs and, if you opted in, anonymised analytics data.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Work References uses a client-side cryptographic architecture. Your Ed25519 private signing key is generated in your browser and never sent to our servers. All reference signing happens locally. Verification relies on public keys published in DNS TXT records that you control.
We may update this policy from time to time. The "last updated" date at the top of this page indicates when the policy was last revised.
For any questions about this privacy policy or our data practices, contact us at support@workreferences.org.