Privacy Policy

Last updated: 23 May 2026

SMTA Socials (Y-tunnus 3612172-8, Hernetie 4 c 87, 01300 Vantaa, Finland — "we", "us", "Someta") operates the Someta service. This policy explains what personal data we collect, why, and what rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (1050/2018). We do not knowingly collect data from anyone under 18. Someta is established in the EU and no Art. 27 GDPR representative is required. We have appointed a data protection contact for all privacy matters, reachable at privacy@someta.fi (general enquiries: info@someta.fi).

1. What we collect

Data you provide directly:

  • Name, email address, and business details when you register
  • Social media access tokens needed to publish on your behalf
  • Content you upload — images, brand guidelines, prompts, voice notes
  • Payment information processed by Stripe — we do not receive your full card number, only the last four digits and brand for receipts

Data collected automatically when you use the service:

  • IP address and approximate location
  • Browser type, operating system, and device information
  • Pages visited, actions taken, and timestamps
  • Error logs and performance data
  • If you consent to analytics cookies: product-analytics events via PostHog and (if you also consent to session replay) anonymised session recordings via Sentry — see §11

2. Why we collect it (legal bases)

  • Contractual necessity (Art. 6(1)(b)): running the service — generating, scheduling and publishing posts to your connected accounts; handling subscriptions and invoices.
  • Legal obligation (Art. 6(1)(c)): accounting and tax records under Finnish law; responding to lawful requests from competent authorities.
  • Legitimate interest (Art. 6(1)(f)): service security and abuse prevention; debugging and error monitoring; improving product features at an aggregated, non-identifying level; sending you transactional emails and occasional product updates about features similar to those you already use. We have weighed these interests against your rights and consider them proportionate; you can object at any time under Art. 21.
  • Consent (Art. 6(1)(a)): setting analytics cookies (PostHog), enabling session replay (Sentry), participating in pooled learning (§9), and any marketing communications outside the legitimate-interest basis above. Consent is opt-in, granular, and revocable at any time without affecting the lawfulness of prior processing.

When you use AI features, the content you send is transmitted to the model providers listed in §3 solely to generate the output you requested. We retain a record of your acceptance of the Terms of Service (which incorporates the AI acknowledgement under Terms §7) as our contractual basis and audit trail.

We do not sell your data and we do not use it for advertising.

3. Who processes your data on our behalf

We use the following recipients. Those that process personal data on our behalf are sub-processors bound by a written agreement under GDPR Art. 28 — this includes the AI model providers, which process inputs only to return the output you requested, under their API/data-processing terms (no training on your data). Where a recipient instead determines its own purposes — the social platforms you choose to publish to — it acts as an independent or separate controller under its own terms, as noted in the table. The Vercel AI Gateway is a routing/transit layer that forwards AI requests to the upstream model providers listed below; each provider is listed separately with its own safeguards.

Each entry below gives the provider, its purpose, where the data is hosted, and the transfer mechanism relied on.

  • Vercel Inc.
    Purpose: Application hosting, edge runtime, deployment
    Hosting: US (with EU regions used for compute)
    Transfer mechanism: SCCs + EU-US DPF certification

  • Supabase Inc.
    Purpose: Postgres database, authentication, object storage
    Hosting: EU (Frankfurt)
    Transfer mechanism: EU processing; SCCs where any support access is from US

  • Sentry (Functional Software, Inc.)
    Purpose: Error monitoring, performance, session replay (on consent)
    Hosting: EU (Frankfurt)
    Transfer mechanism: EU processing; SCCs where any support access is from US

  • PostHog Inc.
    Purpose: Product analytics (on consent)
    Hosting: EU (Frankfurt) — PostHog Cloud EU
    Transfer mechanism: EU processing; SCCs where applicable

  • Stripe Payments Europe Ltd.
    Purpose: Subscription billing and payment processing
    Hosting: EU (Ireland); US for parent group
    Transfer mechanism: SCCs + EU-US DPF (Stripe Inc.)

  • Vercel AI Gateway (Vercel Inc.)
    Purpose: Transit/routing layer that forwards AI requests to the upstream model providers below. Not a separate data store; does not itself confer a transfer mechanism for the upstream providers — see each provider's entry.
    Hosting: US-routed
    Transfer mechanism: SCCs + EU-US DPF (Vercel); upstreams as listed

  • Google Cloud (Gemini via Vertex AI; Imagen via AI Gateway)
    Purpose: Generative AI for text and images (incl. Gemini image editing)
    Hosting: EU (Vertex AI, europe-west4) for Gemini text + image; US for Imagen via Gateway
    Transfer mechanism: Google Cloud Data Processing Addendum (EU region pinned); SCCs + EU-US DPF for US-routed Imagen; no training on Someta data per the API terms

  • xAI (X.AI LLC, Grok)
    Purpose: Generative AI for images (where routed via AI Gateway)
    Hosting: US
    Transfer mechanism: SCCs where applicable; per provider API terms

  • Black Forest Labs GmbH (FLUX)
    Purpose: Generative AI for images (where routed via AI Gateway)
    Hosting: EU (Germany) / US-routed via Gateway
    Transfer mechanism: SCCs where applicable; per provider API terms

