Privacy Pledge · v1.0 · published 2026-05-17

Things Cairn refuses to do.

No fine print. No asterisks. No "by accepting these terms." This page restates Cairn's design promises in writing so they can be held to account. The matching formal terms are in the Privacy Policy.

Cairn will not:

1. Send your screenshots to a server. Anybody's server. The macOS app contains no networking code. Captures stay on your Mac.
2. Transcribe your voice in someone else's data center. Whisper runs on your Mac. The audio file never leaves it.
3. Run image understanding on someone else's GPU. The vision model (Qwen2-VL) runs on your Mac. The image never leaves it.
4. Sync to your phone, your watch, your fridge. Cairn is single-device. There is no iCloud sync, no Dropbox export, no companion app.
5. Run on Windows, Linux, or your sister's Chromebook. macOS, Apple Silicon, on your machine, full stop.
6. Sit there listening, "just in case." The microphone records only after you press the capture hotkey, and only for as long as you hold it (up to 10 seconds).
7. Ask you to log in. Or sign up. Or sign anything. No account, no email, no license-key activation. Open the app, use the app.
8. Train a model on you. Or near you. Or about you. Your captures are not used to fine-tune anything we ship to anyone else. There is no opt-in / opt-out toggle for this because the answer is always no.
9. Call itself a "second brain." Yours is doing fine.

Why this is a separate page

The promises above are also in the Privacy Policy, in lawyer-friendly language. We keep this page because the Pledge is the version we can hold to as a product: a short, dated, public commitment to specific behavior. If Cairn's behavior ever changes in a way that would invalidate any item above, we must:

1. Bump the Pledge version (v1.1, v2.0, etc.) and date it.
2. Archive the previous version at /pledge/v1.0 (or equivalent) so the history is auditable.
3. Surface a one-time in-app notice before the new behavior ships, not after.
4. Update the matching paragraphs in the Privacy Policy in the same release.

This is enforced internally by the project's CLAUDE.md Kill Switches and by code review on every PR that touches networking, telemetry, ML training, sync, or login.

How to verify each promise yourself

You should not have to take our word for it. Here is how to check:

• Network activity: with Cairn running, open Little Snitch / LuLu / nettop -p $(pgrep Cairn). Capture, transcribe, search — observe zero outbound traffic from the app process. (macOS may show traffic from system-level processes for App Store updates; that is not from Cairn.)
• Microphone activity: macOS shows an orange dot in the menu-bar status area whenever any process is recording. Cairn turns it on only during the brief moments you hold the capture hotkey, never otherwise.
• Screen recording activity: macOS shows a purple screen-recording indicator. Same observation — only on during your capture.
• Source review: search the app binary for http://, https://, URLSession, URLRequest. The result should be zero hits in Cairn's own code paths.

v1.0 · 2026-05-17 · authored by Anton Platonov.