Privacy Policy

Effective: September 23, 2025

This Privacy Policy applies to the ResearchCast website and web application (the "Services"). It explains how we collect, use, share, and protect personal data and describes your rights under the GDPR/DSGVO and other applicable laws.

1) Controller

Controller: Sebastian Vauth

Address: Angerstraße 12, 85354 Freising

Email: support@research-cast.com

We have not appointed a Data Protection Officer. For any privacy questions or requests, contact us using the details above.

2) Categories of Data We Process

Account & authentication data. Email address, password hash (never your plaintext password), optional display name, verification status, and account metadata (for example, created or updated timestamps). Authentication is handled by our managed identity components.

Sessions & device metadata. Session cookies or tokens, truncated IP address, user agent, referrer, timestamps, and basic device or HTTP headers used for security, session continuity, and troubleshooting.

Preferences & consent. Email or marketing opt-in, Weekly Digest topics, Explore feed settings (for example, the non-profiling or chronological toggle), audio or playback settings, and consent metadata (banner version, timestamp, and—where legally permitted—truncated IP).

Content you provide. Uploads and links (for example, to publicly accessible preprints) used to generate scripts or audio, plus resulting outputs and related metadata (for example, episode title, duration, attribution). You are responsible for ensuring you have a lawful basis to provide any third-party personal data that may be contained in such content.

Source & licensing metadata. Where available, we record source identifiers and license information (for example, DOI, arXiv ID or URL, Creative Commons license type, arXiv non-exclusive flag) to enforce visibility or licensing rules and to display attribution.

Usage & security logs. Limited server logs (truncated IP, request IDs, HTTP status, timestamps) for security, rate-limiting, capacity planning, and abuse prevention. We do not run third-party marketing analytics by default.

Cookies & similar tech. Essential authentication or session cookies and a first-party consent cookie. Non-essential cookies or SDKs are off by default and activated only with consent. See our Cookie Policy for details.

Payments (if applicable). If you purchase a paid plan, basic billing information is processed by our payment processor; we do not store full card numbers. We retain invoices as required by tax law.

Support communications. Messages you send us (for example, email or in-app support) and related metadata.

We do not intentionally collect special categories of data (Art. 9 GDPR). Please avoid providing health, biometric, or other sensitive data in free-text inputs.

3) Purposes & Legal Bases

We process personal data only where a legal basis applies:

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide and operate the Services | Authentication, session management, generation, storage or streaming, playlists, customer support | Contract (Art. 6(1)(b)) |
| Security & abuse prevention | Fraud or abuse detection, rate-limiting, incident response, service integrity | Legitimate interests (Art. 6(1)(f)) |
| Service communications | Account, security, transactional emails | Contract (Art. 6(1)(b)) |
| Optional emails | Weekly digest or marketing (if enabled) | Consent (Art. 6(1)(a)), withdraw anytime |
| Compliance | Accounting, tax, legal requests | Legal obligation (Art. 6(1)(c)) |
| Product improvement (non-marketing) | Debugging, quality, de-identified statistics, measurement of aggregate clicks via server-side redirects | Legitimate interests (Art. 6(1)(f)) with safeguards |

Right to object. Where we rely on legitimate interests, you may object at any time on grounds relating to your situation.

4) Generative AI Use

We use model providers to help draft episode scripts and produce text-to-speech. We send only the minimal content necessary to perform the requested generation. Where supported, we disable provider data-retention and training on customer content and configure privacy controls accordingly. We do not use your content to train our own models. You can opt out by not using generation features.

5) Content Sourcing, TDM & Licensing (Privacy-relevant aspects)

We respect robots.txt and machine-readable Text-and-Data-Mining (TDM) reservations signaled by sources. If a source signals TDM opt-out, we do not crawl or analyze it. We create temporary working copies strictly for automated analysis and delete them after the processing purpose is fulfilled (subject to minimal disaster-recovery backups). We use arXiv metadata via official interfaces where available and link full texts back to arXiv; we do not mirror full-text content.

