Privacy Policy.
What information Cairn Learning collects, why we collect it, who we share it with, and the choices you have. Written for the parents and guardians who use Cairn, in plain language, because the people reading it are responsible for a child.
1. About this policy
This policy explains what information Cairn Learning collects, why we collect it, who we share it with, and the choices you have. It is written for the parents and guardians who use Cairn, in plain language, because the people reading it are responsible for a child.
Cairn Learning (“Cairn”, “we”, “us”) is operated by Cairn (Hugo Galarreta), registered at Av. Monte de los Olivos 291, Lima, Peru, reachable at legal@cairnplan.com. Our website is cairnplan.com.
Cairn is a software subscription that helps a parent build a weekly learning plan for their child. A parent answers a short conversational intake and completes a light behavioral assessment. We then produce a plan that combines two or three learning providers from a curated database, with an explanation of why each one fits.
2. Children's data and the parent's role
This is the part that matters most, so we state it first.
Cairn is operated for parents and legal guardians, not for direct use by children. The account holder and the person we treat as our user is the adult. The information you give us is mostly about your child: their age band, the subjects they are working on, their interests, and how they tend to learn. We treat that information as children's personal data and apply the protections that come with it.
Because the data is about a child, the parent or guardian is the person who provides consent, reviews what we hold, and can ask us to delete it. We describe how to do all of that below.
We do not knowingly let children create accounts or use Cairn without a parent. If you believe a child has used Cairn without a parent's involvement, contact us at legal@cairnplan.com and we will remove the information.
3. What we collect
Information you give us during intake. Your answers to the conversational intake and the behavioral assessment. We collect your child's first name only (so we can address them by name in the plan), their age, grade and curriculum track, the city and country of school and home, and the languages spoken at home. We do not ask for a last name, photo, school name, street address, or precise (GPS-level) location, and we ask you not to enter them.
Account information, when you save a plan. You can use most of Cairn without an account. When you choose to save a plan, we collect a parent email address and a password. This links a plan to you so you can return to it.
The plans we generate. The weekly plans we produce for you, and the structured profile our software builds from your answers.
Technical and session information. A session identifier that lets the service work while you are using it, your IP address, browser and device type, and basic usage information. Some of this is collected automatically. See our Cookie Policy for detail.
Payment information, if you subscribe. Cairn offers paid subscription tiers. Payments are processed by Polar, which acts as the merchant of record and handles your card details on its own systems. Cairn does not collect or store your full card number. We receive only the subscription and billing status we need to give you access to your tier.
4. How we use your information
We use the information you give us for a single core purpose: to build a learning plan for your child and explain it to you. Concretely, that means we use your intake answers and assessment results to:
- read them into a structured profile of how your child learns,
- filter and score providers in our database against that profile,
- compose a weekly plan from the best-fitting providers, and
- write a plain-language explanation of why each provider was chosen.
We also use technical information to operate the site, keep it secure, fix problems, and understand in aggregate how the service is used so we can improve it.
We do not use your child's information to build advertising profiles, and we do not sell it.
5. How automated processing and AI are used
We want to be precise here, because “AI-powered” usually hides more than it reveals.
The recommendation itself is produced by deterministic software. Our engine filters and ranks providers using fixed rules and scores. An AI language model is used in only two narrow places: to read your written intake answers into a structured profile, and to write the plain-language explanation of a plan that has already been decided. The model does not choose which providers you see, and it cannot change the ranking.
For those two tasks, we send the relevant text to OpenAI, which processes it on our behalf as a service provider. OpenAI does not use data submitted through its API to train its models, and retains it only for a limited period for abuse monitoring before deleting it. We send the minimum needed for the task and avoid identifying details about your child.
You have the right to ask for human review of any plan and to contest how a profile was built. Contact us at legal@cairnplan.com.
6. Who we share information with
We share information only with the service providers who help us run Cairn, and only as needed:
- OpenAI, to read intake answers and write explanations, as described above.
- Supabase, which hosts our database and stores your plans and account information.
- Vercel, which hosts and serves the website.
- PostHog, which provides aggregate product analytics. We send it only a short, whitelisted set of usage events that never include your child's name, free text, or profile details.
- Sentry, which collects error reports when something breaks so we can fix it.
- Polar, which processes subscription payments as the merchant of record and handles your card details on its own systems.
- Resend, which delivers transactional email such as your sign-up confirmation and receives the parent email address.
- Upstash Redis, which we use for rate limiting, keyed to your IP address, to protect the service from abuse.
- Cloudflare Turnstile, which protects our contact form from spam.
We do not sell personal information, and we do not share it with advertisers.
