Legal

Privacy policy

Last updated: June 28, 2026

Draft template. This document is a starting point only. It is not legal advice — replace with counsel-reviewed language before public launch.

This Privacy Policy explains how AppCast ("AppCast", "we", "our") collects, uses, and protects information when you use our website, dashboard, embeddable widget, and SDKs (collectively, the "Service"). It applies to information about visitors, registered users (administrators of Financial Institutions and other host applications), and the end-users who view content rendered by AppCast inside our customers' apps.

1. Information we collect

1.1 Information you provide

  • Account data. When you (or your organisation's admin) sign up, we collect your name, email, organisation name, and OAuth identifier provided by Google.
  • Brand data. Logos, brand colors, taglines, tenant slug, and any text or media you upload into the Studio.
  • Content. Videos you upload or generate, scripts you write or that the AI generates, and any comments you or your users moderate.
  • Billing data. Where applicable, billing contact, address, tax ID, and payment instrument (handled by our payments provider).

1.2 Information collected automatically

  • Engagement events. When an end-user watches a video rendered by AppCast inside a host application, we record view, complete, like, share, and click events. These events are linked to a pseudonymous session identifier — not to a real-world identity unless your host app passes one to us explicitly.
  • Device & technical data. IP address (used for geographic aggregates and rate-limiting, then truncated), user-agent, OS, browser language, and screen size.
  • Cookies & local storage. See Section 4.

1.3 Information from third parties

  • Authentication identifiers from Google when you choose Google sign-in.
  • Aggregated diagnostics from our hosting and CDN providers.

2. How we use information

  • To provide and operate the Service (host the dashboard, generate AI videos, serve the public feed, compute analytics).
  • To improve performance and reliability (error monitoring, load balancing, anomaly detection).
  • To bill customers and meter AI-credit usage.
  • To communicate operationally (downtime notices, security advisories, product changes).
  • To comply with legal obligations (tax, anti-fraud, lawful requests).

We do not train AI models on customer content. Prompts you submit to the Studio are forwarded to third-party AI providers (LLM, voice, avatar) for the sole purpose of fulfilling that request, and we contractually require those providers not to retain or train on the data.

3. Legal bases (GDPR)

If you are in the EEA, UK, or Switzerland, we process personal information under one or more of:

  • Contract — to deliver the Service to you or your organisation.
  • Legitimate interests — for product analytics, security, and fraud prevention, balanced against your rights.
  • Consent — for non-essential cookies and any marketing communications.
  • Legal obligation — tax, accounting, lawful access requests.

4. Cookies & similar technologies

We use a small number of essential cookies (session cookie for sign-in, CSRF token, a balancing cookie) and local storage to remember layout preferences and A/B variant assignments. Analytics cookies are only set with your consent in jurisdictions where consent is required.

  • session_token — keeps you signed in (HttpOnly, Secure, 7 days).
  • appcast_variant — pseudonymous A/B test variant assignment (1 year, no PII).
  • appcast_csrf — request anti-forgery token (session).

5. Data sharing

We share information only with: (a) sub-processors strictly needed to operate the Service (hosting, AI providers, payment processing, customer support), (b) your own organisation's administrators within the same tenant, and (c) lawful authorities when required by court order or applicable law. We never sell personal information.

6. Data retention

  • Account & billing data: retained while your account is active and up to 7 years thereafter where required for tax.
  • Content (videos, scripts, comments): retained until you delete it. Deletion is honored within 30 days across primary storage and backups.
  • Engagement events: aggregated after 13 months; raw events purged.
  • Operational logs: 90 days.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal information we hold about you.
  • Correct or update inaccurate information.
  • Delete your information (right to be forgotten).
  • Export your information in a portable format.
  • Opt out of non-essential cookies and marketing.
  • Lodge a complaint with a supervisory authority (in the EEA / UK).

To exercise any of these rights, email hello@appcaststudio.com. We respond within 30 days.

8. International transfers

Our primary infrastructure is in the United States. Where data is transferred from the EEA / UK to the US, we rely on Standard Contractual Clauses and supplementary measures.

9. Security

We use TLS 1.3 for all traffic, AES-256 for data at rest, scoped access controls, audit logging, automated backups, and routine vulnerability scanning. No system is perfectly secure — we encourage you to use a unique strong password (or Google SSO) and to enable two-factor authentication where available.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect their personal information.

11. Changes to this policy

We'll update the "Last updated" date at the top of this page when we change anything material, and we'll also notify active customers by email at least 30 days before substantive changes take effect.

12. Contact

Privacy questions, data requests, or anything legal:

hello@appcaststudio.com