The ethics

Why we do not collect any data, even the boring kind

By Ryan King · Updated June 2026 · Plain answer.

Most kids apps say they care about privacy. Most kids apps then send a steady stream of identifiers, device info, gameplay metrics, and ad-network signals to a long list of third parties. Honest privacy looks different.

What the average kids app sends home

A 2018 study by the International Computer Science Institute audited 5,855 child-directed Android apps and found that 57 percent were potentially in violation of COPPA. The most common violations: SDKs that collect persistent device identifiers, location, and behavioral data, often without parental consent, often shipped from the app developer's own decision to monetize.

The 2019 FTC settlement with TikTok was over kids data. The 2019 settlement with YouTube was over kids data. The 2022 Epic Games settlement was over kids data. The pattern is consistent: the bigger the kids app, the more data has been quietly collected and the larger the eventual fine.

What Cairn collects

Nothing. There are no analytics SDKs in our apps. There is no telemetry sent home. There are no accounts. There is no signup. There is no email collection. There are no third-party trackers. There is no IP address logged on our side because there is no server side.

Your child's name, age, the world they picked, their progress on each stage, any photo avatar, and any audio recordings of letter sounds you made for them live only on the iPad they were created on. Deleting the app deletes them. We could not show you a usage chart of your child's play even if you asked us to, because we do not have that data.

Why this is the right posture, not the marketing posture

Children cannot meaningfully consent to data collection. They cannot read a privacy policy, they cannot evaluate whether a third-party SDK shares with brokers, and they cannot weigh the long-term consequences of having a behavioral profile built about them before they enter kindergarten. The serious answer to that is not a more readable policy. It is to not collect anything in the first place.

We also genuinely do not need it. The apps work. The boys learn. We do not need to A/B test which button color produces a longer session because we are not optimizing for session length.

What you can verify

Open the iPad's Network Privacy Report after a session of Cairn Read. The list of contacted domains is empty after the first download. Run the app in airplane mode. It still works. Inspect the bundle. The audio files are the largest things in it, not analytics code.

The honest brand is the one that does not have to ask you to trust the policy because the architecture is the policy.

Sources: Reyes et al., USENIX Security 2018, Won't Somebody Think of the Children?; FTC actions against TikTok (2019), Google/YouTube (2019), Epic Games (2022).