FluidCast Privacy Policy
Last Updated: 11 November 2025
1. Overview
FluidCast ("the App") is a privacy-respecting podcast application that focuses on minimal data collection. We only collect what is necessary to:
- Authenticate users (Supabase Authentication)
- Sync podcast subscriptions and playback progress across devices (Supabase PostgreSQL Database)
- Send verification and notification emails (Resend)
- Measure high-level daily active usage (a single analytics event per day per device - Firebase Analytics)
- Maintain app reliability and diagnose critical crashes (Firebase Crashlytics)
- Manage premium subscription entitlements (RevenueCat)
We do not use third-party advertising SDKs, behavioral tracking, or broad engagement analytics. We do not sell your personal data.
2. Data We Collect & Process
Below is a breakdown of data categories derived from the current implementation.
2.1 Account & Authentication (Supabase Auth)
- Email address (provided by you during sign up / sign in)
- Authentication tokens (managed by Supabase; passwords are hashed and not stored in plain text)
- Email verification status
- User ID (UUID assigned by Supabase)
2.2 Email Delivery (Resend)
- Email address (to send verification, password reset, and notification emails)
- Timestamp of email delivery
- Email delivery status (sent, delivered, bounced, etc.)
We currently use Resend only for transactional emails (verification, password reset). In the future, we may offer optional marketing emails (app updates, features, tips) through Resend, but only with your explicit consent. You can opt out at any time.
2.3 Subscription Sync Data (Supabase PostgreSQL Database)
Per user, we store only what is needed to reproduce your subscriptions and listening progress in the following tables:
- podcast_subscriptions: feed_url (the podcast feed URL), title, author, description, image_url, podcast preferences (download settings, notifications), timestamps
- episode_progress: episode_id, current_position (playback position), is_played (boolean), last_modified (timestamp), podcast_feed_url, episode_title
We intentionally keep metadata minimal—full podcast and episode details are resolved on-device from the RSS feed when needed.
2.4 Playback & Download Data (On Device Only)
Stored locally using Apple frameworks (SwiftData + file system):
- Episode metadata (title, description, duration, publish date)
- Downloaded audio files (saved under an app Documents/Downloads directory)
- Local file size & path for downloaded episodes
- Playback state: currentTime, isPlayed
- Automatic download settings (e.g., Wi-Fi only, latest only, max episodes)
- Per-podcast preferences: notification toggles, download strategy
This information is not uploaded unless explicitly mirrored as minimal sync fields (see 2.3).
2.5 Minimal Analytics (Firebase Analytics)
We limit analytics to a single custom event once per calendar day per device: active_user with parameters:
- authenticated (true/false) – whether you are signed in
- device_model (e.g., hardware identifier like iPhone15,2)
- device_class (iPhone / iPad / Mac)
- region (derived from system locale; not GPS)
- os_version (e.g., iOS_18.0.1)
- app_version and app_build
- language (primary preferred language code)
No interaction events (taps, searches, screens viewed, etc.) are logged.
2.6 Crash Reporting (Firebase Crashlytics)
On crashes or critical non-fatal errors, Crashlytics may collect:
- Stack traces & code paths
- Device model, OS version, app build identifiers
- (If signed in) A user ID (Supabase UUID) assigned to correlate crashes. We do not attach email or personal profile details.
2.7 Premium Subscriptions (RevenueCat)
RevenueCat processes data necessary to verify and manage your premium subscription entitlements. This includes:
- An anonymized app user identifier (linked to your Supabase UUID)
- App Store purchase receipts & transaction identifiers
- Platform + device metadata used to validate entitlements
- Subscription status and expiration date (non-personal)
We do not have access to your full payment details; all payments are processed securely through Apple.
2.8 System & Network Checks
We perform passive network reachability checks (Wi-Fi vs. Cellular) to decide when to sync or auto-download. We do not persist IP addresses or network identifiers.
2.9 Local Preferences & Caches
- A UserDefaults key (analytics.lastActiveUserLogDate) to prevent duplicate daily analytics events
- Image caches for artwork (not transmitted externally except when originally fetched from the podcast feed source)
3. What We Do NOT Collect
We do not collect:
- GPS / precise location
- Contact lists, calendars, photos, microphone recordings, or motion data
- Behavioral analytics (screen flows, button taps, retention funnels)
- Advertising identifiers (IDFA) for tracking
- Sensitive personal attributes
We also do not perform cross-app tracking or third-party ad targeting.
4. Legal Bases (EEA / UK / Similar Jurisdictions)
Where applicable under GDPR / UK GDPR:
- Account authentication & sync (Supabase): Performance of a contract (Art. 6(1)(b))
- Transactional email delivery (Resend): Performance of a contract (verification emails) and legitimate interest (notifications)
- Marketing emails (Resend - future/optional): Consent (Art. 6(1)(a)) - only if you opt in
- Crash diagnostics & minimal analytics (Firebase): Legitimate interest in app stability & aggregate usage measurement (Art. 6(1)(f))
- Subscription entitlement validation (RevenueCat): Performance of a contract
- User communications (support inquiries): Legitimate interest and/or performance of contract
Where consent is required by local law (e.g., for certain analytics jurisdictions), we will implement a consent prompt before activating optional analytics beyond the current minimal event.
5. How We Use the Data
- Provide cross-device sync of your podcast subscriptions and playback position
- Maintain reliable downloads & playback state
- Count daily active users (high-level only)
- Diagnose crashes & critical sync errors
- Verify and maintain premium subscription access
We do not profile users or build behavioral segments.
