Summary: We collect only what we need, store it securely on encrypted infrastructure, never sell your data, and give you full control over your information. We comply with POPIA (South Africa), GDPR (EU/UK), and CCPA (California).
1. Who We Are
Scoutcast (PTY) LTD (“Scoutcast,” “we,” “us,” “our”) is a South African company registered under number 2026/040587/07. We operate the Scoutcast mobile application and website (collectively the “Platform”).
Scoutcast is the responsible party (under POPIA) and data controller (under GDPR) for the personal information processed through the Platform.
1.1 Information Officer
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, phone number, password (hashed), date of birth
- Profile information: Bio, profile photo, location, profession, skills, categories, rates, availability
- Portfolio content: Photos, videos, audio files, showreels, and descriptions you upload
- Communications: Messages sent through the Platform, project chat messages, support requests
- Payment information: Subscription tier selection (payment processing is handled by Apple/Google — we do not store card numbers)
- User-generated content: Community posts, Collab listings, comments, reviews
2.2 Information Collected Automatically
- Device information: Device type, operating system, app version, unique device identifiers
- Usage data: Features accessed, screens viewed, search queries, interaction timestamps — captured through our product analytics provider (PostHog) to understand how the Platform is used and to improve it
- Location data: Approximate location (city/region level) derived from IP address for geographic features. We do not use precise GPS tracking.
- Error and performance data: Crash reports, error logs, performance metrics (via Sentry)
2.3 Information from Third Parties
- Social sign-in providers: If you sign in via Google or Apple, we receive your name and email as permitted by your settings
- App store data: Subscription status from Apple App Store or Google Play Store
2.4 Special Personal Information
Some Scoutcast profiles — particularly for talent and casting — may include optional attributes that constitute “special personal information” under POPIA Section 26 and “special category data” under GDPR Article 9, most notably race or ethnic origin. This is an established professional requirement of the casting and production industry (for example, a casting call for a specific role).
This is always your choice. Providing this information is entirely optional — you may leave it blank and still use the Platform fully. Where you do provide it, we process it only on the basis of your explicit consent (POPIA Section 27(1)(a); GDPR Article 9(2)(a)), solely to make your profile discoverable for relevant professional opportunities, and you may edit or delete it at any time in your profile settings.
3. Lawful Basis for Processing (POPIA Section 11 / GDPR Article 6)
We process your personal information only where we have a lawful basis:
| Purpose | POPIA Condition | GDPR Basis |
| Account creation and authentication | Consent (s11(1)(a)) & Contract (s11(1)(b)) | Contract (Art 6(1)(b)) |
| Profile visibility in Scout directory | Consent (s11(1)(a)) | Consent (Art 6(1)(a)) |
| Special personal information (e.g. ethnicity) in your profile | Explicit consent (s27(1)(a)) | Explicit consent (Art 9(2)(a)) |
| Processing subscriptions & payments | Contract (s11(1)(b)) | Contract (Art 6(1)(b)) |
| Messaging between users | Contract (s11(1)(b)) | Legitimate interest (Art 6(1)(f)) |
| Error monitoring & crash reporting | Legitimate interest (s11(1)(f)) | Legitimate interest (Art 6(1)(f)) |
| Platform security & fraud prevention | Legitimate interest (s11(1)(f)) | Legitimate interest (Art 6(1)(f)) |
| Direct marketing communications | Consent (s69) — explicit opt-in | Consent (Art 6(1)(a)) |
| Legal compliance & tax records | Legal obligation (s11(1)(c)) | Legal obligation (Art 6(1)(c)) |
| Analytics & improving the Platform | Legitimate interest (s11(1)(f)) | Legitimate interest (Art 6(1)(f)) |
4. Direct Marketing (POPIA Section 69)
We will only send direct marketing communications (emails, push notifications about promotions or new features) if you have given explicit, prior consent (opt-in). You may withdraw consent at any time by:
- Toggling notification preferences in your account settings
- Clicking “Unsubscribe” in any marketing email
- Emailing [email protected]
Transactional communications (account verification, subscription confirmations, security alerts) are not marketing and will still be sent as necessary.
5. How We Use Your Information
- Provide, maintain, and improve the Platform
- Display your profile in Scout searches based on your subscription tier and geographic settings
- Power natural-language (“semantic”) search, so users can find profiles by describing what they need — see Section 6
- Facilitate messaging, project collaboration, and community features
- Process subscription payments through Apple/Google
- Send transactional notifications (new messages, Collab applications, project updates)
- Understand usage and improve the Platform through aggregated product analytics (via PostHog)
- Monitor platform stability and fix errors (via Sentry)
- Enforce our Terms of Service and Community Guidelines
- Comply with legal obligations including SARS tax record requirements
6. Automated Decision-Making & AI Search (GDPR Article 22 / POPIA Section 71)
Scoutcast uses the following automated processing that may affect how your profile is displayed:
- Search ranking: Profiles in Scout search results are ranked based on subscription tier, profile completeness, activity level, and geographic proximity. Higher-tier subscribers receive priority placement.
- AI semantic search: To let users search by describing what they need in plain language, the public text on your profile (such as your bio, skills, categories and portfolio captions) is converted into a mathematical representation (an “embedding”) using a machine-learning model run by Cloudflare (Workers AI). This is processed server-side to match your profile to relevant searches. It does not include your private messages or contact details.
- Content moderation: Automated filters may flag content that potentially violates Community Guidelines for human review.
These automated processes do not make decisions that produce legal effects or similarly significantly affect you. You may contact us to request human review of any automated decision affecting your account.
