Scribekast.AI
Log inStart a Kast

Privacy Policy

Last updated: April 15, 2026

1. Introduction

Scribekast.AI ("we", "our", or "us") is operated by Agentive Group Co Pty Ltd (ACN 695 269 222, ABN 54 695 269 222), an Australian company trading as Scribekast.AI. We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Where we process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and the UK GDPR, respectively.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal information when you use our platform at app.scribekast.ai.

2. Information We Collect

We collect the following categories of personal information:

2.1 Account Information

When you register for an account, we collect your name, email address, and password. Your password is hashed using bcrypt before storage and is never stored in plain text.

2.2 Connected Social Media Accounts

When you connect third-party platforms (LinkedIn, Facebook, Instagram, X/Twitter, TikTok, YouTube, WordPress), we receive and store OAuth access tokens and refresh tokens. These tokens allow us to publish content to your accounts on your behalf. We encrypt OAuth tokens at rest. We do not access or store your social media passwords.

2.3 Content Data

  • RSS feed URLs and source configurations you provide.
  • Source articles fetched from your configured RSS feeds.
  • AI-generated content created by the platform.
  • Any edits, modifications, or annotations you make to generated content before approval.
  • Publishing history, including which content was published to which platforms and when.

2.4 Usage and Analytics Data

  • Job counts, approval rates, and feature usage statistics.
  • Login timestamps, session duration, and interaction patterns.
  • Browser type, operating system, device type, and screen resolution.
  • IP address and approximate geographic location.

2.5 Payment Information

We use Stripe as our payment processor. When you subscribe to a paid plan, your payment card details are collected and processed directly by Stripe. We do not store your full credit card number, CVV, or other sensitive payment data on our servers. We receive and store your Stripe customer ID, subscription status, plan tier, and billing history metadata.

2.6 Cookies and Similar Technologies

We use cookies for authentication and user preferences. The cookies we use include:

  • Authentication cookie (token): An httpOnly, secure JWT cookie used to authenticate your session.
  • Theme preference cookie (scribekast-theme): Stores your light/dark mode preference.

3. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the Service: Operating the Scribekast.AI platform, including RSS feed monitoring, AI content generation, human-in-the-loop review workflows, and publishing to your connected accounts.
  • Account management: Creating and managing your account, authenticating your sessions, and maintaining your subscription.
  • Billing and payments: Processing subscription payments through Stripe, enforcing usage limits based on your subscription tier (Starter, Professional, or Enterprise), and managing invoices.
  • Content generation: Sending source article content to AI providers (OpenAI) to generate multi-channel social media content according to your configured verticals and brand voices.
  • Publishing: Using your stored OAuth tokens to publish approved content to your connected social media platforms at your scheduled times.
  • Communications: Sending transactional emails including account verification, password resets, approval notifications, and service updates.
  • Analytics and improvement: Analyzing usage patterns to improve the platform, fix bugs, and develop new features.
  • Security: Detecting and preventing fraud, abuse, and security incidents.
  • Legal compliance: Complying with applicable laws, regulations, and legal processes.

4. Legal Basis for Processing

For individuals in the EEA and UK, we process personal data under the following legal bases as defined by the GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Scribekast.AI service you have subscribed to, including account management, content generation, and publishing.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as connecting third-party social media accounts via OAuth, or opting into marketing communications.
  • Legitimate interests (Art. 6(1)(f)): For purposes such as platform improvement, analytics, fraud prevention, and security, where our interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable laws, such as tax reporting and responding to lawful requests from authorities.

5. Sharing and Disclosure

We do not sell your personal information. We share your information only in the following circumstances:

5.1 AI Content Generation (OpenAI)

Source article content and your configured brand voice/vertical prompts are sent to OpenAI's API to generate social media content. OpenAI processes this data in accordance with their data processing terms. We do not send your account credentials or payment information to OpenAI.

5.2 Payment Processing (Stripe)

Your billing information is processed by Stripe, Inc. Stripe is a PCI DSS Level 1 certified payment processor. Your payment card details are transmitted directly to Stripe and are never stored on our servers.

5.3 Social Media Platforms

When you approve content for publishing, we transmit that content to your connected social media platforms (LinkedIn, Facebook, Instagram, X/Twitter, TikTok, YouTube, WordPress) using their respective APIs. Each platform processes the published content according to their own privacy policies.

