Privacy Notice

Version: 1.0
Effective date: April 22, 2026
Last updated: April 22, 2026

This Privacy Notice for Cairn and Flint Studio LLC (doing business as Cairn & Flint Studio) (“we,” “us,” or “our”) describes how and why we might access, collect, store, use, and share (“process”) your personal information when you use our services.

Questions or concerns? If you do not agree with our policies and practices, please do not use our Services. If you have questions or concerns, contact us at privacy@cairnandflint.com.

Summary of Key Points

This summary provides key points from our Privacy Notice. You can find more details about any of these topics in the relevant section below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? No. We do not process sensitive personal information.

Do we collect any information from third parties? No. We collect information only directly from users and automatically through our website; we do not collect information from public databases, marketing partners, social media platforms, or other outside sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

In what situations and with which parties do we share personal information? We share information only with specific third-party service providers who support our business operations (see the Subprocessor List in Section 3).

How do we keep your information safe? We have reasonable organizational and technical processes and procedures in place to protect your personal information.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more in Section 8.

How do you exercise your rights? The easiest way is by emailing privacy@cairnandflint.com. We will consider and act upon any request in accordance with applicable data protection laws.

1. What Information Do We Collect?

Personal information you disclose to us

In short: We collect personal information that you provide to us voluntarily.

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on our Services, or otherwise when you contact us.

Personal information provided by you may include the following, depending on how you interact with us:

  • Name
  • Email address
  • Phone number (optional, where provided)
  • Information you choose to include in inquiries, messages, or appointment booking forms
  • Business information you provide during client engagements (company name, role, industry)

Sensitive information. We do not process sensitive personal information. This includes information that may be considered “special” or “sensitive” under applicable law, such as racial or ethnic origin, sexual orientation, religious beliefs, health data, biometric data, precise geolocation, or financial account numbers.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In short: Some information — such as your Internet Protocol (IP) address and browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, and general information about how and when you use our Services. This information is primarily needed to maintain the security and operation of our Services and for our internal operational purposes.

Information NOT collected

For clarity, we do NOT collect:

  • Information from public databases or data brokers
  • Information from marketing partners or advertising networks
  • Information from social media platforms through pixel tracking or similar mechanisms
  • Precise geolocation data
  • Biometric data
  • Children’s data (see Section 7)
  • Payment card information (Stripe handles payment data directly; we do not store card numbers)

2. How Do We Process Your Information?

In short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for the following reasons:

  • To provide and manage services you request. Responding to inquiries, scheduling calls, delivering contracted work, managing ongoing client engagements.
  • To communicate with you. Confirming appointments, sending project updates, handling support requests, sending transactional emails related to your engagement.
  • For administrative and operational purposes. Invoicing, account management, record-keeping for legal compliance, tax records.
  • For security and fraud prevention. Detecting abusive traffic patterns, protecting against unauthorized access, maintaining the integrity of our systems.
  • To comply with legal obligations. Tax records, regulatory compliance, responding to lawful government requests, enforcing our rights and agreements.
  • To notify you of material updates to this Privacy Notice or our other legal policies (see Section 15).

We do NOT use your information for:

  • Targeted advertising or retargeting
  • Selling or renting your personal information
  • Building behavioral profiles or marketing segments
  • Sharing with data brokers or marketing platforms
  • Unsolicited marketing communications

3. When and With Whom Do We Share Your Personal Information?

In short: We share information only with specific third-party service providers necessary to operate our business.

We may share your personal information in the following specific situations:

  • With our subprocessors listed below, who process data on our behalf for operational purposes
  • For business transfers. In connection with any merger, sale of company assets, financing, or acquisition. Any successor entity will be bound by the terms of this Privacy Notice.
  • To comply with legal obligations, including responding to lawful subpoenas, court orders, or government investigations.
  • To protect our rights, including to enforce our engagement agreements, protect against fraud, or defend our legal interests.

Subprocessor List

The following third parties process personal data on our behalf in support of our Services. Each operates under its own privacy policy and has its own security commitments.

| Subprocessor | Purpose | Data Categories | Location |
|---|---|---|---|
| Calendly | Appointment scheduling | Name, email, custom form responses, meeting details | United States |
| Stripe | Payment processing | Name, email, billing address, payment method | United States |
| Resend | Transactional email delivery | Email addresses, email content | United States |
| Vercel | Website hosting and infrastructure | IP addresses, server request logs, performance data | United States (primary), global CDN |
| Google Workspace | Business email and calendar | Email content, calendar events, contact information | United States (primary), global infrastructure |

We do NOT share data with:

  • Advertising networks or retargeting services
  • Analytics platforms (we do not use Google Analytics, Facebook Pixel, or similar)
  • Data brokers or marketing aggregators
  • Social media platforms (we do not embed social login or tracking pixels)

We will review and update this subprocessor list as our operational practices change. Material additions to this list will be communicated as described in Section 15.

