BackSomemind AI

Legal documents

PrivacyTermsGDPR & DPAData deletion
Punasaari Research
Vantaa, Finland
info@punasaariresearch.fi

Privacy

Privacy Policy

How Punasaari Research handles personal data when you use Somemind AI, including data received through Facebook, Instagram and TikTok.

Effective
30 June 2026
Version
2.0
In plain language

We use personal data to operate Somemind AI, secure accounts, process subscriptions and publish content you authorize to Facebook, Instagram and TikTok. We do not sell personal data or use connected-platform data for advertising profiles.

1. Controller and contact

Punasaari Research, Vantaa, Finland, operates Somemind AI and acts as controller for account, billing, security and service-administration data.

For customer content and audience information processed solely on a workspace customer's instructions, Punasaari Research may act as processor under the Data Processing Agreement accepted during workspace creation.

Email: info@punasaariresearch.fi
Telephone: +358 40 815 9174

2. Scope and active integrations

This policy applies to somemindai.com, the authenticated Somemind AI application, transactional communications and the active Facebook, Instagram and TikTok integrations.

Facebook Pages, professional Instagram accounts and TikTok accounts are supported now. TikTok is a beta integration and its direct-post visibility remains subject to TikTok application review and platform restrictions. LinkedIn, YouTube and other platforms are presented only as coming soon.

3. Data we process

CategoryExamplesSource
Account and profileName, email, locale, authentication identifiersYou; Supabase Auth; Google sign-in if selected
Workspace and teamCompany and brand details, roles, invitations, settings, DPA acceptanceYou and authorized workspace members
Meta connection dataFacebook user and Page identifiers, Page names, Instagram professional account identifiers and usernames, encrypted access tokens, token expiry and connection statusMeta after your authorization
TikTok connection dataTikTok Open ID, display name, avatar, granted scopes, encrypted access and refresh tokens, token expiry and connection statusTikTok after your authorization
Content and mediaCaptions, prompts, drafts, schedules, images, videos, approvals and published-post identifiersYou, your team, AI providers and connected platform APIs
Performance dataReach, engagement and publishing results made available by Facebook or InstagramMeta APIs and your workspace activity
Billing and entitlementPlan, subscription state, invoice references and payment status; card details remain with StripeYou and Stripe
Security and technicalIP address, audit events, rate-limit events, device/browser signals and error logsYour device and our infrastructure

4A. TikTok permissions and use

When you connect TikTok, Somemind requests user.info.basic only to identify and display the authorized account, and video.publish to publish videos you authorize through TikTok Direct Post. Somemind does not request your TikTok video list or draft-upload access. Login Kit for Web uses OAuth 2.0, an HTTPS redirect URI, and a signed anti-CSRF state value. Access and refresh tokens are encrypted at rest. You can disconnect TikTok in workspace social-account settings; TikTok also processes information under its own privacy policy and account controls.

4. Meta permissions and use

Depending on the feature you connect, Somemind AI may request these Meta permissions:

  • public_profile to identify the authorizing Facebook user.
  • pages_show_list to show Pages you manage.
  • pages_manage_posts to create or manage authorized Facebook Page posts.
  • pages_read_engagement to read Page content and engagement needed for service analytics.
  • instagram_basic to identify a professional Instagram account linked to a Facebook Page.
  • instagram_content_publish to publish authorized Instagram content.

Permissions are used only to provide the connected feature. We do not transfer Meta user data to data brokers, use it to build advertising profiles, or sell it. Meta processes information under its own Privacy Policy. You can revoke Somemind access in Facebook Apps and Websites settings and request deletion through our Data Deletion page.

5. Purposes and legal bases

PurposeLegal basis
Create accounts, provide workspaces, generate content, schedule and publish authorized postsPerformance of a contract, GDPR Art. 6(1)(b)
Connect Facebook, Instagram and TikTok accounts at your requestPerformance of a contract; your affirmative authorization in the relevant platform OAuth flow
Process subscriptions, invoices and statutory accounting recordsContract and legal obligation, Arts. 6(1)(b) and 6(1)(c)
Prevent abuse, enforce limits, investigate incidents and protect the serviceLegitimate interests, Art. 6(1)(f)
Store optional preferences or send optional marketing communicationsConsent where required, Art. 6(1)(a)

Where we rely on legitimate interests, those interests are service security, fraud prevention, reliable operations and product improvement. You may object as described below.

6. Service providers and disclosures

We disclose data only as necessary to operate the service, comply with law, protect rights, or complete a business transaction subject to appropriate safeguards. Current categories include:

  • Supabase for database and authentication.
  • Vercel for application hosting and delivery.
  • Cloudflare R2 for media storage and signed delivery.
  • Stripe for subscriptions, payment processing and billing records.
  • Resend for transactional email.
  • Google Gemini and FAL for text and media generation when you use AI features. Prompts may include workspace brand context and content instructions; avoid entering unnecessary personal or special-category data.
  • Meta Platforms when you connect, read from or publish to Facebook or Instagram.
  • TikTok when you connect, read permitted account signals from or publish to TikTok.

Provider locations and processing routes can change. Where a transfer leaves the EEA, we use an available GDPR transfer mechanism such as an adequacy decision or Standard Contractual Clauses, together with supplementary measures where appropriate.

7. Retention

  • Account and workspace data: while the account or workspace is active, then deleted or anonymized following a valid deletion request, subject to legal holds and required retention.
  • Social platform tokens: until you disconnect the account, revoke authorization, the token expires, or the workspace is deleted.
  • Content and media: until deleted by an authorized user or the related workspace is deleted, subject to backup expiry.
  • Security and audit records: generally up to 12 months, or longer where reasonably necessary to investigate abuse or establish legal claims.
  • Accounting records: retained for the period required by Finnish accounting and tax law.
  • Backups: removed through normal backup rotation after production deletion.

8. Cookies and local storage

We use essential Supabase session cookies, the somemind_locale language cookie and local storage for your cookie-consent preference. We do not currently use third-party advertising cookies on the public site. If this changes, this notice and the consent controls will be updated before non-essential storage is used.

9. Security

We use measures designed for the risk level, including HTTPS, AES-256-GCM encryption for social access tokens, signed storage URLs, role and workspace checks, database row-level controls, rate limiting, audit logging and protected administrative sessions. No system is completely secure; report suspected incidents to info@punasaariresearch.fi.

10. Your rights

Subject to GDPR conditions and exceptions, you may request access, rectification, erasure, restriction, portability and objection. Where processing is based on consent, you may withdraw it without affecting earlier lawful processing. We do not make decisions producing legal or similarly significant effects solely by automated means.

Send requests to info@punasaariresearch.fi. We may need to verify identity and normally respond within one month; GDPR permits an extension for complex or numerous requests, with notice.

11. Complaints, children and changes

Somemind AI is intended for business users aged 18 or older and is not directed to children. You may complain to the Finnish Office of the Data Protection Ombudsman or another competent EEA authority.

We may update this policy when the service, providers or law changes. Material changes will be communicated by an appropriate channel before they take effect where required.

Terms of ServiceGDPR & DPAData Deletion
© Punasaari Research · Vantaa, Finland · Somemind AI is not affiliated with Meta Platforms, Inc.