PRIVACY POLICY

1. INTRODUCTION & CONTROLLER IDENTITY

Cast Labs, a company registered in the United Kingdom, operates CloneCast and acts as the data controller for all personal data processed through our Services. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).

CloneCast is powered by our proprietary Cast Engine AI system, self-hosted retrieval-augmented generation (RAG) technology, and a licensed Fish Audio open-source voice synthesis system. All data processing occurs within our secure, self-hosted infrastructure—we do not rely on third-party AI services for biometric processing.

2. KEY DEFINITIONS

• Personal Data: Any information relating to an identified or identifiable natural person.
• Biometric Data: Special category data under GDPR Article 9, including voice recordings and facial images used for unique identification or authentication.
• Cast Engine: CloneCast's proprietary artificial intelligence system for agentic digital twin creation and management.
• Fish Audio: The licensed open-source voice synthesis technology we use for voice cloning and text-to-speech generation.
• RAG (Retrieval-Augmented Generation): Our self-hosted system for personalized knowledge retrieval and response generation.
• Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• Controller: Cast Labs, the entity determining purposes and means of personal data processing.
• Processor: Third parties processing data on our behalf under contractual obligations.

3. DATA SOVEREIGNTY PHILOSOPHY

4. CATEGORIES OF PERSONAL DATA COLLECTED

We collect and process the following categories of personal data, as defined under CCPA/CPRA:

4.1 Biometric Data (Special Category)

Under GDPR Article 9 and UK GDPR, biometric data constitutes "special category data" requiring heightened protection. We collect:

• Voice Recordings: High-resolution audio samples for Cast Engine training via Fish Audio.
• Facial Images/Video: Visual data for avatar creation and multimodal Cast synthesis.
• Biometric Templates: Derived mathematical representations (weights, embeddings) used for synthesis—not raw recordings.

We process biometric data only with your explicit, informed consent and solely for the purpose of creating your personalized Cast.

4.2 Account & Identity Data

• Email address (required for account creation)
• Username/display name
• Password (hashed and salted)
• Profile information (optional)

4.3 Technical & Usage Data

• IP addresses and geolocation data (city/country level)
• Device information (type, OS, browser)
• Session logs and interaction timestamps
• Cast usage statistics (generation count, duration)
• Error logs and diagnostic data

4.4 Payment & Billing Data

• Billing address
• Transaction history
• Payment method type (we never store raw card numbers—handled by PCI-DSS compliant processor)

5. SOURCES OF DATA COLLECTION

We obtain personal data from the following sources:

5.1 Directly From You

• Account registration forms
• File uploads (voice recordings, images)
• Cast configuration settings
• Support ticket submissions
• Newsletter subscriptions

5.2 Automatically Collected

• Browser cookies and similar tracking technologies
• Server logs (access times, pages viewed)
• Analytics tools (anonymized/pseudonymized)
• Security monitoring systems

5.3 Third-Party Sources

• Payment processors (transaction confirmation only)
• Authentication providers (if using social login—optional feature)

6. PURPOSES & LAWFUL BASIS FOR PROCESSING

We process your personal data only for specified, explicit, and legitimate purposes. Below is a comprehensive mapping of purposes to lawful bases under GDPR/UK GDPR and business purposes under CCPA:

6.1 Explicit Consent for Biometric Processing

Before processing your voice or facial biometric data, we obtain your explicit, freely given, specific, informed, and unambiguous consent through our onboarding flow. You may withdraw consent at any time via account settings or by contacting privacy@clonecast.io.

7. INTERNAL TRAINING PROTOCOLS

8. DISCLOSURE & SHARING

We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We disclose data only in the following limited circumstances:

8.1 Service Providers (Data Processors)

We engage trusted third parties to perform functions on our behalf, bound by Data Processing Agreements (DPAs) and contractual confidentiality:

Important: Processors have no independent right to use your data. They process only per our instructions and under strict confidentiality.

8.2 Legal Obligations

We may disclose data when required by law, court order, or regulatory authority, or to protect our rights, property, or safety.

8.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. You will be notified via email.

9. INTERNATIONAL DATA TRANSFERS

Cast Labs operates primarily within the UK/EEA. However, some processors may be located in countries without adequacy decisions. We implement appropriate safeguards:

We regularly review the necessity of international transfers and prioritize UK/EEA-based processors where feasible.

10. DATA RETENTION & DELETION

We retain personal data only as long as necessary for the purposes outlined, or as required by law. Below are our retention periods by data category:

10.1 Biometric Data Destruction Protocol

Upon retention expiry or account deletion:

• Raw biometric files are securely overwritten using DoD 5220.22-M standard (7-pass wipe).
• Fish Audio model weights are deleted from all storage tiers (production, backups).
• Deletion is verified via audit logs.
• De-identified analytics (aggregated usage stats) may be retained indefinitely for research—no re-identification possible.

11. SECURITY MEASURES

We implement technical and organizational measures to protect personal data against unauthorized access, loss, or destruction:

11.1 Technical Safeguards

• Encryption in Transit: TLS 1.3 for all data transmission between your device and our servers.
• Encryption at Rest: AES-256-GCM encryption for stored biometric data and sensitive records.
• Zero-Trust Architecture: Role-Based Access Control (RBAC) with principle of least privilege; no staff member accesses raw biometric data without audited, time-limited tokens.
• Pseudonymization: User identifiers separated from biometric data where possible.
• Anonymization: Analytics data stripped of direct identifiers via IP masking and aggregation.
• Secure Key Management: Encryption keys stored in hardware security modules (HSMs) or equivalent.