5.4 Error Monitoring (Sentry)

We use Sentry for error tracking and application monitoring. Sentry may receive technical error data, which could include anonymised request metadata. We configure Sentry to minimise the collection of personal information.

5.5 Infrastructure Providers

Our platform is hosted on cloud infrastructure providers who may process your data as part of providing hosting, database, and compute services to us. These providers act as data processors under our instructions.

5.6 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Agentive Group Co Pty Ltd, our users, or others.

6. International Data Transfers

Agentive Group Co Pty Ltd is based in Australia. Your personal information may be transferred to, and processed in, countries other than Australia, including the United States and Japan, where our cloud infrastructure providers (Railway for application hosting; Supabase on AWS ap-northeast-1 (Tokyo) for database hosting), AI services (OpenAI, Anthropic), and payment processor (Stripe) operate.

Where we transfer personal data outside of Australia, we take reasonable steps to ensure the recipient handles your information in a manner consistent with the Australian Privacy Principles.

For transfers of personal data from the EEA or UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms as required by the GDPR.

7. Data Retention

We retain your personal information as follows:

  • Account data: Retained for as long as your account is active, and for up to 30 days after account deletion to allow for recovery.
  • Content data: Generated content, publishing history, and edit history are retained for the duration of your active subscription. Upon account deletion, content data is deleted within 90 days.
  • OAuth tokens: Retained while the connected account integration is active. Tokens are deleted immediately when you disconnect a social media account.
  • Payment records: Billing transaction records are retained for 7 years to comply with Australian tax and accounting obligations.
  • Usage analytics: Aggregated and anonymised analytics data may be retained indefinitely. Identifiable usage data is deleted within 90 days of account deletion.
  • Error logs: Application error logs are retained for up to 90 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

  • Encryption at rest: OAuth tokens and other sensitive credentials are encrypted at rest using industry-standard encryption algorithms.
  • Password hashing: User passwords are hashed using bcrypt with a sufficient work factor. We never store passwords in plain text.
  • Transport encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Secure cookies: Authentication tokens are stored in httpOnly, secure cookies that are inaccessible to client-side JavaScript and transmitted only over HTTPS.
  • Access controls: Multi-tenant architecture ensures strict data isolation between organisations. Internal access to production data is restricted on a need-to-know basis.
  • Infrastructure security: Our cloud infrastructure employs network-level security controls, automated patching, and monitoring.

While we take reasonable steps to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

9. Your Rights

9.1 Rights Under the Australian Privacy Act

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you (APP 12).
  • Request correction of inaccurate, out-of-date, or incomplete information (APP 13).
  • Complain to us about a breach of the APPs, and if unsatisfied with our response, lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9.2 Rights Under the GDPR (EEA/UK Residents)

If you are located in the EEA or UK, you have the following additional rights under the GDPR:

  • Right of access: Request a copy of the personal data we process about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data in certain circumstances.
  • Right to restrict processing: Request that we limit the processing of your personal data.
  • Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: Lodge a complaint with a supervisory authority in your member state.

9.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@scribekast.ai. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

9.4 Account-Level Controls

You can also take the following actions directly within the platform:

  • Disconnect any connected social media account at any time, which immediately revokes our access and deletes the stored OAuth tokens.
  • Delete your RSS sources and associated content data.
  • Update your account information in your account settings.
  • Request full account deletion, which removes your account and associated data subject to our retention policy.

10. Children's Privacy

Scribekast.AI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at privacy@scribekast.ai.

11. Third-Party Links

Our platform may contain links to third-party websites, including the social media platforms you connect and the RSS feed sources you configure. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending a notification to the email address associated with your account. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Data Deletion

You may request the deletion of your personal data at any time. To submit a deletion request, contact us at mick@agentivegroup.ai. We will delete your account and all associated data within 30 days of receiving your request. Note that some data may be retained where required by law or for legitimate business purposes such as fraud prevention.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

  • Email: privacy@scribekast.ai
  • Entity: Agentive Group Co Pty Ltd (ACN 695 269 222, ABN 54 695 269 222)
  • Location: Australia

If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are located in the EEA or UK, you may also lodge a complaint with your local data protection authority.