Privacy policy

Last updated: 2026-04-24

Who we are

Cairn is operated as a unified customer data layer service. We are based in the United Kingdom and host all customer data in AWS eu-west-2 (London) for UK GDPR / DPA 2018 compliance.

Two roles, two policies

Cairn handles personal data in two distinct capacities:

  • Controller for our direct users — workspace owners, operators, and viewers signing into the Cairn application.
  • Processor for the contact records our customers ingest into their workspace. We act on the customer's documented instructions under our Data Processing Agreement.

Data we collect as controller (operator accounts)

  • Microsoft Entra ID claims: sub, email, display name, tenant ID.
  • Workspace memberships and role assignments.
  • Audit log of administrative actions you perform (who, what, when).
  • Session cookies (HMAC-signed, strictly necessary).
  • Rate-limit fingerprints (IP or user ID) for abuse prevention.

Lawful basis: contract performance (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) for security logging.

Data we process on behalf of customers (contacts)

Our customers ingest CRM, marketing-automation, and event data into their workspace. Cairn is the processor — we don't determine the purpose of that processing; the customer does. Personal data we may handle includes names, work emails, job titles, employer, engagement events, consent records, and any custom fields the customer configures.

For data-subject rights requests (access, erasure, portability), please contact the controller (the Cairn customer) directly. If you don't know who that is, contact us and we'll help you identify them.

Retention

  • Engagement events: 24 months by default (configurable per workspace).
  • Campaign send logs: 24 months.
  • Audit events: 24 months.
  • Ingestion run history (terminal): 12 months.
  • Suppressions: indefinite (must persist to honour unsubscribes).
  • Consent records: lifetime of the contact + 6 months evidence retention.

Retention sweeps run daily. See lib/retention.ts for the controlling thresholds.

Sub-processors

We list every sub-processor at /legal/sub-processors. Material changes are notified to controllers at least 30 days in advance.

Your rights

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restrict processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

To exercise any of these against us as controller, email privacy@getcairn.co.uk. We respond within 30 days. Against a Cairn customer (controller), contact them.

You also have the right to complain to the Information Commissioner's Office (ico.org.uk).

Cookies

We use only strictly-necessary cookies (the session cookie set after sign-in). We don't set tracking, advertising, or analytics cookies. See /legal/cookies.

International transfers

Customer data resides in AWS eu-west-2 (London). Sub-processors located outside the UK process under UK adequacy decisions or the UK International Data Transfer Addendum. No data leaves the UK without an appropriate safeguard.

Contact

Privacy queries: privacy@getcairn.co.uk
Security incidents: security@getcairn.co.uk