Privacy.

Last updated 2026-05-24

The short version

We collect the bare minimum needed to make pictures and keep them in your account: your name, your email, and the photo you upload for each picture. Your uploaded photo is sent to an image model, then deleted from our servers. The finished picture stays in your account until you delete it. We don't sell your data, we don't post anywhere on your behalf, and we don't use your photos to train models.

What we collect

Account info — your name, email, and (if you sign in with Google) your Google profile picture. Stored in our database for as long as your account exists.
Photos you upload — each picture you make starts with an uploaded photo. We hold the photo in memory long enough to send it to the image model, then delete it from our servers.
Finished pictures — the result of each filter is stored in your account so you can come back to it. You can delete any picture at any time, and we delete it for real.
Technical metadata — your IP address, browser/user-agent, and timestamps for each sign-in. Stored against your session so we can keep your account secure. Old sessions are removed after 30 days of inactivity.

What we don't collect

We don't track you across other websites.
We don't sell, rent, or share your personal data with third parties for advertising.
We don't use your photos to train any model — ours or anyone else's.
We don't post anywhere on your behalf. The finished pictures only go where you choose to send them.

Who we share with

To make a picture, we send your uploaded photo and the filter's prompt to Replicate, Inc. — they run the image model on our behalf. Replicate processes the photo to generate the result and then deletes it on their end. Their privacy policy is at replicate.com/privacy.

We host the site on Vercel, Inc. and store your account data and finished pictures on Vercel-managed infrastructure (Neon Postgres and Vercel Blob). Vercel's privacy policy is at vercel.com/legal/privacy-policy.

If you sign in with Google, Google receives the standard sign-in request and we receive your verified name, email, and profile picture. We never see your Google password.

Cookies

We use one cookie — cast_session — to keep you signed in. It's httpOnly (not readable by JavaScript), Secure (HTTPS only), and SameSite=Lax (only sent with same-site requests). It expires after 30 days. We don't use third-party advertising or analytics cookies.

Your rights

See what we have — your sign-in page shows your account info. Your library shows every picture we hold for you.
Delete a picture — remove any picture from your library at any time. We delete the underlying file too.
Delete your account — email us (see below) and we'll remove your account and every picture in it. We aim to do this within 7 days.
Export your pictures — open your library and save each one. We're working on a one-click bulk export.

If you live in the EU, UK, or California, you have additional rights under GDPR / CCPA — including the right to object to processing, to data portability, and to lodge a complaint with your local regulator. Email us and we'll help.

Kids

Cast isn't designed for children under 13. We don't knowingly accept sign-ups from anyone under 13. If you believe a child has signed up, email us and we'll remove the account.

Changes

If we change this notice in a way that materially affects how we handle your data, we'll let you know by email before the change takes effect. Otherwise we'll update the date at the top of this page.

Contact

Questions, requests, or just curious? Email hello@cast.app.