Privacy Policy
Last updated: 27 March 2026
[Company Name] ("we", "us") operates Someta. This policy explains what data we collect, why, and what you can do about it. We do not knowingly collect data from anyone under 18.
1. What we collect
Data you provide directly:
- Name, email address, and business details when you register
- Social media access tokens needed to publish on your behalf
- Content you upload — images, brand guidelines, etc.
- Payment information processed by Stripe. We never see your card number.
Data collected automatically when you use the service:
- IP address and approximate location
- Browser type, operating system, and device information
- Pages visited, actions taken, and timestamps
- Error logs and performance data
2. Why we collect it
We use your data to run the service: creating posts, scheduling them, and publishing to your connected accounts. Our legal basis is contractual necessity for data required to deliver the service, and legitimate interest for improving it and for server security and error monitoring.
We may occasionally send you service updates or feature announcements by email. Our legal basis for this is legitimate interest. You can unsubscribe at any time using the link in any email we send.
We do not sell your data or use it for advertising.
3. Who sees your data
We share data only with the service providers needed to run Someta:
- Supabase — database and authentication, hosted in the EU
- Sentry — error monitoring, performance tracking, and session replay (on consent), hosted in the EU
- Stripe — payment processing (US-based; see section 5)
- Meta / LinkedIn — to publish posts to your connected accounts (US-based; see section 5)
- n8n — our automation infrastructure, running on our own servers
- Google Gemini (Google LLC) — used to generate post text, captions, and images. Your content is not used to train AI models. Google processes data under Standard Contractual Clauses (SCCs); see the Google Cloud Data Processing Addendum.
We do not share your data with anyone else.
4. Our role: controller and processor
For your account and billing information, we act as the data controller — we decide how that data is used.
For the social media content we create and publish on your behalf, we act as a data processor — we only handle it according to your instructions. If your plan involves personal data about your own customers (e.g. testimonials), you remain the controller for that data. Contact us at info@someta.fi if you need a formal Data Processing Agreement (DPA).
5. International data transfers
Some of our service providers — Stripe, Meta, LinkedIn, and Google (Gemini) — are based in the United States. Transferring data outside the EU/EEA is only done where adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
6. How we protect your data
All data is transmitted over encrypted HTTPS connections. Data at rest is stored on Supabase infrastructure with encryption enabled. Access to production systems is restricted to authorised personnel only. We review our security practices regularly.
7. How long we keep it
Account data, posts, and uploaded content are kept for the duration of your subscription plus 60 days, then permanently deleted. You can request deletion earlier.
Payment and invoice records are kept for 6 years; annual financial statements are kept for 10 years, as required by Finnish accounting law (kirjanpitolaki 1336/1997). These cannot be deleted on request.
Server logs and technical data are retained for up to 90 days for security and debugging purposes.
Activity and audit logs (post approvals, team actions) are kept for up to 2 years.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data in certain circumstances (Art. 17)
- Restrict how we process your data (Art. 18)
- Export your data in a portable format (Art. 20)
- Object to processing based on legitimate interest, including direct marketing — if you object to marketing, we will stop immediately (Art. 21)
- Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing
Some data fields are required to deliver the service (name, email, social media access tokens). Others are optional (brand voice description, contact person name). Withholding required fields means we cannot provide the service.
We do not make solely automated decisions that produce legal or similarly significant effects on you. Account suspension for policy violations involves human review.
To exercise any of these rights, email info@someta.fi. We will respond within 30 days.
You can also file a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi · tietosuoja@om.fi
9. Data breaches
If we become aware of a data breach that is likely to affect your rights, we will notify you by email without undue delay. We will also report the breach to the Finnish Data Protection Ombudsman within 72 hours as required by GDPR.
10. Cookies
We use one analytics cookie (analytics_consent) to remember your consent choice and, if you agree, to enable usage analytics via PostHog and session replay via Sentry. This cookie is stored for 12 months and is never used for advertising or shared with third parties. You can withdraw consent at any time by clearing this cookie in your browser settings or by contacting us.
11. Changes to this policy
If we make significant changes to how we handle your data, we will notify you by email before the changes take effect. The "last updated" date at the top of this page always reflects the current version.
Data controller: [Company Name]
Address: [Company Address], Finland
Contact: info@someta.fi