Privacy Policy

Last updated: April 2026

Who we are

Carn is a product of Vindico Labs, a company registered in Scotland, United Kingdom. We operate the memorial platform at carn.life.

When we say "Carn", "we", "us", or "our" in this policy, we mean Vindico Labs. When we say "you", we mean anyone who visits or uses carn.life.

Questions about this policy: [email protected]

What data we collect

Account data

When you sign in with Google OAuth, we receive your name, email address, and profile photo from Google. We store this to identify your account. We do not receive your Google password.

Memorial content

Memorial owners upload names, photographs, and memorial details. Memory contributors submit written text, photographs, and video files. We store this content to operate the memorial service.

Contributor data

People who contribute memories to a memorial do not need to create an account. We collect the name they choose to display and any content they submit. We do not collect email addresses from contributors unless they choose to provide one.

Payment data

Payments are processed by Stripe. We do not store card numbers or full payment details. Stripe provides us with a transaction record and billing information.

Technical data

We collect standard web server logs including IP addresses, browser type, and pages visited. This is used for security and performance monitoring only.

Why we collect it

  • To operate the memorial platform and provide the service you've signed up for
  • To process payments and maintain subscription records
  • To send transactional emails (new memories submitted, moderation alerts)
  • To moderate memorial content via automated AI review
  • To protect the platform from abuse and ensure security
  • To comply with legal obligations under UK law

We do not use your data for advertising. We do not sell your data. We do not use memorial content to train AI models beyond the automated moderation of that specific content.

How we store it

All data is stored in UK data centres. We use DigitalOcean infrastructure located in London. We do not transfer personal data outside the UK or European Economic Area unless required to operate services listed below.

Data is encrypted in transit (HTTPS) and at rest. Access to production data is restricted to authorised members of the Vindico Labs team.

Cookies

We use a small number of cookies strictly necessary for the service to function:

  • Session cookie: keeps you signed in across page loads. Expires when you close your browser or sign out.
  • CSRF token: protects forms from cross-site request forgery. No personal data.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics.

Third parties

We share data with third-party services only where necessary to operate Carn. These are:

Stripe

Payment processing. Your card details go directly to Stripe and never pass through our servers. Stripe Privacy Policy

Google OAuth

Authentication. We use Google Sign-In to verify your identity. We request only your name, email, and profile photo. Google Privacy Policy

DigitalOcean

Hosting and file storage. Our servers and uploaded files are hosted on DigitalOcean infrastructure in London. DigitalOcean Privacy Policy

Anthropic

AI moderation. Memory content is sent to Anthropic's API for automated moderation review before going live. Content is processed but not used to train Anthropic's models under our API agreement. Anthropic Privacy Policy

Resend

Transactional email delivery. We use Resend to send notification emails. Your email address is shared with Resend for this purpose only. Resend Privacy Policy

Your rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you
  • Correction: ask us to correct inaccurate data
  • Deletion: request deletion of your account and personal data
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing of your data in certain circumstances

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Data retention

Account data is retained for as long as your account is active. If you delete your account, your personal account data (name, email) is deleted within 30 days.

Memorial data is never deleted when a subscription lapses. If you stop paying, your memorial reverts to the free tier. The memories, photos, and videos contributed to a memorial remain intact permanently. We will never delete memorial content because a subscription ended.

If you wish to permanently delete a memorial and all its content, you can do so from your dashboard at any time. This action is irreversible.

Contact

For any privacy-related questions or requests:

Email: [email protected]

Vindico Labs, Scotland, United Kingdom