Privacy Policy
Last updated: March 17, 2026
AutoPodcast.ai ("we", "us", "the Platform") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data in full compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018), the European Union General Data Protection Regulation (GDPR — Regulation 2016/679), and information security best practices aligned with ISO/IEC 27001:2022.
Data Controller
AutoPodcast.ai is the data controller responsible for your personal data. For all matters related to this policy, you can reach our Data Protection Officer (DPO) at: [email protected].
Legal Basis for Processing (LGPD Art. 7 / GDPR Art. 6)
We process your personal data based on: (a) Consent — when you voluntarily create an account on the Platform, you expressly consent to the collection and processing of your data for the purposes described in this policy; (b) Legitimate interest — to personalize your experience, display targeted advertisements based on your browsing behavior within the Platform, and improve our services; (c) Legal obligation — when required to comply with applicable laws and regulations; (d) Contract performance — to provide the services you requested upon registration.
Data We Collect
We collect only the minimum data necessary to provide our services: (1) Account data: name, email address, and profile picture (obtained via Google OAuth 2.0 or magic link email authentication) — strictly limited to what is essential for registration; (2) Browsing and usage data within the Platform: listening history, subscriptions, favorites, comments, episode interactions, and content preferences; (3) Technical data: IP address, browser type, device type, operating system, and access timestamps, collected for security, analytics, and platform improvement purposes; (4) Cookie and consent data: your cookie preferences and consent records; (5) Analytics data: page views, session duration, navigation paths, and interaction events collected through Google Analytics 4 (GA4) and Google Tag Manager (GTM); (6) Email engagement data: email open rates, click-through rates, and link interaction data from email digests and service communications. We do NOT collect sensitive data (racial origin, political opinions, religious beliefs, health data, biometric data, sexual orientation, or any special category data under LGPD Art. 11 / GDPR Art. 9).
Authentication and Third-Party Login
We use the OAuth 2.0 protocol (currently via Google; other providers may be integrated in the future) exclusively to simplify and secure the registration and login process. Through OAuth 2.0, we receive only your name, email address, and profile picture — the minimum required for account creation. We do NOT access your contacts, files, calendar, or any other data from your Google account or any other provider. The OAuth token is used solely for authentication and is not stored after the session is established.
How We Use Your Data
Your data is used for: (a) Providing the service — managing your account, subscriptions, listening history, and email digest preferences; (b) Personalization — recommending podcasts and episodes based on your listening behavior and preferences within the Platform; (c) Communication — sending email digests you have opted into with episode notifications at your chosen time window; (d) Targeted advertising — using your browsing behavior and content preferences WITHIN the Platform to display personalized advertisements. Advertisers NEVER receive your personal data — they only select audience segments (e.g., "users interested in technology"), and we handle the ad targeting internally; (e) Analytics and improvement — understanding usage patterns through GA4, GTM, email engagement metrics, and link tracking data to improve Platform features, content quality, and the overall user experience; (f) Product and service development — all navigation data, platform usage data, email interaction data, and behavioral analytics may be used to develop, improve, and optimize our products and services; (g) Security — fraud prevention, abuse detection, and platform integrity.
Advertising, Affiliate Partnerships, and Data Sharing
We may use your email address and browsing/navigation data collected within the Platform to personalize and deliver targeted advertisements. We also participate in affiliate advertising programs, including the Awin affiliate network (awin.com), which allows us to earn commissions by linking to partner merchants' products and services. When you click an affiliate link, Awin may place cookies on your device to track the referral and any resulting transactions. Awin processes this data as an independent controller under its own privacy policy (available at awin.com/legal). However, your personal data from AutoPodcast.ai is NEVER shared, sold, rented, or otherwise disclosed to any third-party advertiser, affiliate network, or partner beyond what is strictly necessary for the affiliate tracking (i.e., the click event and transaction confirmation). Advertisers and affiliate partners define target audiences by interest category, and our systems match ads internally — the advertiser never knows who you are or has access to your personal data from our Platform. All ad targeting is performed within our systems, and no personally identifiable information leaves our infrastructure for advertising purposes beyond standard affiliate click tracking.
Analytics and Tracking Tools
We use the following analytics and tracking tools to understand user behavior, improve our services, and optimize the Platform experience: (a) Google Analytics 4 (GA4) — collects anonymized usage data including page views, session duration, navigation paths, user interactions, and demographic/interest reports. GA4 uses first-party cookies and may transfer data to Google servers in the United States. Data is processed in accordance with Google's data processing terms; (b) Google Tag Manager (GTM) — manages and deploys tracking tags on the Platform. GTM itself does not collect personal data but facilitates the deployment of analytics and marketing tags; (c) Shortened link tracking — we may use shortened URLs (in emails, social media, and within the Platform) that track click-through data including: the number of clicks, geographic region (country/city level), device type, referral source, and timestamp. This data is used to measure content engagement and optimize distribution strategies. All analytics tools are configured to respect your cookie consent preferences. Analytics cookies are only activated after you provide explicit consent through our cookie banner.
Email Communication Tracking
When you opt into receiving email digests or service communications from AutoPodcast.ai, we may track: (a) Email open rates — whether and when you opened an email, using a small transparent tracking pixel; (b) Link clicks — which links within the email you clicked and when; (c) Email client and device data — the type of email client and device used to open the email. This data is used exclusively to: improve the relevance and quality of our email communications, optimize send times and content based on engagement patterns, ensure deliverability, and enhance our products and services. You can opt out of email communications at any time through your profile settings or by clicking the unsubscribe link in any email.