6. Data Sharing & Processors
We use the following service providers (data processors):
- Supabase (Authentication & PostgreSQL Database) – User authentication and cloud data storage for subscriptions and progress sync
- Resend (Email Delivery) – Transactional email delivery (verification, password reset, notifications)
- Google Firebase (Analytics & Crashlytics only) – Minimal usage analytics and crash diagnostics
- Apple (App Store) – Facilitates purchases and receipt generation
- RevenueCat – Subscription receipt validation & entitlement management
We do not sell or rent your data. We only disclose data if required by law or to defend legal rights.
7. Data Retention
- Subscription & progress sync data (Supabase): Retained until you delete your account. When you initiate deletion, data is marked for removal and permanently deleted after a 7-day grace period (see Section 9). We do not automatically delete inactive accounts, as this data is necessary to preserve your podcast subscriptions and listening progress if you return later.
- Pending account deletions: Records of deletion requests are stored for the grace period duration and purged along with your account data once the grace period expires.
- Email delivery logs (Resend): Retained according to Resend's standard retention policy (typically 30-90 days).
- Daily active analytics events (Firebase): Stored by Firebase according to its standard retention (typically up to 14 months unless configured otherwise).
- Crash reports (Firebase): Retained per Firebase Crashlytics default retention window.
- Subscription data (RevenueCat): Retained as long as your subscription is active and for a reasonable period thereafter for entitlement verification.
- Local downloads: Remain on your device until you delete them or uninstall the App.
We may implement optional account cleanup tools in future updates, but we will not delete your data without your explicit request.
8. Your Rights
Depending on your jurisdiction (e.g., GDPR, CCPA/CPRA, UK GDPR), you may have rights to:
- Access a copy of personal data we store about you
- Correct inaccurate data (limited—data set is minimal)
- Delete your account & associated sync data
- Restrict or object to certain processing (e.g., crash correlation via user ID)
- Data portability (your subscription feed URLs and progress metadata)
To exercise rights, contact support@fluidcastapp.com. We may need to verify account ownership (e.g., by sending a confirmation link to your registered email).
CCPA/CPRA: We do not sell or share personal information as defined under California law.
9. Account & Data Deletion
You can delete your account and all associated sync data directly within the App using the Delete Account option in settings.
9.1 Soft Deletion & Grace Period
When you initiate account deletion, we implement a 7-day grace period by default:
- Your account is marked for deletion and scheduled for permanent removal after 7 days.
- During this grace period, you can cancel the deletion request by signing back in. All your data remains intact and accessible.
- After the grace period expires, your account and all associated data are permanently deleted and cannot be recovered.
This grace period protects against accidental deletions and gives you time to reconsider. If you need immediate deletion without a grace period, contact support@fluidcastapp.com with your request.
9.2 What Gets Deleted
Account deletion (after grace period) permanently removes:
- Your Supabase authentication account and profile
- All podcast subscriptions and episode progress stored in our database
- Premium subscription entitlement records (note: active App Store subscriptions must be cancelled separately through Apple)
- Sync queue records
- Any crash correlation identifiers tied to your user ID
9.3 What Remains
- Local data on your device (downloaded episodes, preferences) remains until you uninstall the app.
- Historical analytics events (already anonymized) may persist in Firebase's retention window.
- Email delivery logs in Resend's system (per their retention policy, typically 30-90 days).
- RevenueCat transaction history (per their compliance requirements for financial records).
You can also email support@fluidcastapp.com with the subject: "FluidCast Data Deletion" and include the email you used to register if you prefer manual processing.
10. Security Measures
- Transport security: All network calls use HTTPS/TLS.
- Cloud storage: Hosted on Supabase infrastructure (built on PostgreSQL with industry-standard physical and logical safeguards).
- Database security: Row Level Security (RLS) policies ensure users can only access their own data.
- Principle of data minimization: Only essential fields are synced (feed URLs, titles, and progress metadata).
- Access control: Authentication required for any user-specific database reads/writes.
- Password security: Passwords are hashed using industry-standard algorithms and never stored in plain text.
No system is perfectly secure; if we detect a data incident affecting you, we will follow applicable legal notification requirements.
11. Children's Privacy
The App is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.
12. International Transfers
Data may be processed in the United States or other regions where Supabase, Resend, Firebase, or RevenueCat operate. Appropriate safeguards (such as Standard Contractual Clauses) are relied upon where required.
13. Third-Party Podcast Content
When you subscribe to a podcast, the App fetches RSS feed data & artwork directly from the podcast's hosting servers. Those third parties may log standard server access data (e.g., IP address). Their practices are governed by their own policies.
14. Changes to This Policy
We will update this policy if we expand analytics beyond the current minimal implementation or make significant changes to data handling. Material changes will be highlighted in-app or via release notes.
15. Contact
Data Controller / Privacy Contact:
For EU/UK users wishing to exercise rights, please include "Privacy Request" in the subject line.
16. Summary (Human-Readable)
FluidCast keeps things simple: we use Supabase to store your podcast subscriptions and where you stopped listening so you can pick up on another device. We send verification emails through Resend. We log one anonymous-ish event per day (via Firebase) so we know someone used the app. If it crashes, we get a technical report (via Firebase). Premium subscriptions are handled securely through RevenueCat. You can delete your account at any time from within the app—we'll give you 7 days to change your mind before permanent deletion. That's it.