GDPR Compliance
Last updated: March 20, 2026
Our Commitment
Somemind is built with privacy by design. We are fully committed to GDPR compliance and protecting the personal data of our users. Our infrastructure is hosted in the EU, we use strong encryption, and we provide full transparency over how your data is processed.
1. Data Controller
Punasaari Research
Vantaa, Finland
Email: info@punasaariresearch.fi
Phone: +358 40 815 9174
2. Data Processing Agreement (DPA)
In accordance with Article 28 of the GDPR, we offer a Data Processing Agreement to all workspace owners. The DPA can be accepted directly within the platform at Settings > GDPR & Privacy.
The DPA covers:
- Purpose and scope of data processing
- Obligations of the processor (Somemind)
- Sub-processor list and notifications
- Data security measures
- Audit rights
- Data return and deletion procedures
3. Data We Process
| Data Category | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Account info (name, email) | Authentication | Contract | Until deletion |
| Social media tokens | Publishing | Contract | Until disconnection |
| Content (posts, media) | Service delivery | Contract | Until deletion |
| Payment info | Billing | Contract / Legal | 6 years (accounting law) |
| Usage logs | Limit enforcement | Legitimate interest | 12 months |
| Audit logs | Security | Legitimate interest | 12 months |
| Locale preference | Language setting | Consent | 1 year (cookie) |
4. Your Rights
Under the GDPR, you have the following rights:
Right of Access (Art. 15)
You can request a complete copy of all personal data we hold about you. Contact us at info@punasaariresearch.fi and we will respond within 30 days.
Right to Rectification (Art. 16)
You can update your personal information at any time through your account settings or workspace settings.
Right to Erasure (Art. 17)
You can request complete deletion of your account and all associated data. This is available at Settings > GDPR & Privacy > Request Account Deletion. After requesting deletion, there is a 30-day waiting period during which you can cancel the request. After 30 days, all data is permanently and irreversibly deleted.
Right to Restriction (Art. 18)
You can request that we restrict processing of your data while a dispute is being resolved.
Right to Data Portability (Art. 20)
You can export your data in a machine-readable format. Contact us to receive your data export.
Right to Object (Art. 21)
You can object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
5. Security Measures
We implement the following technical and organizational measures:
- Encryption at rest: Social media tokens encrypted with AES-256-GCM (iv:tag:cipher format)
- Encryption in transit: All communications over HTTPS/TLS 1.3
- Data isolation: Row Level Security (RLS) ensures strict workspace-level data separation
- Access control: Role-based access (owner/admin/member) with workspace membership verification on every request
- Authentication: Supabase Auth with secure session management, optional Google OAuth
- Admin protection: TOTP two-factor authentication, IP whitelist, brute force protection (5 attempts = 30-minute lockout)
- Rate limiting: API rate limits to prevent abuse (10-60 req/min depending on endpoint)
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Input validation: All user inputs validated with Zod schemas
- Audit logging: All critical actions logged immutably
6. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | EU (Frankfurt) |
| Vercel | Application Hosting | EU (Stockholm) |
| Cloudflare | File Storage (R2) | EU |
| Stripe | Payment Processing | EU / US (PCI DSS) |
| Resend | Transactional Email | US (SCCs) |
| Google (Gemini) | AI Content Generation | US (SCCs, no PII sent) |
| FAL.ai | AI Image Generation (FLUX Schnell) | US (SCCs, no PII sent) |
| FAL.ai | AI Video Generation | US (SCCs, no PII sent) |
7. Breach Notification (Art. 33/34)
In the event of a personal data breach, we will:
- Notify the Finnish Data Protection Authority within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights
- Document the breach, its effects, and remedial actions in our breach notification system
Our admin panel includes a dedicated breach notification tool for rapid response.
8. International Data Transfers
Where data is transferred outside the EU/EEA (e.g., to US-based sub-processors), we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs)
- Supplementary technical measures (encryption, pseudonymization)
- Transfer Impact Assessments
No personal data is sent to AI providers — only content prompts and brand context are shared for content generation.
9. Cookies
We use only essential cookies:
- somemind_locale: Language preference — essential for service delivery
- sb-* (Supabase): Authentication session — essential for login
We do not use analytics, advertising, or tracking cookies. A cookie consent banner is displayed on first visit.
10. Contact & Complaints
For any GDPR-related questions or requests:
Email: info@punasaariresearch.fi
Phone: +358 40 815 9174
If you are not satisfied with our response, you have the right to lodge a complaint with:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Lintulahdenkuja 4, 00530 Helsinki, Finland
Website: tietosuoja.fi