Caern
Initial draft. We may update this as Caern develops. Questions: privacy@caern.ai.

Caern Rota – Privacy Notice

Effective date: 14 May 2026 Last updated: 21 May 2026 (v2.9)

Who we are

Caern Ltd ("Caern", "we", "us") is the data controller for the personal data described in this notice.

  • Registered office: The Long Barn, Frome Road, East Horrington, Wells, BA5 3DP, England
  • Companies House number: 17147744
  • ICO registration: ZC119952
  • Privacy contact: privacy@caern.ai
  • General contact: info@caern.ai

We are not required to appoint a Data Protection Officer under Article 37 UK GDPR. Privacy queries are handled by Caern Ltd's director.

Personal data we hold

Caern collects personal data that you provide to us, and personal data generated by your use of Caern.

Categories of data we may hold include your name, phone number, professional registration number, email address, information about your professional role, information you upload or input when using Caern, and messages you send Caern. Some of this data may relate to other people you identify when using Caern.

We use this data to set you up as a user, to operate the service, to keep it reliable, and to communicate with you. The legal bases we rely on are contract, legitimate interests, and (where applicable) compliance with our legal obligations.

We do not use cookies or cross-site tracking. We do not process special category personal data under Article 9 UK GDPR. Caern is being built so that any message content identifying a patient is detected at intake and discarded – never stored, never sent for processing.

Other people's data

Personal data you provide to Caern may include people other than you. We may contact those people on your behalf to facilitate your use of Caern. When we do, the first message tells them who we are, why they're being contacted, and how to opt out.

Anyone — user or non-user — can email privacy@caern.ai to be excluded. We retain non-user data for 90 days without engagement, or 12 months from last interaction if they engage.

Who we share data with

We share data with the service providers we use to operate Caern, each bound by a Data Processing Agreement. Categories include: messaging providers, AI service providers, cloud infrastructure providers, and error-monitoring providers.

Some data may be processed outside the UK in the EU or the US, under UK adequacy regulations (UK→EU) or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK→US).

We never sell your data. We do not run advertising. We do not share data for unrelated purposes.

How long we keep data

  • Active account data: while your account is active, plus 12 months after deletion.
  • Information you upload or input: while needed to operate the service, then deleted.
  • Communications: 12 months rolling.
  • Non-user data: 90 days with no engagement, 12 months from last interaction if engaged.
  • Anonymised data: indefinite (no longer personal data).

Data security

Encryption in transit (TLS 1.2 or higher) and at rest (AES-256). Access controls scope every read and write to the relevant user. Authentication is passwordless. Service providers are bound by Data Processing Agreements.

Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (Article 15)
  • Rectify inaccurate data (Article 16)
  • Erase your data, subject to limited exceptions (Article 17)
  • Restrict processing in certain circumstances (Article 18)
  • Port your data in a structured format (Article 20)
  • Object to processing based on legitimate interests (Article 21)
  • Not be subject to solely automated decision-making that produces legal or similarly significant effects (Article 22). Caern does not make such decisions.

To exercise any of these rights, email privacy@caern.ai. We will respond within 30 days. Non-users have the same rights.

Children

You must be 18 or over to use Caern. We do not knowingly collect data from anyone under 18.

Changes to this notice

We update this notice when our processing changes. Material changes are notified before they take effect. The current version is always at caern.ai/privacy.

Complaints

If you have a concern, email privacy@caern.ai first.

If you remain unhappy, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF ico.org.uk · 0303 123 1113