Privacy Policy

How Podhoc handles your data and protects your privacy.

Data Controller

This website and the Podhoc service are operated by Nexo Apex SL (“Podhoc”, “we”, “our”, or “us”), acting as data controller for the personal data described in this policy.

Company details

  • Company: Nexo Apex SL
  • Address: Edificio Cami Reial c/ Cami Reial, 13-17, 3a planta, 43700 El Vendrell, Tarragona, Spain
  • Email: hi@podhoc.com
  • Website: nexoapex.com

Scope

This Privacy Policy explains how we process personal data when you:

  • visit the Podhoc website,
  • create and use a Podhoc account,
  • submit sources and generate podcasts,
  • contact support or communicate with us.

By registering, creating an account, or signing up in Podhoc, you acknowledge and consent to the processing described in this Privacy Policy, together with the applicable Terms and policies.

Data We Process

We apply data minimization and process only what is necessary to operate, secure, and improve Podhoc.

1) Data you provide

  • Account data: email address, authentication details, and profile preferences.
  • Generation input data: URLs, text, and uploaded files (for example PDF, DOCX, TXT) used to create podcasts.
  • Support data: information included in support requests and communications.
  • Billing and subscription data: plan, credits, invoices, and payment status (full card data is processed by Stripe, not stored by Podhoc).

2) Data generated during service use

  • Service metadata: timestamps, status events, language, generation settings, and technical processing events.
  • Security and operational logs: anonymized or pseudonymized logs used for reliability, abuse prevention, and troubleshooting.
  • Essential cookies: required for basic functionality and security.
  • Analytics cookies: used only for aggregate analytics and enabled only if you explicitly allow them through the cookie banner/preferences.
  • _podhoc_uid (cross-subdomain analytics linker): a first-party cookie set on .podhoc.com once you sign in on app.podhoc.com, login.podhoc.com, or admin.podhoc.com, and readable across all *.podhoc.com subdomains (including the marketing site and our browser extensions). It carries a stable pseudonymous identifier (the Cognito subject for your account — never your email, name, or other personal field) so that Google Analytics can attribute the full conversion funnel across our subdomains. The cookie has a lifetime of 30 days (matching the Cognito refresh-token window so stale sessions on shared devices age out within a month), is refreshed on each sign-in, is cleared on logout, and is never used for authentication or authorization (the authentication boundary is the Cognito JWT validated by our API). The cookie is set with Secure and SameSite=Lax flags.

User Responsibility for Submitted Content

You are solely responsible for any information or materials you submit to Podhoc for AI generation, including URLs, text, documents, and files.

By using Podhoc, you confirm that:

  • you have the legal right to submit and process that content,
  • your submissions comply with applicable law,
  • you will not submit unlawful, sensitive, or third-party data without a valid legal basis.

Nexo Apex SL does not pre-validate all dynamic user-submitted content and is not responsible for illegal, sensitive, infringing, or unauthorized data provided by users.

This includes, without limitation, copyright-protected material uploaded or processed without required permissions.

Podhoc reserves the right to suspend or restrict accounts if anomalies are detected in usage behavior or in the nature of submitted content, including signals of abuse, illegal activity, or policy non-compliance.

How We Use Data

We process data to:

  • provide account access and authentication,
  • run podcast generation workflows and deliver outputs,
  • manage subscriptions, credits, and transactions,
  • maintain security, prevent abuse, and monitor reliability,
  • provide support and respond to legal requests,
  • improve product quality using anonymized/aggregated metrics.

Where GDPR applies, our legal bases are:

  • Contract performance: to provide Podhoc features you request.
  • Legitimate interest: service security, fraud prevention, quality, and reliability.
  • Consent: non-essential analytics cookies and similar optional tracking.
  • Legal obligation: accounting, compliance, and lawful disclosure obligations.

Data Sharing

We do not sell personal data.

We may share data with processors and vendors strictly to provide Podhoc, including:

  • Infrastructure and hosting: AWS
  • Authentication providers: Google and Apple (when you choose SSO)
  • Payments: Stripe
  • AI processing providers: providers used to generate scripts/audio
  • Operational communications: email/support tooling
  • Analytics tooling: only when analytics consent is enabled

These providers process data under contractual obligations and applicable data protection laws.

Public Discover Publication

Podhoc operates a public Discover surface where generated podcasts can be discovered, streamed, and shared by other users and search engines. Publication to Discover is a separate processing activity from generating the podcast for your private use and is governed by the rules below.

What is published. When a podcast is published to Discover, the audio, the title, the cover image, the script summary, and non-sensitive generation metadata (style, language, duration) are made publicly accessible. The source materials you upload (PDFs, DOCX, TXT, notes) are never published. Source files remain private to your account and are processed only to generate the podcast.

Default behaviour by tier.

  • Free tier: generated podcasts are published to Discover by default and cannot be made private. To keep a podcast private, upgrade to a paid tier before generation, or delete the podcast / account to withdraw the listing.
  • Creator and Pro (paid tiers): generated podcasts are published by default, but you can disable publication per-podcast or globally via the “Auto-publish to Discover” toggle in advanced settings. You may also retract a previously published podcast at any time.
  • API integrators: the auto_publish parameter defaults to true. Production tokens on paid tiers may set auto_publish: false.

