Privacy Policy

This Privacy Policy explains how Cairn Advisory (“we”, “us”, “our”) collects, uses, stores, and discloses personal information when you use the Cairn diagnostic platform (the “Platform”). The Platform provides AI-facilitated conversation-based diagnostic assessments for individuals and organisations.

Cairn Advisory is operated by Geoff Mallinson as a registered business in Australia. Although small businesses with annual turnover under $3 million are generally exempt from the Australian Privacy Act 1988 (Cth), we have voluntarily adopted the Australian Privacy Principles (APPs) as our standard of practice because we believe responsible data handling is fundamental to the trust our users place in us.

We are committed to protecting your privacy and handling your personal information transparently and securely.

We collect the following categories of personal information when you use the Platform:

2.1 Conversation data

When you participate in a diagnostic conversation, we collect the full text of the conversation between you and our AI assistant. This may include information you voluntarily disclose about your work, your experiences, your attitudes, and your organisation. The conversation is used to generate your diagnostic results and is stored in association with your session.

2.2 Diagnostic scores and outputs

The Platform generates dimension scores, pattern analyses, archetype classifications, and interpretive summaries based on your conversation. These outputs are derived from your conversation data using AI processing.

2.3 Demographic information

Some demographic information is collected during the conversation (your industry/sector and role type) and some is collected via an optional post-conversation form. The form may ask for your gender, age range, seniority level, organisation size, country, and highest education level.

2.4 Technical and usage data

We may collect standard technical information including your IP address, browser type, device type, operating system, referring URL, pages visited, session duration, and interaction patterns. This data is collected through cookies and similar technologies as described in Section 7.

2.5 Account information

When you create an account on the Platform, we collect your name, email address, and any other information required for registration. Your account is associated with your diagnostic sessions and results, allowing you to access your history and manage your data.

2.6 Contact information

If you contact us directly or subscribe to communications, we may collect your name, email address, and any other information you provide.

Providing the diagnostic service. Your conversation data is processed by AI to generate your diagnostic scores, archetype, and interpretive report. This is the primary purpose for which your data is collected.

Aggregate research and insights. We use anonymised and aggregated data to identify patterns, generate sector-level or demographic-level insights, and produce research reports. Individual responses are never identified in aggregate reporting. Anonymisation means removing or altering information so that it cannot reasonably be linked back to you.

Improving the Platform. We use interaction data to improve the quality of our diagnostic conversations, scoring accuracy, and user experience.

Communication. If you provide contact information, we may use it to send you your diagnostic results, respond to enquiries, or (with your consent) send information about Cairn Advisory services.

Legal and regulatory compliance. We may use or disclose information where required by law, regulation, or legal process.

The Platform uses third-party artificial intelligence services to facilitate diagnostic conversations and generate scores. This means your conversation data is transmitted to and processed by third-party AI model providers.

Our AI processing is provided by Anthropic (Claude). Under our commercial agreement with Anthropic, your conversation data is not used to train AI models. Anthropic processes data in accordance with their privacy policy and data processing terms, which include data encryption, access controls, and defined retention limits.

We will update this section if our AI processing partners change.

Important: Because AI processing involves a third-party service, your conversation data is transmitted to Anthropic's infrastructure during processing. Anthropic's servers are located in the United States. We have confirmed that Anthropic does not use commercial API data for model training, and data is handled under their enterprise data processing terms.

We store your personal information using commercially reasonable security measures, including encryption in transit and at rest, access controls, and secure hosting infrastructure.

Your data is primarily stored on servers managed through Vercel and associated infrastructure providers. Where data is transferred to or processed in jurisdictions outside Australia (including through Anthropic, whose servers are located in the United States), we take reasonable steps to ensure that the overseas recipients handle your information consistently with the Australian Privacy Principles.

We retain your personal information for as long as necessary to fulfil the purposes described in this policy:

Conversation transcripts and diagnostic outputs are retained for 24 months from the date of the conversation, or until you request deletion, whichever is sooner.

Anonymised and aggregated data may be retained indefinitely, as it cannot be linked back to you.

Demographic data is retained alongside your conversation data and is subject to the same retention period.

Technical and usage data is retained for up to 12 months.

You may request deletion of your personal information at any time by contacting us (see Section 10).

The Platform uses cookies and similar technologies to support basic functionality, remember your preferences, and collect usage analytics.

We use Vercel Analytics to understand how users interact with the Platform. Vercel Analytics is a privacy-friendly analytics service that collects aggregated, anonymised usage data. It does not use cookies for tracking purposes and does not collect personally identifiable information through the analytics service. Data collected includes page views, visitor counts, and performance metrics.

The Platform may use cookies for essential functionality such as maintaining your authenticated session. You can control cookies through your browser settings. Disabling session cookies may prevent you from logging in or using the Platform.

We do not sell your personal information.

We may share your information in the following limited circumstances:

AI processing partners as described in Section 4.

Service providers who assist with hosting, analytics, email delivery, or other operational functions, under appropriate data processing agreements.

Organisational clients. If you access the Platform through an organisation (e.g., your employer engages Cairn Advisory to run diagnostics), your diagnostic results may be shared with that organisation in aggregated form only. Individual-level results are never shared with organisational clients without your explicit, informed consent.

Legal requirements. We may disclose information where required by law, court order, or regulatory obligation.

Regardless of your location, we provide the following rights in relation to your personal information:

Access. You may request access to the personal information we hold about you.

Correction. You may request correction of personal information that is inaccurate, incomplete, or out of date.

Deletion. You may request deletion of your personal information. We will comply unless we are required to retain it by law or for legitimate business purposes.

Withdrawal of consent. Where we rely on your consent for a specific processing activity, you may withdraw that consent at any time.

Complaint. If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

To exercise any of these rights, contact us using the details in Section 10.

For users in the European Economic Area (EEA) or United Kingdom: If you are located in the EEA or UK, you may have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to data portability and the right to restrict processing. Our lawful basis for processing is consent (for diagnostic participation) and legitimate interest (for anonymised research). Contact us to exercise these rights.

If you have questions about this Privacy Policy or wish to exercise any of your rights, contact us at:

Geoff Mallinson
Cairn Advisory
Email: geoff@cairnadvisory.com.au
Website: cairnadvisory.com.au

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised “Last updated” date. Where changes are significant, we will make reasonable efforts to notify you directly (e.g., by email if you have provided one).

Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.