Somemind

Privacy Policy

Last updated: March 20, 2026

1. Data Controller

Punasaari Research
Vantaa, Finland
Email: info@punasaariresearch.fi
Phone: +358 40 815 9174

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, and password (hashed) when you create an account.
  • Workspace data: Company name, business identifier (Y-tunnus), and brand preferences you provide.
  • Social media tokens: OAuth access tokens for connected platforms (Instagram, Facebook, TikTok). These are encrypted with AES-256-GCM and stored securely.
  • Content data: Posts, captions, images, and videos you create or that our AI generates on your behalf.
  • Usage data: Feature usage statistics, AI generation counts, and subscription status.
  • Technical data: IP address, browser type, device information, and cookies for authentication and language preferences.
  • Payment data: Processed by Stripe. We do not store credit card numbers.

3. Purpose of Processing

We process your data for the following purposes:

  • Providing and maintaining the Somemind service
  • Authenticating users and managing sessions
  • Connecting and managing social media accounts
  • Generating and publishing AI content on your behalf
  • Processing payments and managing subscriptions
  • Sending transactional emails (invitations, weekly digests, billing notifications)
  • Improving our service through anonymous usage analytics

4. Legal Basis

We process personal data based on:

  • Contract performance (Art. 6(1)(b) GDPR): To provide the services you have subscribed to.
  • Legitimate interest (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvement.
  • Consent (Art. 6(1)(a) GDPR): For optional cookies and marketing communications.

5. Data Storage and Security

  • Hosting: EU region (Stockholm, Sweden) via Vercel and Supabase.
  • File storage: Cloudflare R2 with signed URLs (EU jurisdiction).
  • Encryption: All social media tokens are encrypted with AES-256-GCM. All data is transmitted over HTTPS/TLS.
  • Access control: Row Level Security (RLS) ensures workspace-level data isolation.
  • Admin access: Protected by TOTP two-factor authentication, IP whitelist, and brute-force protection.

6. Data Sharing

We share data only with the following third-party processors:

  • Supabase (Pty Ltd): Database and authentication — EU region
  • Vercel Inc: Application hosting — EU region (Stockholm)
  • Cloudflare Inc: File storage (R2) — EU jurisdiction
  • Stripe Inc: Payment processing — PCI DSS certified
  • Resend Inc: Transactional emails
  • Google (Gemini AI): AI content generation — no personal data sent, only content prompts
  • Meta Platforms: Social media publishing via authorized APIs
  • ByteDance (TikTok): Social media publishing via authorized APIs

We do not sell personal data to third parties.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
  • Content data: Retained while your subscription is active.
  • Audit logs: Retained for 12 months for security purposes.
  • Payment records: Retained for 6 years as required by Finnish accounting law.

8. Cookies

We use the following cookies:

  • somemind_locale: Language preference (essential, 1 year)
  • sb-*: Supabase authentication session (essential, session)
  • somemind_cookie_consent: Cookie consent preference (stored in localStorage)

We do not use advertising or tracking cookies.

9. Your Rights (GDPR)

As a data subject, you have the right to:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Correct inaccurate data via your account settings.
  • Erasure (Art. 17): Request deletion of your account and data. Available in Settings > GDPR.
  • Portability (Art. 20): Export your data in a machine-readable format.
  • Restriction (Art. 18): Request restriction of processing.
  • Objection (Art. 21): Object to processing based on legitimate interest.

To exercise your rights, contact us at info@punasaariresearch.fi.

10. Supervisory Authority

You have the right to lodge a complaint with the Finnish Data Protection Ombudsman:
Tietosuojavaltuutetun toimisto
Lintulahdenkuja 4, 00530 Helsinki
tietosuoja.fi

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email or in-app notification. Continued use of the service after changes constitutes acceptance.