Privacy Policy

Last updated: May 2026

1. Introduction

This privacy policy explains how we — Brumm Labs GbR — process personal data when you use the app.casthub.one platform ("CastHubOne"). We process your data exclusively in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable provisions. CastHubOne is a B2B SaaS offering: use typically takes place on behalf of an organization that has invited you as a user. The legally binding version of this policy is the German one.

2. Data Controller

The controller responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is:

Brumm Labs GbR

Schimmelmannstr. 5, 22043 Hamburg, Germany

Email: hallo@brummlabs.de

Phone: +49 160 99110511

Further information is available in our legal notice.

3. Data Protection Officer

We are currently not legally required to appoint a data protection officer. For data protection inquiries, please contact us using the details listed in Section 2.

4. Data We Process

We process only the data necessary to operate the platform and provide our services:

4.1 Account and Profile Data

  • Email address
  • First and last name
  • Profile image (optional, from OAuth provider or upload)
  • Language and theme preference
  • Role (owner, success_manager, admin, user)
  • Organization membership and group memberships
  • Account creation and last-update timestamps

4.2 Learning and Activity Data

  • Per-podcast listening progress (in seconds)
  • Quiz attempts, answers and scores
  • Quiz status (not started, in progress, completed)
  • Completion timestamps

4.3 Content You Provide

  • Uploaded audio files and file metadata
  • Comments and feedback
  • Learning Experience Requests (LXR) and related materials

4.4 Technical Data

  • IP address (for rate limiting and security)
  • User-Agent (browser, operating system)
  • Server logs (method, path, status, duration)
  • Error and audit logs
  • Session tokens and JWTs (via our auth provider Clerk)

4.5 Notifications

  • Notification records (type, title, message, link)
  • Read status and context

5. Legal Bases

We process personal data on the following legal bases:

  • Art. 6 (1)(b) GDPR (performance of a contract) — for providing the platform and all features you use as part of a contract with your organization.
  • Art. 6 (1)(f) GDPR (legitimate interest) — for hosting, security, rate limiting, anonymized reach measurement and error analysis.
  • Art. 6 (1)(c) GDPR (legal obligation) — for compliance with statutory retention and disclosure requirements.
  • Art. 6 (1)(a) GDPR (consent) — where you have expressly granted your consent (e.g. for optional notifications).

6. Service Providers

We use carefully selected service providers to operate the platform. We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with all providers. For transfers to third countries (in particular the USA), EU Standard Contractual Clauses (SCC) are in place unless an adequacy decision applies.

6.1 Vercel (Frontend Hosting & Analytics)

Hosting of the web application app.casthub.one, content delivery, anonymized performance measurement (Vercel Analytics).

Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA

IP addresses, user-agent, request logs, anonymized page views. Vercel Analytics works cookieless and without personal identifiers.

Transfer to the USA based on EU Standard Contractual Clauses (SCC). Vercel operates edge locations in the EU.

Art. 6 (1)(f) GDPR (legitimate interest in stable hosting and reach measurement).

Privacy notice: https://vercel.com/legal/privacy-policy

6.2 Render (Backend Hosting & Database)

Hosting of the backend API core-api.brummlabs.com and the associated PostgreSQL database in which your account data, learning progress and content are stored.

Provider: Render Services, Inc., 525 Brannan St, Suite 300, San Francisco, CA 94107, USA

All data transmitted via the app, server and request logs.

Our backend instance is operated in the **Frankfurt (EU)** region. For operational purposes (support, monitoring), Render Inc. (USA) may obtain access on the basis of SCC.

Art. 6 (1)(b) GDPR (performance of contract).

Privacy notice: https://render.com/privacy

6.3 Clerk (Authentication)

Sign-in, session management, OAuth login via Google or Microsoft, multi-factor authentication.

Provider: Clerk, Inc., 660 King Street, Floor 4, San Francisco, CA 94107, USA

Email address, name, profile image URL, OAuth provider IDs, session tokens, IP addresses for security checks.

Transfer to the USA based on EU Standard Contractual Clauses (SCC).

Art. 6 (1)(b) GDPR (performance of contract — sign-in is required to use the platform).

Privacy notice: https://clerk.com/legal/privacy

6.4 Cloudflare R2 (Object Storage)

Storage of audio files (podcasts) and related metadata.

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA

Uploaded audio files, file metadata, access logs.

Transfer based on EU Standard Contractual Clauses (SCC). Cloudflare operates a global network; data is replicated preferentially in the EU.

Art. 6 (1)(b) GDPR (performance of contract).

Privacy notice: https://www.cloudflare.com/privacypolicy/

6.5 Anthropic (AI Features)

Support for AI-assisted features such as quiz generation, learning recommendations and LXR analysis.

Provider: Anthropic, PBC, 548 Market St PMB 90375, San Francisco, CA 94104, USA

Prompt content submitted to the AI (e.g. excerpts from podcasts, texts you create). Personal data is avoided wherever possible.

Transfer to the USA based on EU Standard Contractual Clauses (SCC). Anthropic does not use API content to train models.

Art. 6 (1)(f) GDPR (legitimate interest in efficient learning and analysis features).

Privacy notice: https://www.anthropic.com/legal/privacy

6.6 Resend (Email Delivery)

Sending of transactional emails (notifications, daily digests, invitations).

Provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA

Email address, message content, send timestamps, delivery status.

Transfer to the USA based on EU Standard Contractual Clauses (SCC).

Art. 6 (1)(b) GDPR (performance of contract) and Art. 6 (1)(f) GDPR (legitimate interest in reliable notification delivery).

Privacy notice: https://resend.com/legal/privacy-policy

7. Retention

We store your data only as long as necessary for the processing purpose. Account and learning data are stored for the duration of your platform use; after termination they are deleted or anonymized within 90 days, unless statutory retention obligations apply. Server and audit logs are typically retained for 30 days. Orphaned uploaded files ("orphan blobs") are automatically deleted after 24 hours.

8. Your Rights

You have the following rights regarding personal data concerning you:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten", Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 (3) GDPR) — the lawfulness of processing carried out before withdrawal remains unaffected.

An informal message to hallo@brummlabs.de is sufficient to exercise your rights.

8.1 Right to Complain to a Supervisory Authority

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Straße 22, 7. OG, 20459 Hamburg, Germany

https://datenschutz-hamburg.de

9. Security

We use technical and organizational measures to protect your data from unauthorized access, loss and manipulation. Data is transmitted encrypted (TLS 1.2 or higher). Passwords are stored in hashed form, in line with industry standards, by our auth provider Clerk; we ourselves do not store any passwords.

10. Automated Decisions and Profiling

Automated decision-making within the meaning of Art. 22 GDPR or profiling with legal effect does not take place.

11. Changes to This Privacy Policy

We reserve the right to amend this privacy policy, e.g. when we introduce new features or the legal situation changes. The current version is always available at this URL.