Privacy Policy

Last updated: May 26, 2026

§ 1 Overview and Scope

This Privacy Policy explains how personal data is processed when you visit our marketing website at www.loonacast.com and when you use the Loonacast web application (together, the "Service"). It applies to visitors, registered users and persons whose voice, image or other personal data is contained in content that users upload to the Service.

Processing takes place in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications-Digital-Services Data Protection Act (TDDDG).

§ 2 Controller

The controller responsible for the processing of personal data within the meaning of Art. 4 No. 7 GDPR is:

Sascha Jan Roelofs

Köhlerstraße 26

89264 Weißenhorn, Germany

Email: sascha@loonacast.com

Phone: +49 1578 0908689

A separate Data Protection Officer has not been appointed because the statutory criteria of Art. 37 GDPR / § 38 BDSG are not met.

§ 3 Key Terms

  • Personal data – any information relating to an identified or identifiable natural person.
  • Processing – any operation performed on personal data, such as collection, storage, use or transmission.
  • Controller – the natural or legal person who determines the purposes and means of the processing.
  • Processor – a third party who processes personal data on behalf of the controller under a data processing agreement.
  • Data subject – the identifiable natural person whose personal data is processed.

§ 4 Server Log Files

Every request to the Service is logged automatically. Logs typically contain: browser type and version, operating system, referrer URL, requested resource, date and time of the request, transferred volume of data, HTTP status code and the user's IP address.

Purpose: ensuring stability and security of the Service, detecting and analysing abuse and technical errors.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a stable and secure Service).

Storage period: up to 14 days, unless extended retention is necessary to investigate a specific security incident.

§ 5 Cookies and Local Storage

The Service uses cookies, local storage entries and similar technologies. Some of them are strictly necessary to operate the Service (e.g. session cookies for authentication, a cookie that preserves a pending upload across page reloads, consent state). Strictly necessary technologies are stored on the basis of § 25 (2) No. 2 TDDDG and Art. 6 (1) (f) GDPR.

Non-essential technologies (such as analytics) are only loaded after you have given your consent via our cookie banner pursuant to § 25 (1) TDDDG and Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future via the cookie settings on this website.

§ 6 Analytics (Umami)

Subject to your consent, we use a self-hosted instance of the open-source analytics tool Umami to measure how visitors interact with our marketing website. The Umami instance runs on servers located in the European Union, so visitor data does not leave the EU for analytics purposes.

Processed data includes: pseudonymous distinct ID (stored locally in your browser), page URL, referrer, browser and operating system family, device category, approximate region derived from the truncated IP address, UTM parameters, and standardised conversion or engagement events triggered by your interaction with the page (e.g. clicking a call-to-action).

Legal basis: Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent).

Storage period: aggregated metrics for up to 24 months; raw events for up to 6 months. You can revoke your consent at any time via the cookie banner.

§ 7 Hosting and Object Storage (Hetzner)

The Service is hosted in data centres operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Application servers, databases and the object storage that holds your uploaded episodes and rendered clips are located in German Hetzner data centres (Falkenstein / Nuremberg).

Hetzner acts as our processor on the basis of a data processing agreement pursuant to Art. 28 GDPR. Data does not leave the European Union for hosting purposes.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract) and Art. 6 (1) (f) GDPR (legitimate interest in a reliable infrastructure).

§ 8 Account Creation and Authentication (Clerk)

Sign-up and sign-in are operated by Clerk, Inc., 660 King Street, Unit 345, San Francisco, CA 94107, USA. When you create an account, Clerk processes your email address, hashed password (or external OAuth identity for "Sign in with Google"), session tokens, IP address, browser fingerprint and authentication events on our behalf.

Account verification codes and security-related notifications are sent by Clerk via its own email infrastructure.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract).

International transfer: data is transferred to the USA. The transfer is safeguarded by the EU–US Data Privacy Framework (Clerk is certified) and additionally by Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.

§ 9 Transcription (AssemblyAI)

Uploaded audio and video files are transcribed by AssemblyAI, Inc., 185 Clara Street, Suite 100B, San Francisco, CA 94107, USA. AssemblyAI receives the audio track, returns a text transcript with word-level timestamps and speaker labels, and deletes the audio after processing in line with its data retention policy. We have disabled any use of customer audio for the training of AssemblyAI's models.

Legal basis: Art. 6 (1) (b) GDPR.

International transfer: data is transferred to the USA on the basis of Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.

§ 10 AI Processing (OpenAI, Anthropic)

To identify interesting moments in a podcast episode and to generate titles, hashtags and B-roll keywords, we send the transcript (not the audio itself) to third-party large language model providers:

  • OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, Ireland (with sub-processing by OpenAI, L.L.C. in the USA).
  • Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA.

We use API endpoints that do not train the providers' models on our input or output ("zero data retention" or equivalent settings, where offered). Both providers may, however, retain content for a short period (up to 30 days) for abuse-monitoring purposes.

Legal basis: Art. 6 (1) (b) GDPR.

International transfer: transfers to the USA are safeguarded by Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.

§ 11 Stock B-Roll (Pexels)

Optional B-roll footage is retrieved from Pexels GmbH, Hermannstr. 13, 20095 Hamburg, Germany. When the Service queries Pexels, we send a generic search term derived from your transcript. Pexels logs the request and IP address of the originating server (not your IP).

Legal basis: Art. 6 (1) (b) GDPR.

§ 12 Social-Media Publishing (Zernio)

Publishing rendered clips to social-media platforms (YouTube, Instagram, TikTok, LinkedIn, X, Facebook) is handled through ARBICHAT, S.L., trading as Zernio, Carrer Mallorca 2A, 17230 Palamós, Girona, Spain. Zernio acts as our processor under Art. 28 GDPR and holds, on our behalf, the OAuth access tokens you grant for each connected platform.

