Privacy Policy
Last updated: 2026-05-25
CASTWORD LLC ("CastVerb", "we", "us") operates the CastVerb desktop application for macOS and the website at castverb.com. This page explains what data we collect, why we collect it, how we share it, and the rights you have over it.
1. Data we collect
1.1 Account data
When you sign in with Google, we receive your email address, display name, and profile picture URL from Google's OAuth response. We store these in our database to identify your account.
1.2 Entitlement data
Your subscription tier (Basic or Pro), expiration date, redemption code history, and admin flag.
1.3 Personalization data (optional)
If you enable personalization, we sync a small profile of vocabulary and command patterns across your devices so dictation accuracy and action-mode suggestions improve over time. This profile is stored against your account and is never shared.
1.4 Usage telemetry (opt-in)
If you opt in, we record per-session metadata: which mode you used (dictation or action), session duration, byte counts, the provider and model that served the request, and your tier at the time. We do not record the contents of your transcriptions or your spoken commands in this telemetry.
1.5 Feedback you submit
Thumbs-up / down ratings on a session, free-form feedback posts, replies, and votes. These are linked to your account so you can see and edit your own posts.
1.6 Diagnostic logs (opt-in)
If you enable remote diagnostics, technical logs (error messages, timing information, app version, OS version) are sent to our log-shipping subprocessor (Axiom). These logs are scrubbed of transcription content before transmission.
1.7 Billing data (only if you subscribe)
If you start a paid subscription, Stripe collects your name, billing email, country, and (where applicable) tax identifier directly through its hosted checkout. CastVerb receives a Stripe customer ID, the product and price you selected, subscription status, and renewal dates so we can grant the correct entitlement. We never receive or store your full card number or CVC โ those stay with Stripe.
2. Data we do not collect
- Audio recordings. Your microphone audio is streamed directly from your device to your selected transcription provider (OpenAI Whisper, Groq, or others). CastVerb does not store or relay the audio.
- Transcription content. The text produced by transcription stays on your device. We never receive or store the actual text you dictate.
- Clipboard or paste contents. CastVerb saves and restores your clipboard locally as part of the paste flow. Clipboard contents never leave your device.
- API keys. If you supply your own API keys (BYO),
they are stored on your device only โ in the macOS Keychain via
Electron
safeStorageโ and are sent only to the corresponding upstream provider. We never receive your keys. - Screen contents. Action mode may take screenshots for the computer-use agent; those screenshots are sent directly to the chosen vision model and are not retained by CastVerb.
3. Why we collect it (legal basis under GDPR)
For EU and UK residents, GDPR Article 6 requires that we identify a lawful basis for each category of processing. Our bases are:
| Data category | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data (ยง1.1) | Authenticate you, operate the Service | Contract โ Art. 6(1)(b) |
| Entitlement data (ยง1.2) | Enforce tier-based access, deliver paid features | Contract โ Art. 6(1)(b) |
| Personalization (ยง1.3) | Improve dictation and command suggestions | Consent โ Art. 6(1)(a), withdrawable in Settings |
| Usage telemetry (ยง1.4) | Understand aggregate product behaviour | Consent โ Art. 6(1)(a), default off, opt-in |
| Feedback (ยง1.5) | Show your posts back to you and to other users | Contract โ Art. 6(1)(b), submission is voluntary |
| Diagnostic logs (ยง1.6) | Debug crashes and improve reliability | Consent โ Art. 6(1)(a), default off, opt-in |
| Billing data (ยง1.7) | Process payments, comply with tax law | Contract โ Art. 6(1)(b) and legal obligation โ Art. 6(1)(c) |
4. Subprocessors
We share data with the following service providers as needed to operate the service:
| Provider | Purpose | Data received |
|---|---|---|
| Supabase (US) | Authentication, database, edge functions | Account, entitlement, personalization, usage, feedback |
| OpenAI (US) | Transcription, Realtime API for experimental mode | Audio you record while using the app |
| Groq (US) | Transcription | Audio you record while using the app |
| Stripe (US) | Payments (when paid tiers are available) | Billing email, name, country, card details (handled by Stripe directly) |
| Axiom (US) | Diagnostic log ingestion (opt-in) | Scrubbed technical logs |
| Cloudflare (US/global) | Website hosting, DNS, email routing | Website traffic metadata |
| Resend (US) | Transactional email (e.g. waitlist confirmations) | Email address, message content |
Each subprocessor has its own privacy policy. Audio and transcription data flow directly from your device to the transcription provider under their terms; CastVerb is not an intermediary for that traffic.
5. Cookies and analytics
The CastVerb website (castverb.com) does not use
third-party analytics, advertising trackers, or marketing cookies.
We use a single first-party browser storage key
(castverb-theme) to remember your light/dark theme
preference. This is essential for the UI and does not require consent
under the EU ePrivacy Directive.
When you sign in, Supabase Auth sets a session cookie (and a refresh cookie) so you stay logged in. These are strictly necessary for the Service. Cloudflare may set short-lived security cookies to mitigate abuse; these are also strictly necessary and not used for tracking.
The desktop app does not use web cookies. It stores its session token, settings, and (optionally) API keys locally on your Mac.
6. Retention
Account and entitlement data are retained for as long as your account is active. When you delete your account, all data with a foreign-key reference to your user record is removed via database cascade within 30 days. Logs shipped to Axiom are retained per Axiom's retention policy (currently 30 days for the active dataset). Stripe retains transaction records for as long as required by US and EU tax and accounting law (typically 7โ10 years).
7. Your rights
Depending on your jurisdiction, you may have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data. Profile fields are managed by your Google account; for other fields contact us.
- Deletion (right to erasure): delete your account, which removes your personal data from our systems (subject to subprocessor retention windows and legal-retention obligations on billing records). To request deletion, email support@castverb.com from the address associated with your account.
- Portability: request your personalization profile, feedback posts, and entitlement history as a JSON export by emailing us.
- Restriction and objection: ask us to restrict processing or object to processing based on legitimate interest.
- Withdraw consent: turn off usage telemetry, diagnostic logging, and personalization in app Settings at any time. Withdrawal does not affect the lawfulness of prior processing.
- Do Not Sell or Share (California): CastVerb does not sell or share your personal information as defined by the CCPA.
- Lodge a complaint: EU/EEA and UK residents have the right to lodge a complaint with their national data protection authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/about-edpb/members.
Email support@castverb.com to exercise any of these rights. We respond within 30 days as required by GDPR; for complex requests we may extend by a further two months and will tell you within the first 30 days.
8. International data transfers
Our subprocessors are based primarily in the United States. If you access CastVerb from outside the US, your data will be transferred to and processed in the US. For EU, EEA, and UK residents, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) with subprocessors that support them. You can request copies of the relevant clauses by emailing us.
9. Security and breach notification
We use industry-standard safeguards including TLS for data in transit, encryption at rest in our databases, the macOS Keychain for local API-key storage, and least-privilege access controls for our production systems. No system is perfectly secure.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will also notify supervisory authorities where the law requires.
10. DPO and EU representative
CastVerb has not appointed a Data Protection Officer; our processing does not meet the GDPR Article 37 thresholds that would require one. For all privacy enquiries please email support@castverb.com.
CastVerb does not currently maintain an EU representative under GDPR Article 27. Our processing of EU personal data is occasional and low-risk; we will appoint a representative if and when our processing materially increases. EU residents retain all rights described in Section 7 and may contact us directly.
11. Children
CastVerb is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced in the app and on this page. The "Last updated" date at the top reflects the most recent revision.
13. Contact
CASTWORD LLC
support@castverb.com