Legal

Privacy Policy

Privacy Policy for Spotcast - how we collect, use, and protect your personal data

Last Modified: 19. March 2026

We are committed to protecting your personal information and ensuring transparency in how we collect and use it. This Privacy Policy applies to all users of the Spotcast platform, including talent, clients, and visitors to our website.

1. Data Controller

Spotcast OG
Johannes Balog & Stefanie Koch
Mannswörther Straße 57/3/8
2320 Mannswörth, Austria
Email: privacy@spotcast.com

2. Data We Collect

2.1 Personal Information

We collect the following categories of personal data:

Account Information:

  • Full name
  • Email address
  • Phone number
  • Profile picture
  • Professional biography
  • Social media links
  • Payment information (processed by Stripe)

Booking Information:

  • Event details (date, time, location, type)
  • Client contact information
  • Booking requirements and preferences
  • Communication history

Website Usage:

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and time spent
  • Referral sources

2.2 Automatically Collected Data

  • Cookies and similar technologies (see Section 8)
  • Analytics data (Google Analytics, only with your consent)
  • Security logs
  • Performance metrics

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary for booking services, payment processing, and platform functionality
  • Legitimate Interest (Art. 6(1)(f)): Security, platform improvement, fraud prevention, and AI-powered features (search, content assistance)
  • Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics), marketing communications
  • Legal Obligation (Art. 6(1)(c)): Tax compliance, record keeping, and regulatory requirements

4. Purpose of Data Collection

We use your information for the following purposes:

Platform Operations:

  • Account creation and management
  • Booking facilitation and coordination
  • Payment processing and financial transactions
  • Communication between talent and clients

Service Improvement:

  • AI-powered search and content assistance (via OpenAI)
  • Platform security and fraud prevention
  • Customer support

Marketing (with consent):

  • Newsletter and promotional communications
  • Platform updates and announcements

5. Third-Party Services and Data Sharing

We use the following third-party services that may process your data:

5.1 Essential Services

Supabase (Database & Authentication)

  • Purpose: Secure data storage, user authentication, and API services
  • Data processed: All personal information, account data, booking information
  • Legal basis: Contract performance, legitimate interest
  • Privacy policy: https://supabase.com/privacy

Stripe (Payment Processing)

  • Purpose: Payment processing, subscription management, talent payouts via Stripe Connect
  • Data processed: Payment information, transaction details, billing addresses
  • Legal basis: Contract performance, legal obligation
  • Privacy policy: https://stripe.com/privacy

Cloudflare (Hosting, CDN & Security)

  • Purpose: Application hosting, content delivery, DDoS protection, bot protection (Turnstile)
  • Data processed: IP addresses, request logs, security events
  • Legal basis: Legitimate interest (security, infrastructure)
  • Privacy policy: https://www.cloudflare.com/privacy/

OpenAI (AI Features)

  • Purpose: Talent search (semantic matching), search suggestions, content writing assistance, and offering generation
  • Data processed: Search queries, talent profile data (name, profession, description, offerings), and user-authored text submitted for AI assistance
  • Legal basis: Legitimate interest (platform functionality), contract performance
  • Privacy policy: https://openai.com/privacy

Resend (Email Delivery)

  • Purpose: Transactional emails (booking confirmations, notifications)
  • Data processed: Email addresses, email content
  • Legal basis: Contract performance
  • Privacy policy: https://resend.com/legal/privacy-policy

5.2 Analytics and Marketing

Google Analytics

5.3 Data Transfers

Some of our service providers may transfer data outside the EU/EEA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules (where applicable)

6. Data Retention

We retain your personal data for the following periods:

Account Data: Until account deletion or 3 years of inactivity
Booking Data: 7 years (legal requirement for business records under Austrian law — § 132 BAO)
Analytics Data: 14 months
Marketing Data: Until consent withdrawal
Security Logs: 12 months

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Right of Access (Art. 15): Request copies of your personal data
Right to Rectification (Art. 16): Correct inaccurate or incomplete data
Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
Right to Restrict Processing (Art. 18): Limit how we use your data
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time for consent-based processing

7.1 Exercising Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@spotcast.com
  • Response time: Within 30 days (may be extended to 60 days for complex requests)

7.2 Supervisory Authority

You have the right to lodge a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde Barichgasse 40-42 1030 Vienna, Austria Website: https://www.dsb.gv.at

8. Cookies and Tracking Technologies

8.1 Essential Cookies (Required)

These cookies are necessary for platform functionality and cannot be disabled:

CookiePurposeDuration
sb-*-auth-tokenSupabase authentication sessionSession
i18n_localeLanguage preference (en/de)1 year
Cloudflare cookies (__cf_bm, __cfruid)Bot protection and securitySession

We also use browser local storage for functional purposes such as storing your analytics consent preference.

8.2 Analytics Cookies (Optional — Consent Required)

Google Analytics cookies are only set after you give explicit consent via our consent dialog:

CookiePurposeDuration
_gaDistinguishes users2 years
_ga_*Maintains session state2 years

How consent works: When you first visit the platform, a dialog asks whether you accept analytics. You can choose "That's ok" to enable Google Analytics, or "Opt Out" to decline. You can change your preference at any time via the link in the website footer. Google Analytics is not loaded until you consent. Your preference is stored locally in your browser.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures:

  • Encryption in transit (TLS) and at rest
  • Regular security updates
  • Access controls and authentication
  • Network security monitoring

Organizational Measures:

  • Limited access to personal data on a need-to-know basis
  • Regular security reviews
  • Incident response procedures

10. Children's Privacy

Our services are not directed to persons under 18. We do not knowingly collect personal information from persons under 18. If we become aware that we have collected such data, we will delete it immediately.

11. International Data Transfers

Some of our service providers are located outside the EU/EEA (notably OpenAI and Cloudflare in the USA). We ensure adequate protection through Standard Contractual Clauses (SCCs) and applicable adequacy decisions.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The updated policy will be effective upon posting.

13. Contact Information

For any questions about this Privacy Policy or our data practices:

Email: privacy@spotcast.com

General Support

Email: support@spotcast.com