11.2 Organizational Safeguards

• Staff security training and confidentiality agreements.
• Annual third-party security audits and penetration testing.
• Data Protection Impact Assessments (DPIAs) for high-risk processing (biometric recognition).
• Incident response plan with 72-hour breach notification commitment (GDPR Article 33).

11.3 Privacy-Enhancing Technologies (PETs)

Where feasible, we deploy PETs to minimize data exposure:

• Differential privacy for aggregate analytics.
• Federated learning concepts (local Cast training without centralized raw data pooling).

12. COOKIES & TRACKING TECHNOLOGIES

We use cookies and similar technologies to enable functionality and improve user experience. Categories include:

• Essential Cookies: Required for authentication, session management, security (no consent required under UK PECR).
• Analytics Cookies: Measure site usage via pseudonymized data (consent obtained via banner).
• Marketing Cookies: Not currently deployed; if introduced, opt-in consent will be required.

13. CHILDREN'S PRIVACY

14. ELIGIBILITY RESTRICTIONS & USER REPRESENTATIONS

By using CloneCast, you represent and warrant that:

• You are 18 years of age or older.
• You do not suffer from serious mental health conditions or addictive tendencies that impair your ability to provide informed consent.
• You possess full legal rights (including "Right of Publicity") to all voice recordings, images, and other media you upload.
• You will not create Casts impersonating others without explicit written consent from the represented individual.
• You agree to indemnify Cast Labs against any legal claims arising from unauthorized use of another person's likeness.

Violation of these representations may result in immediate account termination and potential legal action.

15. PROFILING & AUTOMATED DECISION-MAKING

We engage in limited automated processing:

15.1 Profiling

Cast Engine analyzes your interaction history and preferences to personalize Cast responses and recommend features. This constitutes profiling under GDPR Article 22 but is based on your consent and contract performance—it does not produce legal or similarly significant effects.

15.2 Automated Decisions

We use automated systems for:

• Fraud Detection: Flagging suspicious account activity (e.g., abnormal Cast creation patterns, payment anomalies).
• Eligibility Verification: Automated checks of age self-certification during signup.

If an automated decision significantly affects you (e.g., account suspension), you have the right to:

• Obtain human intervention and review.
• Express your viewpoint and contest the decision.
• Receive an explanation of the logic involved.

No solely automated decisions produce adverse legal effects without human oversight.

16. YOUR PRIVACY RIGHTS

Depending on your jurisdiction, you have the following rights regarding your personal data:

16.1 GDPR/UK GDPR Rights (EEA/UK Residents)

• Right of Access (Article 15): Obtain confirmation of processing and a copy of your data.
• Right to Rectification (Article 16): Correct inaccurate or incomplete data.
• Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful (subject to legal retention obligations).
• Right to Restriction (Article 18): Limit processing in specific circumstances (e.g., during accuracy disputes).
• Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON/CSV) for transfer to another service.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent for biometric processing at any time (does not affect prior lawful processing).
• Right to Lodge a Complaint: File complaints with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority.

16.2 CCPA/CPRA Rights (California Residents)

• Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom shared.
• Right to Delete: Request deletion of personal information (subject to exceptions for legal compliance, fraud prevention, etc.).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising—this right is not applicable but available at /do-not-sell.html if practices change.
• Right to Limit Use of Sensitive Personal Information: Limit use of biometric data beyond service provision (not applicable—we use only for disclosed purposes).
• Right to Non-Discrimination: Exercise rights without receiving discriminatory treatment (pricing, service quality).

16.3 How to Exercise Your Rights

Submit requests via:

We will verify your identity using account credentials and contextual information (e.g., recent Cast names). For sensitive requests, additional verification may be required. Response time: 30 days (GDPR) or 45 days (CCPA), extendable once with notice.

17. DATA BREACH NOTIFICATION

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (e.g., ICO) within 72 hours of becoming aware (GDPR Article 33).
• Notify affected individuals without undue delay if the breach poses a high risk (GDPR Article 34).
• Provide details on the nature of the breach, likely consequences, and mitigation measures taken.
• Document all breaches internally for regulatory review.

Our incident response plan includes immediate containment, forensic analysis, and remediation to prevent recurrence.

18. THIRD-PARTY LINKS & SERVICES

Our Sites may contain links to external websites or integrate third-party services (e.g., social media embeds). These are not covered by this Privacy Policy. We recommend reviewing the privacy policies of any third-party sites you visit. Cast Labs is not responsible for third-party data practices.

19. CHANGES TO THIS PRIVACY POLICY

We may update this policy to reflect legal, operational, or technological changes. Updates will be posted on this page with a revised "Effective Date." For material changes affecting your rights:

• We will notify you via email to your registered address.
• Where required by law, we will obtain fresh consent (e.g., for new biometric processing purposes).

Continued use of Services after the effective date constitutes acceptance of the updated policy. We encourage periodic review.

20. LEGAL BASIS & COMPLIANCE SUMMARY

CloneCast's privacy framework is designed to comply with:

• UK GDPR: Data Protection Act 2018 (post-Brexit UK law).
• EU GDPR: Regulation (EU) 2016/679.
• CCPA/CPRA: California Civil Code §§ 1798.100–1798.199.
• UK PECR: Privacy and Electronic Communications Regulations 2003 (cookies).
• ICO Biometric Guidance: Best practices for biometric recognition systems.

Cast Labs maintains a Record of Processing Activities (ROPA) and conducts regular Data Protection Impact Assessments (DPIAs) for high-risk operations, available to supervisory authorities upon request.

END OF PRIVACY POLICY

© 2026 Cast Labs. All Rights Reserved.