CastPact
← Back to site

Legal

Terms of ServicePrivacy PolicyRefund PolicyDo Not Sell My InfoCampaign AgreementCreator Payout TermsPublisher Seller-of-Record AgreementAcceptable Use PolicyCopyright and DMCA Policy

Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains how CastPact LLC, an Idaho limited liability company ("CastPact," "we," "us," or "our"), collects, uses, and shares information in connection with the CastPact platform (the "Platform"). It forms part of, and is incorporated by reference into, our Terms of Service. By using the Platform, you agree to the practices described here.

The Platform is offered only to residents of the United States. This Privacy Policy is governed primarily by U.S. state privacy law. We extend the core rights described below to all U.S. residents regardless of the state in which you reside.

1. Information We Collect

1a. Registered Users (Creators & Publishers)

We collect information you provide directly: name, email address, account credentials, company information (publishers), platform connections (creators), and payment-account information via Stripe.

We automatically collect: IP addresses (hashed for tracking), browser type, device information, and usage data through cookies and similar technologies.

1b. Game Buyers (Non-Registered)

When you purchase a game key through CastPact, the game publisher is the seller and merchant of record for the transaction. Stripe processes your payment under the publisher's connected account; CastPact does not collect or store your payment card number. We collect your email address (for key delivery) and your IP address (for fraud prevention) and process this information as the publisher's payment-facilitating service provider and key-delivery provider.

2. Categories of Personal Information and Recipients

In the preceding 12 months we collected the following categories of personal information (as defined by Cal. Civ. Code 1798.140) and disclosed them to the categories of third parties listed:

  • Identifiers (name, email, account ID, IP address): disclosed to payment processor, hosting provider, email provider, and campaign counterparties.
  • Commercial information (purchase and transaction records, campaign participation): disclosed to payment processor and the publisher who is merchant of record for a purchase.
  • Internet/network activity (usage data, device and browser information): disclosed to hosting provider.
  • Professional/employment information (publisher company details, creator channel/audience statistics): disclosed to campaign counterparties.
  • Financial-account information (Stripe-connected payout account references; we do not store card numbers): disclosed to payment processor. This is treated as sensitive personal information.
  • Precise geolocation: we do not intentionally collect precise geolocation. To the extent any is inferred from IP address it is treated as sensitive personal information and used only as necessary for fraud prevention.

We do not use or disclose sensitive personal information for purposes other than those permitted as necessary business purposes under Cal. Civ. Code 1798.121. We do not use sensitive personal information to infer characteristics about you.

3. How We Use Information

We use your information to: operate and improve the Platform; process payments; match creators with campaigns; deliver game keys to buyers; provide customer support; send service communications; prevent fraud; and comply with legal obligations.

4. Information Sharing & Service Providers

We share information with the following categories of recipients, each engaged under a written contract that restricts their use of the information to providing services to us (service providers / contractors under Cal. Civ. Code 1798.140):

  • Stripe, Inc. Payment processing, connected-account payouts, and refund handling. For buyer key purchases Stripe processes payment card data under the publisher's connected account as merchant of record; we do not store card numbers.
  • Railway (infrastructure provider). Application hosting and managed PostgreSQL database.
  • Resend (email service). Transactional email delivery (verification emails, key-delivery links, notifications).
  • Twitch / YouTube / Google APIs. When creators connect their accounts, we access public profile information and audience statistics through their respective APIs.
  • Campaign counterparties. Publishers see creator profiles; creators see campaign details. For a key purchase, the publisher who is merchant of record receives the transaction record.

We do not sell your personal information (name, email, payment details, IP address) for money. We may share or license aggregated and de-identified marketplace data, such as sales volume by game title, campaign conversion rates, and creator-level attribution metrics, with industry analysts, publishers, or research firms. Some creator attribution data reflects identifiable public promotional activity. To the extent any disclosure of identifiable creator-attribution data constitutes a "sale" or "sharing" under U.S. state privacy law, you have the right to opt out, and your opt-out cannot be contracted away. See our Do Not Sell or Share My Personal Information page for the operative classification and how to exercise your choice.

5. Data Retention

We retain your personal data for as long as your account is active. When you request account deletion, we process it as follows:

  • 30-day grace period: After you request deletion, there is a 30-day window during which you can cancel the request and keep your account.
  • Personal data removed: After the grace period, we permanently delete or anonymize your profile information, messages, connected accounts, preferences, and other personal data.
  • Financial records retained: Payment records, invoices, and transaction data are retained for 7 years as required by tax law (IRS recordkeeping and information-reporting obligations).
  • Compliance records retained: FTC compliance records are retained for 5 years. Fraud prevention and platform safety records are retained for 3 years, as permitted under the deletion exceptions of applicable U.S. state privacy law.
  • Anonymized data: Retained records are linked to a generic "Deleted User" label with no personally identifying information.

