GDPR Knowledge

Podigee and Data Protection – What Belongs in Your Privacy Policy

Concise guide to Podigee: data processed, purposes, GDPR legal bases, DPA, and what website operators must include in their privacy policy for the Podigee podcast player.

If a website operator uses the Podigee podcast player, they typically process web server log data and – depending on configuration – listening statistics for the purpose of providing podcast episodes, usually on the basis of third-party content consent or a legitimate interest in functionality. This page on Podigee data protection explains the data flow when embedding the player, the data processing agreement (DPA) and the mandatory information for the privacy policy.

A. Purpose and Functionality of Podigee

Podigee is a podcast hosting and distribution service of Podigee GmbH, based in Berlin. Website operators that produce a podcast host their episodes with Podigee and can embed the Podigee player into their website via an iFrame or embed snippet. When the page is loaded, the visitor's browser fetches the player and – on playback – the audio file directly from Podigee servers.

This article focuses on this integration function (embedding the Podigee player into a website). Podigee also offers other services such as podcast distribution to directories (Apple Podcasts, Spotify), listening statistics, dynamic advertising and guest management; these features lie outside the typical player embedding and are not addressed in detail here.

Loading the player and playing back an episode establish a direct connection between the visitor's device and Podigee servers. According to Podigee, web server log data and listening statistics are recorded in line with the IAB standard for podcast measurement.

B. Mandatory Information in the Privacy Policy When Using Podigee

The GDPR requires website operators to inform visitors transparently about data processing. In addition to general information on the controller, data subject rights and the supervisory authority, the following items are mandatory when using a tool such as Podigee:

  • the purposes of processing (Art. 13(1)(c) GDPR),
  • the legal bases of processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
  • and – where data is not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR).

These items are broken down for Podigee in the following sections.

In practice, it is not necessary to list every individual tool – including Podigee – with its own text block. The widespread "text-block-per-tool" approach has become bad practice: long, formulaic texts that repeat themselves and make the privacy policy hard to maintain. A topic-oriented approach that describes processing such as third-party content and audio embeds across the board and names specific providers in a recipient list in the appendix is more appropriate. The matterius generator implements this method.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Podigee

According to publicly available information from Podigee, the contracting party for website operators based in Germany is

Podigee GmbH
Schlesische Strasse 20
10997 Berlin, Germany

Podigee is a German provider based in Berlin and is directly subject to the GDPR and German data protection law. According to the provider, no third-country transfer within the meaning of Art. 44 et seq. GDPR takes place for core processing; processing is essentially carried out on servers in the EU. Sub-processors should be checked against the Podigee sub-processor list.

Podigee's privacy notices are available at https://www.podigee.com/de/about/privacy/; additional information on listening statistics and IAB measurement is available in the Podigee help documentation at https://www.podigee.com/de/help/.

D. Podigee Data Processing – Step by Step

  1. Collection: when a page with the Podigee player embedded is loaded, the visitor's browser establishes a direct connection to Podigee servers. Podigee receives the IP address, user agent, referrer and technical request metadata. When an episode is played, the audio file request is also logged.
  2. Storage: Podigee stores web server log data and – where configured – listening statistics in line with the IAB standard for podcast measurement. According to the provider, processing takes place on servers within the EU.
  3. Use: Podigee uses the data to deliver player code, cover images and audio files, ensure operations, protect against abuse and produce listening statistics. The website operator receives aggregated analyses (e.g. listener counts, devices, regions) via the Podigee back-end.
  4. Disclosure: according to its own information, Podigee uses technical sub-processors (e.g. hosting infrastructure, CDN). According to Podigee, no disclosure for own marketing purposes to independent third parties takes place for the player service.
  5. Deletion: retention periods are set out in Podigee's privacy notices. Website operators can remove the player from the website or close the account; aggregated, non-personal statistics may continue to be processed by Podigee.

E. Data Collected When Using Podigee

When a website with the Podigee player embedded is loaded, the following data, in particular, is transmitted to Podigee servers: IP address, date and time of the request, URL of the requested player or audio file, referrer URL, user agent (browser name, browser version, operating system, device type) and additional technical metadata. During playback, playback events (e.g. start, pause, skip, seconds played) are also captured and can be used for aggregated listening statistics.

