Privacy law compliance
Privacy laws differ across the world. Cabin attempts to abide by all known applicable laws as a result of our privacy-first data storage model.
GDPR (Europe & UK)
The General Data Protection Regulation (GDPR) demands that data subjects may not be identifiable unless authorized.
"The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons."
NOTE
Cabin does not allow personal identification, directly or indirectly. Cabin does not allow its data to "express the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons."
UK GDPR Compliance
Since Brexit, the UK has implemented its own version of GDPR (UK GDPR). Cabin's data model complies with both EU GDPR and UK GDPR requirements by:
- Not collecting or processing personal data that could identify individuals
- Not using cookies, tracking technologies, or online identifiers
- Only storing aggregated, non-personal statistical data (domain-level tallies)
- Not enabling the creation of user profiles or behavioral tracking
For more information on UK GDPR, see the ICO's guidance.
PECR Compliance
The Privacy and Electronic Communications Regulations (PECR) sit alongside the UK GDPR and provide specific privacy rules for electronic communications, including:
- Rules about cookies and similar technologies
- Requirements for electronic marketing communications
- Security requirements for public electronic communications services
Cabin complies with PECR by:
- Not using cookies or similar tracking technologies
- Not collecting personal data for marketing purposes
- Ensuring all data collection is anonymous and non-identifiable
CCPA/CPRA (California)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California consumers with specific rights regarding their personal information. Under the CCPA, California consumers have the following rights:
The right to know what personal information is collected about them
NOTE
Cabin does not collect personally identifiable information.
The right to know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale or sharing
NOTE
Cabin does not sell or share data with anyone.
The right to access their personal information that has been collected
NOTE
Cabin is not capable of identifying information related to a person.
The right to request deletion of their personal information
NOTE
Cabin is not capable of identifying information related to a person. All data can be deleted by a Cabin user.
The right to correct inaccurate personal information
NOTE
Cabin does not collect personally identifiable information that would need correction.
The right to limit the use and disclosure of sensitive personal information
NOTE
Cabin does not collect sensitive personal information as defined by the CCPA/CPRA.
The right to not be discriminated against for exercising their rights under the Act
NOTE
Cabin is not capable of identifying information related to a person; therefore, business owners cannot target individuals for discrimination.
The CCPA/CPRA defines personal information as:
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
NOTE
Cabin's data model does not allow inferences to be made from personal information. Cabin does not use identifiers or fingerprints. Cabin does store country-level IP geolocation, but this is not related to any other data points and cannot be used to identify individuals.
DPA (France)
The French Data Protection Act (Loi Informatique et Libertés), first enacted in 1978 and subsequently amended to implement GDPR, establishes France's data protection framework. The Act is enforced by the Commission Nationale de l'Informatique et des Libertés (CNIL).
Regarding the use of trackers and cookies:
Users must provide free, informed, specific and unequivocal consent.
NOTE
While trackers intended to generate traffic statistics are exempt from the DPA, Cabin does not use cookies and therefore does not require consent.
Cookie walls and consent requirements
The CNIL guidelines specify that continuing to browse a website, scrolling a page, or using a mobile application does not constitute valid consent for cookies. Additionally, the validity of "cookie walls" (blocking access to a website if cookies are not accepted) must be assessed on a case-by-case basis.
NOTE
Cabin does not implement cookie walls or use any tracking technologies that would require user consent.
Exemptions for technical cookies
Prior information and consent requirements do not apply to cookies whose sole purpose is to enable or facilitate communication or are strictly necessary to provide an online service requested by the user.
NOTE
Cabin only uses essential technical cookies necessary for the functioning of the service, which are exempt from consent requirements.
Data minimization and security
The French DPA requires implementing appropriate technical and organizational measures to protect personal data and ensure that only the minimum amount of data necessary is collected, stored, and processed.
NOTE
Cabin's privacy-first data model ensures minimal data collection, with no personal identifiers that could be used to identify individuals.
More information on the French DPA
PIPEDA (Canada)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information in commercial activities.
PIPEDA requires organizations to:
- Obtain meaningful consent for the collection, use, and disclosure of personal information
- Collect only information necessary for identified purposes
- Protect personal information with appropriate security measures
- Provide individuals access to their personal information
- Be transparent about privacy practices
NOTE
Cabin does not collect personal information as defined by PIPEDA. Our privacy-first data model ensures no personally identifiable information is stored.