5a. Game Buyer Data Retention

Buyer purchase records (including email) are retained for the chargeback dispute window (up to 540 days) plus 7 years for tax/financial reporting. Buyer IP addresses in access logs are retained for fraud prevention during the chargeback window. Buyers may request anonymization of their email at any time; if the purchase is within the retention period, the email is replaced with an anonymous identifier while the financial record is preserved.

5b. Non-User PII Cleanup

Expired team invitation emails and unclaimed referral emails are automatically deleted on a regular schedule (90 days for unclaimed referrals, immediately upon expiry for team invitations).

6. Your Privacy Rights

We extend the following rights to all U.S. residents:

  • Right to know / access: Know the categories and specific pieces of personal information we collect, use, and disclose, and obtain a copy. Download your data from Settings > Export My Data, or email privacy@castpact.com.
  • Right to correct: Correct inaccurate personal data via your account settings.
  • Right to delete: Delete your account and personal data via Settings > Delete Account, subject to the retention exceptions above. You can also email privacy@castpact.com.
  • Right to opt out of sale/sharing: Opt out of any sale or sharing of your personal information. See Do Not Sell or Share My Personal Information.
  • Right to limit sensitive personal information: Direct us to limit use of sensitive personal information to permitted business purposes.
  • Right to portability: Download your data in machine-readable JSON format via Settings > Export My Data.
  • Right to non-discrimination: Exercise these rights without receiving discriminatory treatment.
  • Right to appeal (where applicable): Residents of states that provide an appeal right (for example Virginia, Colorado, Connecticut, Texas, and Oregon) may appeal a denied request by replying to our decision or emailing privacy@castpact.com.

To exercise any of these rights, visit your account settings or contact privacy@castpact.com. We will confirm receipt within 10 business days and respond within 45 calendar days. We may extend that period by an additional 45 days when reasonably necessary, and will notify you of any extension. We will verify your identity before fulfilling a request. You may use an authorized agent to submit a request on your behalf with proof of authorization.

Game buyers without an account: You may request access to or deletion of your purchase data by emailing privacy@castpact.com with the email address used for the purchase. We will verify your identity via that email before processing the request.

7. Do-Not-Track and Opt-Out Preference Signals (Global Privacy Control)

Some browsers transmit a "Do Not Track" (DNT) signal. There is no industry-standard response to DNT, and because we do not engage in cross-site behavioral advertising, we do not change our practices in response to a DNT signal.

We recognize the Global Privacy Control (GPC) and other opt-out preference signals as a valid request to opt out of any sale or sharing of personal information. When we detect a GPC signal from your browser or device, we treat it as an opt-out for that browser or device and, where you are logged in, for the account associated with it, and we display confirmation that the signal has been recognized.

8. Cookies

We use the following cookies and local storage:

  • Session cookie (essential): Maintains your authenticated session. Cannot be disabled.
  • Theme preference (functional): Stores your light/dark mode preference in localStorage.
  • Visitor ID (functional): Anonymous identifier for A/B testing on game store pages. Does not contain personal information.

We do not use third-party advertising or cross-site analytics cookies.

9. Security

We implement reasonable security measures designed to protect personal information, including: encryption in transit (TLS) and at rest; secure password hashing (bcrypt); encrypted storage of OAuth tokens (AES-256-GCM); two-factor authentication (TOTP); rate limiting on sensitive endpoints; and regular security reviews. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Data Breach Notification

If we become aware of a breach of the security of the system that compromises unencrypted personal information, we will notify affected individuals and, where required, applicable regulators without unreasonable delay and in the manner and time required by applicable law, including the breach-notification statutes of California and Idaho.

11. Where Your Data Is Processed

The Platform is offered only to U.S. residents, and your data is processed in the United States.

12. Children's Privacy

The Platform is not intended for users under 18, and we do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a minor, we will delete it. If you believe a minor has provided us with personal information, please contact privacy@castpact.com.

13. Copyright, Abuse, and Non-Consensual Imagery

To report copyright infringement, abuse, or non-consensual intimate imagery involving content on the Platform, see our Copyright and DMCA Policy and Acceptable Use Policy, or contact our designated agent at copyright@castpact.com.

14. Consent

By creating an account, you acknowledge that you have read and agree to this Privacy Policy and our Terms of Service. We record the date and time of your acceptance. You may withdraw consent for optional processing at any time without affecting the lawfulness of processing based on consent before withdrawal.

15. Changes

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users. Continued use of the Platform after changes constitutes acceptance.

16. Governing Law

This Privacy Policy and any dispute relating to it are governed by the laws of the State of Idaho and the dispute-resolution provisions of our Terms of Service, except where an applicable U.S. state privacy law grants you rights or remedies that cannot be waived.

17. Contact

For privacy inquiries or to exercise your data rights:

  • Email: privacy@castpact.com
  • Postal: CastPact LLC, Attn: Privacy, 784 Clearwater Loop, #4458, Post Falls, ID 83854, USA

CastPact LLC, an Idaho limited liability company. 784 Clearwater Loop, #4458, Post Falls, ID 83854, USA.

Questions? legal@castpact.com · privacy@castpact.com