Effective Date: [INSERT DATE] | Last Updated: [INSERT DATE]
Summary: Novium Labs LLC ("Novium Labs," "we," "us," "our"), operator of the Cairn website compliance assessment tool, collects limited personal data to operate the service. We do not sell your data. We do not use your data for advertising. We process only what is necessary to deliver the service you requested. This policy explains exactly what we collect, why, how long we keep it, and what rights you have.
The data controller responsible for processing your personal data is:
Novium Labs LLC
[YOUR BUSINESS ADDRESS]
Email: [email protected]
If you have questions about this policy or wish to exercise your data protection rights, contact us at the email address above.
We collect different categories of data depending on how you interact with our service:
| Data Category | Specific Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|---|
| Contact information | Name, email address | To deliver your audit report and contact you regarding findings | Consent (Art. 6(1)(a)) and Legitimate Interest (Art. 6(1)(f)) |
| Website URL | The URL you submit for scanning | To perform the website compliance audit | Contract performance (Art. 6(1)(b)) |
| Account credentials | Email and password (if account created) | To authenticate you and provide access to your scan history | Contract performance (Art. 6(1)(b)) |
| Scope acknowledgment | Confirmation that you understand this is a browser-side technical assessment | To document that you acknowledged the scope limitations before receiving results | Legitimate Interest (Art. 6(1)(f)) |

| Data Category | Specific Data | Purpose | Lawful Basis |
|---|---|---|---|
| Server logs | IP address, browser type, access timestamps, pages visited | Security monitoring, abuse prevention, and service operation | Legitimate Interest (Art. 6(1)(f)) |
| Essential cookies | Session identifiers, CSRF tokens, consent state | Required for the website to function correctly and to remember your cookie preferences | Strictly necessary — no consent required (ePrivacy Art. 5(3)) |
| Analytics cookies (if enabled) | Anonymized usage data (pages viewed, session duration) | To understand how the service is used and improve it | Consent (Art. 6(1)(a)) — only set after you consent |

| Data Category | Description | Purpose | Retention |
|---|---|---|---|
| Scan results | Cookies across five scan phases (pre-consent, post-accept, post-reject, GPC-active, internal routes), trackers, network requests, consent banner behavior and dark pattern CSS measurements, reject-path test results, GPC signal compliance results, privacy policy adequacy analysis, company domicile detection signals, multi-jurisdiction scoring data, and compliance findings discovered on the scanned website | To generate your audit report | 90 days from scan date, then automatically deleted |
| Screenshots | Timestamped page screenshots captured at pre-consent, post-accept, and post-reject consent phases | To provide visual evidence of consent banner behavior in audit reports | 90 days from scan date, then automatically deleted |
| Generated reports | HTML audit reports (summary and full) | To deliver the audit findings to you | 90 days from generation, then automatically deleted |
We use your personal data exclusively for the following purposes:
What we do NOT do: We do not sell your personal data to third parties. We do not use your data for advertising or ad targeting. We do not share your data with data brokers. We do not use your scan results to train machine learning or AI models.
Cairn uses automated processing to analyze websites and classify cookies. This section provides transparency about how that processing works, consistent with GDPR Articles 13-14 and the NIST AI Risk Management Framework principles.
Cairn's cookie classification engine uses deterministic pattern matching against a curated database of known cookies and tracking domains. Specifically:
`_ga_*` matches any Google Analytics 4 cookie).

Cairn does not make decisions that produce legal effects or similarly significant effects on individuals, as defined under GDPR Article 22. The audit report is an informational tool. No automated action is taken based on the results — all remediation decisions are made by the site owner or their advisors.
All audit reports are designed to be reviewed by a human professional before any compliance decisions are made. Cairn recommends that scan results be interpreted by a qualified data privacy or compliance professional.
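As an added illustration of the deterministic, glob-based matching described above (example code, not Cairn's own classifier): the pattern table, the cookie sample and the category names are constructed for this example, and the per-phase check is an assumption about how such results feed an audit finding.

```python
"""Deterministic cookie classification by name pattern (illustrative, not Cairn's code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed pattern database: (glob on cookie name, category, note).
# `_ga_*` is the one pattern the policy itself cites (GA4 property cookies).
PATTERN_DB = [
    ("_ga",       "analytics",   "Google Analytics client id"),
    ("_ga_*",     "analytics",   "Google Analytics 4 property cookie"),
    ("_gid",      "analytics",   "Google Analytics session id"),
    ("_fbp",      "advertising", "Meta Pixel browser id"),
    ("csrftoken", "essential",   "CSRF protection token"),
    ("sessionid", "essential",   "server session identifier"),
]


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    phase: str  # scan phase in which the cookie was observed, e.g. "pre-consent"


def classify(cookie):
    """Return (category, note). Exact-name entries win over wildcard entries;
    an unmatched name is reported as 'unknown' rather than guessed at."""
    exact = [e for e in PATTERN_DB if e[0] == cookie.name]
    wild = [e for e in PATTERN_DB if "*" in e[0] and fnmatchcase(cookie.name, e[0])]
    matches = exact or wild
    if matches:
        return matches[0][1], matches[0][2]
    return "unknown", "not in pattern database; needs human review"


def non_essential_in_phase(cookies, phase):
    """Names of cookies seen in `phase` that are not strictly necessary.
    For "pre-consent" or "post-reject" this is the finding a reviewer wants
    surfaced; unknown cookies are included so a human can review them."""
    return sorted(c.name for c in cookies
                  if c.phase == phase and classify(c)[0] != "essential")


# Constructed sample: what a scan of a hypothetical site might have observed.
SAMPLE_COOKIES = [
    Cookie("sessionid",  "site.example", "pre-consent"),
    Cookie("_ga_ABC123", "site.example", "pre-consent"),
    Cookie("_fbp",       "site.example", "post-accept"),
    Cookie("_gid",       "site.example", "post-reject"),
]

if __name__ == "__main__":
    print("set before consent:", non_essential_in_phase(SAMPLE_COOKIES, "pre-consent"))
    print("set after reject:  ", non_essential_in_phase(SAMPLE_COOKIES, "post-reject"))
```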
We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Hosting provider (Hetzner Cloud) | Infrastructure for running the service | Data Processing Agreement in place; EU Standard Contractual Clauses where applicable |
| Email service provider (e.g., SendGrid) | Delivering audit reports via email (if enabled) | Data Processing Agreement in place; data minimized to email address and report content only |
We do not share data with advertising networks, data brokers, social media platforms, or any other third parties not listed above.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, and our hosting infrastructure is located in the United States, your data may be transferred to the US. We ensure adequate protection through:
| Data Type | Retention Period | What Happens After |
|---|---|---|
| Scan results and reports | 90 days from scan date | Automatically deleted from server |
| Lead data (name, email, URL) | 12 months from collection, or until deletion requested | Deleted from all systems |
| Server logs (IP, access data) | 30 days | Automatically purged |
| Cookie consent records | Duration of consent + 3 years | Deleted after retention period |
| Account data (if applicable) | Duration of account + 30 days | Deleted upon account closure |
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
If you are a resident of Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Nebraska, or Nevada, you may have similar rights under your state's privacy law, including rights to access, delete, correct, and opt out of certain processing. Contact us to exercise these rights.
To exercise any of the rights described above, contact us at:
Email: [email protected]
Subject line: "Data Subject Request — [Your Request Type]"
We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests.
For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
Cairn is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16 without parental consent, we will delete that data promptly. If you believe we have collected data from a child, contact us immediately.
We implement appropriate technical and organizational measures to protect your personal data, including:
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and notify affected individuals as required by Article 34.
We may update this privacy policy to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on the service.
For questions, concerns, or data subject requests:
Novium Labs LLC
Email: [email protected]
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.