4. Is Your Information Transferred Internationally?

In short: Our primary operations are in the United States, though certain service providers may transfer data internationally.

Our servers and business operations are primarily located in the United States. However, certain subprocessors listed in Section 3 (particularly Vercel for content delivery and Google Workspace for email) may route data through servers in other countries as part of their normal operations.

If you are accessing our Services from outside the United States, your information may be transferred to, stored by, and processed in the United States and other countries where our subprocessors operate. These countries may not necessarily have data protection laws as comprehensive as those in your country.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we will take appropriate measures — including, where applicable, standard contractual clauses approved by the European Commission — to protect your personal information in accordance with this Privacy Notice and applicable law.

5. How Long Do We Keep Your Information?

In short: We keep your information for as long as necessary to fulfill the purposes described in this Privacy Notice, unless a longer period is required or permitted by law.

We retain personal information only as long as necessary for the purposes outlined in this Privacy Notice. Specific retention periods include:

  • Contact and inquiry data (from prospective clients who did not engage): 12 months from last contact
  • Engagement data (for active clients): duration of the engagement plus the retention periods below
  • Transactional records (invoices, contracts, payment records): 7 years, aligned with tax and contract statute-of-limitations requirements
  • Communication records (emails, meeting notes, project correspondence): 7 years
  • Security and access logs: typically 90 days to 2 years, depending on category and investigatory need
  • Aggregated or anonymized data: retained indefinitely as it no longer identifies individuals

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. If this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.

6. How Do We Keep Your Information Safe?

In short: We aim to protect your personal information through a system of reasonable organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These measures include:

  • Encryption in transit. All pages served over HTTPS using current TLS standards.
  • Encryption at rest. Subprocessor platforms encrypt stored data by default.
  • Access controls. Two-factor authentication enabled on all business systems where supported.
  • Need-to-know access. As a single-operator business, access to your information is inherently limited.
  • Security monitoring. Logging and anomaly-detection systems as described in Section 12.
  • Regular software updates. Operating systems, development frameworks, and third-party dependencies kept current to minimize known vulnerabilities.

However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. Transmission of personal information to and from our Services is at your own risk.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected individuals within the timeframes required by applicable law. This typically means:

  • Under the GDPR: notification within 72 hours to relevant supervisory authorities where feasible, and to affected data subjects when the breach is likely to result in high risk to their rights and freedoms
  • Under U.S. state laws (California, Colorado, Connecticut, Texas, Virginia, Oregon, Utah, and others): notification to affected individuals within 30 to 60 days depending on jurisdiction, typically by email and, where required, by direct mail or public posting
  • Where feasible, we will provide a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach

We maintain an incident response process and will respond to any suspected breach with appropriate urgency and transparency.

7. Do We Collect Information From Minors?

In short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. Our Services are directed to professional practices and their operators; we do not target children.

By using our Services, you represent that you are at least 18 years of age, or that you are the parent or guardian of such a minor and consent to such minor’s use of the Services.

If we learn that personal information from users under 18 years of age has been collected, we will deactivate any associated account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under 18, please contact us at privacy@cairnandflint.com.

8. What Are Your Privacy Rights?

In short: Depending on your location, you may have rights regarding your personal information including access, correction, deletion, and objection to certain processing.

Depending on where you are located, applicable privacy laws may give you rights regarding your personal information. We honor the following rights for all users regardless of jurisdiction where practical:

  • Right to know what personal information we collect and how we use it
  • Right to access and receive a copy of the personal information we hold about you
  • Right to correct inaccurate or incomplete personal information
  • Right to delete your personal information, subject to legal retention requirements
  • Right to data portability — receive your information in a structured, machine-readable format
  • Right to opt out of data sale — though we do not sell personal information, so this right is satisfied automatically
  • Right to opt out of targeted advertising — which we do not engage in
  • Right to non-discrimination for exercising any of these rights
  • Right to withdraw consent where we rely on consent as the basis for processing

Procedures for Exercising Your Rights

To exercise any of these rights, email privacy@cairnandflint.com with the specific right you wish to exercise. We handle these requests as follows:

  • Response time. We will respond within 30 days for requests under GDPR, and within 45 days for requests under the California Consumer Privacy Act (CCPA) and similar U.S. state laws. Where the request is particularly complex or we receive a large number of requests, we may extend the response time by an additional period as permitted by applicable law. We will notify you of any such extension.
  • Identity verification. To protect your information, we will verify your identity before processing any request. Typically this means confirming your request from the email address on record with us, plus any additional verification proportional to the sensitivity of the request.
  • Format of data provided. If you request a copy of your data, we will provide it in a commonly-used, machine-readable format (typically CSV or JSON).
  • Denial and appeals. If we deny your request in whole or in part, we will explain the reason. You may appeal any denial by emailing legal@cairnandflint.com with “Privacy Appeal” in the subject line. We will respond to appeals within 60 days.
  • No charge. We do not charge for processing privacy requests, except in cases of manifestly unfounded or excessive requests as permitted by law.

