Legal
Privacy Policy
Last updated: March 9, 2026
How cadin handles account data, usage data, payment records, and personal data in legal documents.
1. Controller
Cadin (“we,” “us”) operates the cadin product.
Privacy contact: privacy@cadin.ai
EU representative (GDPR Art. 27): Petra Azhdari, Hamburg, Germany — privacy@cadin.ai
2. Data We Collect
We collect data from the following sources: (a) directly from you when you use the service or contact us, (b) from third-party authentication providers when you sign in, and (c) automatically through your use of the service. We do not collect data from publicly accessible sources.
- Account data. Name and email address, provided directly by you when using email magic-link sign-in, or received from your OAuth provider (Google, GitHub, or Microsoft) when you sign in.
- Usage data. Pages visited, search queries, feature interactions, timestamps, browser type, device information, IP address, and request counts associated with your account or API keys.
- Payment data. Name, email, billing address, and subscription transaction details, processed by our payment provider. We do not store full payment card numbers.
- Plan verification data. Documents you upload to verify student or non-commercial researcher status for discounted pricing. You may redact unrelated details before uploading.
- API key metadata. Key name, prefix, scopes, creation date, and last-used timestamp for API keys you create.
- Communications. Content of messages you send us via email or support channels.
Providing your name and email — whether via OAuth or email sign-up — is necessary to create an account. Without it, you cannot use cadin. Payment data is required only for paid plans. Plan verification data is required only when you request discounted Research pricing.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Provide, operate, and authenticate the service | Contract performance |
| Process payments | Contract performance |
| Verify eligibility for discounted plans | Contract performance |
| Understand how the service is used and improve it | Legitimate interest (improving product quality and user experience) |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest (protecting users and the platform) |
| Measure request volume for rate limiting and abuse prevention | Contract performance and legitimate interest (preventing abuse and protecting service quality) |
| Transactional communications | Contract performance |
| Legal and regulatory compliance | Legal obligation |
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects concerning you.
4. Data Sharing
We do not sell personal data or share it for behavioral advertising.
We disclose data only to the following categories of service providers, each bound by a data processing agreement where required by law:
Our current providers include Hetzner (hosting), Stripe (payments), Resend (email), Axiom (logging and observability), Cloudflare (DNS, CDN, and uptime monitoring), Slack and Google Workspace (internal operations), and Tailscale (infrastructure access security).
| Category of recipient | Data disclosed |
|---|---|
| Cloud infrastructure and hosting providers | All categories (data is stored on their servers) |
| Authentication providers | Account data (name, email) |
| Payment processors | Account and payment data |
| Email delivery providers | Account data and communications metadata needed to send transactional emails |
| Internal communication and productivity tools | Account identifiers and operational communications |
| Logging and observability providers | Usage data, account identifiers, IP addresses, and request metadata for operational monitoring |
| DNS, CDN, and uptime monitoring providers | IP addresses and request metadata |
| Network access and security tools | Administrator account identifiers and device/network metadata for secure infrastructure access |
We may also disclose data when required by law, court order, or to protect the rights and safety of our users. In the event of a merger, acquisition, or asset sale, data may transfer to the successor entity.
5. International Transfers
Your primary data is stored in the European Economic Area (“EEA”), Switzerland, and the United Kingdom. Some service providers are based in the United States. For transfers to the United States, we rely on the EU–US Data Privacy Framework (including its UK Extension and the Swiss–US Data Privacy Framework), Standard Contractual Clauses (SCCs), and the UK International Data Transfer Agreement (IDTA) as applicable. You may request a copy of the applicable safeguards by contacting us.
6. Retention
| Data type | Retention |
|---|---|
| Account data | While active, plus 30 days after deletion |
| Usage data | 24 months |
| Payment records | As required by tax and financial law (up to 7 years) |
| Support communications | Duration of relationship plus 2 years |
Data no longer needed is deleted or anonymized.
7. Security
We use encryption in transit, access controls, and restricted infrastructure access. No system is completely secure. Report vulnerabilities to security@cadin.ai.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
8. Your Rights
All users may request access to, correction of, or deletion of their data free of charge by emailing privacy@cadin.ai. We respond within 30 days, with an extension as permitted by applicable law where requests are complex or numerous.
EEA residents (GDPR)
Under the General Data Protection Regulation, you additionally have the right to:
- Restrict or object to processing based on legitimate interest
- Data portability
- Withdraw consent at any time
- Lodge a complaint with your local supervisory authority (in Germany: your state’s Landesdatenschutzbeauftragte)
UK residents (UK GDPR)
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the same rights as EEA residents listed above. You may lodge a complaint with the Information Commissioner’s Office (ICO).
Swiss residents (FADP)
Under the Swiss Federal Act on Data Protection (FADP), you have the right to access, correct, and request deletion of your data, as well as the right to data portability and to object to processing. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).
10. Personal Data in Legal Documents
Legal documents accessible through the Service, including court decisions, may contain the personal data of third parties (such as party names, addresses, or other identifying information). This data originates from official Government Databases and is published in the public interest under applicable law, including the exceptions set out in GDPR Article 17(3).
We do not modify the content of legal documents sourced from Government Databases. If you believe that a legal document accessible through the Service contains your personal data and you wish to exercise your rights, please contact us at privacy@cadin.ai. We will assess your request in light of the applicable legal framework, including the public interest in the availability of legal information and the open justice principle.
11. Children
cadin is not directed at individuals under 16. We do not knowingly collect their data. If you believe we have collected data from a child, contact us and we will delete it.
12. Changes
If we process your data for a new purpose not described here, we will notify you before doing so. Material changes to this policy will be communicated by email or notice on the service before taking effect.
13. Contact
Cadin
1111B S Governors Ave #29990, Dover, DE 19904, USA
privacy@cadin.ai