7. Service Providers & Data Sharing
We do not sell, rent, or trade your personal information. We share data with the following categories of service providers, each bound by data processing agreements:
| Provider | Purpose | Data Shared | Location |
| Supabase (PostgreSQL) | Database, authentication, file storage | All account & platform data | AWS ap-southeast-1 (encrypted at rest) |
| Cloudflare (Workers AI) | Semantic-search embeddings, CDN, DNS, DDoS protection | Public profile text; IP addresses, request metadata | Global edge network |
| PostHog | Product analytics & usage insights | Usage events, device info, user ID | USA / EU (configurable) |
| Sentry | Error monitoring & crash reporting | Device info, error logs, user ID | USA (EU data routing available) |
| Resend | Transactional email delivery | Email address, name | USA |
| Apple / Google | Payment processing, app distribution | Subscription status, purchase receipts | USA |
| Expo (EAS) | App build & update delivery | Device tokens for push notifications | USA |
We may also disclose information when required by law, court order, or to protect the safety and security of our users.
8. Cross-Border Transfers (POPIA Section 72)
Your data may be transferred to and processed in countries outside South Africa (see service providers above). We ensure adequate protection through:
- Selecting providers in jurisdictions with adequate data protection laws (per Section 72(1)(a))
- Binding contractual agreements that require equivalent protections (per Section 72(1)(b))
- Your consent to this policy, which includes acknowledgement of these transfers (per Section 72(1)(d))
For GDPR: transfers outside the EEA rely on Standard Contractual Clauses (SCCs) or adequacy decisions.
9. Data Retention
- Active account data: Retained for the duration of your account
- Deleted account data: Permanently deleted within 30 days of account deletion request, except where retention is legally required
- Messages: Deleted when both parties have deleted their accounts, or when you delete a conversation
- Error logs (Sentry): Automatically purged after 90 days
- Financial records: Retained for 5 years as required by the South African Revenue Service (SARS) under the Tax Administration Act
- Legal hold: Data relevant to disputes or legal proceedings may be retained until the matter is resolved
10. Data Security
We implement appropriate technical and organisational measures to protect your information:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables — users can only access their own data
- Password hashing using bcrypt via Supabase Auth
- Rate limiting and brute-force protection on authentication endpoints
- Regular security audits and dependency updates
- No storage of payment card details (handled by Apple/Google)
11. Data Breach Notification (POPIA Section 22)
In the event of a security breach that compromises your personal information, we will:
- Notify the Information Regulator as soon as reasonably possible after discovery
- Notify affected data subjects (you) as soon as reasonably possible, providing:
- A description of the possible consequences of the breach
- A description of the measures we are taking or propose to take to address the breach
- Recommendations for what you can do to mitigate possible adverse effects
- The identity of the unauthorised person who may have accessed the data, if known
- Notification will be made by email (to your registered address) and, where appropriate, via in-app notification. If direct notification is not possible, we will use public channels including our website and social media.
12. Your Rights
12.1 Under POPIA (South African Residents)
You have the right to:
- Access: Request confirmation of whether we hold your personal information and obtain a copy (Section 23)
- Correction: Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading information (Section 24)
- Deletion: Request destruction or deletion of your personal information (Section 24)
- Object: Object to the processing of your information on reasonable grounds (Section 11(3)(a))
- Object to direct marketing: Object to the use of your information for direct marketing at any time (Section 69(3))
- Withdraw consent: Withdraw consent (including for special personal information) at any time, without affecting the lawfulness of prior processing
- Complain: Lodge a complaint with the Information Regulator (see Section 14 below)
12.2 Under GDPR (EU/UK Residents)
In addition to the above, you have the right to:
- Data portability: Receive your data in a structured, commonly used, machine-readable format (Article 20)
- Restrict processing: Request that we limit how we process your data in certain circumstances (Article 18)
- Automated decisions: Not be subject to decisions based solely on automated processing, including profiling (Article 22)
- Withdraw consent: Withdraw consent at any time where processing is based on consent (Article 7(3))
- Complain: Lodge a complaint with your local supervisory authority
12.3 Under CCPA (California Residents)
California residents have the right to:
- Know: Request what personal information we have collected
- Delete: Request deletion of personal information
- Non-discrimination: Not be discriminated against for exercising your rights
- Opt-out of sale: We do not sell personal information, so no opt-out is necessary
12.4 How to Exercise Your Rights
To make any request, contact us at [email protected]. We will:
- Verify your identity before processing any request
- Respond within 30 days (POPIA) or 30 days (GDPR, extendable by 60 days for complex requests)
- Not charge a fee unless the request is manifestly unfounded or excessive
13. Children's Privacy
Scoutcast is intended for users aged 18 and older. We do not knowingly create accounts for, or collect personal information from, children under 18. No minor may register as a user of the Platform.
Professional content uploaded by adult account holders (such as agencies, production companies, or photographers) may depict minors in a lawful, professional context, subject to the content requirements set out in our Terms of Service (Section 4.3). In such cases, Scoutcast does not collect or process any personal data of the depicted minor — the uploading account holder is solely responsible for holding all necessary consents.
If we become aware that a child’s personal data has been collected as an account holder, we will delete it immediately. If you believe a minor has created an account or that their personal data has been processed in breach of this policy, please contact [email protected].
14. Regulatory Contacts
15. Cookies & Tracking
The Scoutcast mobile app does not use cookies. It does use a privacy-respecting product-analytics SDK (PostHog) to measure how the app is used so we can improve it (see Sections 2.2 and 7). We do not use advertising trackers or third-party advertising pixels, and we do not sell or share your data for advertising.
Our website (scoutcast.app) uses only essential cookies required for the site to function.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- Material changes will be communicated via in-app notification and email
- The “Last updated” date at the top will be revised
- Continued use of the Platform after notification constitutes acceptance of the updated policy
- Previous versions will be archived and available on request
17. Contact Us
For any privacy-related questions, requests, or complaints: