How CastMath handles your data.

Who we are.

CastMath is a product of My Cosmic Message Pty Ltd (ABN 30 652 358 159), trading as WOW Enterprise Company, of Sydney, Australia. The CastMath product is built and operated by Built by Asteris, our studio of record. In this policy, "we", "us", "CastMath" refers to the legal entity above.

For privacy questions or requests, contact us at hello@castmath.com.

What we collect.

The categories of personal information CastMath collects, and why:

• Account information. Your email address and authentication tokens, via Clerk. Required to create and access your account.
• Profile information. Display name, default currency, default geo. Provided by you during onboarding.
• Podcast metadata. The RSS URL you provide, episode titles, publish dates, durations and download counts pulled from your hosting platform. Required for the Episode P&L feature.
• Financial entries you give us. Revenue and expense transactions you record manually, via voice memo, via photo of a receipt, or via email forward. Tagged to specific episodes by you. CastMath stores what you tell it.
• Sponsor pipeline data. Sponsor names, contact details, deal stages and rates that you record yourself.
• Usage telemetry. Page views, error logs, performance data. Anonymised and aggregated. Used to improve the product.

What we don't collect.

This is core to CastMath's design. We will not, under any circumstances:

• Connect to your bank account. No Plaid, no Basiq, no Yodlee, no Open Banking. Ever.
• Connect to your payment processors. No Plaid, no Open Banking, no bank-feed aggregators. And Stripe — that's for podcasters who sell their own products. Sponsors pay by invoice and bank transfer; we have no access to either.
• Connect to membership platforms. No Patreon, Memberful, Substack income data. You record what you've earned manually.
• Read your bank statements as files. If you upload a CSV, we parse it for transactions you choose to enter — we do not retain the raw statement.

If we ever introduce optional integrations of this nature, they will be opt-in, gated, and disclosed prominently. The default product will always be what is described above.

How we use what we collect.

We use the information you give us to provide the CastMath service. Specifically:

• To compute Episode P&L, sponsor rates and tax forecasts you've asked for.
• To send transactional email (sign-up confirmation, password reset, billing notifications) via Resend.
• To send marketing email (product updates, founding-member communications) via MailerLite — only if you've opted in. You can unsubscribe any time.
• To improve the product based on aggregated, de-identified usage patterns.
• To comply with our legal obligations (tax records, dispute resolution, regulatory requests).

We do not sell your data. We do not use your data to train AI models. We do not share your data with advertisers.

AI processing.

CastMath uses Anthropic's Claude API to parse your voice memos, receipt photos and forwarded emails into structured transactions. When you submit one of these inputs:

• The content is sent to Anthropic's API for parsing only.
• Anthropic does not retain or train on the inputs (per Anthropic's Zero Data Retention configuration where applicable).
• The parsed result returns to your CastMath account.
• Original audio or photo files are stored encrypted in Cloudflare R2 and accessible only to you.

You can disable AI parsing in your account settings. Manual entry is always available as a fallback.

Subprocessors — who else sees your data.

To run CastMath we rely on the following service providers, each contractually bound to handle your data securely:

This list is updated as our subprocessor stack changes. You can request the current list at any time via hello@castmath.com.

Where your data lives.

Your data is stored on Cloudflare D1 and R2, distributed across Cloudflare's global edge network. Primary regions for Australian and European customers are Sydney (OC) and Frankfurt (EEUR) respectively. Data may be replicated to other regions for performance and redundancy, in accordance with Cloudflare's regional service offerings.

If you're in the EU, UK or another jurisdiction with data-transfer protections, your data may be transferred to the United States or other countries via the subprocessors listed above. We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms for these transfers.

Your rights.

You have the right to:

• Access the personal data we hold about you.
• Export your data in machine-readable format (JSON or CSV).
• Correct any inaccurate data via your account settings.
• Delete your account and all associated data.
• Object to certain processing (marketing email, AI parsing).
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

To exercise these rights, use the controls in your account settings or contact us at hello@castmath.com. We respond within 30 days.

How long we keep your data.

We retain your data for as long as your account is active. If you delete your account:

• Active data is removed within 7 days.
• Backups are purged within 30 days.
• Some records (billing, tax-relevant transaction logs) may be retained for up to 7 years to comply with Australian tax law.

You can request expedited or extended deletion in writing. We honour all reasonable requests within applicable legal constraints.

Cookies.

CastMath uses essential cookies for authentication and session management. We do not use advertising cookies, third-party tracking pixels, or behavioural advertising tools. If we add analytics in future, it will be a privacy-respecting tool (Plausible or PostHog with anonymisation), and you'll be notified.

Children.

CastMath is not directed at people under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we'll remove the account.

Security.

We use industry-standard security practices: TLS for data in transit, encryption at rest for sensitive fields, strict access controls, audit logging, regular security reviews. No system is perfectly secure, but we treat your data the way we treat our own.

Changes to this policy.

If we make material changes to this policy, we'll notify you via email and post the change at least 30 days before it takes effect. Minor edits (typo fixes, clarifications) are made without notice but always logged in the version history at the top of this page.