Privacy Policy
CastNova — Privacy Policy · Last updated: March 14, 2026
1. Introduction
CastNova (“we”, “us”, “our”) operates the website castnova.app (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are based in Germany and comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the UK General Data Protection Regulation (UK GDPR).
Data Controller: Kevin Sander
Contact: contact@castnova.app
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (stored as a secure hash, never in plain text)
- Google account ID (if you sign in via Google OAuth)
2.2 Payment Information
When you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card number or full payment details. Stripe handles all payment data in accordance with PCI-DSS standards. We receive only a transaction ID, subscription status, and billing email from Stripe.
2.3 Uploaded Content
When you use the Service, you may upload audio or video files. These files are:
- Temporarily stored on our servers for processing
- Processed using OpenAI's Whisper API for transcription
- Processed using OpenAI's GPT-4o API for content generation
- Deleted from temporary storage after processing is complete
2.4 Generated Content
The text content generated from your uploads (transcriptions, social media posts, blog drafts, etc.) is stored in our database and associated with your account until you delete it.
2.5 Automatically Collected Data
When you visit our website, our servers automatically collect:
- IP address
- Browser type and version
- Operating system
- Date and time of access
- Pages visited
Server logs are retained for 7 days and then automatically deleted.
2.6 Cookies and Local Storage
We use only technically necessary cookies and local storage:
- Session cookie (necessary): Required for authentication and keeping you logged in. This cookie is HTTP-only and expires after 24 hours.
- Theme preference (local storage): Stores your display theme choice (light or dark mode) in your browser's local storage so it persists between visits. This is a functional setting you actively choose.
We use Umami, a self-hosted, cookie-free, privacy-focused web analytics tool. Umami does not collect personal data, does not use cookies, does not track users across websites, and all data stays on our own servers. No consent banner is required because Umami does not access or store any information on your device (Section 25(2) No. 2 TDDDG).
We do not use tracking cookies, marketing cookies, or any other non-essential storage technologies.
3. Legal Bases for Processing (Art. 6 GDPR)
We process personal data on the following legal bases:
Art. 6(1)(b) GDPR – Performance of a contract / pre-contractual steps
We process personal data where necessary to create and manage user accounts, provide the CastNova service, process uploads, generate transcripts and AI outputs, manage subscriptions, and provide customer support related to the Service.
Art. 6(1)(c) GDPR – Compliance with a legal obligation
We process personal data where necessary to comply with legal obligations, in particular accounting, tax, record-keeping, and other statutory compliance obligations.
Art. 6(1)(f) GDPR – Legitimate interests
We process personal data where necessary for our legitimate interests, provided these are not overridden by the data subject's interests or fundamental rights. These legitimate interests include:
- Ensuring the security, integrity, and availability of the Service
- Preventing fraud, abuse, and misuse
- Maintaining server logs and troubleshooting technical issues
- Enforcing our legal rights, defending claims, and documenting compliance
- Making limited operational improvements to the Service
Art. 6(1)(a) GDPR – Consent
Where we rely on consent, we will do so only for specific optional purposes, such as optional marketing communications or other processing that legally requires consent. Consent can be withdrawn at any time with effect for the future.
4. Retention Periods
We keep personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law.
In particular:
- Account data are kept for the duration of the user account and generally deleted or anonymised after account deletion, subject to a soft-delete / grace period of up to 30 days.
- Uploaded content, transcripts, and generated outputs are kept until deleted by the user or until the account is deleted, subject to a soft-delete / grace period of up to 30 days.
- Server logs are generally retained for up to 7 days, unless a longer retention is necessary for security incident investigation, abuse prevention, or legal enforcement.
- Billing, invoice, and tax-relevant records are retained for the period required by applicable commercial and tax law. In Germany, this is generally 8 years for booking records and 6 years for certain business correspondence; where a longer statutory retention period applies, data may be retained for up to 10 years.
- Support and compliance-related communications may be retained for as long as necessary to handle the request, document the matter, prevent abuse, or defend legal claims.
After expiry of the applicable retention period, the relevant data will be deleted or anonymised, unless further storage is legally required or the data must be retained for the establishment, exercise, or defence of legal claims. Residual copies may remain in secure backups for a limited period until overwritten in the ordinary backup cycle.
5. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Process your uploaded audio/video content
- Generate text content from your uploads
- Process payments and manage subscriptions
- Send transactional emails (account verification, password resets)
- Ensure security and prevent fraud
We do not use your data for:
- Advertising or marketing profiling
- Selling to third parties
- Training AI models (see Section 6)
6. Third-Party Services
We share data with the following third-party services, solely for the purpose of providing the Service:
Umami (self-hosted) — Cookie-free web analytics. Self-hosted on our own infrastructure. No personal data is collected, no cookies are set, and no data is shared with third parties.
Privacy policy: umami.is/docs/about
Hetzner — Server hosting (Helsinki, Finland, EU). All data stored on our servers.
Privacy policy: hetzner.com/legal/privacy-policy
OpenAI — Transcription (Whisper) and content generation (GPT-4o). Uploaded audio/video content and transcription text are sent to OpenAI for processing. Per OpenAI's API data usage policy, data sent through their API is not used to train their models.
Privacy policy: openai.com/policies/privacy-policy
Stripe — Payment processing. Email, payment method, and billing address are shared with Stripe. Stripe is PCI-DSS compliant.
Privacy policy: stripe.com/privacy
Resend — Transactional email delivery. Email addresses and email content are shared with Resend.
Privacy policy: resend.com/legal/privacy-policy
Google — OAuth authentication (optional). Google account ID, email, and name are shared when you choose to sign in with Google.
Privacy policy: policies.google.com/privacy
7. Your Rights
Under GDPR (EU/EEA residents)
You have the right to access your personal data, rectify inaccurate data, erase your data, restrict processing, receive your data in a portable format (data portability), object to processing, withdraw consent at any time, and lodge a complaint with a supervisory authority.
Under CCPA (California residents)
You have the right to know what personal information is collected, to delete your personal information, to opt out of the sale of personal information (we do not sell your data), and to non-discrimination for exercising your rights.
Under PIPEDA (Canadian residents)
You have the right to access your personal information, challenge the accuracy and completeness of your data, and withdraw consent for data collection.
Under UK GDPR (UK residents)
You have equivalent rights to those listed under GDPR above.
To exercise any of these rights, contact us at: contact@castnova.app. We will respond to your request within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS/SSL encrypted connections (HTTPS)
- Industry-standard password hashing
- SSH key authentication and firewall-restricted server access
- PCI-DSS compliant payment processing through Stripe
- Self-hosted file storage not shared with third parties
9. International Data Transfers
Your data may be transferred to and processed in countries outside the EU/EEA, specifically the United States (for OpenAI, Stripe, Resend, and Google services). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and the service providers' compliance with applicable data protection frameworks.
10. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date.
12. Contact
For any questions about this Privacy Policy or to exercise your data rights:
Email: contact@castnova.app
Imprint: castnova.app/imprint
German Privacy Policy (Datenschutzerklärung): castnova.app/datenschutz