Cairn — Privacy Policy

Effective date: 3 June 2026 Last updated: 3 June 2026

This Privacy Policy explains how Life's Echo Ltd, a company registered in England and Wales (company number 15901980, registered office 1 Pargate Chase, Rochdale, England, OL11 5DZ), trading as Cairn ("Cairn", "we", "us", "our"), collects, uses, shares and protects information when you use ourcairn.com and the Cairn service.

This policy sits alongside our Terms & Conditions. If you do not agree with this policy, please do not use Cairn.

You can contact us about anything in this policy at hello@ourcairn.com.

1. The information we collect

Account and contact information. When you create an account, we collect your name, email address, a password (stored as a one-way hash, never in plain text), and your country. When you subscribe, our payment processor collects your payment card details (we never see or store the full card number ourselves).

Voice recordings. When you (or someone you have authorised) record a story on Cairn, we collect and store the audio recording. This is the core of the service. Voice recordings are personal data, and in some jurisdictions they may be treated as sensitive data. We treat them with that level of care.

Transcripts. We automatically transcribe your voice recordings into text and store the transcripts in your account.

Phone numbers and call metadata. Because Cairn works by phone, we collect the phone numbers used to make recordings, and basic call metadata (date, time, duration). This is necessary to deliver the service.

Information about the people you record. When you record someone else's voice, the recording contains personal data about that person — their voice, what they say about themselves and others, and sometimes other identifying details. You are responsible for having the right consents (see Section 7 below and our Terms).

Usage and device data. When you use ourcairn.com we automatically collect basic technical information: IP address, browser type, device type, operating system, pages visited, dates and times of visits, referring site, and similar standard web-server logs.

Customer support information. If you contact us, we keep a record of that correspondence to help us help you.

We do not use facial recognition, voice-print biometric identification, or any technology designed to identify individuals from their voice. We do not derive biometric identifiers from your recordings.

2. How we use your information

We use your information to:

Provide the service. Take your calls, record your stories, transcribe them, store them, and let you (and the people you authorise) listen to and read them.
Run your subscription. Bill you, process renewals, handle cancellations and refunds, and confirm transactions.
Communicate with you. Send account, transactional, and service emails (e.g. payment receipts, password resets, important changes to the service). Marketing emails are sent only if you opt in, and you can opt out at any time.
Support and improve the service. Respond to your questions, fix bugs, debug problems, and make the product better. We do not use your recordings or transcripts to train AI models. We do not use them for advertising or marketing.
Keep the service secure. Detect and prevent fraud, abuse, and unauthorised access.
Meet our legal obligations. Tax, accounting, regulatory, and lawful requests from authorities.

3. Our legal basis for processing (UK GDPR)

For users in the UK, EU, or anywhere UK or EU data protection law applies to your use of Cairn, we rely on the following legal bases:

Performance of a contract — for processing necessary to provide the service you have signed up for (recording, transcribing, storing, billing).
Consent — for processing voice recordings of identifiable people (including yourself), and for any marketing communications. You can withdraw consent at any time. Withdrawing consent for recording processing means we can no longer provide the recording features of the service, and your existing recordings can be deleted on your request.
Legitimate interests — for security, fraud prevention, basic analytics about how Cairn is used, and routine business administration. We have considered your rights and interests against ours and believe these uses are proportionate.
Legal obligation — for things like tax records and responses to lawful authority requests.

4. Who we share your information with

We share your data only with the third parties we genuinely need to run Cairn. We do not sell your personal information to anyone.

The third parties who process your data on our behalf are:

Provider	What they do for Cairn	Where they process data
Twilio	Telephony — handles the phone calls that you use to record stories.	United States
Vapi	Voice AI infrastructure — runs the conversational layer that prompts you through your story call.	United States
Vercel	Hosting and edge delivery for ourcairn.com and the Cairn web application.	United States
Supabase	Backend database and storage — where your account, recordings and transcripts are stored.	United States
Stripe	Processes your subscription payments.	United States
Resend	Sends transactional and account emails.	United States

In addition, we may share your information:

with professional advisers (lawyers, accountants, auditors) under confidentiality, where genuinely necessary;
with authorities where required by law, court order, or to protect our rights, your safety, or the safety of others;
with a buyer or successor if Cairn or Life's Echo Ltd is sold, merged or restructured, in which case we will let you know and your data continues to be protected by this policy or one no less protective;
as aggregated or anonymised data that cannot reasonably be used to identify you.

5. International data transfers

If you are in the UK or EU, your personal data is transferred to and processed in the United States by the providers listed above.