Additionally, Canada's Anti-Spam Legislation (CASL) requires express consent for the installation of cookies and similar technologies.
NOTE
Cabin does not use cookies or similar tracking technologies, so no consent is required under CASL.
APP (Australia)
The Australian Privacy Principles (APP) establish Australia's privacy framework, enforced by the Office of the Australian Information Commissioner (OAIC). The APPs require organizations to:
Implement practices for privacy compliance
Organizations must take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs and enable handling of privacy inquiries and complaints.
NOTE
Cabin's privacy-first approach is designed to comply with APP requirements through minimal data collection and transparent practices.
Maintain a clear and accessible privacy policy
Organizations must have a clearly expressed and up-to-date privacy policy explaining how personal information is managed, including collection methods, purposes, and disclosure practices.
NOTE
Cabin's privacy policy clearly outlines our limited data collection practices and how we protect user information.
Notify individuals about data collection
When collecting personal information, organizations must take reasonable steps to notify individuals about the collection, its purpose, and how the information will be used and disclosed.
NOTE
Cabin collects minimal data and is transparent about its collection practices. Since Cabin does not collect personal information that could identify individuals, many notification requirements are not applicable.
Provide choice and control
While Australia doesn't have explicit cookie consent requirements like the EU, the OAIC emphasizes transparency about tracking technologies and data collection.
More information on Australian Privacy Principles
LGPD (Brazil)
Brazil's General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) came into effect in September 2020 and is enforced by the Brazilian Data Protection Authority (ANPD). The law applies to any organization processing personal data of Brazilian residents, regardless of where the organization is located.
Key requirements of the LGPD include:
- Obtaining valid consent that is "free, informed and unequivocal"
- Providing one of ten legal bases for processing personal data
- Appointing a Data Protection Officer (DPO)
- Respecting data subject rights (access, correction, deletion, etc.)
- Notifying authorities and affected individuals of data breaches
- Special protections for children's data requiring parental consent
Penalties for non-compliance include fines of up to 2% of annual revenue in Brazil (capped at 50 million reals per violation), as well as potential data processing suspensions or bans.
NOTE
Cabin does not collect personal data as defined by Brazil's LGPD. Since Cabin does not use cookies or collect identifiable information, many LGPD requirements do not apply to our service.
For more information on Brazil's data protection framework, see the official LGPD documentation.
PDPA (Argentina)
Argentina's Personal Data Protection Law (PDPA) regulates the treatment of personal data by both government agencies and private organizations. While the law doesn't specifically mention cookies, the principles of data protection apply to all forms of personal data collection.
Key aspects of Argentina's PDPA include:
- Consent requirements: Organizations must obtain explicit, informed consent before collecting or processing personal data
- Data minimization: Only data necessary for the specified purpose should be collected
- Purpose limitation: Data should only be used for the purposes for which it was collected
- Data subject rights: Individuals have rights to access, correct, and delete their personal data
NOTE
Cabin does not collect personal data as defined by Argentina's PDPA. Since Cabin does not use cookies or collect identifiable information, consent requirements under the PDPA do not apply to our service.
For more information on Argentina's data protection framework, see the official PDPA documentation.
POPIA (South Africa)
South Africa's Protection of Personal Information Act (POPIA) came into full effect on July 1, 2021, and is enforced by the Information Regulator. While POPIA doesn't explicitly mention cookies, it does regulate the processing of personal information, which includes data collected through cookies and online identifiers.
Key aspects of POPIA relevant to data collection:
- Personal information definition: POPIA defines personal information broadly to include "online identifiers" and "information relating to an identifiable, living, natural person," which can encompass cookie identifiers.
- Consent requirements: When collecting personal information (including via cookies), responsible parties must:
  - Take reasonably practicable steps to ensure data subjects are aware of the collection
  - Obtain consent for the processing of personal information, particularly for direct marketing purposes
  - Provide clear information about what data is being collected and how it will be used
- Cookie notices and policies: Under POPIA, websites using cookies that collect personal information should implement:
  - A cookie notice informing users about cookie usage
  - A comprehensive cookie policy explaining what cookies are used and their purposes
  - Consent mechanisms for non-essential cookies, especially those used for direct marketing
- Direct marketing restrictions: POPIA requires explicit opt-in consent for direct marketing to non-customers via electronic communications, which includes marketing facilitated by cookies.
