Privacy Policy
Cairn ("the Service") respects your privacy. This Policy describes what personal data we collect, how we use it, and your rights. This is a draft requiring cross-jurisdictional review (GDPR, Japan APPI, CCPA, LGPD) before final launch.
1. Data We Collect
1.1 From Writers
- Self-attested name
- Self-attested year of birth and country of residence
- Email address
- Payment information (handled by payment providers; we do not store card numbers)
- Entry text
- IP address and user agent at submission
- Identity documents (passport, driver's license, national ID): collected only when the Operator later requests them under Terms §3.3 and the User chooses to provide them.
1.2 From Readers
- Page views and timestamps (aggregated, anonymous)
- IP address (retained for 30 days, DDoS protection only)
Reading requires no account. No personal data is collected from readers.
2. How We Use Data
| Data | Purpose |
|---|---|
| ID documents | Verify real person; prevent duplicate registration |
| Name, year of birth | Identity verification; extract year-of-birth for public display |
| Country | Public meta; regional pricing |
| Email | Service-related communication |
| Entry text | Public display (core purpose) |
| IP / UA | Fraud prevention; regional pricing |
3. What Is Made Public
Public
- Entry text
- Year of birth (4 digits only; month/day never public)
- Country
- Date of writing
- Display name (your choice: real name / pen name / anonymous)
- Content hash
Not Public
- ID document contents
- Full name (unless you choose to display it)
- Month and day of birth
- Email address
- Payment information
- IP address and access logs
4. Third-Party Sharing
We share personal data only with:
- Payment providers (Stripe, etc.) for transactions
- Cloud infrastructure (Cloudflare, etc.) for encrypted storage/delivery
- KYC providers (Onfido, Persona, etc.): under current operations, identity verification is not delegated to a third party. If we delegate in future, this Policy will be amended in advance, and only the minimum necessary data will be shared.
- Legal disclosure in response to valid court orders or law enforcement requests
- With your explicit consent
All processors operate under GDPR-compliant Data Processing Agreements (DPAs).
5. International Data Transfers
Data is stored redundantly across multiple regions, which may include Japan, the US, and the EU. We rely on Standard Contractual Clauses (SCCs) under GDPR Article 44 et seq. for international transfers.
6. Retention
| Data | Retention |
|---|---|
| Entry text and public meta | Permanent |
| ID documents (when voluntarily submitted) | Deleted within 90 days of resolving the matter that prompted collection. Up to 7 years if required by Japanese tax/legal record-keeping (per the Income Tax Act bookkeeping retention rules). |
| Real name, email, card fingerprint (for duplicate detection) | Retained while the corresponding entry remains active. Deleted within 30 days if the entry is retracted. |
| Payment records | As required by law (Japan: 7 years) |
| Access logs (IP/UA) | 30 days |
| Email address (contact) | For the lifetime of the account |
Permanent retention of Entries is the core value of the Service. We delete only under Terms §11.
In normal operation we do not collect ID documents. They are requested only in specific cases of suspected fraud or duplicate registration. Submission is voluntary, and any submitted document is physically deleted from encrypted storage as soon as the retention period above elapses.
7. Your Rights
Under GDPR and equivalent laws, you have the right to:
- Access your personal data
- Rectification of inaccurate data (Entry text is not rectifiable)
- Erasure ("right to be forgotten") under specific conditions per Terms §11
- Data portability — receive your data in machine-readable form
- Withdraw consent for KYC processing going forward
Contact the operator (see Section 12) to exercise these rights.
8. Security
- ID documents encrypted at rest with AES-256
- Encryption keys protected by Hardware Security Modules (HSM)
- Access requires multi-factor authentication and separation of duties
- Annual third-party security audit
- TLS 1.3 in transit
9. Cookies
We use cookies only to maintain your session during writing. No tracking cookies. No advertising cookies. No third-party analytics (no Google Analytics, etc.).
10. Children's Privacy
- We do not collect data directly from children under 16 (proxy registration by guardians excepted).
- Proxy registration requires the guardian's confirmation of legal authority over the child.
- Upon reaching adulthood, the child may exercise full data access and deletion rights over their data.
11. Changes to This Policy
This Policy may be updated. Material changes are notified to registered email addresses.
12. Contact
- Trading name: Cairn
- Form of operation: Sole proprietor (individual operator)
- Contact: privacy@c4irn.net
The operator's legal name and registered address are not publicly displayed. They will be disclosed without undue delay, in writing or by email, upon request under Japan's Act on Specified Commercial Transactions or other applicable law (a "disclosure-upon-request" model). Please send such requests to the contact address above.
Requests to access, correct, or restrict the use of your personal data, and any other privacy-related enquiries, should also be sent to the address above.