Withdrawing Consent

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at privacy@cairnandflint.com. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal.

Account Information

If you would like to review or change the information in your account or terminate your account, email us at privacy@cairnandflint.com. Upon your request, we will deactivate or delete your account and information from our active systems. We may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, or comply with applicable legal requirements.

9. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

10. Our Role as Both Data Controller and Data Processor

Cairn & Flint Studio LLC plays two distinct roles with respect to personal data, depending on the context.

As a Data Controller

We act as data controller for personal data collected directly through our website (cairnandflint.com), through inbound inquiries, and through our engagement and onboarding processes with clients. This includes data from prospects who book calls through our Calendly integration, clients who provide information during engagements, and communications received at our published email addresses.

For this data, we determine the purposes and means of processing and are directly responsible under applicable privacy laws. This Privacy Notice describes how we handle such data.

As a Data Processor

For websites we build and host on behalf of our clients, we act as a data processor under the client’s direction. When visitors to a client’s hosted website provide information through that website (such as through a contact form, appointment request, or consultation booking), that data flows through our infrastructure but is collected under the client’s data controller relationship with their own customers.

We process such data only as necessary to operate the hosted site, under the terms agreed with the client in our engagement agreement. Our client is the primary data controller for such data; they are responsible for providing their own privacy notice and handling their end-users’ privacy rights requests.

End-Users of Client Websites

If you are an end-user of a website hosted by us on behalf of a client, and you wish to exercise your privacy rights regarding data collected through that site, please contact the client business directly as they are the primary data controller for that information.

If you contact us in error (for example, because you cannot determine who hosts the site or because the client business is unresponsive), we will promptly forward your request to the appropriate client business and may assist the client in formulating their response. We do not make independent decisions about end-user data without the client’s direction except where required by law.

11. Information Collected During Engagements

In addition to the information collected through our website, we collect and process certain categories of information specific to the services we provide to clients. This information is subject to confidentiality obligations in our engagement agreements and is processed only for purposes of delivering contracted services.

For Web Design Engagements

We collect copy, images, brand assets, team information, business descriptions, and any other content provided by the client for incorporation into the client’s website. We retain working files during the engagement and for reasonable periods after for support and modification purposes.

For LinkedIn Ghostwriting Engagements

We conduct voice-extraction sessions that produce audio recordings, video recordings (where applicable), and written transcripts of client conversations. We collect professional anecdotes, opinions, case examples, and other personal professional narratives shared by the client. We may incidentally collect information about third parties (such as colleagues, partners, or clients of the client) when such parties are referenced during voice-extraction sessions.

All such recordings and transcripts are treated as strictly confidential and are not shared outside the engagement except as described in this Privacy Notice.

For Knowledge Infrastructure Engagements

We collect access to the client’s internal documentation, processes, systems, and related proprietary information necessary to perform audit, restructuring, or deployment work. This may include confidential business information, employee-related information, customer-related information, and trade secrets. All such access is subject to confidentiality obligations and is used only for purposes of the engagement.

For Local SEO Engagements

We collect access to the client’s Google Business Profile, review data, analytics platforms, and competitor research data. This may include visibility and performance metrics that are non-public.

Retention of Engagement Data

Information collected during engagements is retained during the active engagement and for a period after termination reasonably necessary for support, record-keeping, legal compliance, and potential re-engagement purposes. General retention is seven years to align with tax and contract statute-of-limitations requirements. Engagement data is retained in secure systems with access restricted to studio personnel with a legitimate business need.

12. Monitoring, Security Logging, and Intellectual Property Enforcement

In furtherance of our operational security, data integrity, and intellectual property protection obligations, we maintain monitoring and logging infrastructure across our hosted environments. This monitoring is routine for hosted services and does not target individual users; it is performed in aggregate for legitimate business purposes.

