Privacy Policy

Last updated: 14 October 2025
Effective date: 14 October 2025

This Privacy Notice for Internal Cast LLC (doing business as Internal Cast) ("we," "us," or "our") describes how and why we collect, store, use, and share ("process") your personal information when you:

  • Visit our website at https://www.internalcast.com or any linked site
  • Use the Internal Cast platform — an audio communication tool that converts text into AI-generated private podcast updates, with role-based access and user engagement analytics
  • Download and use our mobile applications (iOS/Android)
  • Interact with us via marketing, events, or other communications

If you disagree with our policies or practices, please do not use our Services. For questions or concerns, contact us at team@internalcast.com.

1. Data Controller

Internal Cast LLC acts as the Data Controller for all personal data we process. This means we determine the purposes and means of processing personal information.

2. Information We Collect

2.1 Personal Information You Provide

We may collect personal details you voluntarily provide, such as:

  • Name, email address, organization
  • Account registration details and team membership
  • Content you submit (e.g. text for podcast generation)
  • Payment information (processed securely by Stripe)
  • Support requests, surveys, event participation

2.2 Information Collected Automatically

When you use our Services, we may automatically collect:

  • IP address (anonymized where applicable)
  • Browser type and version
  • Device type, operating system, and app version
  • Pages viewed, in-app screens visited, and timestamps
  • Playback events: play, pause, seek, completion, listening duration
  • Error and crash logs (for debugging and reliability)

2.3 Special Categories of Data

We do not intentionally collect or process any special categories of personal data, such as information about health, political opinions, religious beliefs, trade union membership, sexual orientation, or biometric/genetic data. If you voluntarily provide such information within content uploaded or generated using our Services, you do so at your own discretion, and such data will be processed only as technically necessary to operate the Service. We strongly discourage users from uploading or including such information.

3. How We Use Your Information

We process information to:

  • Provide, operate, and maintain our Services
  • Authenticate users and manage secure access
  • Track playback progress and show episode analytics
  • Improve performance and user experience
  • Detect, prevent, and address technical issues or fraud
  • Communicate important updates, announcements, and respond to inquiries
  • Comply with legal obligations

3.1 Automated Decision-Making and AI Processing

Some features of Internal Cast rely on automated processing, including AI-based voice synthesis, transcription, and language understanding. These processes are not used to make decisions that produce legal or similarly significant effects on users. The AI systems operate under human oversight and are designed solely to deliver core service functionality, such as generating voice or transcribing content.

We do not perform profiling for advertising, scoring, or behavioral analysis purposes. Any future introduction of automated decision-making affecting user rights will be subject to explicit user consent and transparent disclosure.

4. Legal Basis for Processing (GDPR)

We process personal information under the following legal bases:

  • Performance of a contract — account creation, authentication, service delivery
  • Legitimate interest — analytics, service improvement, capacity planning, and security monitoring
  • Consent — when you opt-in to marketing communications or provide optional data

5. Analytics & Tracking Technologies

  • Vercel Analytics: collects anonymous, aggregated usage statistics (page views, region, device type)
  • Playback Analytics: events like play/pause/seek/progress are logged to understand engagement and improve UX
  • Crash Reporting: if Sentry or equivalent is enabled, device info, OS version, and stack traces may be collected to diagnose issues

We do not engage in behavioral advertising or cross-site tracking.

5.1 Analytics and Listening Metrics

We collect limited and anonymous analytics data related to how invited users interact with audio content within the Internal Cast platform. This includes playback actions (such as play, pause, progress milestones, completion, and seek events), device type, and basic session information.

This data is processed solely for the purpose of providing playback statistics and engagement insights to the workspace administrators who manage internal content. No personally identifiable information (such as names, email addresses, or IP addresses) is stored or shared with third parties.

The analytics functionality is powered by Google Analytics 4, configured in a privacy-friendly mode (with anonymized IPs and without user tracking across sites). These analytics are used exclusively for internal reporting, product improvement, and service reliability purposes.

Each workspace administrator or user who creates audio content on the Internal Cast platform is responsible for managing access to their published episodes. If an episode link is shared publicly outside the intended private group, playback analytics will still be collected for technical and statistical purposes, but Internal Cast is not responsible for the distribution or public availability of that content.

Analytics data for publicly shared or distributed episodes remains anonymous and is processed solely for aggregate reporting, platform reliability, and technical performance monitoring.

Internal Cast does not use analytics for advertising or audience profiling, even when episodes are publicly available. All analytics data, including anonymized IP information, is processed in accordance with applicable privacy regulations (such as GDPR).

5.2 Google Analytics Configuration

We use Google Analytics 4 in a privacy-friendly configuration without cookies, ad personalization, or client storage. All IP addresses are anonymized before processing and Google Signals are disabled. This setup allows us to measure basic website performance without tracking or identifying visitors.

5.3 Firebase Analytics (App Telemetry)

Internal Cast mobile apps use Firebase Analytics (Google LLC) to collect anonymous playback and engagement metrics. All analytics are configured in non-personalized mode — ad personalization, Google Signals, and IDFA tracking are disabled.

