Privacy Policy
Effective: September 23, 2025
This Privacy Policy applies to the ResearchCast website and web application (the "Services"). It explains how we collect, use, share, and protect personal data and describes your rights under the GDPR/DSGVO and other applicable laws.
1) Controller
Sebastian Vauth
Angerstraße 12, 85354 Freising, Germany
Email: sebastianvauth@gmail.com
We have not appointed a Data Protection Officer. For any privacy questions or requests, contact us using the details above.
2) Categories of Data We Process
Account data: email address and, if provided, a display name. Authentication is provided by our identity provider.
Preferences: email/marketing opt‑in, weekly‑digest topics, audio/playback settings, and consent metadata (e.g., banner version, timestamp, IP where legally permitted).
Content you provide: uploads and links (e.g., to publicly accessible research) used to generate scripts/audio, plus resulting outputs and related metadata. You are responsible for ensuring you have a lawful basis to provide any third‑party personal data contained in such content.
Usage & security logs: limited server logs (IP address, device/HTTP metadata, timestamps) for security, rate‑limiting, and troubleshooting. We do not run third‑party marketing analytics by default.
Cookies & similar tech: essential authentication/session cookies and a first‑party consent cookie. See our Cookie Policy for details.
Payments (if applicable): if you buy a paid plan, basic billing information is processed by our payment processor; we do not store full card numbers. We retain invoices as required by tax law.
3) Purposes & Legal Bases
We process personal data only where a legal basis applies:
| Purpose | Examples | Legal basis | 
|---|---|---|
| Provide and operate the Services | authentication, generation, storage, streaming, playlists, customer support | Contract (Art. 6(1)(b)) | 
| Security & abuse prevention | fraud/abuse detection, rate limiting, service integrity | Legitimate interests (Art. 6(1)(f)) | 
| Communications | service notices and transactional emails | Contract (Art. 6(1)(b)) | 
| Optional emails | weekly digest/marketing (if enabled) | Consent (Art. 6(1)(a)) — withdraw anytime | 
| Compliance | accounting, tax, legal requests | Legal obligation (Art. 6(1)(c)) | 
| Product improvement (non‑marketing) | debugging, service quality, de‑identified statistics | Legitimate interests (Art. 6(1)(f)) with safeguards | 
Right to object: Where we rely on legitimate interests, you may object at any time on grounds relating to your situation.
4) Generative AI Use
We use model providers to help draft episode scripts and produce text‑to‑speech. We send only the minimal content necessary to perform the requested generation.
Where supported, we disable provider data‑retention and training on customer content and configure privacy controls accordingly.
We do not use your content to train our own models.
You can opt out by not using generation features.
5) Recipients (Processors) & International Transfers
We use trusted service providers to operate the Services. Current core providers include application hosting, managed database/authentication/storage, email delivery, payment processing (if enabled), and model providers for generation. We maintain a Subprocessors list and update it when providers change.
Some processing may occur outside the EU/EEA. Where this happens, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses and supplementary measures) and require our providers to implement security controls consistent with industry practice.
We do not sell personal data or share it for cross‑context behavioral advertising.
6) How We Use Data
We use personal data to:
- provide and maintain the Services;
- communicate with you about your account and the Services (transactional/service emails);
- send optional emails only with your consent;
- secure the Services, prevent abuse, and troubleshoot;
- comply with legal obligations.
7) Retention
We keep personal data only as long as necessary for the purposes above:
Account data: kept while your account is active; deleted after account deletion.
Content & private media: deleted when you delete it or your account; residual copies may persist for a limited period in provider backups used solely for disaster recovery.
Logs: retained for a short period needed for security and troubleshooting.
Consent records: retained to demonstrate compliance.
Billing records (if applicable): retained for periods required by tax and accounting law.
8) Your Rights
Under GDPR/DSGVO, you have the right to:
- Access your personal data;
- Rectify inaccurate data;
- Delete your data (subject to legal exceptions);
- Restrict or object to certain processing;
- Data portability (where technically feasible);
- Withdraw consent at any time (without affecting prior processing);
- Lodge a complaint with a supervisory authority. In the EU, you can contact your local authority; for our German establishment, the competent authority is the data protection authority of the Free State of Bavaria.
How to exercise your rights: Use the in‑product controls (e.g., profile, export, deletion) or contact privacy@[your‑domain]. We may need to verify your identity before acting on a request. We aim to respond within one month as required by law.
9) Security
We implement technical and organizational measures appropriate to risk, including role‑based access, database row‑level security, signed URLs for private media, and encrypted transport. No method of transmission or storage is 100% secure. See our Security & Compliance page for more detail.
10) Children
The Services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will take appropriate steps.
11) External Links
Our Services may link to external sites. Their privacy practices are governed by their own policies.
12) Disclosures for Law Enforcement & Change of Control
We may preserve or disclose information if required by law, court order, or to protect the rights, property, or safety of users, the public, or the Services. If we undergo a reorganization, merger, or sale, personal data may be transferred as part of that transaction in accordance with this Policy.
13) Changes to This Policy
We may update this Policy to reflect changes in our Services or legal requirements. We will post updates here and, where required, provide additional notice. The "Effective" date shows the latest version.
14) Contact
Controller: Sebastian Vauth
Angerstraße 12, 85354 Freising, Germany
Email: sebastianvauth@gmail.com
