AdCast Privacy Notice (GDPR)

GDPR & Data Protection

AdCast LLC · 75 E 3rd St Ste 7, Sheridan, WY 82801, USA · privacy@adcast.app
Last updated:

1) Scope & Roles

Controller: For our website, accounts, billing, support, marketing, and product telemetry, AdCast LLC acts as the data controller.

Processor: For end-viewer and device telemetry processed on behalf of business customers using AdCast Player, AdCast acts as a data processor. Those activities are governed by our Data Processing Addendum (DPA).

EU/EEA Representative (Art. 27)

eurep.ie
27 Cork Road, Midleton Co. Cork, Ireland (A form through which to make GDPR requests)

We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). All GDPR queries from EU Data Subjects or Data Protection authorities should be submitted to eurep.ie via their dedicated form. BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Midleton Co. Cork, Ireland. Company number 635921.

We have not appointed a Data Protection Officer as we do not meet the statutory criteria. You may contact us at privacy@adcast.app.

2) What Personal Data We Process (Controller)

  • Account & Identity: name, email, password hash, organization, country.
  • Billing: payment token/ID, last-4, VAT/tax info, invoices (via payment provider).
  • Device & Display: device/display IDs, OS/version, app version, screen size/orientation, IP address, coarse location (from IP).
  • Service Telemetry: playlist/ad playback events, timestamps, error/crash logs, performance metrics.
  • Support & Communications: tickets, chat/email content, attachments, feedback.
  • Marketing Preferences: newsletter opt-in/out, campaign/UTM data (only if non-essential cookies/SDKs are consented).
  • Cookies & Online IDs: strictly necessary cookies; non-essential analytics/ads only after consent.

3) Purposes & Lawful Bases

| Purpose | Examples of Data | Lawful Basis |
|---|---|---|
| Provide & maintain the service | account, device, telemetry | Contract (Art. 6(1)(b)) |
| Billing, fraud prevention, tax | payment token/ID, invoices | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |
| Security & reliability | IP, device info, logs, crash data | Legitimate interests (service security, Art. 6(1)(f)) |
| Customer support | contact details, ticket content | Contract; Legitimate interests |
| Product analytics/A-B tests (non-essential) | cookies/online IDs | Consent (Art. 6(1)(a)) |
| Marketing communications | email, preferences | Consent (withdraw anytime) |

When we act as a processor, the customer is the controller and determines the lawful basis; we process only on documented instructions (see DPA).

5) Recipients & Sub-Processors

We use vetted vendors under data-processing agreements and appropriate safeguards. We disclose the minimum necessary data for the stated purposes. Customers will be notified of material sub-processor changes as required by the DPA.

| Vendor | Purpose | Typical Data | Region | Safeguard |
|---|---|---|---|---|
| Amazon Web Services (AWS) – S3, CloudFront, Lambda, MediaConvert | Hosting, storage, media processing, CDN | media files, telemetry, logs | EU/US (per service config) | SCCs; encryption at rest/in transit |
| Firebase Cloud Messaging (Google) | Push notifications | device token, app ID | Global (incl. US) | SCCs; limited use of tokens |
| Stripe / RevenueCat | Payments/subscriptions | payment token/ID, receipts | US/EU | SCCs; PCI-DSS |
| Sentry | Error & crash reporting | crash logs, stack traces, device/app metadata | EU/US (per plan) | SCCs; PII scrubbing |
| Email (e.g., Amazon SES) | Transactional emails | email address, metadata | US/EU (per region) | SCCs |
| Analytics (if enabled) – [e.g., GA4 or Plausible] | Product analytics | pseudonymous IDs, events | [EU/self-hosted/US] | Consent-based; SCCs if outside EEA/UK |
| Support (if used) – [e.g., Help Scout/Intercom] | Ticketing/chat | contact details, ticket content | [EU/US] | SCCs |

6) International Transfers & TIAs

When personal data is transferred outside the EEA/UK (e.g., to the United States), we rely on the European Commission’s Standard Contractual Clauses (and UK Addendum where applicable), apply supplementary measures (encryption, access controls, data minimization), and document transfer impact assessments for significant transfers. Where a vendor participates in an adequacy framework (e.g., EU–US Data Privacy Framework), we may rely on it in addition to SCCs where appropriate.

7) Security (Art. 32)

  • Encryption in transit (TLS) and at rest (e.g., S3 SSE); key management.
  • Least-privilege access, RBAC/MFA, audit logging, and monitoring.
  • Network segmentation, WAF/CDN protections, throttling/rate limiting.
  • Secure SDLC: code review, dependency scanning, secret hygiene.
  • Incident response playbooks, on-call procedures, evidence collection.
  • Backups and disaster recovery with periodic restore testing.
  • Vendor due diligence and contractual security obligations.

8) Data Retention

We keep personal data only as long as necessary for the purposes described above or to meet legal obligations, then delete or irreversibly anonymize it.

  • Account data: life of account + 6 years (tax/audit).
  • Playback/telemetry logs: 12–24 months (service reliability).
  • Support tickets: 24 months after closure (unless legally required longer).
  • Marketing consent records: duration of consent + 24 months.
  • Backups: rolling schedule [e.g., 30–90 days].

9) Your Rights (EEA/UK)

You can request access, rectification, erasure, restriction, portability, and objection, and you may withdraw consent at any time (withdrawal does not affect prior lawful processing). We respond within one month (extendable by two months for complex requests) and may verify your identity.

How to exercise: email privacy@adcast.app

You may lodge a complaint with your local supervisory authority (EU list via the EDPB; UK: ICO).

10) Children

AdCast is not directed to children and should not be used by individuals under the age of 16 without parental consent where required by law.

11) Automated Decision-Making

We do not make decisions producing legal or similarly significant effects solely by automated means. If this changes, we will provide meaningful information and a right to human review.

12) Data Breach Notification

We assess suspected personal-data incidents without undue delay. Where required, we notify the competent supervisory authority within 72 hours and affected individuals without undue delay.

13) Changes

We may update this page to reflect legal, technical, or business developments. We will indicate the “Last updated” date and, where appropriate, notify you.

14) Contact

AdCast LLC
75 E 3rd St Ste 7,
Sheridan, WY 82801, USA
Email: privacy@adcast.app
Phone: +1 (307) 683-0295

Appendix A — Processor Activities (Summary for Customers)

Subject matter & duration: operation of AdCast Player and related services for the term of the customer agreement.

Nature & purpose: storage, transmission, processing of media/playlists, device telemetry, and related support.

Types of data: device/display IDs, playback timestamps/events, IP address, user/admin account details in the customer workspace, support content.

Categories of data subjects: customer admins and users; display operators; viewers indirectly via device telemetry (no direct identification).

Customer responsibilities: provide a lawful basis and transparent notices to end users, configure retention, and honor data-subject rights requests directed to them as controller.

AdCast obligations: process only on documented instructions; confidentiality; security measures; sub-processor controls; assist with data rights, DPIAs, and incidents; delete/return data at end of services; audits per the DPA. See /dpa.
