Privacy Policy

Your privacy matters to us. Learn how we protect and handle your data.

Last updated November 2025 Β· Effective November 2025

Privacy at a Glance

  • GDPR compliant Full compliance with EU data protection regulations.
  • EU data storage All customer data is hosted on infrastructure located in Germany/EU.
  • Your rights Exercise access, rectification, deletion, and portability at any time.

1. Introduction

CastHubOne Ltd. ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services, including our B2B SaaS podcast-based learning platform.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services. By accessing and using CastHubOne, you acknowledge that you have read and understand this Privacy Policy.

2. Data Controller Information

Company Name: CastHubOne Ltd.
Registered Address: Auf der Bojewiese 59b, 21033 Hamburg, Germany
Email Address: privacy@casthubone.com
Data Protection Officer: To be appointed. Contact details will be updated upon appointment.
Supervisory Authority: Der Bundesbeauftragte fΓΌr den Datenschutz und die Informationsfreiheit (BfDI), https://www.bfdi.bund.de

3. Personal Data We Collect

3.1 User Account Data

When you create an account on CastHubOne, we collect:

  • Email address
  • Full name (first and last name)
  • Profile image (optional)
  • User ID (system-generated)
  • Account creation timestamp
  • Email verification status
  • Account status (active/inactive)
3.2 User Preferences and Settings
  • Theme preference (light, dark, or system)
  • Language preference (English, Spanish, French, German, Dutch, or Portuguese)
  • Selected organization ID
  • Notification preferences
3.3 Role and Permission Data
  • User role (owner, success manager, admin, or user)
  • Organization membership information
  • Group memberships
  • Organization-specific role assignments
3.4 Learning Activity Data
  • Podcast listening progress (seconds listened)
  • Quiz attempts and results (scores ranging from 0-100)
  • Quiz completion status (not started, in progress, or completed)
  • Learning progress tracking
  • Completion timestamps
3.5 User-Generated Content
  • Feedback and comments
  • Uploaded files and attachments
  • Learning Experience Request (LXR) data
  • File metadata
3.6 Technical and System Data
  • Session tokens and authentication credentials (managed by authentication provider)
  • Request logs (method, path, response status, duration)
  • Error logs and stack traces (server-side only)
  • Audit trail data (created by, updated by, created at, updated at timestamps)
  • IP addresses (for rate limiting and security)
  • Device information (browser, operating system)
3.7 Notification Data
  • Notification records (type, title, message, link)
  • Read status
  • Notification context (admin console or customer portal)
  • Notification timestamps
3.8 Data Collected Through Authentication Provider

Through our authentication provider (Clerk), we receive:

  • Email address
  • Full name
  • OAuth provider IDs (Google, Microsoft)
  • Profile image URL from OAuth provider
  • Session information

4. Legal Basis for Processing Personal Data

We process your personal data based on the following legal grounds under GDPR Article 6:

Article 6(1)(b) Contract Performance

We process your personal data to perform our contract with you and deliver our services:

  • User authentication and account management
  • Podcast content delivery and access
  • Quiz creation and management
  • Progress tracking and analytics
  • Access control and permissions management
  • File storage and retrieval
  • Notification delivery

Article 6(1)(f) Legitimate Interests

We process your personal data for our legitimate business interests:

  • Security and Fraud Prevention: Rate limiting, authentication logs, audit trails
  • Service Improvement: Error logs, performance monitoring, request tracing
  • System Administration: Database backups, file cleanup, log rotation
  • Legal Compliance: Tax and accounting records

Article 6(1)(a) Consent

Where required, we obtain your explicit consent for:

  • AI-powered content generation (optional, can be disabled)
  • Email notifications (can be disabled at organization level)
  • Marketing communications (separate from transactional emails)

Article 6(1)(c) Legal Obligation

We process your personal data to comply with legal obligations:

  • Data retention for tax and accounting (German law)
  • Security incident reporting (GDPR Articles 33-34)
  • Response to lawful requests from authorities

5. Purposes of Data Processing

We use the collected personal data for the following purposes:

1
Service Delivery:

Provide, maintain, and improve the platform

2
User Authentication:

Verify identity and manage account access

3
Content Management:

Create and distribute podcast-based learning

4
Progress Tracking:

Monitor learning progress and quiz performance

5
Communication:

Send notifications, updates, and responses

6
Security:

Protect against fraud and unauthorized access

7
System Administration:

Maintain platform and manage infrastructure

8
Analytics:

Understand user interaction and improve UX

9
Legal Compliance:

Comply with applicable laws and regulations

10
AI Content Generation:

Assist in creating titles and objectives (optional)

6. Data Storage and Infrastructure

EU Data Residency
All personal data is stored on servers located within the European Union (Germany/EU regions)

Data Storage Providers

Service Purpose Location Data Stored
Supabase Primary database EU (Germany) All user data, organizations, groups, podcasts, quizzes, progress, notifications, audit trails
Cloudflare R2 File storage EU (configurable) Podcast audio files, learning materials, user-uploaded attachments
Vercel Frontend hosting EU (configurable) Admin console and customer portal, static assets

Data Backup: We maintain backups for 30-90 days in accordance with German legal requirements. Backup data is stored with the same security measures as primary data.

7. Security Measures

πŸ” Authentication & Access

  • JWT-Based: Secure tokens in HttpOnly cookies
  • No Password Storage: Managed by Clerk (OAuth, passwordless)
  • RBAC: Role-based permissions (Owner, Admin, User)
  • Multi-Tenant: Organization-scoped data isolation

πŸ”’ Encryption

  • In Transit: TLS 1.2+ encryption
  • At Rest: Industry-standard encryption protocols

πŸ›‘οΈ Vulnerability Prevention

  • SQL Injection: Parameterized queries, SQLAlchemy ORM
  • XSS Prevention: Input sanitization, output escaping
  • CSRF Prevention: SameSite cookies, CORS restrictions

πŸ“Š Security Monitoring

  • Request Logging: Method, path, status, duration
  • Error Logging: Server-side only (never sent to clients)
  • Rate Limiting: 1,000 requests/60s per IP
  • Audit Trails: Track all data modifications

8. Third-Party Services and Data Sharing

No Third-Party Marketing
We do not sell, rent, or share your personal data with third parties for marketing purposes

Data Processors

We share your personal data with the following service providers who process data on our behalf under strict contractual obligations:

Service Purpose Location Safeguards
Clerk Authentication US/EU option DPA, SCCs, EU data residency available
Cloudflare R2 File storage EU configurable DPA, EU region available
OpenAI AI content generation US DPA, SCCs, 30-day data retention
Vercel Frontend hosting EU configurable DPA, EU deployment option available
Resend Email delivery US/EU DPA, SCCs available

Data Processing Agreements: We have entered into DPAs with all third-party processors in accordance with GDPR Article 28.

International Data Transfers
For US-based services (Clerk, OpenAI, Resend), we use Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework, and EU data residency options where available. Contact privacy@casthubone.com for safeguard details.

9. Cookies and Tracking Technologies

πŸͺ Essential Cookies

We use only essential cookies that do not require consent:

access_token

Authentication and session management (HttpOnly, Secure, SameSite)

🚫 No Tracking

We do NOT use:

  • Google Analytics or similar services
  • Third-party tracking cookies
  • Advertising cookies
  • Behavioral tracking technologies

10. Data Retention

Active Data Account Lifecycle

User profile, preferences, roles, learning progress, and quiz results retained while your account is active.

Deleted Accounts 30-Day Grace Period
Account soft-deleted (deactivated)
30-day recovery period
Hard deletion (permanent erasure)

11. Your Rights as a Data Subject

Under GDPR and German data protection law, you have the following rights:

Art. 15 Right of Access

Obtain confirmation and a copy of your data (JSON format)

How: Email privacy@casthubone.com with subject "Data Access Request"

Art. 16 Right to Rectification

Correct inaccurate or incomplete data

How: Update in account settings or contact privacy@casthubone.com

Art. 17 Right to Erasure

Request deletion of your personal data

How: Email privacy@casthubone.com with subject "Data Deletion Request"

Art. 18 Right to Restrict

Request restriction of processing

How: Email privacy@casthubone.com

Art. 20 Data Portability

Receive your data in machine-readable format

How: Email privacy@casthubone.com with subject "Data Portability Request"

Art. 21 Right to Object

Object to processing based on legitimate interests

How: Email privacy@casthubone.com

Right to Lodge a Complaint
Contact the German Federal Data Protection Authority (BfDI) at www.bfdi.bund.de

12. Marketing and Communications

πŸ“§ Transactional Emails

Necessary for service delivery (no consent required):

  • Password reset requests
  • Account verification
  • Security alerts
  • Service updates

πŸ“¬ Marketing Emails

Opt-in only. Unsubscribe anytime:

  • Click "Unsubscribe" in any email
  • Update preferences in account settings
  • Email privacy@casthubone.com

13. Children's Data

Age Restriction: 16+
CastHubOne is not intended for children under 16. We do not knowingly collect data from children under 16. If we become aware of such data, we will delete it immediately.

14. Automated Decision-Making and Profiling

No Automated Decisions
We do not use automated decision-making or profiling that produces legal or significant effects. Our AI features are used only for content generation assistance and do not analyze or make decisions about users.

15. Data Breach Notification

🚨 To Authorities

Timeline: Within 72 hours

We notify the German Federal Data Protection Authority (BfDI) of any breach posing risk to your rights and freedoms.

πŸ“’ To You

Timeline: Without undue delay

Direct email communication with nature of breach, consequences, and protective measures.

16. Privacy Policy Updates

We'll Keep You Informed
Material changes will be communicated via email at least 30 days before taking effect, plus a prominent website notice.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Email: privacy@casthubone.com
Postal Address:
CastHubOne Ltd.
Auf der Bojewiese 59b
21033 Hamburg
Germany
Response Time: We will respond to all inquiries within 10 business days.

18. Acknowledgment

By using CastHubOne, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.

This Privacy Policy is effective as of the date specified above and supersedes all previous privacy policies.

Document Information

Version 1.0 β€’ Last Updated: November 2025 β€’ Next Review: November 2026