Quick overview — who processes your data?
For quick orientation — the complete list and all details follow below.
- IONOS SE (Montabaur, DE) — hosting, SMTP relay, VM snapshot backups
- Mollie B.V. (Amsterdam, NL) — payment processing & invoice handling
- Google Ireland Ltd. (Dublin, IE) — YouTube Data API, Gemini 2.5 Flash (transcription & clip analysis), Google Sign-In
- Microsoft Ireland Operations Ltd. (Dublin, IE) — authentication via Microsoft account (SSO)
- Apple Distribution International Ltd. (Cork, IE) — authentication via Apple ID (Sign in with Apple)
- Meta Platforms Ireland Ltd. (Dublin, IE) — Instagram, Facebook and Threads publications
- TikTok Technology Ltd. (Dublin, IE) — TikTok publications
- LinkedIn Ireland Unlimited Company (Dublin, IE) — LinkedIn publications
- X Corp. (San Francisco, USA) — X/Twitter publications (data processing also in the USA)
1. Controller
Daniel Ovadia
CastLoop
Eugen-Richter-Str. 159
76187 Karlsruhe, Germany
Email: info@castloop.de
2. Definitions
This privacy policy uses the terminology of the General Data Protection Regulation (GDPR). “Personal data” means all information relating to an identified or identifiable natural person.
3. Purposes and legal bases of the processing
We process personal data for the following purposes:
- Provision of the online offering and its functions (Art. 6 (1) lit. b GDPR)
- Fulfillment of contractual obligations (Art. 6 (1) lit. b GDPR)
- Fulfillment of legal obligations, in particular tax and commercial law retention obligations (Art. 6 (1) lit. c GDPR)
- Safeguarding of legitimate interests — in particular security, abuse prevention, analysis and improvement of our offering (Art. 6 (1) lit. f GDPR)
- Consents, insofar as these have been granted (Art. 6 (1) lit. a GDPR)
4. Server log files & hosting
When our website is accessed, access data is automatically stored in server log files (IP address, date and time, page accessed, user agent, referrer). This data serves technical operational security and is deleted or anonymized after 14 days at the latest.
Hosting: IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. Data processing takes place exclusively on servers in the European Union (Germany). IONOS also provides the SMTP relay for sending transactional emails as well as VM snapshot backups of the production environment. With the provider there is a data processing agreement pursuant to Art. 28 GDPR.
5. Registration & customer account
To use CastLoop you can create an account. Mandatory details are email address and password; optional are company/channel name, first and last name. The password is never stored in plain text, but stored as a hash using the modern Argon2id method (OWASP 2024 parameters).
Legal basis: Art. 6 (1) lit. b GDPR (performance of the contract). The data is deleted as soon as it is no longer required for the purposes of its collection and no statutory retention obligations prevent deletion.
6. Processed content
CastLoop processes content that you actively provide — in particular URLs of YouTube videos or podcast episodes, as well as the transcripts, clip files, title and caption suggestions generated from them. This content is used exclusively to provide the ordered service and deleted after the contractually agreed retention periods expire (usually 7 days for raw downloads, up to 90 days for generated clips in the context of the recycling feature). The clip files are stored exclusively on EU servers of IONOS SE; a transfer to cloud storage providers outside the EU does not take place.
7. Social login / SSO
To simplify sign-in, we offer single sign-on (SSO) via
various identity providers. If you use this option, you are
redirected to the respective provider; after successful
authentication, we receive a signed ID token (JWT), from which we
read exclusively a stable user identifier (sub) and your
email address. We receive no password and
no unlimited access to your account there.
7.1 Google Ireland Ltd. — Google Sign-In
Google Ireland Limited, Gordon House, Barrow Street,
Dublin 4, Ireland.
Authentication via Google account (“Sign in with Google”). We process
sub (stable Google user ID), email address,
email confirmation status, optionally name and profile picture URL. Details:
policies.google.com/privacy.
7.2 Microsoft Ireland Operations Limited — Sign in with Microsoft
Microsoft Ireland Operations Limited, One Microsoft Place,
South County Business Park, Leopardstown, Dublin 18, Ireland.
Authentication via Microsoft account (personal or work/school).
We process sub (stable Microsoft user ID, not
oid), email address and optionally display name. Details:
privacy.microsoft.com.
7.3 Apple Distribution International Ltd. — Sign in with Apple
Apple Distribution International Limited, Hollyhill
Industrial Estate, Hollyhill, Cork, Ireland.
Authentication via Apple ID. We process sub
(stable Apple user ID) and email address.
Note on private relay addresses: Apple offers the
“Hide My Email” option. In this case, we receive
exclusively an anonymized forwarding address of the form
<randomtoken>@privaterelay.appleid.com. We cannot
see your real email address in this case; Apple
forwards emails transparently to the address you have stored. Details:
apple.com/legal/privacy.
