PRESTOplay end-user privacy notice

This privacy notice applies to our media player, PRESTOplay. castLabs, we, our, and us refers to castLabs GmbH, castLabs Inc.

What is PRESTOplay?

PRESTOplay is a video streaming player that makes it possible for the app or browser you are using with your content provider to deliver the right video to your device and play it correctly, no matter your device’s operating system. PRESTOplay is seamlessly integrated in the apps and services you use, so you are likely not aware of PRESTOplay running on your device. Our technology is typically used when you view content provided by your content provider. Find out more in the short glossary we’ve put together below.


  • client/customer: Our customers are companies who rely on our technology and services to deliver video content to your device. Their expertise is packaging and offering you video content while ours is making the technical distribution of that content to you possible.

  • end user: You are the end user. You have a service agreement with the content provider and we support them in getting the videos you request to your device.

  • data controller: A data controller is a company that determines what personal data is needed and defines the purposes for that data collection and use. The reason you are reading this notice is because castLabs is a data controller.

If the integration is so seamless, why do I need to know about it?

We take our data protection obligations seriously. This privacy notice describes how we collect and process your data for our own use. Under the General Data Protection Regulation (GDPR), data related to your device is personal data. If we process that data for our own purposes we become responsible for it as data controllers. This means we must be transparent about what we do with your data.

Who we are and how to contact us

The data controller providing this policy is castLabs GmbH. You can reach us by post (Wilhelmine-Gemberg-Weg 5-7, 10179 Berlin, Germany) or by email at

Our appointed Data Protection Officer (DPO) is TechGDPR DPC GmbH. You can reach them by post (Prenzlauer Allee 53, 10405, Berlin, Germany) or by email at

Data processing by castLabs

The purposes served by the data we process

We process your personal data in order to check for the validity of licenses of the use of our software. In other words, we verify that our customer, the company providing you with video content, is making use of a valid license of our software. This is done under our legitimate interest (GDPR Art. 6.1.f).

We also process your data (i.e. data about the software operated on your device in which our player operates) to analyse the player environment and acquire viewing metrics (statistics). This allows us to understand which versions of operating systems and software are more reliable than others and consequently decide which version of our software deserves an update.

How we legitimise and retain this data

Purpose served

Legitimation of the purpose

Retention period *

Data processed to help acquire viewing metrics

Legitimate interest (GDPR Art. 6.1.f)

This data is not stored but is rather used to calculate sums and ratios (raw data is not retained by castLabs)

Only for certain castLabs customers, raw data is kept raw for 12 months.

Data processed to help prevent unauthorised / expired licenses from being used

* If you would like to find out which of the two options apply to you directly, feel free to contact us.

What third party service providers we rely on and whether your data travels out of the European Union (EU)

The tools that we rely on to process your data were developed by us. We host our tools on Amazon Web Services (AWS), located in the EU.

What data is being processed

The purpose this processing serves for castLabs

Data point processed

Purpose of the data point

Helps acquire viewing metrics


This informs on the Version of our software that triggered the request


This informs on the basic playback content type (eg: live, video-on-demand)


This informs on the type of content


This informs on the device manufacturer (eg: LG)


This informs on the device model (eg: Nexus 5X)


This informs on the OS family (eg: Android)


This informs on the OS version (eg: 7.0.0)


This informs on the list of enabled player plugins (eg: download, VR, thumbnails, etc.)


This informs on the type of digital rights management (DRM) solution implemented


This informs on the the type of Content Decryption Module (CDM)



This informs on the DRM security level implemented


This helps initiate playback depending on whether the license is stored or persistant

Helps prevent unauthorised / expired licenses from being used


This is used in case no referrer URL can be found in the headers


This informs the castLabs license key attributed and used by the client

Note that when you make use of your content provider services, more personal data might also be used. This will be outlined in their privacy policy. As far as castLabs is concerned, this notice outlines all you need to know. We intend to review this policy once a year or sooner, when necessary.

Data belonging to children

We do not knowingly or purposefully collect personal information from under age users, nor is the data processed about the individual themselves, but rather their device.

Data used to communicate with you directly

We may use your information in order to respond to your enquiries. The data you thus provide constitutes your name or pseudonym, your email address, the nature and content of your request. We collect this information under performance of a contract (GDPR Art.6.1.a) and retain it for 12 months.

