Privacy Policy

This Privacy Policy describes how Deviantce, the operator of Cairni ("Cairni", "we", "us", "our"), collects, uses, shares, and safeguards personal data when you use our website and services (the "Service"). We are the controller of the personal data described here. Please read it together with our Terms of Service and Refund Policy.

1. Who we are

The Service is operated by Deviantce, Business Registration No. 355-15-01636, located at #1415, 129 Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea. For any privacy question or to exercise your rights, contact us at support@cairni.com.

2. Scope

This policy applies to personal data we process about visitors, account holders, and the authorized users of team workspaces. It does not apply to third-party websites or services that we link to or integrate with, which have their own privacy policies.

3. Information we collect

3.1 Information you provide

Account information: your name, email address, a securely hashed password, country, and language preference.
Single sign-on data: if you sign in with Google or GitHub, we receive your email address, name, and profile picture from that provider.
Content and inputs ("Your Content"): the sources you add — uploaded files, links/URLs, pasted text, imports from Notion and Obsidian, and audio recordings — together with the prompts and chat/Q&A messages you send, and the wiki pages the Service generates from them.
Support and communications: messages you send us, and the contents of correspondence.
Billing information: processed by our payment provider; see Section 6. We receive limited transaction details, not your full card number.

3.2 Information we collect automatically

Device and connection data: IP address, browser and device type, operating system, and approximate location derived from IP.
Usage data: time zone, the pages and wikis you view, features used, credit consumption, and timestamps.
Log and diagnostic data: server logs and error reports used to operate, secure, and improve the Service.
Cookies and local storage: see Section 7.

3.3 Information from third parties

Authentication providers (Google, GitHub) when you choose social sign-in.
Our payment provider (Paddle), which confirms your subscription status and limited transaction metadata.

4. Legal bases for processing

Where the EU/UK GDPR or similar laws apply, we rely on the following legal bases:

Purpose	Legal basis
Creating and operating your account; providing the Service; processing Your Content; billing	Performance of a contract
Securing the Service, preventing fraud and abuse, product analytics and improvement	Legitimate interests
Optional features that require it (e.g., certain integrations), and marketing where applicable	Consent (which you may withdraw at any time)
Tax, accounting, and responding to lawful requests	Legal obligation

5. How we use your information

To deliver core features — compiling your sources into interlinked wikis and answering questions with citations.
To authenticate you, manage your account, workspace, subscription, and credits.
To provide customer support and respond to your requests.
To maintain security, prevent fraud and abuse, and enforce our Terms.
To operate, analyze, and improve the Service (using operational and aggregated data — we do not use the content of Your Content to serve advertising).
To send transactional messages (e.g., sign-in, receipts, important service notices). We send marketing only where permitted, and you can opt out.
To comply with legal obligations and exercise or defend legal claims.

6. AI processing and sub-processors

To provide the Service we use trusted third-party providers ("sub-processors") that process personal data on our behalf under contractual data-protection obligations. To perform a request, we transmit the content necessary to fulfill it to the AI providers below.

Sub-processor	Purpose	Region
Anthropic (Claude API)	Compiling sources and answering questions	United States
Google (Gemini API & Cloud Speech-to-Text)	AI generation and audio transcription	United States / global
Paddle.com Market Limited	Payment processing as Merchant of Record	United Kingdom / EU
Google Analytics	Website usage analytics — only with your consent (see Section 7)	United States
Email delivery provider (Hiworks)	Transactional email (sign-in, receipts)	Republic of Korea
Cloud hosting & infrastructure	Hosting, storage, and content delivery	Varies by region

AI training: under the commercial/API terms of Anthropic and Google, content we submit through their APIs is not used to train their foundation models. We do not sell your personal data and do not use the content of Your Content to build advertising profiles. We may update this list as the Service evolves and will reflect changes here.

7. Cookies, analytics, and consent

We use the following cookies and local storage:

Strictly necessary: an HTTP-only session cookie that keeps you signed in and secures requests.
Preferences: a cookie that remembers your language, and local storage used to remember UI choices.
Analytics (consent-based): with your consent, Google Analytics sets cookies (for example, _ga and _ga_*) to help us understand how the Service is used. We use Google Consent Mode: analytics storage is disabled by default, and no analytics cookies are set until you accept via our cookie banner.

We do not use third-party advertising or cross-site behavioral-tracking cookies. You can decline analytics in our cookie banner, withdraw your choice at any time by clearing your browser's site data, or install Google's Analytics opt-out browser add-on. Disabling strictly necessary cookies will break sign-in.

8. How we share information

We share personal data only:

with the sub-processors listed in Section 6, under contract and only to provide the Service;
at your direction — for example, when you publish a wiki publicly, that content becomes accessible to anyone;
within your team workspace, with other authorized members and the workspace administrator;
to comply with law, respond to lawful requests, or protect the rights, property, or safety of Cairni, our users, or the public;
in connection with a merger, acquisition, or sale of assets, in which case we will notify you and any successor will be bound by this policy.

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising.

9. International data transfers

We operate from the Republic of Korea, and our sub-processors may process personal data in other countries, including the United States and the European Union. Where required, we use appropriate safeguards for such transfers, such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.

10. Data retention

We retain your account data and Your Content for as long as your account is active. When you delete content or close your account, we delete or irreversibly anonymize the associated personal data within a reasonable period (typically within 30 days), except for: (a) residual copies in routine backups, which are overwritten on a rolling basis; and (b) data we must keep to meet legal, tax, accounting, or security obligations or to resolve disputes. Aggregated or de-identified data that no longer identifies you may be retained.

11. Security

We implement technical and organizational measures appropriate to the risk, including encryption of data in transit (TLS), password hashing, access controls and least-privilege principles, network and application safeguards, and logging and monitoring. No system is perfectly secure; if we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by law.

12. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

Access — obtain a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data ("right to be forgotten").
Restriction and objection — limit or object to certain processing, including processing based on legitimate interests.
Portability — receive your data in a structured, machine-readable format.
Withdraw consent — where processing is based on consent, withdraw it at any time.
Non-discrimination — we will not discriminate against you for exercising your rights.

These rights are provided under laws including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and Korea's Personal Information Protection Act (PIPA). Under the CCPA, we do not sell or share personal information as those terms are defined. To exercise any right, email support@cairni.com; we will verify your request and respond within the time required by applicable law. You also have the right to lodge a complaint with your local data-protection authority (in Korea, the Personal Information Protection Commission).

13. Children's privacy

The Service is not directed to, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

14. Third-party links and services

The Service may link to or integrate with third-party services (e.g., Notion, Obsidian, sign-in providers, and the payment provider). We are not responsible for their privacy practices; review their policies separately.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version with a new "Last updated" date and, for material changes, provide reasonable advance notice (for example, by email or in-product notice).

16. Contact

For any privacy question, request, or complaint, contact us at support@cairni.com or by mail at the address above.