  • Modal Labs, Inc.
    Purpose: GPU compute for image processing (background removal, upscaling, inpainting)
    Hosting: US
    Transfer mechanism: SCCs

  • Upstash, Inc. (QStash)
    Purpose: Job scheduling and asynchronous task queue
    Hosting: EU (Frankfurt)
    Transfer mechanism: EU processing; SCCs where applicable

  • Meta Platforms Ireland Ltd. / LinkedIn Ireland
    Purpose: Publishing content to your connected social accounts. Independent controllers: once content is published to their platforms they process it under their own terms (feed, ads, retention), not as our Art. 28 sub-processors.
    Hosting: EU (Ireland); US for parent groups
    Transfer mechanism: Their own SCCs / EU-US DPF (Meta Platforms, Inc. / LinkedIn Corporation)

  • Resend, Inc.
    Purpose: Transactional email delivery
    Hosting: US, EU region available
    Transfer mechanism: SCCs + EU-US DPF

  • Axiom, Inc.
    Purpose: Server-side log ingestion (debug, security, audit). Logs may contain IP address, request URL, and user-agent.
    Hosting: US
    Transfer mechanism: SCCs + EU-US DPF

  • Twilio, Inc.
    Purpose: SMS phone-verification at registration
    Hosting: EU (Ireland); US for parent group
    Transfer mechanism: SCCs + EU-US DPF

  • Cloudflare, Inc. (Turnstile)
    Purpose: Bot-protection challenge on the waitlist and registration forms. Loaded on those pages only; no Cloudflare tracking on the rest of the site.
    Hosting: EU edge with US controller
    Transfer mechanism: SCCs + EU-US DPF

The current sub-processor list is also maintained at info@someta.fi and we will give 30 days' notice of any addition or replacement (see Terms Annex A6). We do not share your data with anyone outside this list, except where required by law or to defend our legal rights.

4. Our role: controller and processor

For your account and billing information, and for product analytics, we act as the data controller — we decide how that data is used.

For the social media content we generate and publish on your behalf, we act as a data processor — we only handle it according to your instructions. Where that content contains personal data about third parties (for example, customers in a testimonial, or staff in a photo), you remain the controller for that data. The Data Processing Agreement at Terms Annex A governs that processing.

5. International data transfers

Several of the providers listed in §3 are based in or have parent companies in the United States. Where personal data is transferred outside the EEA, we rely on (a) the EU Commission's Standard Contractual Clauses (Decision 2021/914), (b) the EU-US Data Privacy Framework certification of the recipient where applicable, or (c) another lawful transfer mechanism. We carry out transfer impact assessments before adopting new providers in jurisdictions without an adequacy decision.

Copies of the SCCs and DPF certifications are available on request to info@someta.fi.

6. How we protect your data

All data is transmitted over encrypted HTTPS connections. Data at rest is stored on Supabase infrastructure with encryption enabled. Access to production systems is restricted to authorised personnel under contractual confidentiality obligations, audit-logged, and reviewed periodically. We undertake to maintain technical and organisational measures proportionate to the risk under Art. 32 GDPR.

7. How long we keep it

Account data, posts, and uploaded content are kept for the duration of your subscription plus 60 days, then permanently deleted. You can request deletion earlier.

Payment and invoice records are kept for 6 years; annual financial statements are kept for 10 years, as required by Finnish accounting law (kirjanpitolaki 1336/1997). These cannot be deleted on request.

Server logs and technical data are retained for up to 90 days for security and debugging purposes.

Activity and audit logs (post approvals, team actions) are automatically deleted after 2 years to comply with GDPR storage limitation principles.

Records of your acceptance of the Terms of Service and Privacy Policy (including version, timestamp and IP address) are kept for the duration of the contract plus 6 years to satisfy our burden of proof under Art. 7(1) GDPR and the limitation period for contractual claims under the Finnish Code of Obligations.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Correct inaccurate data (Art. 16)
  • Delete your data in certain circumstances (Art. 17)
  • Restrict how we process your data (Art. 18)
  • Export your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest, including direct marketing — if you object to marketing, we will stop immediately (Art. 21)
  • Withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing

Some data fields are required to deliver the service (name, email, social media access tokens). Others are optional (brand voice description, contact person name). Withholding required fields means we cannot provide the service.

We do not make solely automated decisions that produce legal or similarly significant effects on you under Art. 22 GDPR. Account suspension under Terms §9 involves human review. Note that our payment provider Stripe runs automated fraud checks (Stripe Radar) on transactions, which can decline a charge; if that happens, we will work with you to resolve it. Product analytics via PostHog produces aggregated behavioural insight but does not produce individual decisions about you.

To exercise any of these rights, email info@someta.fi. We will respond within one month of receiving your request, as required by Art. 12(3). Where a request is particularly complex or numerous, we may extend this period by a further two months and will tell you within the first month why.

You can also file a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi · tietosuoja@om.fi, or with the supervisory authority of your habitual residence or place of work.