When you connect a platform, you are forwarded to that platform's authorisation flow. After you confirm the requested scopes, the platform issues tokens that are stored encrypted at Zernio and used only for the publishing actions you trigger (uploading a clip, scheduling a post, reading account metadata).

Once a clip has been published, the destination platform becomes an independent controller for the processing of the post and any audience interaction with it. The respective platform's own privacy policy applies in addition:

Legal basis for the publishing workflow itself: Art. 6 (1) (b) GDPR (performance of contract) and, with regard to the activation of an individual integration, your express consent given during the OAuth flow pursuant to Art. 6 (1) (a) GDPR.

You can disconnect any linked platform at any time from within Loonacast or directly via the platform's security settings. The stored tokens are then revoked and deleted.

§ 13 Payment Processing (Creem)

Subscription billing for paid plans is processed by Armitage Labs OÜ (creem.io), registry code 16977866, Telliskivi 57b/1, 10412 Tallinn, Estonia. When you purchase a paid plan, the data needed to process the payment (name, email address, billing address, payment method details) is collected and processed by Creem in its capacity as an independent data controller for the payment transaction. We only receive the information required to recognise your subscription (plan, status, invoice reference); we do not store full payment-card details on our own systems.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract) and Art. 6 (1) (c) GDPR (compliance with statutory accounting and tax obligations).

International transfer: Creem is established in Estonia (EU). No third-country transfer takes place for the payment processing performed by Creem itself.

§ 14 Transactional Emails (Resend)

Notifications relating to the Service (e.g. confirmation that a clip has been rendered, billing notifications, support replies) are sent via Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend processes your email address and the content of the message for the purpose of delivery and reports delivery, bounce and complaint status back to us.

Account-related emails such as email verification codes are sent by Clerk (see § 8).

Legal basis: Art. 6 (1) (b) GDPR.

International transfer: data is transferred to the USA on the basis of Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR; Resend is in addition certified under the EU–US Data Privacy Framework.

§ 15 Contact Requests

If you contact us by email or via a contact form, the information you provide (in particular your name, email address and the content of your message) is processed in order to answer your request and to deal with any follow-up communication.

Legal basis: Art. 6 (1) (b) GDPR for requests related to a contract, otherwise Art. 6 (1) (f) GDPR (legitimate interest in responding to inquiries). Messages are deleted as soon as their processing is no longer required and no statutory retention obligations apply.

§ 16 Content You Upload (Voices and Images of Third Parties)

The audio and video material that users upload typically contains personal data of third parties – in particular the voice and, in video material, the image of hosts, co-hosts and guests, as well as personal information shared during the conversation.

With regard to this content, the user uploading the material is the controller vis-à-vis the persons appearing in it. Loonacast acts as a processor on the user's behalf in accordance with our Data Processing Agreement. The user is responsible for obtaining any required consents or other legal bases from the persons concerned.

We do not use the uploaded content for our own purposes, in particular not for training our own AI models, and we instruct our sub-processors accordingly.

§ 17 Encryption (TLS, At-Rest Encryption)

All connections to the Service are encrypted via TLS (HTTPS). Uploaded media and generated clips are stored encrypted at rest in Hetzner Object Storage. OAuth tokens for connected social-media accounts are stored encrypted at our publishing processor.

§ 18 International Data Transfers

The following processors are located outside the EU/EEA or transfer data to a third country: Clerk, AssemblyAI, OpenAI (USA sub-processing), Anthropic and Resend (USA). All other processors named in this Privacy Policy — including Hetzner, Pexels, Zernio (ARBICHAT, S.L.), Creem (Armitage Labs OÜ) and Umami — operate exclusively within the EU.

For transfers to the USA we rely on the EU–US Data Privacy Framework (where the recipient is certified) and on the European Commission's Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, supplemented by additional technical and contractual safeguards where appropriate.

§ 19 Storage Period

  • Account data: for as long as your account exists; deleted within 30 days after account deletion, unless statutory retention obligations require longer storage.
  • Uploaded episodes and rendered clips: for as long as you choose to keep them; deleted within 30 days after you delete the content or the account.
  • Transcripts and metadata: same as the corresponding episode/clip.
  • Server logs: up to 14 days.
  • Analytics events: raw events up to 6 months, aggregated metrics up to 24 months.
  • Invoices and accounting data: 10 years (§ 147 AO, § 257 HGB).
  • Support correspondence: usually 3 years from the end of the year in which the inquiry was resolved.

§ 20 Your Rights as a Data Subject

Under the GDPR you have the following rights vis-à-vis us:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6 (1) (e) or (f) GDPR (Art. 21 GDPR), in particular against direct marketing
  • Right to withdraw consent at any time with effect for the future (Art. 7 (3) GDPR)

To exercise these rights, please contact us at sascha@loonacast.com. We may ask for information necessary to verify your identity.

§ 21 Automated Decision-Making, including Profiling

We use automated processing – including AI models – to generate proposals (clip suggestions, captions, hashtags, B-roll keywords) for our users. Such processing produces content for the user to review and does not have legal or similarly significant effects on the data subjects appearing in the uploaded material within the meaning of Art. 22 GDPR. The user always decides whether and in which form to use the generated output.

§ 22 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement (Art. 77 GDPR).

Competent authority for us:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18

91522 Ansbach, Germany

Phone: +49 981 180093-0

Email: poststelle@lda.bayern.de

Web: www.lda.bayern.de

§ 23 Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to the Service, to our processors or to applicable law. The current version is always available on this page. For material changes affecting registered users we will provide notice in text form (e.g. by email).