Privacy Policy.

What information Cairn Learning collects, why we collect it, who we share it with, and the choices you have. Written for the parents and guardians who use Cairn, in plain language, because the people reading it are responsible for a child.

Effective: [FILL: effective date]Version: 1.0Last updated: [FILL: date]

1. About this policy

This policy explains what information Cairn Learning collects, why we collect it, who we share it with, and the choices you have. It is written for the parents and guardians who use Cairn, in plain language, because the people reading it are responsible for a child.

Cairn Learning (“Cairn”, “we”, “us”) is operated by [FILL: legal entity name and registered form], registered at [FILL: registered address], reachable at [FILL: contact email, e.g. privacy@cairnlearning.com]. Our website is cairnlearning.com.

Cairn is a service that helps a parent build a weekly learning plan for their child. A parent answers a short conversational intake, completes a light behavioral assessment, and optionally a math skill check. We then produce a plan that combines two or three learning providers from a curated database, with an explanation of why each one fits.

2. Children's data and the parent's role

This is the part that matters most, so we state it first.

Cairn is operated for parents and legal guardians, not for direct use by children. The account holder and the person we treat as our user is the adult. The information you give us is mostly about your child: their age band, the subjects they are working on, their interests, and how they tend to learn. We treat that information as children's personal data and apply the protections that come with it.

Because the data is about a child, the parent or guardian is the person who provides consent, reviews what we hold, and can ask us to delete it. We describe how to do all of that below.

We do not knowingly let children create accounts or use Cairn without a parent. If you believe a child has used Cairn without a parent's involvement, contact us at [FILL: contact email] and we will remove the information.

3. What we collect

Information you give us during intake. Your answers to the conversational intake, the behavioral assessment, and, if you choose to take it, the math skill check. We collect your child's first name only (so we can address them by name in the plan), their age, grade and curriculum track, the city and country of school and home, and the languages spoken at home. We do not ask for a last name, photo, school name, street address, or precise (GPS-level) location, and we ask you not to enter them.

Account information, when you save a plan. You can use most of Cairn without an account. When you choose to save a plan, we collect [FILL: the account fields you actually collect, e.g. a parent email address and a password or a sign-in identifier]. This links a plan to you so you can return to it.

The plans we generate. The weekly plans we produce for you, and the structured profile our software builds from your answers.

Technical and session information. A session identifier that lets the service work while you are using it, your IP address, browser and device type, and basic usage information. Some of this is collected automatically. See our Cookie Policy for detail.

We do not collect payment information at this time. Cairn is currently free to use. If that changes, we will update this policy before collecting any payment data.

4. How we use your information

We use the information you give us for a single core purpose: to build a learning plan for your child and explain it to you. Concretely, that means we use your intake answers and assessment results to:

  • read them into a structured profile of how your child learns,
  • filter and score providers in our database against that profile,
  • compose a weekly plan from the best-fitting providers, and
  • write a plain-language explanation of why each provider was chosen.

We also use technical information to operate the site, keep it secure, fix problems, and understand in aggregate how the service is used so we can improve it.

We do not use your child's information to build advertising profiles, and we do not sell it.

5. How automated processing and AI are used

We want to be precise here, because “AI-powered” usually hides more than it reveals.

The recommendation itself is produced by deterministic software. Our engine filters and ranks providers using fixed rules and scores. An AI language model is used in only two narrow places: to read your written intake answers into a structured profile, and to write the plain-language explanation of a plan that has already been decided. The model does not choose which providers you see, and it cannot change the ranking.

For those two tasks, we send the relevant text to OpenAI, which processes it on our behalf as a service provider. [FILL: confirm your OpenAI API data terms, then state them plainly here, e.g. “OpenAI does not use data submitted through its API to train its models, and retains it only for a limited period for abuse monitoring.”] We send the minimum needed for the task and avoid identifying details about your child.

You have the right to ask for human review of any plan and to contest how a profile was built. Contact us at [FILL: contact email].

6. Who we share information with

We share information only with the service providers who help us run Cairn, and only as needed:

  • OpenAI, to read intake answers and write explanations, as described above.
  • Supabase, which hosts our database and stores your plans and account information.
  • Vercel, which hosts and serves the website. [FILL: confirm whether you use Vercel Analytics; if so, name it here.]
  • [FILL: any analytics provider you actually use, or state “We do not use third-party analytics.”]

We do not sell personal information, and we do not share it with advertisers.

