Privacy Policy

Last updated: 2026-06-04

CASTWORD LLC ("we", "us", or "our") operates CastVerb, including the CastVerb apps for macOS and iOS and the website at castverb.com. CastVerb is the product and service name; CASTWORD LLC is the legal entity responsible for this policy. This policy explains what data we collect, what stays on your device, what is sent to service providers for processing, and how you can access, export, or delete your data.

1. Data we collect

1.1 Account data

When you sign in with Apple, Google, or email, we receive the account identifiers needed to create and secure your CastVerb account. Depending on the sign-in method, this can include your email address, display name, profile picture URL, provider user ID, and a Supabase-issued user ID.

1.2 Entitlement and billing data

We store your tier, trial status, subscription status, renewal or expiration date, referral and redemption-code history, and administrative flags needed to operate the service. If you subscribe on iOS, Apple processes the In-App Purchase and CastVerb receives StoreKit transaction metadata such as product ID, original transaction ID, purchase date, and expiration date so we can grant the correct entitlement. If you subscribe on the web or desktop, Stripe collects payment details directly through its hosted checkout and billing portal. CastVerb receives Stripe customer, subscription, product, price, tax, and invoice identifiers so we can grant the correct entitlement. We never receive or store your full card number or CVC.

1.3 Service usage and metering data

To enforce free-tier limits, operate Pro access, prevent abuse, and understand reliability, we store limited per-session metadata such as timestamp, platform, app version, mode, duration, audio byte count, word count, provider, model, tier, and cost estimate. We do not store the audio, transcript text, prompts, screenshots, or clipboard contents in this metering data.

1.4 Personalization data (optional)

If you enable personalization or vocabulary sync, we store a small account-scoped profile of words, names, corrections, and preferences so CastVerb can better recognize terms you commonly use. You can edit, export, or delete this data from your account tools.

1.5 Feedback and support data

If you submit feedback, support messages, votes, replies, or comments, we store the content you submit and the account identifiers needed to show it back to you, respond to you, and manage abuse.

1.6 Diagnostic logs (optional)

If you enable remote diagnostics, CastVerb may send technical logs such as error messages, timing information, app version, OS version, and crash context to our diagnostic log provider. These logs are designed to exclude transcript text, audio, API keys, and clipboard contents.

2. Data we do not collect

CastVerb may keep short-lived audio files or session sidecars locally on your Mac or iPhone/iPad for recovery, reprocess, and "never make the user speak twice" workflows. These local files are not uploaded to CastVerb as stored records, and you can remove them from the app's privacy controls.

3. Why we collect it (legal basis under GDPR)

For EU and UK residents, GDPR Article 6 requires that we identify a lawful basis for each category of processing. Our bases are:

Data categoryPurposeLegal basis (GDPR Art. 6)
Account data (ยง1.1)Authenticate you, secure your account, operate the ServiceContract โ€” Art. 6(1)(b)
Entitlement and billing data (ยง1.2)Deliver paid and trial features, process subscriptions, keep tax and accounting recordsContract โ€” Art. 6(1)(b) and legal obligation โ€” Art. 6(1)(c)
Service usage and metering data (ยง1.3)Enforce quotas, prevent abuse, operate referrals, understand reliability and costContract โ€” Art. 6(1)(b) and legitimate interests โ€” Art. 6(1)(f)
Personalization (ยง1.4)Improve recognition of your vocabulary and preferencesConsent โ€” Art. 6(1)(a), withdrawable in Settings
Feedback and support (ยง1.5)Respond to you, manage feedback, prevent abuseContract โ€” Art. 6(1)(b) and legitimate interests โ€” Art. 6(1)(f)
Diagnostic logs (ยง1.6)Debug crashes and improve reliabilityConsent โ€” Art. 6(1)(a), default off, opt-in

4. Subprocessors

We share data with the following service providers as needed to operate the service:

ProviderPurposeData received
Supabase (US)Authentication, database, edge functionsAccount, entitlement, personalization, metering, feedback, support data
OpenAI (US)Transcription, polish, and experimental action mode where configuredAudio, transcript text, prompts, and screenshots only as needed for in-flight processing
Groq (US)TranscriptionAudio only as needed for in-flight processing
Apple (US/global)Sign in with Apple and iOS In-App PurchaseApple sign-in claims where used; StoreKit subscription transaction metadata for iOS purchases
Stripe (US)Payments (when paid tiers are available)Billing email, name, country, card details (handled by Stripe directly)
Axiom (US)Diagnostic log ingestion (optional)Scrubbed technical logs
Cloudflare (US/global)Website hosting, Workers, DNS, email routingWebsite and API traffic metadata
Resend (US)Transactional email (e.g. waitlist confirmations)Email address, message content

Each subprocessor has its own privacy policy. For transcription and model-processing providers, audio, transcript text, prompts, and screenshots are sent only as needed to provide the feature you request and are not stored by CastVerb as server-side records.

5. Cookies and analytics

The CastVerb website (castverb.com) does not use third-party analytics, advertising trackers, or marketing cookies. We use a single first-party browser storage key (castverb-theme) to remember your light/dark theme preference. This is essential for the UI and does not require consent under the EU ePrivacy Directive.

When you sign in, Supabase Auth sets a session cookie (and a refresh cookie) so you stay logged in. These are strictly necessary for the Service. Cloudflare may set short-lived security cookies to mitigate abuse; these are also strictly necessary and not used for tracking.

The native apps do not use web cookies. They store session tokens, settings, and (optionally) API keys locally on your device.

6. Retention

Account and entitlement data are retained for as long as your account is active. When you delete your account, data with a foreign-key reference to your user record is removed via database cascade, usually within 30 days, except for backups, subprocessors, security records, and legal-retention obligations. Logs shipped to Axiom are retained per Axiom's retention policy. Stripe and Apple retain transaction records under their own legal, tax, accounting, and platform obligations.

7. Your rights

Depending on your jurisdiction, you may have the following rights:

Use the export/delete controls in your account page or email support@castverb.com to exercise these rights. We respond within the time required by applicable privacy law and may need to verify your identity before acting on a request.

8. International data transfers

Our subprocessors are based primarily in the United States. If you access CastVerb from outside the US, your data will be transferred to and processed in the US. For EU, EEA, and UK residents, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) with subprocessors that support them. You can request copies of the relevant clauses by emailing us.

9. Security and breach notification

We use industry-standard safeguards including TLS for data in transit, encryption at rest in our databases, OS keychains for local API-key storage, and least-privilege access controls for our production systems. No system is perfectly secure.

If we become aware of a personal-data breach that is likely to affect your rights, we will notify affected users and supervisory authorities where applicable law requires.

10. DPO and EU representative

CastVerb has not appointed a Data Protection Officer at this time. For all privacy enquiries please email support@castverb.com.

CastVerb does not currently list an EU or UK representative on this page. EU and UK residents may contact us directly using the email address above.

11. Children

CastVerb is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced in the app and on this page. The "Last updated" date at the top reflects the most recent revision.

13. Contact

CASTWORD LLC
support@castverb.com