9. Pooled learning, biometric processing, and AI training

No training on your data. Someta does not use your prompts, uploaded images, generated outputs, or brand kit content to train its own models or contribute to third-party model training. The AI sub-processors listed in §3 operate in inference-only mode for traffic routed through Someta, and their API terms prohibit training on data we send. If we ever introduce a feature that trains on customer data, we will request your specific consent first and re-publish this Privacy notice with the change disclosed in the version history.

No biometric inference (EU AI Act Art. 50(3) / GDPR Art. 9 special-category). The Studio Photoshoot pipeline does not extract face embeddings, voice prints, or other biometric templates from your uploaded photos. It does not infer emotion, age, gender, or any other special-category attribute. BiRefNet (background removal) produces an alpha mask, not an identity vector. Where a photo contains a face, the face is processed only as image pixels by inference-only models and is not retained as biometric data. If a future feature changes this (for example, identity-preserving edits across images), we will refresh our DPIA, publish a notice under Art. 50(3), and request your explicit consent before enabling it for your account.

Pooled learning (optional, consent-based). During onboarding you can choose to participate in pooled learning. If you opt in, we may use anonymised, aggregated signals from your content (such as which post styles perform well) to improve AI-generated content across all Someta accounts. No personally identifiable information or raw content is shared between clients. Participation is voluntary under Art. 6(1)(a). You can withdraw consent at any time from in-app settings or by emailing info@someta.fi. Withdrawal does not affect any processing carried out before that point.

9b. Monitoring of public social posts (UGC)

On behalf of our business customers we monitor public Instagram posts tagged with a customer's brand hashtags, so the customer can find user-generated content they may want to ask permission to repost. For matching posts we store the public username, post link, caption, and image URL. Our basis is legitimate interest (Art. 6(1)(f); LIA per EDPB Guidelines 01/2024); Someta acts as an independent controller for this processing. Un-actioned candidates are deleted within 7 days (90-day hard cap), and we do not profile, advertise to, or train AI on this data. If your public post was picked up, you can object and have it removed at someta.fi/legal/ugc-monitoring — see that notice for the full GDPR Art. 14 information.

10. Data breaches

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR, including the information required under Art. 34(2). We will also notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of a notifiable breach as required by Art. 33.

11. Cookies and similar technologies

We use a small number of cookies and equivalent client-side storage. Under § 205 of the Finnish Information Society Code (917/2014) and Art. 5(3) of the ePrivacy Directive, non-essential cookies are only set after you give consent. You can give, refuse, or withdraw consent at any time via the "Manage cookies" link in the page footer.

Each entry below gives the cookie or storage name, its provider, purpose, category, and duration.

  • analytics_consent
    Provider: Someta (first party)
    Purpose: Remembers your consent choice for analytics/replay
    Category: Strictly necessary
    Duration: 12 months

  • sb-*-auth-token
    Provider: Supabase
    Purpose: Authentication session
    Category: Strictly necessary
    Duration: Session / up to 7 days

  • ui-lang
    Provider: Someta
    Purpose: Remembers UI language (FI/EN)
    Category: Strictly necessary
    Duration: 12 months

  • ph_* + localStorage ph_*
    Provider: PostHog (EU)
    Purpose: Product analytics, feature flags
    Category: Analytics (consent)
    Duration: 12 months

  • consent_version
    Provider: Someta (first party)
    Purpose: Stamps the cookie inventory version your last decision was given against; lets us re-prompt when the inventory changes.
    Category: Strictly necessary
    Duration: 12 months

  • replay_consent
    Provider: Someta (first party)
    Purpose: Remembers your separate session-replay decision
    Category: Strictly necessary
    Duration: 12 months

  • Sentry replay storage
    Provider: Sentry (EU)
    Purpose: Session replay (inputs masked; sampled — sampling rate varies by plan, up to 100% on paid plans and for error sessions)
    Category: Session replay (consent)
    Duration: 90 days server-side retention

Client-side localStorage keys (informational). The Someta app also stores a small number of non-tracking preference keys in your browser's localStorage to keep the UI useful between sessions. These are not cookies, are not transmitted to our servers, and are not subject to ePrivacy Art. 5(3) consent — but we list them here so the inventory is complete: someta-theme (light / dark preference), someta-editor-prefs (Studio editor v2 toolbar layout, zoom level, ruler visibility), someta-tours (which in-app onboarding tours you have dismissed), someta-recent-brands (the brand-switcher recent-brands list, ≤ 10 ids). Removing them from your browser only resets the UI preference; it does not affect your data.

Analytics and session replay are off by default and only activate after you grant the corresponding consent. Withdrawing analytics consent stops further collection; previously collected data remains lawful until its retention period expires.

12. Changes to this policy

If we make significant changes to how we handle your data, we will notify you by email at least 30 days before the changes take effect, and where the change materially expands the categories of personal data we process we will require renewed acceptance on next sign-in. The "last updated" date at the top of this page always reflects the current version.

Data controller: SMTA Socials
Y-tunnus: 3612172-8
Address: Hernetie 4 c 87, 01300 Vantaa, Finland
Contact: info@someta.fi