NOTE
Cabin does not use cookies or online identifiers. Cabin's privacy-first data model ensures no personal information is collected or processed as defined by POPIA, making many of the act's requirements not applicable to our service.
For more information on South Africa's data protection framework, see the Information Regulator's website.
Swiss Federal Data Protection Act (Switzerland)
Switzerland's revised Federal Act on Data Protection (FADP/DSG) came into effect on September 1, 2023. While not an EU member state, Switzerland has updated its data protection law to align more closely with the GDPR while maintaining some unique Swiss provisions.
Key aspects of the Swiss FADP include:
- Requiring a legal basis for processing personal data
- Providing data subjects with rights to access, correct, delete their data, and data portability
- Implementing "privacy by design" and "privacy by default" principles
- Requiring data breach notifications without delay when high risks to personal data exist
- Conducting risk assessments for high-risk data processing activities
- Maintaining detailed records of all data processing activities
- Imposing penalties of up to CHF 250,000 (approximately $280,000 USD) for intentional violations
Unlike the previous version, the revised FADP no longer protects data of legal persons (companies), but still protects natural persons' data, including employees of companies.
NOTE
Cabin does not collect personal data as defined by Switzerland's FADP. Since Cabin does not use cookies or collect identifiable information, many FADP requirements do not apply to our service. Our privacy-by-design approach aligns with the FADP's requirements.
For more information on Switzerland's data protection framework, see the Federal Data Protection and Information Commissioner's website.
Norwegian Personal Data Act (Norway)
Norway, while not an EU member state, has implemented the GDPR through its Personal Data Act (Personopplysningsloven). The Norwegian Data Protection Authority (Datatilsynet) enforces this law, which came into effect in July 2018.
While largely aligned with the GDPR, Norway's implementation includes specific provisions related to:
- Processing of children's personal data (with age of consent set at 13 years)
- Processing in employment contexts
- Credit information processing
- Camera surveillance
- Data protection by design and default requirements
As a member of the European Economic Area (EEA), Norway follows the European Data Protection Board (EDPB) guidelines on data protection impact assessments, certification mechanisms, and codes of conduct.
NOTE
Cabin complies with Norway's Personal Data Act through our privacy-first data model that ensures no personally identifiable information is collected or processed. Since Cabin does not use cookies or collect identifiable information, many specific requirements under Norwegian law do not apply to our service.
For more information on Norway's data protection framework, see the Norwegian Data Protection Authority's website and the EDPB's guidance for SMEs.
Spanish Organic Law on Data Protection (Spain)
Spain implemented the GDPR through the Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which came into effect in December 2018. While aligned with the GDPR, the Spanish law includes additional provisions on:
- Digital rights in employment relationships
- Right to digital disconnection
- Protection of minors online
- Right to be forgotten in social networks and equivalent services
- Right to digital education
Spain's Data Protection Authority (AEPD) has issued specific guidelines on cookie consent that were updated in July 2023 and enforced since January 11, 2024.
NOTE
Cabin complies with Spain's LOPDGDD through our privacy-first data model that ensures no personally identifiable information is collected or processed. Since Cabin does not use cookies, Spain's specific cookie consent requirements do not apply to our service.
For more information on Spain's data protection framework, see the Spanish Data Protection Authority's website.
Italian Personal Data Protection Code (Italy)
Italy implemented the GDPR through amendments to its existing Personal Data Protection Code. The Italian Data Protection Authority (Garante per la protezione dei dati personali) is known for its strict enforcement and has issued specific guidelines on:
- Cookie usage and consent requirements
- Data processing in employment contexts
- Biometric data processing
- Video surveillance
NOTE
Cabin complies with Italy's Personal Data Protection Code through our privacy-first data model that ensures no personally identifiable information is collected or processed. Since Cabin does not use cookies, Italy's specific cookie consent requirements do not apply to our service.
For more information on Italy's data protection framework, see the Italian Data Protection Authority's website.