Legal basis (GDPR). Publication to Discover relies on:

  • Contract performance for users on the Free tier — publication is part of the Free service, disclosed before account creation and at the point of generation.
  • Consent for users on paid tiers, given each time you generate a podcast with auto-publish enabled; consent is withdrawable per-podcast (toggle off, retract, or delete).

Withdrawal of consent and right to be forgotten. You can withdraw consent at any time on paid tiers by toggling auto-publish off, retracting individual podcasts, or downgrading your account. Free-tier users can withdraw consent by deleting individual podcasts or their account. We will remove the public listing within a reasonable propagation window (CDN/cache typically clears within 24 hours). Retracted podcasts remain in your private library unless you also delete them.

Discoverability. Published podcasts can be indexed by search engines, embedded by third parties, and referenced from RSS feeds. We cannot guarantee that third-party caches, archives, or downloaded copies are removed after retraction.

Personal data warning. Do not generate (and therefore do not publish) podcasts from material that contains personal data of others, confidential information, copyrighted text without permission, or anything you would not want listed publicly. Free-tier users in particular should treat every generated podcast as a public statement.

Public Discover Visibility, Comments, and Embeds

This section complements the previous one and explains the privacy implications of the public-facing surfaces of Discover — search-engine discoverability, the comments system, anonymous browsing, and the embed widget.

Search-engine indexing and third-party referencing. Published podcasts are intended to be discovered. Their listing pages, audio URLs, covers, AI-generated summaries, and the public username of the creator are crawlable by search engines, ingestible by RSS readers, and addressable by third-party indexes. Once a podcast is published, you should expect copies of its metadata to appear in third-party caches that we do not control.

What public Discover data contains. Each public listing includes the podcast title, the AI-generated summary, the generated audio file, the cover image, and the public username of the creator. The username is the public-by-design identifier and is the only personal field we expose on Discover. Email addresses, account IDs, billing data, source files (PDF, DOCX, TXT, notes), and any other private account data are never published.

Comments and feedback. Logged-in users can post comments and feedback on public podcasts. When a comment is stored, we record the internal commenter_user_id for audit, moderation, and abuse-handling — but the display surface only shows users.username. We never display email addresses, account IDs, or any other identifier next to a comment. Comment text is public on submission and is included in third-party crawls of the listing page. By submitting a comment, you accept that it is public, attributable to your public username, and subject to the moderation rules in the Terms of Use.

Anonymous browsing and comment viewing. Visitors who are not signed in can browse Discover listings and read comments without an account. For abuse-protection purposes we log anonymous request metadata (IP address, user-agent, route) at the edge for a short retention window, but these logs are not linked to any user account and are not used for profiling or advertising. Edge logs are aggregated and rotated according to our standard retention schedule.

Embed widget telemetry. Podhoc offers an embed widget so third-party sites can play published podcasts inline. Plays from the embed widget are counted at the (embed_id, slug, day) level only — we record no IP address, no user-agent string, no referrer, and no visitor identifier in the embed-play counters. This counter exists solely to throttle abuse and to surface aggregated play counts to creators.

Right of erasure (per-podcast and global).

  • Paid-tier users (Creator, Pro) can opt out of Discover publication per-podcast or globally from their account preferences. Opting out retracts the public listing and removes the slug, audio URL, cover, and summary from Discover within a reasonable CDN propagation window. The same retraction also removes any comments attached to that listing.
  • Free-tier users cannot opt out of publication while remaining on the Free tier — to remove a listing they must upgrade to a paid tier (which exposes the per-podcast retract control) or delete the individual podcast / their account. Deleting the account removes all Discover presence including comments authored by that account.
  • Erasure of a specific comment (e.g. a comment posted by another user that mentions you) can be requested via legal@podhoc.com; we will review and act on legitimate erasure requests per the rights section below.

Caveats on erasure. As noted above, search-engine caches, third-party archives, downloaded audio files, and other re-publications are outside our control. We will retract from podhoc.com but cannot guarantee removal from external indexes.

International Transfers

Some providers may process data outside your country. When required, we use appropriate safeguards (for example, contractual safeguards and equivalent protections under applicable law).

Retention

We keep data only for as long as needed for the purposes above, including legal and security obligations. Retention periods vary by data type (account, billing, logs, generated assets, support records). When data is no longer required, it is deleted or irreversibly anonymized.

Security

We implement technical and organizational safeguards including encrypted transport, controlled access, log sanitization, and monitoring. No system is absolutely risk-free, but we continuously improve our protections.

Your Rights

Depending on applicable law, you may have the right to:

  • access your personal data,
  • correct inaccurate data,
  • request deletion,
  • object to or restrict certain processing,
  • request portability,
  • withdraw consent for analytics cookies at any time.

To exercise your rights, contact us at hi@podhoc.com with subject “Podhoc Privacy Request”.

Children

Podhoc is not intended for children under the minimum age required by applicable law. If you believe a minor has provided data unlawfully, contact us and we will review and act promptly.

Policy Updates

We may update this Privacy Policy to reflect legal, technical, or operational changes. The latest version is always published on this page with the updated date.

If you have legal questions about this policy or your obligations when submitting content, contact legal@podhoc.com.


Last Updated: May 13, 2026