Privacy Notice

Last updated: July 2026

This Privacy Notice explains how Cairn — Practice training for UK general practice ("Cairn", "we", "us") collects, uses and looks after personal data when you use the Cairn training platform. We take your privacy seriously and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Cairn is a training platform created by Grant Cameron Anthony for GP practice teams across the UK. For the purposes of UK GDPR, the data controller is:

When your practice invites you to Cairn using a practice invite code, your Practice Manager acts as the primary data controller for progress and completion records related to your employment; Cairn acts as processor for that content and as controller for the platform account itself.

2. What personal data we collect

  • Account data: your name, work email address, hashed password, role (learner / Practice Manager / super admin), and the practice you belong to.
  • Learning data: which courses and lessons you have opened, quiz scores, flashcard spaced-repetition state, completion timestamps, and downloaded certificates.
  • Tutor interactions: the questions you type to the Aegis AI tutor and the responses generated. These are used to display the conversation to you and are retained for a limited period to improve service quality; they are not used to train third-party AI models.
  • Billing data (Practice Managers only): where a practice subscribes to paid features (e.g. Aegis tutor), Stripe processes card details on our behalf. We do not see or store card numbers.
  • Technical data: IP address at login, browser type, and session cookies necessary for authentication.

Special category data: we do not routinely collect health, ethnicity, religion or other special-category data. You should never enter patient-identifiable information into the Aegis tutor or any other Cairn field.

3. Lawful bases (UK GDPR Article 6)

  • Contract (Art. 6(1)(b)): to provide the training platform you or your practice have signed up for.
  • Legitimate interests (Art. 6(1)(f)): to keep the platform secure, improve the learning experience, and communicate essential service updates.
  • Legal obligation (Art. 6(1)(c)): to keep financial records where payments are processed, and to respond to lawful requests from regulators or the courts.
  • Consent (Art. 6(1)(a)): where we ever ask for optional analytics or marketing consent, we will do so explicitly and you can withdraw at any time.

4. Who we share your data with

We use a small number of vetted processors, each bound by a data-processing agreement:

  • MongoDB Atlas / hosting provider — stores the account and learning database in encrypted form. UK / EEA region unless notified.
  • Stripe, Inc. — payment processing for practice subscriptions. Stripe is a PCI-DSS Level 1 provider. See Stripe's privacy policy.
  • Anthropic (via a UK-EU-based aggregator) — powers the Aegis AI tutor. Prompts are processed to generate a response and are not used to train the underlying model. See Anthropic's privacy policy.
  • Your Practice Manager — sees your progress and completion status (not tutor conversations) as part of practice-level oversight of mandatory training.

We do not sell your personal data to anyone, and we do not use it for advertising.

5. International transfers

Some of our sub-processors (notably Stripe and Anthropic) are US-headquartered organisations. Where personal data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) in accordance with UK GDPR. All transfers are encrypted in transit.

6. How long we keep your data

  • Account and learning records: retained while your practice subscription is active, and for a further 12 months after you leave your practice, so that certificates and progress records remain retrievable for revalidation and appraisal.
  • Tutor conversation logs: up to 90 days for service quality and abuse prevention, then deleted.
  • Financial records: retained for at least 6 years to comply with UK tax law.
  • Backups: encrypted backups are kept on a rolling 30-day cycle and are then overwritten.

7. Your rights under UK GDPR

You have the following rights, free of charge:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
  • Right to restrict processing — pause our use of your data while a dispute is resolved.
  • Right to data portability — receive your account and progress data in a portable format.
  • Right to object — object to processing based on legitimate interests.
  • Rights in relation to automated decision-making — we do not use automated decisions with legal effect. The Aegis tutor is a learning aid, not a decision-maker.

To exercise any right, email Grant.Anthony2@nhs.scot. We will respond within one month.

8. Security

Passwords are hashed using bcrypt. All traffic is served over HTTPS/TLS. Access to production databases is restricted to named administrators and logged. We follow industry-standard practices around role-based access control, secret management and vulnerability patching. In the unlikely event of a personal-data breach that meets the reporting threshold, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected users without undue delay, in accordance with UK GDPR Articles 33-34.

9. Cookies

Cairn uses only essential cookies necessary for signing you in and keeping you signed in. We do not use tracking cookies, third-party analytics scripts, or advertising pixels. Because no non-essential cookies are set, no cookie-consent banner is required under UK PECR.

10. Children

Cairn is a professional training platform for adult healthcare staff. It is not directed at children under 18. If you believe a child has registered an account, please contact us at once so we can remove it.

11. Aegis AI tutor — specific guidance

The Aegis tutor is an AI-powered learning aid. To use it safely and lawfully:

  • Never enter patient-identifiable information — no names, dates of birth, addresses, CHI numbers, NHS numbers, or clinical detail that could identify a specific patient.
  • Aegis is a learning aid, not a clinical decision-support tool. Do not use its answers as the sole basis for a clinical decision.
  • Prompts are processed by our AI provider to generate a response; they are retained for up to 90 days for service quality and abuse prevention and are not used to train third-party AI models.

12. Complaints

If you have a concern about how we handle your personal data, please contact us first at Grant.Anthony2@nhs.scot. If you remain unsatisfied, you have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Changes to this notice

We may update this Privacy Notice from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be notified to you by email or an in-app notice.

This notice is written for the whole practice team — reception, admin, HCAs, nurses, ANPs, GPs and Practice Managers. If any section is unclear, tell us — a policy that isn't understood does no one any good.

Cairn — practice training for UK general practice
Created by Grant Cameron Anthony · British English · © 2026