For these transfers we rely on the safeguards required by UK GDPR. Specifically, we put in place the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum with each provider. Where a provider is certified under the EU-US Data Privacy Framework and its UK Extension, we rely on that as an additional safeguard.

You can ask us for more information about these transfer arrangements at hello@ourcairn.com.

6. How long we keep your information

Active accounts. We keep your account information, recordings and transcripts for as long as your account is active and you have a subscription.
After you cancel. Your recordings and transcripts remain accessible for a 30-day post-cancellation window so you can listen, read, and export. After 30 days they are deleted from our active systems.
Backups. Deleted content may persist in our routine backups for up to a further 90 days before being overwritten in normal backup rotation.
Account profile. Your basic account record (name, email, country) is deleted with your content unless we are required to keep it (e.g. for fraud prevention).
Billing and tax records. We keep transactional records (invoices, payment receipts, billing history) for 6 years to meet UK accounting and tax requirements. These records do not contain your recordings or transcripts.
Support correspondence. We keep customer support messages for up to 2 years after the issue is resolved.

You can ask us to delete your data sooner — see Section 8.

7. The people you record

When you record someone other than yourself on Cairn, you must have their permission (or, if they are a child, the permission of their parent or guardian). This is your responsibility under our Terms.

We collect and store information about the people you record only because you have brought it onto the service. We process that information on the same legal bases set out in Section 3, in reliance on your warranty that you have the necessary consent. If a person whose voice has been recorded on Cairn contacts us directly to ask us to delete their recording, we will work with you to handle that request appropriately.

8. Your rights

Depending on where you live, you have legal rights over the personal data we hold about you. We honour these rights for everyone, regardless of where you live, unless the law specifically prohibits us.

You have the right to:

Access the personal data we hold about you, and get a copy of it.
Correct information that is wrong.
Delete your personal data (sometimes called the "right to be forgotten"). Note that this may end your ability to use Cairn.
Object to or restrict certain processing.
Portability — receive your recordings and transcripts in a usable format so you can take them elsewhere.
Withdraw consent at any time where we rely on consent.
Opt out of marketing at any time, using the unsubscribe link in our emails or by contacting us.
Complain to a data protection authority — in the UK that is the Information Commissioner's Office.

To exercise any of these rights, email us at hello@ourcairn.com. We will respond within the time required by law (one month under UK GDPR; sometimes longer for complex requests, in which case we will tell you).

Specific notices for residents of certain US states

California (CCPA / CPRA). California residents have specific rights: the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" (we do not sell or share your personal information in the sense the law uses these terms), the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights. We do not "sell" personal information for money, and we do not "share" it for cross-context behavioural advertising.

Other US states (Virginia, Colorado, Connecticut, Texas, Utah, and others). Residents of states with comparable privacy laws have similar rights, including access, deletion, correction, portability, and opt-out of targeted advertising. We do not engage in targeted advertising using your Cairn data.

To exercise any US state right, email hello@ourcairn.com with "Privacy Rights Request" in the subject line. We may need to verify your identity before acting on the request.

9. Cookies

We use cookies and similar technologies for two reasons:

Strictly necessary cookies that make ourcairn.com work — for example, to keep you logged in.
Analytics cookies that help us understand how Cairn is used so we can improve it. These are limited to basic, privacy-respecting usage measurement; we do not use advertising cookies.

You can control cookies through your browser settings and through the cookie banner on ourcairn.com.

10. Security

We protect your data with technical and organisational measures appropriate to its sensitivity: encryption in transit, encrypted storage of recordings at rest, strict access controls, separation of duties, and regular review of security practices. No internet service can promise perfect security, and we cannot guarantee absolute security — but we work to make Cairn a safe place for your stories.

You can help by choosing a strong, unique password and keeping your login secure.

11. Children

Cairn is not for children to use as account holders. You must be at least 18 to hold an account. We do not knowingly create accounts for children. If we discover a child has created an account, we will delete it.

Children of any age may appear in recordings made by an adult account holder — for example, a parent recording stories with their child. Where this happens, the account holder is responsible for having the parent or guardian's permission (in their own case, their own permission), and for handling that recording appropriately.

12. Changes to this policy

We may update this policy from time to time as our service evolves or the law changes. If we make material changes, we will give you reasonable notice — for example, by email or a notice in the service. The "Last updated" date at the top of the policy will always tell you when the current version took effect.

13. Contact us

If you have any questions about this policy or how we use your data, email us at hello@ourcairn.com. The data controller for the purposes of UK GDPR is Life's Echo Ltd at the registered office address above.