Privacy Policy

Last updated: 19 April 2026

1. About This Policy

OneCast Studio is operated by OneCast Media (“we”, “us”, “our”), an Australian business providing studio management software to photographers and videographers. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information.

We are committed to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using OneCast Studio, you consent to the collection and use of your personal information as described in this policy.

2. Who This Policy Covers

This policy applies to two categories of individuals:

  • Studio owners and administrators ("Studios") who create an account and use OneCast Studio to manage their business.
  • End clients of Studios ("Clients") whose personal information is stored in OneCast Studio at the direction of the Studio they work with.

Studios are responsible for ensuring they have appropriate consent from their clients before entering client information into OneCast Studio. We process client data on behalf of Studios as a data processor.

3. What Information We Collect

Studio account information:

  • Name and email address (from Google sign-in or registration)
  • Business name, ABN, phone number, and Instagram handle
  • Billing information (processed by Stripe — we do not store card numbers)
  • Studio settings, preferences, and configuration
  • Date and time of account creation and terms agreement

Client information (entered by Studios):

  • Name, company name, and email address
  • Project and booking details
  • Notes, briefs, quotes, and invoices
  • Portal access logs and activity

Usage and technical information:

  • Log data, IP addresses, and browser type
  • Pages visited and features used within the platform
  • Session tokens stored as secure, HTTP-only cookies

4. How We Collect Information

We collect personal information when you:

  • Create an account using Google authentication or email/password registration
  • Complete the studio onboarding process
  • Add clients, projects, bookings, or other records through the dashboard
  • Contact us via email or our support channels
  • Use our website or application (automatically, via cookies and logs)

5. Why We Collect and How We Use Your Information

We collect personal information for the following purposes:

  • To create and maintain your OneCast Studio account
  • To provide the studio management and client portal service
  • To process subscription payments via Stripe
  • To send transactional emails (e.g. client welcome emails, booking confirmations, invoices)
  • To send administrative notifications relevant to your account
  • To improve, maintain, and develop the platform
  • To comply with our legal obligations
  • To investigate complaints and resolve disputes

We will not use your personal information for any purpose that you would not reasonably expect, and we will not sell your data to third parties.

6. Disclosure to Third Parties

We share personal information only with the following trusted service providers, who are contractually required to protect it:

  • Stripe (stripe.com) — payment processing and subscription management. Governed by Stripe's Privacy Policy.
  • Supabase / Amazon Web Services (AWS ap-southeast-2, Sydney) — secure database hosting within Australia.
  • Resend (resend.com) — transactional email delivery (e.g. client portal welcome emails).
  • Google LLC — authentication via Google OAuth (when using "Continue with Google").
  • Vercel Inc. — application hosting and edge delivery.

We may also disclose personal information if required by law, court order, or government authority, or to protect the rights, property, or safety of OneCast Studio, its users, or the public.

We do not sell, rent, or trade personal information to third parties for marketing purposes.

7. Data Storage and Security

All personal information is stored on servers located in Sydney, Australia (AWS ap-southeast-2). We implement industry-standard security measures including:

  • All data transmitted using HTTPS (TLS encryption)
  • Passwords hashed using scrypt with a random salt — never stored in plain text
  • Session tokens stored in secure, HTTP-only, same-site cookies
  • Access controls and authentication required for all admin functions
  • Regular security reviews of our infrastructure

While we take reasonable precautions, no system is entirely secure. We encourage you to use a strong, unique password and to report any suspected security issues to info@onecast.media.

8. Data Retention

We retain personal information for as long as your account is active or as needed to provide our services. Specifically:

  • Studio account data is retained while the account remains open and for up to 7 years after closure (for financial record-keeping obligations).
  • Client information entered by Studios is retained until the Studio deletes it or closes their account.
  • Log and usage data is typically retained for 90 days.

You may request deletion of your account and associated data at any time by contacting us at info@onecast.media. Requests will be processed within 30 days.

9. Your Rights (Australian Privacy Principles)

Under the Australian Privacy Act and APPs, you have the right to:

  • Access the personal information we hold about you (APP 12)
  • Request correction of inaccurate, outdated, or incomplete information (APP 13)
  • Make a complaint about how we handle your personal information
  • Opt out of any direct marketing communications
  • Request deletion of your account and personal data

To exercise any of these rights, please contact our Privacy Officer at info@onecast.media. We will respond within 30 days.

10. Studio Responsibilities for Client Data

When a Studio adds their clients' personal information to OneCast Studio, the Studio acts as the data controller for that information. Studios must:

  • Have a lawful basis for collecting and storing their clients' personal information
  • Have an appropriate Privacy Policy in place for their own business
  • Notify their clients that their information will be stored and managed using OneCast Studio
  • Obtain appropriate consent from clients before adding their details
  • Ensure clients are aware of their rights to access, correct, or delete their information

OneCast Media processes client data only as directed by Studios and in accordance with this policy.

11. Cookies

OneCast Studio uses a single essential session cookie to keep you signed in. This cookie is:

  • HTTP-only (cannot be accessed by JavaScript — protects against XSS attacks)
  • Secure (transmitted only over HTTPS in production)
  • Set with SameSite=Lax to protect against CSRF attacks
  • Valid for 30 days — giving you a persistent login like standard web applications

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users.

12. Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact us first at info@onecast.media. We take privacy complaints seriously and will respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • GPO Box 5218, Sydney NSW 2001

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the OneCast Studio dashboard. Your continued use of OneCast Studio after any change constitutes acceptance of the updated policy.

The current version of this policy is always available at onecast.studio/privacy.

14. Contact Us

For any privacy enquiries, access requests, corrections, or complaints:

  • Privacy Officer, OneCast Media
  • Email: info@onecast.media
  • Australia

This Privacy Policy was prepared to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. It does not constitute legal advice. If you operate a studio business using our platform, we recommend you obtain your own legal advice regarding your privacy obligations.