BackSomemind AI

Legal documents

PrivacyTermsGDPR & DPAData deletion
Punasaari Research
Vantaa, Finland
info@punasaariresearch.fi

Data protection

GDPR & DPA

How Somemind AI supports customers' GDPR responsibilities and governs processing performed on their behalf.

Updated
30 June 2026
DPA version
2.0
A precise commitment

Somemind AI is designed with GDPR principles and safeguards in mind. Compliance depends on the service, the Customer's configuration and instructions, and each party fulfilling its own legal duties; no product can make a customer automatically compliant.

1. Roles

Punasaari Research is controller for its own account administration, billing, security, support and product operations. The Customer is normally controller for personal data contained in its social media content, media, team workflows and connected accounts. Punasaari Research acts as processor for that Customer data when it processes it solely to provide the contracted service.

2. Data Processing Agreement

Workspace owners must accept the DPA during workspace creation. The recorded acceptance identifies the user, workspace, DPA version and time. The DPA applies when Punasaari Research processes personal data on the Customer's documented instructions under GDPR Article 28.

The processing details are:

Subject and durationProviding Somemind AI for the subscription term and documented deletion/return period.
Nature and purposeHosting, organizing, generating, scheduling, publishing, securing and analyzing customer-directed social media content.
Data subjectsCustomer users, team members, contacts or audience members whose information the Customer lawfully includes in content or permitted platform data.
Data typesIdentifiers, contact details, roles, content, media, brand context, social account identifiers, tokens and permitted performance data.

3. Processor commitments

  • Process Customer personal data only on documented instructions, unless Union or Member State law requires otherwise.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Maintain measures appropriate to risk under Article 32.
  • Use sub-processors under equivalent data-protection obligations and provide information needed for lawful authorization and objection processes.
  • Assist, taking into account the nature of processing, with data-subject requests, security, breach assessment, DPIAs and supervisory consultation.
  • Delete or return Customer personal data at the end of services, subject to applicable law and backup rotation.
  • Provide information reasonably necessary to demonstrate Article 28 compliance and support proportionate audits.

4. Customer commitments

  • Have a lawful basis and provide required notices for all personal data submitted or connected.
  • Issue lawful, documented instructions and avoid uploading unnecessary or special-category data.
  • Configure roles, approvals, automation and connected platforms appropriately.
  • Review AI output before publication and respond to data-subject requests concerning Customer-controlled content.
  • Comply with the connected platform's terms and have authority over connected Facebook Pages, professional Instagram accounts and TikTok accounts.

5. Technical and organizational measures

AreaMeasures
Identity and accessSupabase sessions, workspace membership and role checks, protected admin sessions and optional provider sign-in.
IsolationWorkspace-scoped authorization and database row-level controls for tenant data.
EncryptionHTTPS in transit; AES-256-GCM for stored social access tokens; signed storage access.
Abuse preventionRate limits, input validation, audit events, webhook signature checks and least-privilege service paths.
ResilienceManaged infrastructure, provider monitoring, graceful failure handling and controlled backup rotation.
LifecycleAccount disconnection, token revocation handling, deletion requests and legal-retention controls.

6. Sub-processors and transfers

ProviderPurpose
SupabaseDatabase and authentication
VercelApplication hosting and delivery
CloudflareMedia storage and delivery
StripeSubscription and payment processing
ResendTransactional email
Google GeminiAI-assisted text processing
FALAI-assisted image and video generation
Meta PlatformsAuthorized Facebook and Instagram connectivity and publishing
TikTokAuthorized TikTok connectivity, account signals and publishing

Actual processing locations depend on provider configuration and service routing. Transfers outside the EEA must rely on a valid GDPR mechanism, such as an adequacy decision or Standard Contractual Clauses, plus supplementary measures where appropriate.

7. Incident and breach support

We maintain procedures to assess security events. Where we act as processor and become aware of a personal data breach affecting Customer data, we notify the Customer without undue delay and provide available information needed for the Customer's Articles 33 and 34 duties. Where Punasaari Research is controller, it assesses notification to the competent authority within the applicable 72-hour period and communication to affected people where required.

8. Rights, deletion and contact

Individuals can exercise GDPR rights as described in the Privacy Policy. Workspace owners can use in-product controls or contact info@punasaariresearch.fi. Meta connection and deletion instructions are at /datadeletion.

Customers needing a signed DPA copy, sub-processor information or a reasonable security review should contact the same address.

Privacy PolicyTerms of ServiceData Deletion
© Punasaari Research · Vantaa, Finland · Somemind AI is not affiliated with Meta Platforms, Inc.