Link Tracking and URL Shortening
We may use shortened or tracked URLs across the Platform, in emails, and on social media to measure engagement and understand content performance. When you click a tracked link, we may collect: the URL you clicked, timestamp of the click, your approximate geographic location (country/city level based on IP), device type and browser, and the referral source. This data is aggregated and used to improve content recommendations, measure the effectiveness of our communications, and optimize the user experience. Tracked links always redirect to the intended destination without delay.
Third-Party Data Sharing
We do NOT sell, rent, or share your personal data with third parties, except: (a) Service providers who process data on our behalf (Google Cloud Platform for hosting, Google Analytics for analytics, SendGrid for email delivery) under strict contractual obligations and data processing agreements (DPAs) compliant with LGPD and GDPR; (b) When required by law, court order, or competent authority request; (c) To protect the rights, property, or safety of AutoPodcast.ai or its users. All third-party processors are contractually bound to process your data solely for the purposes we specify and to implement appropriate technical and organizational security measures.
Your Rights (LGPD Art. 18 / GDPR Art. 15-22)
You have the following rights regarding your personal data: (a) Right of access — request a copy of all personal data we hold about you; (b) Right to rectification — correct inaccurate or incomplete data; (c) Right to deletion (right to be forgotten) — request permanent deletion of your account and all associated data at any time, directly through the Platform; (d) Right to data portability — receive your data in a structured, machine-readable format; (e) Right to withdraw consent — revoke your consent at any time, which will not affect the lawfulness of prior processing; (f) Right to restrict processing — request limitation of data processing in certain circumstances; (g) Right to object — object to data processing based on legitimate interest; (h) Right to information — be informed about third parties with whom your data has been shared; (i) Right to non-discrimination — exercising your rights will never result in discriminatory treatment. To exercise any of these rights, contact us at [email protected] or use the account deletion feature directly on the Platform.
Account Deletion and Data Erasure
You may request the deletion of your account and all associated personal data at any time directly through the Platform's profile settings. Upon deletion request: (a) Your account is immediately deactivated and your data is soft-deleted; (b) After 30 days, all your personal data is permanently and irreversibly erased from our active systems; (c) Backup copies containing your data are purged within 90 days following our backup rotation cycle; (d) Anonymized and aggregated statistical data (which cannot identify you) may be retained for analytics. If you prefer not to register, you can freely use the Platform without an account — all podcast content is publicly available. Registration is entirely optional and exists solely to enhance your experience (subscriptions, listening history, personalized digests).
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy: (a) Account data — retained while your account is active; (b) Browsing and usage data — retained while your account is active; (c) Analytics data (GA4/GTM) — retained for up to 14 months as per Google Analytics default retention settings; (d) Technical/security logs — retained for up to 12 months for security audit purposes, then permanently deleted; (e) Consent records — retained for 5 years as required by law to demonstrate compliance. Upon account deletion, the data erasure process described above is initiated immediately.
International Data Transfer
Your data may be processed and stored on servers located outside your country of residence (including the United States, via Google Cloud Platform and Google Analytics). All international transfers comply with LGPD Chapter V and GDPR Chapter V, using Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent safeguards recognized under Brazilian law. We ensure that all data processors in third countries provide adequate levels of data protection.
Information Security (ISO/IEC 27001:2022 Aligned)
We implement technical and organizational security measures aligned with ISO/IEC 27001:2022 best practices, including: (a) Encryption — all data in transit is protected via TLS 1.3, and data at rest is encrypted using AES-256; (b) Access control — role-based access control (RBAC) with the principle of least privilege for all system access; (c) Authentication security — OAuth 2.0 protocol with secure token handling; no passwords are stored; (d) Infrastructure — hosted on Google Cloud Platform with SOC 2 Type II, ISO 27001, and ISO 27017 certifications; (e) Monitoring — continuous security monitoring, logging, and alerting for suspicious activities; (f) Regular assessments — periodic vulnerability assessments and security reviews; (g) Data minimization — we collect and process only the minimum data necessary for each purpose.
Security Incident Response
In the event of a security incident involving personal data, we will: (a) Notify the Brazilian National Data Protection Authority (ANPD) and/or the relevant EU supervisory authority within 72 hours, as required by LGPD Art. 48 and GDPR Art. 33; (b) Notify affected data subjects without undue delay when the incident poses a high risk to their rights and freedoms; (c) Document the incident, its effects, and remedial actions taken; (d) Implement corrective measures to prevent recurrence.
Cookies
We use essential cookies for session management, language preferences, and theme settings (strictly necessary — cannot be disabled), and optional analytics cookies including Google Analytics 4 (GA4) cookies (only with your explicit consent). For complete details, see our Cookie Policy.
Children and Minors
Our Platform is not intended for children under 13 years of age (or under 16 in jurisdictions where GDPR applies). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor without proper parental consent, we will take immediate steps to delete such data.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated via email to registered users and/or through a prominent notice on the Platform. Continued use of the Platform after changes constitutes acceptance of the updated policy.
Data Protection Contact
For any privacy-related inquiries, data subject requests, or complaints, contact our Data Protection Officer at: [email protected]. We will respond to all legitimate requests within the timeframes mandated by applicable law (15 days under LGPD, 30 days under GDPR).
Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with: (a) In Brazil: the National Data Protection Authority (ANPD) — www.gov.br/anpd; (b) In the EU: the Data Protection Authority (DPA) of your country of residence. We encourage you to contact us first at [email protected] so we can address your concerns directly.