Learning providers. When you choose to act on a recommendation, you may follow a link to a provider's own website and sign up there directly. At that point you are dealing with that provider under their own terms and privacy policy. We do not pass your child's profile to providers.
We may also disclose information if required by law, or to protect the safety of a person, and in connection with a sale or reorganization of the business, in which case this policy continues to apply.
7. Our commercial relationship with providers
We earn a commission when you choose some providers through links on Cairn. We disclose this because you should know it.
This commission has no effect on which providers we recommend or how they are ranked. Our ranking software has no access to commission data of any kind. We designed it that way on purpose, so the engine cannot optimize for our revenue. The recommendation you see is the one our scoring produced, not the one that pays us most.
8. Legal bases and consent
Where the law requires a legal basis to process personal data, we rely on the following:
- Consent, which you give as the parent when you choose to use the service and provide your child's information. You can withdraw consent at any time, which we explain in Section 11.
- Performance of our service to you, to deliver the plan you asked for.
- Our legitimate interests, to keep the service secure and working, balanced against your rights.
Because the data concerns a child, we treat your consent as the consent of the holder of parental responsibility. For users in regions with a specific minimum age of digital consent, that consent threshold varies, and parental consent is required below it.
9. Children's privacy: COPPA, GDPR-K, and equivalent protections
Cairn collects information about children, so the following apply depending on where you and your child are.
United States (COPPA)
For children under 13, we obtain parental consent before collecting personal information, limit collection to what the service needs, and give you the right to review the information we hold about your child, refuse further collection, and have it deleted. Cairn is built so that the parent is the user: the parent completes the intake themselves, provides the information directly, and holds the account, and we confirm account creation through the parent's own email address. We do not collect information from a child directly.
European Economic Area (GDPR, including Article 8)
Children's data receives specific protection. The minimum age at which a child can consent on their own to online services ranges from 13 to 16 across member states. Below that age, we rely on the consent of a parent or guardian, which is the model Cairn uses by default.
United Kingdom
We aim to follow the principles of the Age Appropriate Design Code, including data minimization, clear language, and high-privacy defaults.
California
Children's data is treated as sensitive. We do not sell or share the personal information of users we know to be under 16 without opt-in consent.
United Arab Emirates
We process personal data in line with the UAE Personal Data Protection Law, including the rules on consent and cross-border transfers.
As a parent, you can at any time review what we hold about your child, correct it, withdraw your consent, and ask us to delete it. See Section 11.
10. How long we keep information
We keep information only as long as we need it for the purposes in this policy.
- We retain your account data for as long as your account is active. You can delete your account and all associated data at any time from your settings, and we remove it from our live systems immediately.
- Saved plans and account information: kept until you delete your account, then removed from our active systems immediately.
- Anonymous child profiles that were never linked to an account: deleted automatically after roughly 90 days of inactivity.
- Technical and session logs: kept for up to 12 months.
Deletion from our live database takes effect immediately. Where we keep database backups for reliability, any residual copy of deleted data ages out on our normal backup rotation. We do not use backups to bring back individual data you have deleted, other than as part of restoring the whole service after a failure.
11. Your rights and how to use them
Depending on where you are, you have some or all of the following rights, which you can exercise on your child's behalf:
- to access the information we hold,
- to correct information that is wrong,
- to delete information,
- to receive a copy of information in a portable form,
- to restrict or object to certain processing,
- to withdraw consent you previously gave, and
- to ask for human review of an automated profile or plan.
To use any of these, contact us at legal@cairnplan.com. We will respond within 30 days. We will not charge you for a reasonable request, and we will not penalize you for making one.
If you are in the EEA, the UK, or the UAE and you are not satisfied with how we handle a request, you have the right to complain to your local data protection authority.
12. International data transfers
Cairn is operated from Peru and uses service providers located in other countries, including the United States. This means your information may be transferred to and processed in countries other than your own. Where we transfer personal data internationally, we use appropriate safeguards, such as standard contractual clauses, where the law requires them.
13. Security
We protect your information with technical and organizational measures appropriate to its sensitivity, including encryption in transit, access controls, and limiting who on our side can see it. No system is perfectly secure, and we cannot guarantee absolute security, but we take the responsibility seriously because the data is about children.
14. Cookies
We use a small number of cookies and similar technologies to run the service and, where you allow it, to understand usage. Our Cookie Policy explains each one and how to control them.
15. Changes to this policy
We will update this policy when our practices change. When we make a material change, we will update the version and date at the top and, where appropriate, tell you directly. Continuing to use Cairn after a change means you accept the updated policy.
16. Contact us
For any question about this policy or your information, contact us at:
Hugo Galarreta
legal@cairnplan.com
Av. Monte de los Olivos 291, Lima, Peru