What We Log

  • Standard server access logs. IP addresses, request patterns, user agents, timestamps
  • Administrative actions. Logins, content modifications, credential changes, configuration updates on websites we host
  • Asset access patterns. Downloads, exports, and unusual access patterns
  • Anomaly detection. Automated alerting on unusual traffic, access patterns, or potential security events
  • Canary markers. Small, non-functional content markers embedded in client websites for the purpose of detecting unauthorized content redistribution

Why We Log This

  • To protect our systems from unauthorized access, abuse, and security threats
  • To provide audit trails useful for investigating operational issues or disputes
  • To enforce intellectual property rights in our custom-built work
  • To comply with legal obligations regarding data retention and regulatory oversight
  • To detect and respond to attempts to extract, copy, or redistribute our intellectual property in violation of engagement terms

Retention

Operational and security logs are retained for periods reasonably necessary for the above purposes, typically between 90 days and two years depending on the category, and longer when needed for active investigations or legal proceedings.

Data Subject Rights and Enforcement Needs

If a data subject requests deletion of information that is also relevant to an active intellectual property enforcement matter, operational investigation, or legal proceeding, we may retain the necessary portion of that data for the duration of the matter. We will notify the data subject of this retention and its legal justification. We do not use such retention as a routine response to deletion requests; it applies only where there is a specific and documented operational or legal need.

13. Artificial Intelligence and Automated Decision-Making

We use artificial intelligence tools (including large language models) to assist in creating content for our clients, such as drafting LinkedIn posts, website copy, and knowledge base articles. These tools are used as assistants to human work; all final content is reviewed and approved by studio personnel before delivery.

We do not use automated decision-making systems that produce legal or similarly significant effects on individuals. Specifically:

  • We do not use AI to automatically approve, deny, or evaluate prospective clients
  • We do not use AI to set pricing or determine contract terms algorithmically
  • We do not use AI to score, rate, or profile individual users or prospects
  • We do not use AI to make determinations about eligibility for any service

Where AI tools are used to assist with content creation, any personal information processed through such tools is handled under the same data protection principles described throughout this Privacy Notice. We do not share client data with AI tool vendors in ways that would violate our confidentiality obligations or this Privacy Notice.

If our use of AI changes in a manner that would constitute automated decision-making with legal or significant effects, we will update this Privacy Notice and provide appropriate disclosures and opt-out mechanisms as required by applicable law.

14. Corporate Structure and Privacy Contact

Cairn and Flint Studio LLC is a limited liability company organized under the laws of the State of New Mexico. The LLC as a legal entity is the data controller for purposes of this Privacy Notice. All privacy-related inquiries, data subject rights requests, and regulatory communications are handled by authorized personnel within the LLC acting under the business name of the studio.

Correspondence regarding privacy matters should be directed to:

Email: privacy@cairnandflint.com

Mail:
Cairn and Flint Studio LLC
1209 Mountain Rd Pl NE, Ste N
Albuquerque, NM 87110
United States

We respond to all verified requests within the timelines required by applicable law (see Section 8).

For residents of the European Economic Area or United Kingdom, we have not appointed a formal EU or UK representative. EU and UK data subjects may contact us directly at privacy@cairnandflint.com for any GDPR or UK GDPR inquiries; we handle all such inquiries through our standard privacy request process.

15. Do We Make Updates to This Notice?

In short: Yes, we will update this notice as necessary to stay compliant with relevant laws and to reflect changes in our practices.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this Privacy Notice.

Material vs. Non-Material Changes

We distinguish between material and non-material changes:

Material changes include new categories of data collected, new third-party recipients of data, changes to how data is used or shared, changes to user rights or how to exercise them, changes to retention periods, and changes to the business entity or primary contact information.

Non-material changes include typo corrections, clarifications of existing language, stylistic rewording that does not change meaning, the addition of illustrative examples to existing sections, and minor formatting updates.

Notification of Changes

For material changes, we will:

  • Update the “Last updated” date at the top of this Privacy Notice
  • Post a notice of the change on our website
  • Send a notification email to all current active clients at the email address on file
  • Add an entry to our public change log at cairnandflint.com/legal/updates describing the change and its effective date

For non-material changes, we will update the “Last updated” date and add an entry to our change log. We will not send individual email notifications for non-material changes.

We encourage you to review this Privacy Notice periodically to stay informed of how we are protecting your information. Continued use of our Services after notice of material changes constitutes acceptance of the revised Privacy Notice.

16. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may:

Email: privacy@cairnandflint.com (privacy-specific inquiries)

Email: legal@cairnandflint.com (general legal inquiries, appeals)

Mail:
Cairn and Flint Studio LLC
1209 Mountain Rd Pl NE, Ste N
Albuquerque, NM 87110
United States

17. How Can You Review, Update, or Delete Your Data?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correction of inaccuracies, or deletion of your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, email privacy@cairnandflint.com with your specific request. We will respond according to the procedures described in Section 8.