This data falls into the following standardised data categories:

  • Web server log data: data the third party's web server receives with each request, including IP address, date, time, URL of the requested content, referrer, browser/OS/device information, and additional technical metadata.
  • Device data: information about the user's device, e.g. device type and operating system.
  • Browser information: information about the browser used, e.g. browser name and version.
  • Coarse location data: approximate location of the user (city or municipality level) derivable from the IP address.
  • Interaction data: information about how the user operates the player, e.g. clicks on play/pause/skip or scroll/touch actions with date and time.
  • Conversion events: interactions defined by the website operator as relevant for performance analysis, e.g. listening to an episode or reaching certain timestamps.
  • Technical telemetry data: technical data on the playback flow, e.g. load times, data volumes and status codes.

F. Purposes When Using Podigee

The website operator primarily uses Podigee to make their podcast accessible under their own domain or embedded on their own website, deliver episodes reliably and measure listener counts and reach.

The purposes fall into the following standardised categories:

  • Functionality provision: providing the player and audio delivery function on the website, including error detection and avoidance, and presenting interactive content.
  • Security and abuse protection: ensuring data security in player embedding, detecting and stopping attacks as well as bot and abuse defence.
  • General product improvement: non-user-individual adjustments to the podcast offering, e.g. optimisation of episode lengths or topics based on aggregated listening statistics.
  • General marketing: general reach analysis, e.g. evaluating the reach of the podcast as a whole.

Podigee falls into the third-party content category (audio player embed via third-party servers) and – depending on configuration – additionally into the tracking (statistics) category for listening data.

Possible legal bases include:

  • Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG: with online embedding of the player, web server log data is transmitted to third-party servers when the player is loaded and played. Third-party content consent obtained via the consent banner is generally regarded as the appropriate basis, in particular where playback sets cookies or where listening statistics are personal.
  • Legitimate interest under Art. 6(1)(f) GDPR: with a sparing configuration (e.g. click-to-play, no cookies, anonymised listening statistics in line with the IAB standard), processing can in narrow limits rely on legitimate interests in functionality provision, efficiency and security. For reach-based analysis ("business steering", "improvement"), the legal basis must be assessed in each case.

The legal basis is case-specific and must be assessed by the website operator on the merits.

H. Special Considerations and Notes on Podigee

  • Based in Germany: Podigee is a German provider directly subject to the GDPR and German data protection law. According to the provider, third-country transfers within the meaning of Art. 44 et seq. GDPR are generally not expected for core processing; specific sub-processors are listed in the sub-processor list.
  • DPA: for its hosting and player services, Podigee as a rule provides a data processing agreement (DPA). It should be concluded prior to productive use where the processing qualifies as commissioned processing; the precise role must be assessed in each case.
  • IAB-compliant listening statistics: Podigee offers listening statistics in line with the IAB standard for podcast measurement. The standard is designed for aggregated reach measurement; depending on configuration, personal data may still be involved.
  • Cookies: according to the provider, the Podigee player does not, as a rule, set extensive tracking cookies in the default configuration; this should be verified case by case.
  • Click-to-play as an alternative: where the player is loaded only after active user interaction, data transmission to Podigee can be limited to the moment of conscious player activation.
  • Sub-processors: Podigee uses sub-processors for hosting and delivery; the website operator should refer to the DPA or Podigee's documentation for an up-to-date list.
  • Settings for the website operator: control player embedding via the consent banner; consider click-to-play; configure listening statistics in the Podigee back-end as required.

This presentation is based on publicly available information from Podigee and other publicly available sources; it does not replace a case-by-case assessment.

I. FAQ on Podigee Data Protection

J. Conclusion on Podigee Data Protection and Next Step

As a German provider, Podigee offers an established solution for podcast hosting and player embedding. From a data protection perspective, what matters is the data flow during player embedding (IP address, web server log data), the configuration of listening statistics and the conclusion of a DPA. A clear advantage over US providers is that processing takes place within the EU; third-country transfers are generally not expected for core processing. Website operators should embed the player on a consent basis or via click-to-play and present purposes, data categories, recipients and legal basis transparently in the privacy policy.

For the privacy policy itself: it is generally not useful to maintain a separate text block for Podigee. Doing so makes the privacy policy long, unwieldy and hard to maintain and conflicts with the transparency principle in Art. 12(1) GDPR. A topic-oriented approach that describes third-party content and audio embeds across the board and only lists specific providers such as Podigee in a "Recipients" appendix is more appropriate. This is exactly what the matterius generator delivers.

This article provides general information about Podigee and does not replace legal advice on individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