Legal basis for SSO: Art. 6 (1) lit. b GDPR (performance of the contract / pre-contractual measures).
8. Multi-platform posting (OAuth tokens & publications)
The core service of CastLoop is the automated publication of the generated clips on social media platforms connected by you. To do this, you provide us with OAuth access tokens of the respective platform. Your platform passwords are at no time viewed or stored by us.
Encryption of the tokens: OAuth access and refresh tokens are stored in our database exclusively in encrypted form, using AES-256-GCM (“envelope encryption”), with each ciphertext bound to a row-specific additional authenticated data (AAD) context (tenant ID, social account ID, platform). A leak of the database without access to the separately stored key material thus remains useless to an attacker.
8.1 Google Ireland Ltd. — YouTube / YouTube Shorts
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. CastLoop uses the YouTube Data API v3 exclusively on the YouTube channel connected by you via the following OAuth scopes:
- https://www.googleapis.com/auth/youtube.readonly — reading your own channel and video metadata (channel ID, title, thumbnail, video list with title, description, length, publication date). Used so that you can select in the dashboard which long-form videos CastLoop should extract short clips from. Only the endpoints channels.list and videos.list are called.
- https://www.googleapis.com/auth/youtube.upload — uploading the short clips you have approved (≤ 60 seconds, vertical format) as YouTube Shorts to your own channel. Only the endpoint videos.insert is called. No automatic upload takes place without your prior approval and scheduling.
At the time of upload, the clip file (MP4), the title you have assigned, the description, tags and the publication time are transmitted. The long-form original videos do not leave our servers at any time.
Limited Use — use assurance pursuant to the Google API Services User Data Policy (incl. Limited Use Requirements):
- We use the data received via the YouTube API exclusively to provide you with the function shown in the dashboard (clip selection, short upload).
- We do not sell data received via the YouTube API to third parties.
- We do not use data received via the YouTube API to display advertising or to personalize advertising.
- We do not train AI/ML models with the content received via the YouTube API.
- Human access (employees / contractors) to the data takes place exclusively (a) with your express consent, (b) for security purposes (e.g. investigation of an abuse or security incident), (c) to fulfill legal obligations or (d) if the data is anonymized/aggregated for internal operations.
You can deauthorize the YouTube channel at any time via Dashboard → Channels → Disconnect or revoke the connection directly in the Google account under “Third-party apps with account access”. After disconnection, the associated OAuth tokens are deleted immediately; YouTube Shorts already uploaded remain on your channel and can be managed by you as usual.
General privacy information from Google: policies.google.com/privacy.
8.2 Meta Platforms Ireland Ltd. — Instagram
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. Publication of reels / feed posts via the Instagram Graph API. Details: facebook.com/privacy/policy.
8.3 TikTok Technology Ltd. — TikTok
TikTok Technology Limited (ByteDance group), 10 Earlsfort Terrace, Dublin 2, Ireland. Publication via the TikTok Content Posting API. Details: tiktok.com/legal/privacy-policy.
8.4 LinkedIn Ireland Unlimited Company — LinkedIn
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Publication of video posts via the LinkedIn Marketing Developer Platform. Details: linkedin.com/legal/privacy-policy.
8.5 X Corp. — X (formerly Twitter)
X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Publication via the X API v2. X Corp. is based in the USA; data transfers to the USA are unavoidable for the use of the X platform. The safeguarding takes place on the basis of the EU standard contractual clauses (SCC 2021/914). Details: x.com/privacy.
8.6 Meta Platforms Ireland Ltd. — Facebook
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. Publication of Facebook page video posts via the Facebook Graph API. Privacy information: facebook.com/privacy/policy.
8.7 Meta Platforms Ireland Ltd. — Threads
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. Publication of Threads posts via the Threads Graph API. Since Threads is a Meta product, the same privacy policy applies as for Instagram: facebook.com/privacy/policy.
Legal basis for posting: Art. 6 (1) lit. b GDPR (performance of the contract). The respective platform is an independent controller under data protection law for the processing on its systems.
9. AI-assisted processing (transcription & clip analysis)
For the automatic creation of transcripts, the detection of exciting moments and the generation of hook/title variants, we use Google Generative AI (Gemini 2.5 Flash) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Audio/text transcripts as well as relevant metadata of the respective video are transmitted. The processing takes place within the EU or on the basis of standard contractual clauses; Google processes the content exclusively to provide the API service and not to train its models (paid-tier/enterprise terms, Gemini API Terms of Service).
Legal basis: Art. 6 (1) lit. b GDPR (performance of the contract).