When contacting us in order to formulate a data subject rights request, we process this information under legal obligation (GDPR Art.6.1.c) to perform these requests. We keep a data-minimised record of your request for 25 months in order to fulfil our obligation to demonstrate compliance (GDPR Art.24.1). Data-minimized records don’t directly identify you but help us show data protection authorities we have addressed a request similar to your own on a specific date.

What rights you can exercise in relation to this data processing

Rights relative to data processing


  • We do not hold a profile or an account related to a user of our technology. This makes us essentially unable to trace a data subject request to a specific data set.

  • Determining viewing metrics (counting views) or determining whether a license has expired is done in real time. This means we do not hold on to (store) personal data once we have counted a view or determined whether a license is still valid. However, for some of our customers (your content provider as an end user), we do keep these metrics for 12 months. This scenario applies with customers we bill “per view” or “per user”. Keeping this non-identifying information allows us to retain view / viewer volumes to potentially settle outstanding billing issues.

  • Your device’s data is not used to profile you, nor does it allow us to identify you. This considered, the data cannot be used to make decisions about you, much less decisions that would impact your rights and freedoms.

  • This implementation of privacy-by-design (GDPR Art.25) is in strict application of purpose limitation (GDPR Art.5.1.b) and storage limitation (GDPR Art.5.1.e).

  • Since the processing takes place in milliseconds and your data is not saved, we can only help you exercise the below rights in a very limited manner. Please consult the below table for clarification.

Rights Applicability Description / justification
Right of access Partially available As outlined above, our storage of the data depends on the contract we have with your content provider. If we bill them “per view”, we hold on to this data for 12 months, otherwise we do not store it. If you so wish, please get in touch with us and provide us the name of the content provider you use to access videos. We will be able to tell you which data points are processed (see table above) but since we cannot identify you, we will not be able to tell you which combination of values these data points constitute. Please see the table above “What data is being collected and what purposes it serves”.
Right to restrict Not available Article 18 of the GDPR provides you the right to obtain from the controller restriction of processing where one of the following applies:
a) you contest the accuracy of the personal data;
b) the processing is unlawful;
c) we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;
d) you have objected to processing (see below).
Right to rectify Not available Article 16 of the GDPR provides the right to obtain from us that we rectify inaccurate personal data concerning you. Considering a) the data is not about you but your device, b) it is automatically shared by your device in a form that cannot be inaccurate, there is no need for rectification. Additionally, since we do not store your data, we are technically unable to rectify it. This right is consequently not available to you.
Right to erasure Not available Article 17 of the GDPR defines your right to erasure as obtaining from us the erasure of your personal data without undue delay. However, considering we do not store your data, we cannot exercise this right.
Right to object Partially available

Article 21 of the GDPR provides the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data when the processing is based on legitimate interest.

The right to object allows you to request that we halt the processing of your data until we have demonstrated compelling legitimate grounds for the processing which override your interests, rights and freedoms. However, considering the processing takes place in milliseconds and your data is not saved, we cannot help you exercise this right for data we have processed in the past.

If you object to the future processing of data, should you make use of an app integrating our technology, we are happy to make available our documented Legitimate Interest Assessment in order to demonstrate our compelling legitimate grounds. Please get in touch with us to request a copy of this document.

Please note we do not proceed to profiling of any kind nor do we use your data for direct or indirect marketing.

The right to lodge a complaint with a supervisory authority

Our company is registered at:

Berliner Beauftragte für Datenschutz und Informationsfreiheit, An der Urania 4-10, 10787 Berlin, Phone: 030/138 89-0,

You can contact us at for more information and if not satisfied by our response, you have the right to lodge a complaint to the data protection authority of your choice.

Note that castLabs may refuse to process requests that are unreasonably duplicated, require disproportionate technical efforts, jeopardize the confidentiality of other users, requests which are extremely impractical, or otherwise not required by law. The exercise of your rights, when they are not repetitive and unreasonable, is not subject to a fee.

Contacting us and updates to this policy

We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the bottom of this page. Each time you interact with PRESTOplay, that interaction will be subject to the version of the policy in use at that time. We will record past versions of this policy through an archive on this page. If you have any questions about this policy, please get in touch with us.

Policy version effective as of: 27 Sept 2021