Security & Compliance

Effective: September 23, 2025

We take the security and privacy of your data seriously. This page summarizes how ResearchCast is hosted, how we protect your data, and which compliance measures and user controls we provide.

Hosting

Our application runs on managed cloud infrastructure from established providers.

Current core providers: Vercel (application hosting/edge) and Supabase (managed Postgres, authentication, object storage).

Providers may change as our architecture evolves; material updates will be reflected here.

Authentication & Session Management

  • Primary sign‑in: passwordless email (magic link); password fallback available.
  • Sessions use cookies set with the Secure and HttpOnly attributes; session tokens are refreshed and rotated automatically.
  • 2‑Factor Authentication (2FA) is not yet supported.
  • Server‑side middleware enforces authentication on each request and applies security headers.

Data Protection

  • Access control: least‑privilege principles; Postgres Row‑Level Security (RLS) policies restrict each user to their own rows.
  • Private media: served via signed URLs with short expirations.
  • Encryption: TLS in transit; at‑rest encryption is provided by our managed platforms.
  • Secrets: stored as environment variables with restricted access.
  • Headers: security headers are applied globally.
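As an added illustration of what "RLS restricts access to user‑owned data" means in practice on a Supabase‑managed Postgres database (this is example SQL written for this page, not ResearchCast's actual schema or policies; the `episodes` table and its `owner_id` column are assumed, while `auth.uid()`, the `authenticated` role and `request.jwt.claims` are standard Supabase conventions):

```sql
-- Assumed, illustrative table: not the real ResearchCast schema.
create table if not exists episodes (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  title      text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS. With RLS on and no policies, ordinary roles see zero rows.
alter table episodes enable row level security;
-- FORCE also applies the policies to the table owner, closing the owner bypass.
alter table episodes force row level security;

-- Read: only rows whose owner matches the caller's JWT subject.
create policy episodes_select_own on episodes
  for select to authenticated
  using (owner_id = auth.uid());

-- Insert: WITH CHECK prevents a user from creating rows owned by someone else.
create policy episodes_insert_own on episodes
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Update: USING limits which rows can be touched, WITH CHECK blocks re-owning them.
create policy episodes_update_own on episodes
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Delete: only the owner may delete.
create policy episodes_delete_own on episodes
  for delete to authenticated
  using (owner_id = auth.uid());

-- Check the policies from psql by impersonating an authenticated user.
-- auth.uid() reads the "sub" claim from request.jwt.claims, so this
-- simulates what PostgREST sets for a real request. The UUID is made up.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
-- Expected: only rows with owner_id = 1111...1111 are returned.
select id, title from episodes;
-- Expected: fails the WITH CHECK, because owner_id is not the caller.
insert into episodes (owner_id, title)
  values ('22222222-2222-2222-2222-222222222222', 'not mine');
rollback;
```

Two caveats a practitioner would want here: policies only protect tables that actually have RLS enabled, so any new table starts out unprotected until `enable row level security` is run on it; and the Supabase `service_role` key bypasses RLS entirely, so it belongs only in server‑side code, never in a browser bundle.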

Generative AI Use

We use LLMs to help draft episode scripts and produce text‑to‑speech output.

Only the minimal content necessary for generation is transmitted to model providers.

Where supported, we disable provider data retention and model‑training on customer content and configure privacy controls accordingly. We do not use customer content to train our own models.

We review provider terms and will update this page if practices materially change.

Compliance & User Controls

We rely on providers that maintain industry‑standard security programs. ResearchCast provides GDPR/DSGVO controls for end users:

  • Cookie consent banner (essential only by default; other categories are opt‑in).
  • Consent tracking for marketing emails (version, timestamp, and—where legally permitted—IP).
  • Data export: available via the product interface.
  • Account deletion: removes the profile and initiates deletion of user‑owned storage; residual copies may persist in provider backups for a limited period as part of disaster recovery.

Content Sourcing & IP Compliance

We source materials via openly accessible links (e.g., public repositories, author websites, open‑access publishers).

Episodes are original summaries and commentary produced by ResearchCast; we do not include substantial verbatim readings of third‑party text or embed third‑party copyrighted figures in subscriber content.

When we intend to include longer quotations, text‑to‑speech renderings of third‑party prose, or third‑party figures, we either (i) confirm that the source licence permits commercial reuse and comply with any conditions (e.g., attribution, share‑alike, no‑DRM) or (ii) obtain written permission from the rightsholder.

"Openly accessible" is not the same as open‑licensed; licence checks are performed where needed.

We provide clear source attribution and links in episode notes.

Backups & Retention

Supabase maintains managed backups for our database and storage per its platform policies.

When you delete your account, we delete your profile and request purge of user‑owned storage. Residual provider backups may persist for a limited time solely for disaster‑recovery purposes.

Reporting Security Issues

If you believe you've found a vulnerability, contact sebastianvauth@gmail.com. We review and respond to good‑faith reports.