10. Payment processing
Payment processing and the creation of the corresponding invoices are carried out via Mollie B.V. (Keizersgracht 126, 1015 CW Amsterdam, Netherlands). The data required for payment processing (amount, payment method, email, billing address) is transmitted to Mollie. Mollie is itself a controller within the meaning of the GDPR for the processing of the payment data. Further information can be found in the Mollie privacy policy.
Legal basis: Art. 6 (1) lit. b GDPR (performance of the contract), Art. 6 (1) lit. c GDPR (statutory retention obligations under § 257 HGB, § 147 AO).
11. Email dispatch
For sending transactional emails (registration confirmation, password reset, invoices, notifications about clips) we use the SMTP relay of IONOS SE (see section 4). A separate dispatch service provider outside the EU is not used. The dispatch takes place exclusively over TLS-encrypted connections (TLS 1.2 or higher).
12. Cookies & comparable technologies
Our marketing website castloop.de sets no tracking cookies and no cookies for advertising purposes. The application app.castloop.de uses exclusively technically necessary cookies (in particular an HttpOnly cookie for the secure refresh token, CSRF protection, CSP nonces). No consent is required for this pursuant to § 25 (2) no. 2 TDDDG. Further details can be found in our cookie policy.
13. Recipients of the data / processors
The following service providers process personal data on our behalf or as independent controllers (in the case of social media platforms and Mollie):
- IONOS SE (Montabaur, DE) — hosting infrastructure, SMTP relay, VM snapshot backups
- Mollie B.V. (Amsterdam, NL) — payment processing & invoice handling
- Google Ireland Ltd. (Dublin, IE) — transcription and clip analysis via Google Generative AI (Gemini 2.5 Flash), YouTube Data API, Google Sign-In
- Microsoft Ireland Operations Ltd. (Dublin, IE) — authentication via Microsoft account
- Apple Distribution International Ltd. (Cork, IE) — authentication via Apple ID
- Meta Platforms Ireland Ltd. (Dublin, IE) — Instagram, Facebook and Threads publications
- TikTok Technology Ltd. (Dublin, IE) — TikTok publications
- LinkedIn Ireland Unlimited Company (Dublin, IE) — LinkedIn publications
- X Corp. (San Francisco, USA) — X/Twitter publications (data processing also in the USA, secured by SCC 2021/914)
We conclude a data processing agreement (DPA) pursuant to Art. 28 GDPR with all processors; corporate customers can, for their part, conclude a DPA with us (see DPA template).
14. Third-country transfers
Wherever possible, we process personal data within the European Union or the European Economic Area. In the following cases, a transfer to third countries (in particular to the USA) is unavoidable:
- X Corp. (USA) — when publishing clips on X
- Meta Platforms, Inc. (USA) — when publishing on Instagram, Facebook or Threads, insofar as Meta Ireland passes data to its US parent company
- TikTok Inc. / ByteDance Ltd. (USA / Singapore) — for TikTok publications, insofar as data is passed to group companies
- Apple Inc. (USA) — for Sign in with Apple, insofar as Apple Distribution International Ltd. passes data to its US parent company
- Google LLC (USA) — insofar as Google Ireland Ltd. passes data to its US parent company
- Microsoft Corporation (USA) — insofar as Microsoft Ireland Operations Ltd. passes data to its US parent company
For these third-country transfers, the safeguarding takes place on the basis of the EU standard contractual clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914 of the European Commission. Google, Microsoft, Meta and Apple are additionally certified under the EU-US Data Privacy Framework (DPF) and offer corresponding transfer commitments. If required, we provide you with copies of the concluded SCC upon request.
Legal basis: Art. 46 (2) lit. c GDPR.
15. Storage period
We process and store personal data only for as long as this is required to achieve the processing purpose or for as long as statutory retention obligations exist (in particular § 257 HGB: 10 years for accounting records / invoices, § 147 AO: 6 or 10 years for tax-relevant documents).
16. Your rights
Under the GDPR you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Withdrawal of consents granted with effect for the future (Art. 7 (3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Self-service in the dashboard: You can manage your data yourself at any time via the dashboard:
- Data export (Art. 15 GDPR) — under Settings → Export data you can download a machine-readable copy of your personal data (JSON).
- Account deletion (Art. 17 GDPR) — under Settings → Delete account you can permanently remove your account. The deletion takes place without undue delay from the production database and within 30 days also from all backups (IONOS VM snapshot rotation).
Alternatively, an informal message to info@castloop.de suffices.
Would you like to exercise your rights?
For access, rectification or deletion of your data, just write to us:
info@castloop.de (subject: Data protection)
17. Competent supervisory authority
The data protection supervisory authority competent for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, baden-wuerttemberg.datenschutz.de. A complete list of the state data protection commissioners can be found at the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
18. Currency
This privacy policy is continuously adapted to legal and technical developments.