6) Explore Recommender Transparency & Profiling

When you enable public discovery (Explore), we present a feed based on factors such as topic match, recency, aggregate interest, and quality signals. We provide a "Why am I seeing this?" panel describing main parameters and user options. We also offer a non-profiling or chronological mode (where applicable). We do not make automated decisions that produce legal effects or similarly significant effects about you. We do not sell personal data or share it for cross-context behavioral advertising.

7) Emails, Weekly Digest & Tracking

  • Consent & opt-in. We send Weekly Digest and other optional emails only with your consent (double opt-in). You can withdraw any time from settings or via the unsubscribe link.
  • Unsubscribe headers. Messages include List-Unsubscribe headers (one-click where supported) and footer links.
  • Open-tracking. We avoid open-tracking pixels by default. If enabled, they are used only with explicit consent.
  • Click measurement. Digest links may route through our own redirect endpoints to compute aggregate interest (without client-side identifiers).

8) Recipients (Processors) & International Transfers

We use trusted service providers to operate the Services. Core providers include application hosting or edge, managed database or authentication or storage, email delivery, payment processing (if enabled), and model providers for generation. We maintain a Sub-processors page and update it when providers change.

Some processing may occur outside the EU or EEA. Where this happens, we rely on appropriate safeguards (for example, EU Standard Contractual Clauses and supplementary measures) and require our providers to implement security controls consistent with industry practice. We do not sell personal data.

9) How We Use Data (summary)

We use personal data to:

  • provide and maintain the Services;
  • communicate with you about your account and the Services (transactional or service emails);
  • send optional emails only with your consent;
  • secure the Services, prevent abuse, and troubleshoot;
  • comply with legal obligations.

10) Retention

We keep personal data only as long as necessary for the purposes above.

  • Account data: kept while your account is active; deleted after account deletion.
  • Content & private media: deleted when you delete it or your account; residual copies may persist for a limited period in provider backups used solely for disaster recovery.
  • Temporary working copies (analysis or TDM): deleted after the processing purpose is fulfilled.
  • Logs: access logs typically around 30 days; processing logs around 7 days (subject to change for security and operations).
  • Consent records: retained to demonstrate compliance.
  • Billing records (if applicable): retained for periods required by tax and accounting law.

11) Your Rights

Under GDPR or DSGVO, you have the right to:

  • access your personal data;
  • rectify inaccurate data;
  • delete your data (subject to legal exceptions);
  • restrict or object to certain processing (including processing based on legitimate interests);
  • data portability (where technically feasible);
  • withdraw consent at any time (without affecting prior processing);
  • lodge a complaint with a supervisory authority. In the EU, you can contact your local authority; for our German establishment, the competent authority is the data protection authority of the Free State of Bavaria.

How to exercise your rights: Use in-product controls (profile, export, deletion) or email privacy@[your-domain]. We may need to verify your identity before acting on a request. We aim to respond within one month as required by law.

12) Security

We implement technical and organizational measures appropriate to risk, including email plus password authentication, strong password hashing, role-based access, database Row-Level Security, short-lived signed URLs for private media, TLS in transit, and at-rest encryption provided by our managed platforms. No method of transmission or storage is 100% secure. See our Security & Compliance page for more detail.

13) Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will take appropriate steps.

14) External Links

Our Services may link to external sites. Their privacy practices are governed by their own policies.

15) Disclosures for Law Enforcement & Change of Control

We may preserve or disclose information if required by law, court order, or to protect the rights, property, or safety of users, the public, or the Services. If we undergo a reorganization, merger, or sale, personal data may be transferred as part of that transaction in accordance with this Policy.

16) Changes to This Policy

We may update this Policy to reflect changes in our Services or legal requirements. We will post updates here and, where required, provide additional notice. The "Effective" date shows the latest version.

17) Contact

Controller: Sebastian Vauth

Email: support@research-cast.com

Postal: Angerstraße 12, 85354 Freising

End of Privacy Policy.