We explicitly set:

Analytics.setConsent([
    .adStorage: .denied,
    .adUserData: .denied,
    .adPersonalization: .denied
])

Data collected includes:

  • playback events (audio_start, audio_pause, audio_seek, audio_progress, audio_complete)
  • episode ID, playback position, and duration
  • app version, OS version, and device type
  • anonymous session timestamp (no IP or user ID)

This telemetry is used solely to improve playback performance and reliability. No behavioral profiling, cross-app tracking, or advertising use occurs. Users can disable analytics anytime in the app settings under “Send Anonymous Analytics.” Firebase processes this data under Google’s Data Processing and Security Terms and Standard Contractual Clauses (SCCs).

Firebase telemetry retention. Firebase telemetry is retained in aggregated form for up to 14 months, consistent with Google’s default retention settings, after which data is automatically deleted or aggregated. No identifiable user data is stored.

6. Cookies and Similar Technologies

We do not use cookies for analytics or advertising.

Session data and authentication tokens may be stored locally (browser sessionStorage, localStorage, or secure storage on device) to maintain login sessions.

7. Mobile App Permissions

Our iOS and Android apps may request access to:

  • Network – to stream audio and sync data
  • Local storage – to temporarily cache episode artwork or metadata
  • Push notifications – optional, used to notify about new episodes or updates

You can control or revoke these permissions in your device settings at any time.

8. Data Security

We apply appropriate technical and organizational measures to protect personal data, including:

  • Hosting on secure servers provided by DigitalOcean
  • HTTPS/TLS encryption in transit
  • Encrypted storage where applicable
  • Role-based access control and optional two-factor authentication
  • Signed or tokenized audio URLs with limited validity

9. Sharing Your Information

We do not sell or rent personal information to third parties.

We may share data with:

  • Service providers (Vercel, DigitalOcean, OpenAI, Stripe, email providers, CDN) under contractual agreements with data processing terms
  • Legal authorities when required by law

Payment Processing (Stripe):
Stripe processes payments as an independent data controller under their own Privacy Policy. We never store full credit card numbers.

10. Public Links & Tokenized Access

When you share an episode, a signed or tokenized URL may be generated.

These links have limited validity and can be revoked by administrators to protect privacy.

11. Data Retention and Deletion

  • Account data: retained until you request deletion or close your account
  • Playback analytics / usage data: typically retained 90 days in aggregated form
  • Crash logs: retained only as long as needed for troubleshooting
  • Backups: securely maintained for disaster recovery and expire automatically per our backup rotation schedule

We retain your personal data only for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements.

When you delete your account or request deletion:

  • Your personal data and content are deleted or anonymized from active databases within a reasonable time frame, usually within 30 days.
  • Certain data (such as financial records, billing details, or tax information) may be retained for up to 7 years as required by applicable law.
  • Backup copies may remain in our encrypted archives for up to 90 days after deletion, after which they are automatically and permanently erased or anonymized.

During the retention period, any preserved data is protected under the same security and confidentiality measures described in this Policy.

Support tickets and email correspondence are retained for up to 12 months unless required longer for dispute resolution.

Please note that data deletion from all systems is not instantaneous due to technical limitations and the presence of distributed backups.

12. Your Rights

If you are located in the EEA, UK, or California, you have the right to:

  • Access, correct, delete, or restrict processing of your personal data
  • Withdraw consent where processing is based on consent
  • Request data portability
  • Opt-out of sale of personal data (we do not sell personal data)
  • Not face discrimination for exercising these rights

Requests can be sent to team@internalcast.com.

Our Data Processing Agreement is available at https://www.internalcast.com/data-processing-agreement/.

Response Times and Identity Verification

We will respond to all valid requests to access, correct, delete, or otherwise exercise data subject rights within 30 calendar days of receipt. If we need more time to process a request due to its complexity or volume, we may extend this period by up to an additional 30 days, and we will inform you of the extension and its reasons in advance.

To protect your privacy and prevent unauthorized access, we may request additional information to verify your identity before fulfilling your request (for example, confirmation via your registered email address or account credentials). Requests that cannot be verified or that would compromise the privacy of others may be rejected, but we will always explain our reasoning.

Data That Cannot Be Deleted

Certain categories of data cannot be deleted immediately, including:

  • Financial transaction records and invoices required for accounting and tax compliance;
  • System and security logs maintained to ensure integrity and prevent abuse;
  • Backup or archival data, which is automatically deleted within defined retention periods.

Where deletion is not possible due to legal or technical reasons, we will instead anonymize such data so that it can no longer be associated with any identifiable user.

13. Children's Privacy

Our Services are not intended for individuals under 18.

If we discover that we have inadvertently collected personal data from a minor under 18, we will delete it as soon as possible.

14. International Transfers

Where data is transferred outside your region, we rely on Standard Contractual Clauses or equivalent safeguards.

We continue to rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms for international data transfers outside the EEA or UK. Copies of the relevant transfer safeguards may be requested by contacting us. Where transfers are made to providers in countries with different data protection standards (e.g., the United States), we ensure that appropriate contractual and technical safeguards are in place to maintain an equivalent level of protection.

15. Changes to This Policy

We may update this Privacy Policy from time to time.

For material changes, we will notify users by email, in-app notice, or website announcement at least 30 days prior to changes taking effect.

16. Contact Us

For privacy-related questions or to exercise your rights, contact:
Email: team@internalcast.com
Address: Internal Cast LLC, Wyoming, USA

If you have questions, concerns, or complaints regarding how we handle your data, you may contact us at team@internalcast.com.

If you reside in the European Economic Area (EEA) or the United Kingdom and believe that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first, and we will do our best to resolve the issue promptly.

Supervisory Authority contacts for EU/UK residents are listed at: