Privacy policy.
Privacy-first private feeds
This policy explains how Readcast ("we", "our", "us") collects, uses, and protects personal information, including private RSS and audio bearer links.
Data controller
Readcast
Email: privacy@readcast.com
Data Protection Officer: privacy@readcast.com
Information we collect
Personal information you provide
- Account information: email address, username, password (stored as a salted bcrypt hash; see Data security)
- Profile data: voice preferences, playback speed settings
- Content: text content you submit for podcast generation
- Payment information: processed securely by Stripe (we don't store card details)
- Private feed/audio tokens: bearer credentials used by podcast apps to fetch private feeds and audio
Information we collect automatically
- Usage data: episodes created, character counts, download statistics
- Technical data: IP address, browser type, device information
- Cookies: session cookies for authentication, preference cookies for settings
- Log data: error logs, performance metrics (anonymized where possible)
Legal basis for processing
GDPR Article 6 — lawfulness of processing
- Contract performance (Art. 6.1.b): account management, episode generation, payment processing
- Legitimate interest (Art. 6.1.f): service improvement, security, fraud prevention
- Legal obligation (Art. 6.1.c): tax records, legal compliance
- Consent (Art. 6.1.a): marketing communications, optional analytics
How we use your information
- Service provision: generate podcasts, manage your account, process payments
- Communication: send service-related emails, respond to support requests
- Improvement: analyze usage patterns to improve the service
- Security: detect fraud, prevent abuse, maintain platform security
- Legal compliance: meet legal obligations, respond to legal requests
Data sharing and third parties
Third-party processors
- ElevenLabs: text-to-speech processing
- Google (Gemini API): text-to-speech processing when the Gemini voice provider is selected, and image-description processing when enabled
- OpenAI: title, narration, summary, and performance processing when enabled
- Anthropic: Autopilot briefing/research agent processing when enabled
- Google OAuth: sign-in for accounts that choose Google authentication
- Stripe: payment processing and billing portal
- Cloudflare: CDN, Workers, and R2 storage for generated audio
- Grafana Cloud: monitoring and operational logs when configured
We use contractual, security, and configuration controls appropriate to each processor. We do not sell personal information.
We do not sell your data
We never sell, rent, or trade your personal information to third parties for marketing purposes.
Data retention
- Active accounts: retained while your account is active
- Cancelled subscriptions: kept 12 months for potential reactivation
- Deleted accounts: generated episodes, local/R2 audio, feed subscriptions, API keys, OAuth tokens, RSS tokens, and private audio tokens are deleted or revoked during account deletion, subject to limited legal, tax, billing, security, and backup retention
- Legal requirements: some data retained longer for tax/legal compliance (up to 7 years)
- Logs and analytics: anonymized data may be retained for up to 2 years
Your privacy rights
Under GDPR, you have the right to:
- Access: request a copy of all personal data we hold about you
- Rectification: correct any inaccurate or incomplete data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Portability: receive your data in a machine-readable format
- Restriction: limit how we process your data
- Object: opt out of processing based on legitimate interest
- Withdraw consent: revoke consent for consent-based processing
To exercise these rights, contact privacy@readcast.com. We aim to respond promptly and within timeframes required by applicable law.
Data security
- Encryption: HTTPS/TLS in transit and provider-managed storage protections where applicable
- Access control: account authentication, CSRF protection, private feed tokens, private audio tokens, and owner checks
- Password security: passwords hashed using bcrypt with salt
- Regular audits: ongoing security assessments and vulnerability testing
- Data minimization: we only collect and store necessary data
- Incident response: breach notification procedures in place
Private RSS and audio links
Podcast apps need direct links to fetch episodes. Readcast uses unguessable RSS and audio tokens for that purpose. These links work like passwords: anyone with the exact URL may be able to fetch the private feed or audio until you rotate or revoke the relevant token.
Cookies and tracking
Essential cookies (no consent required)
- Session cookies: keep you logged in and maintain security
- CSRF protection: prevent cross-site request forgery attacks
- Preference cookies: remember your voice and speed settings
Optional cookies (consent required)
- Analytics: understand how the service is used (anonymized)
- Performance: monitor service performance and errors
Manage cookie preferences via the consent banner or your browser settings.
International data transfers
Some service providers are located outside the EU. We ensure adequate protection through:
- Adequacy decisions: transfers to countries with EU adequacy decisions
- Standard contractual clauses: EU-approved contractual protections
- Data processing agreements: contractual commitments to GDPR compliance
Children's privacy
Our service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we discover such data, we delete it promptly.
Changes to this policy
We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email or through the service. The updated policy is effective immediately upon posting.
Contact us
For privacy-related questions, data requests, or to exercise your GDPR rights:
- Data Protection Officer: privacy@readcast.com
- General support: support@readcast.com
- Response time: within applicable legal timeframes
Right to lodge a complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. EU residents can find their authority at edpb.europa.eu.