Privacy Policy

Effective date: 18 June 2026

Changes:

• 2. Scope
  • include streaming services in the list of those services whose privacy policy is out of the scope of this Agreement.
• 4.1 Account data
  • corrected to reflect what we actually store: your email, the OAuth provider used, and that provider’s stable subject identifier. We do not collect your name, never receive your password, and do not retain the provider’s access or refresh tokens.
• 4.4 Listener analytics
  • clarified that the listener IP is truncated to a /24 at the CDN edge, used only momentarily to deduplicate requests within 24 hours and never stored; what we retain is aggregated (per-day download counts per episode, a derived country code, and a User-Agent category).
• 4.7 Website analytics
  • added to reflect consent-based Google Analytics 4 on castcore.fi.
• 5. Cookies and local storage
  • corrected to describe both strictly necessary cookies — the session cookie and the short-lived OAuth sign-in state cookie — and the optional GA4 analytics cookies on the main website.
• 7. Retention
  • account data is now erased when you delete your account; listener analytics, being aggregated and anonymous, are retained indefinitely.

The contents of this document may be subject to change without notice until launch.

This policy is written in English. In case of any translation, the English version prevails.

1. Controller

Castcore is operated by Collins Group Oy (Y-tunnus: 3325948-1), hereinafter “Castcore”, “we”, “us” or “our”. Registered address: Finland. Contact: castcore@collinsgroup.fi.

2. Scope

This policy applies to all personal data processed in connection with the Castcore service at castcore.fi and any associated subdomains (including shows.castcore.fi and manager.castcore.fi). It does not cover third-party websites linked from Castcore, or any platforms that are not linked from Castcore, but share content distributed through Castcore, including streaming services.

3. Legal basis

We process personal data on the following legal bases under Article 6 of the GDPR:

• Contract (Art. 6(1)(b)) — processing necessary to provide the service you have subscribed to, including account management, podcast hosting, transcoding and delivery.
• Legitimate interests (Art. 6(1)(f)) — analytics, fraud prevention, security monitoring, and improving the service.
• Legal obligation (Art. 6(1)(c)) — VAT and accounting records required under Finnish law (Accounting Act (Kirjanpitolaki) 1336/1997, Value Added Tax Act (Arvonlisäverolaki) 1501/1993).
• Consent (Art. 6(1)(a)) — where we ask for it explicitly, such as website analytics and optional marketing communications. Consent may be withdrawn at any time.

4. Data we collect

4.1 Account data

When you create an account: your email address, which OAuth provider you used (Google or Microsoft), and the stable subject identifier that provider issues for you. We do not collect your name, we never receive your password, and we do not retain the provider’s access or refresh tokens — they are discarded as soon as sign-in completes.

4.2 Billing data

Subscription plan, payment history, and country of residence. Payment card details are handled exclusively by Stripe and are never transmitted to or stored on Castcore systems. We receive a tokenised reference and Stripe’s VAT metadata (customer country, applied rate) for accounting purposes.

4.3 Content data

Audio files, episode metadata (titles, descriptions, artwork, chapter markers), show metadata, and any transcripts you create or upload. This content is yours and is processed only to provide the service (transcoding, delivery, index).

4.4 Listener analytics

When a listener fetches or plays your podcast, our CDN edge records the request with the IP address already truncated to a /24 block (the final octet removed). We use that truncated value only momentarily — to deduplicate repeated requests from the same listener within a 24-hour window — and never store it. What we retain is aggregated: per-day download counts per episode, a derived country code, and a User-Agent category (the kind of app, e.g. “Apple Podcasts”). These aggregates are surfaced to you as your show’s analytics. We do not and will not build listener profiles and do not link listener events to registered user accounts. Listener analytics data is never sold, licensed, or shared with third parties for commercial or advertising purposes.

We may use the aggregated listener data for improving our platform.

4.5 Usage data

Log entries from your use of the manager interface: HTTP method, path, response code, anonymized IP, and timestamp. Used for security monitoring and abuse detection.

4.6 Support communications

If you contact us by email, we retain the correspondence for up to three years.

4.7 Website analytics

With your consent, we use Google Analytics 4 (operated by Google Ireland Ltd.) to understand which pages on castcore.fi are read. We use this data solely to understand what content visitors find useful, so we can direct our attention to that content. No advertising profiles are built from this data, and we do not knowingly sell or share it with any third party.

5. Cookies and local storage

Castcore uses two strictly necessary cookies on manager.castcore.fi: a session cookie that keeps you signed in, and a short-lived state cookie set only during the OAuth sign-in handshake and discarded immediately afterwards. Both are strictly necessary for the service to function and do not require consent under Finnish law (Data Protection Act (Tietosuojalaki) 1050/2018 §22).

On the main castcore.fi website, we use Google Analytics 4 for page analytics. GA4 will only set cookies and collect analytics data if you give consent via the banner shown on your first visit. Without consent, GA4 runs in cookieless mode: no cookies are set and no identifiable data leaves your browser. You can change or withdraw your consent at any time by clearing the local storage for castcore.fi in your browser. We do not use advertising cookies or cross-site tracking.

6. Data processors and transfers

We use the following processors, each under a data processing agreement:

No personal data is transferred outside the European Economic Area by us or by the processors listed above. Stripe may transfer limited transaction data in accordance with their EU–US Data Privacy Framework commitments; we rely on standard contractual clauses where applicable.

7. Retention

After the applicable period, data is deleted or irreversibly anonymized.

* If the account is deleted, suspended, terminated or by other means made not accessible by the User, in case of confirmed fraudulent activity, including but not limited to, copyright infringement, CSAM, terrorism, or any other unlawful activity, the account data, along with any other data associated with the account, is kept for as long as required by any ongoing investigation, and will be excluded from automatic anonymization.

** An episode can only be deleted after thirty days have passed after its creation. When you delete an episode that has existed on our platform for a shorter period, it will be hidden from the directory and the RSS feed, and deleted on day 31. This retention period exists to allow us to detect and act on illegal content before permanent erasure, and is exercised under our legitimate interest in platform integrity (GDPR Art. 6(1)(f)).

8. Your rights

Under the GDPR and Data Protection Act (Tietosuojalaki) 1050/2018 you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data where no legal retention obligation applies.
• Portability — receive your account and content data in a machine-readable format.
• Restriction — ask us to limit processing while a dispute is resolved.
• Objection — object to processing based on our legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, email castcore@collinsgroup.fi. We will respond within one month. If you are not satisfied with our response, you may lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, tietosuoja.fi).

Where data has been irreversibly anonymized, it no longer constitutes personal data and cannot be subject to individual rights requests.

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest on OVH’s 3-AZ infrastructure. Access to production systems is restricted to named personnel and protected by multi-factor authentication.

In the event of a personal data breach, we will notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of it, as required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Art. 34.

10. Children

Castcore is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we will delete the account.

11. Changes to this policy

We will notify registered users of material changes by email at least 14 days before the change takes effect. The current version is always available at castcore.fi/privacy. Continued use of the service after the effective date constitutes acceptance.

12. Contact

Collins Group Oy castcore@collinsgroup.fi