Learning providers. When you choose to act on a recommendation, you may follow a link to a provider's own website and sign up there directly. At that point you are dealing with that provider under their own terms and privacy policy. We do not pass your child's profile to providers.

We may also disclose information if required by law, or to protect the safety of a person, and in connection with a sale or reorganization of the business, in which case this policy continues to apply.

7. Our commercial relationship with providers

We earn a commission when you choose some providers through links on Cairn. We disclose this because you should know it.

This commission has no effect on which providers we recommend or how they are ranked. Our ranking software has no access to commission data of any kind. We designed it that way on purpose, so the engine cannot optimize for our revenue. The recommendation you see is the one our scoring produced, not the one that pays us most.

Where the law requires a legal basis to process personal data, we rely on the following:

  • Consent, which you give as the parent when you choose to use the service and provide your child's information. You can withdraw consent at any time, which we explain in Section 11.
  • Performance of our service to you, to deliver the plan you asked for.
  • Our legitimate interests, to keep the service secure and working, balanced against your rights.

Because the data concerns a child, we treat your consent as the consent of the holder of parental responsibility. For users in regions with a specific minimum age of digital consent, that consent threshold varies, and parental consent is required below it.

9. Children's privacy: COPPA, GDPR-K, and equivalent protections

Cairn collects information about children, so the following apply depending on where you and your child are.

United States (COPPA)

For children under 13, we obtain parental consent before collecting personal information, limit collection to what the service needs, and give you the right to review the information we hold about your child, refuse further collection, and have it deleted. [FILL: describe the verifiable parental consent method you use, or state the consent flow you have implemented.]

European Economic Area (GDPR, including Article 8)

Children's data receives specific protection. The minimum age at which a child can consent on their own to online services ranges from 13 to 16 across member states. Below that age, we rely on the consent of a parent or guardian, which is the model Cairn uses by default.

United Kingdom

We aim to follow the principles of the Age Appropriate Design Code, including data minimization, clear language, and high-privacy defaults.

California

Children's data is treated as sensitive. We do not sell or share the personal information of users we know to be under 16 without opt-in consent.

United Arab Emirates

We process personal data in line with the UAE Personal Data Protection Law, including the rules on consent and cross-border transfers.

As a parent, you can at any time review what we hold about your child, correct it, withdraw your consent, and ask us to delete it. See Section 11.

10. How long we keep information

We keep information only as long as we need it for the purposes in this policy.

  • Intake answers and the profile built from them: [FILL: retention period, e.g. deleted after X months of inactivity].
  • Saved plans and account information: [FILL: retention period, e.g. until you delete your account, then removed within X days].
  • Technical and session logs: [FILL: retention period].

When a retention period ends, or when you ask us to delete information, we remove it from our active systems and from backups within a reasonable period.

11. Your rights and how to use them

Depending on where you are, you have some or all of the following rights, which you can exercise on your child's behalf:

  • to access the information we hold,
  • to correct information that is wrong,
  • to delete information,
  • to receive a copy of information in a portable form,
  • to restrict or object to certain processing,
  • to withdraw consent you previously gave, and
  • to ask for human review of an automated profile or plan.

To use any of these, contact us at [FILL: contact email]. We will respond within [FILL: response window, e.g. 30 days]. We will not charge you for a reasonable request, and we will not penalize you for making one.

If you are in the EEA, the UK, or the UAE and you are not satisfied with how we handle a request, you have the right to complain to your local data protection authority.

12. International data transfers

Cairn is operated from the United Arab Emirates and uses service providers located in other countries, including the United States. This means your information may be transferred to and processed in countries other than your own. Where we transfer personal data internationally, we use appropriate safeguards, such as standard contractual clauses, where the law requires them.

13. Security

We protect your information with technical and organizational measures appropriate to its sensitivity, including encryption in transit, access controls, and limiting who on our side can see it. No system is perfectly secure, and we cannot guarantee absolute security, but we take the responsibility seriously because the data is about children.

14. Cookies

We use a small number of cookies and similar technologies to run the service and, where you allow it, to understand usage. Our Cookie Policy explains each one and how to control them.

15. Changes to this policy

We will update this policy when our practices change. When we make a material change, we will update the version and date at the top and, where appropriate, tell you directly. Continuing to use Cairn after a change means you accept the updated policy.

16. Contact us

For any question about this policy or your information, contact us at:

Privacy contact

[FILL: contact name or role]
[FILL: contact email]
[FILL: postal address]