Privacy
Privacy Policy
How Punasaari Research handles personal data when you use Somemind AI, including data received through Facebook, Instagram and TikTok.
- Effective
- 30 June 2026
- Version
- 2.0
We use personal data to operate Somemind AI, secure accounts, process subscriptions and publish content you authorize to Facebook, Instagram and TikTok. We do not sell personal data or use connected-platform data for advertising profiles.
1. Controller and contact
Punasaari Research, Vantaa, Finland, operates Somemind AI and acts as controller for account, billing, security and service-administration data.
For customer content and audience information processed solely on a workspace customer's instructions, Punasaari Research may act as processor under the Data Processing Agreement accepted during workspace creation.
Email: info@punasaariresearch.fi
Telephone: +358 40 815 9174
2. Scope and active integrations
This policy applies to somemindai.com, the authenticated Somemind AI application, transactional communications and the active Facebook, Instagram and TikTok integrations.
Facebook Pages, professional Instagram accounts and TikTok accounts are supported now. TikTok is a beta integration and its direct-post visibility remains subject to TikTok application review and platform restrictions. LinkedIn, YouTube and other platforms are presented only as coming soon.
3. Data we process
| Category | Examples | Source |
|---|---|---|
| Account and profile | Name, email, locale, authentication identifiers | You; Supabase Auth; Google sign-in if selected |
| Workspace and team | Company and brand details, roles, invitations, settings, DPA acceptance | You and authorized workspace members |
| Meta connection data | Facebook user and Page identifiers, Page names, Instagram professional account identifiers and usernames, encrypted access tokens, token expiry and connection status | Meta after your authorization |
| TikTok connection data | TikTok Open ID, display name, avatar, granted scopes, encrypted access and refresh tokens, token expiry and connection status | TikTok after your authorization |
| Content and media | Captions, prompts, drafts, schedules, images, videos, approvals and published-post identifiers | You, your team, AI providers and connected platform APIs |
| Performance data | Reach, engagement and publishing results made available by Facebook or Instagram | Meta APIs and your workspace activity |
| Billing and entitlement | Plan, subscription state, invoice references and payment status; card details remain with Stripe | You and Stripe |
| Security and technical | IP address, audit events, rate-limit events, device/browser signals and error logs | Your device and our infrastructure |
4A. TikTok permissions and use
When you connect TikTok, Somemind requests user.info.basic only to identify and display the authorized account, and video.publish to publish videos you authorize through TikTok Direct Post. Somemind does not request your TikTok video list or draft-upload access. Login Kit for Web uses OAuth 2.0, an HTTPS redirect URI, and a signed anti-CSRF state value. Access and refresh tokens are encrypted at rest. You can disconnect TikTok in workspace social-account settings; TikTok also processes information under its own privacy policy and account controls.
4. Meta permissions and use
Depending on the feature you connect, Somemind AI may request these Meta permissions:
public_profileto identify the authorizing Facebook user.pages_show_listto show Pages you manage.pages_manage_poststo create or manage authorized Facebook Page posts.pages_read_engagementto read Page content and engagement needed for service analytics.instagram_basicto identify a professional Instagram account linked to a Facebook Page.instagram_content_publishto publish authorized Instagram content.
Permissions are used only to provide the connected feature. We do not transfer Meta user data to data brokers, use it to build advertising profiles, or sell it. Meta processes information under its own Privacy Policy. You can revoke Somemind access in Facebook Apps and Websites settings and request deletion through our Data Deletion page.
5. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Create accounts, provide workspaces, generate content, schedule and publish authorized posts | Performance of a contract, GDPR Art. 6(1)(b) |
| Connect Facebook, Instagram and TikTok accounts at your request | Performance of a contract; your affirmative authorization in the relevant platform OAuth flow |
| Process subscriptions, invoices and statutory accounting records | Contract and legal obligation, Arts. 6(1)(b) and 6(1)(c) |
| Prevent abuse, enforce limits, investigate incidents and protect the service | Legitimate interests, Art. 6(1)(f) |
| Store optional preferences or send optional marketing communications | Consent where required, Art. 6(1)(a) |
Where we rely on legitimate interests, those interests are service security, fraud prevention, reliable operations and product improvement. You may object as described below.
6. Service providers and disclosures
We disclose data only as necessary to operate the service, comply with law, protect rights, or complete a business transaction subject to appropriate safeguards. Current categories include:
- Supabase for database and authentication.
- Vercel for application hosting and delivery.
- Cloudflare R2 for media storage and signed delivery.
- Stripe for subscriptions, payment processing and billing records.
- Resend for transactional email.
- Google Gemini and FAL for text and media generation when you use AI features. Prompts may include workspace brand context and content instructions; avoid entering unnecessary personal or special-category data.
- Meta Platforms when you connect, read from or publish to Facebook or Instagram.
- TikTok when you connect, read permitted account signals from or publish to TikTok.
Provider locations and processing routes can change. Where a transfer leaves the EEA, we use an available GDPR transfer mechanism such as an adequacy decision or Standard Contractual Clauses, together with supplementary measures where appropriate.
7. Retention
- Account and workspace data: while the account or workspace is active, then deleted or anonymized following a valid deletion request, subject to legal holds and required retention.
- Social platform tokens: until you disconnect the account, revoke authorization, the token expires, or the workspace is deleted.
- Content and media: until deleted by an authorized user or the related workspace is deleted, subject to backup expiry.
- Security and audit records: generally up to 12 months, or longer where reasonably necessary to investigate abuse or establish legal claims.
- Accounting records: retained for the period required by Finnish accounting and tax law.
- Backups: removed through normal backup rotation after production deletion.
8. Cookies and local storage
We use essential Supabase session cookies, the somemind_locale language cookie and local storage for your cookie-consent preference. We do not currently use third-party advertising cookies on the public site. If this changes, this notice and the consent controls will be updated before non-essential storage is used.
9. Security
We use measures designed for the risk level, including HTTPS, AES-256-GCM encryption for social access tokens, signed storage URLs, role and workspace checks, database row-level controls, rate limiting, audit logging and protected administrative sessions. No system is completely secure; report suspected incidents to info@punasaariresearch.fi.
10. Your rights
Subject to GDPR conditions and exceptions, you may request access, rectification, erasure, restriction, portability and objection. Where processing is based on consent, you may withdraw it without affecting earlier lawful processing. We do not make decisions producing legal or similarly significant effects solely by automated means.
Send requests to info@punasaariresearch.fi. We may need to verify identity and normally respond within one month; GDPR permits an extension for complex or numerous requests, with notice.
11. Complaints, children and changes
Somemind AI is intended for business users aged 18 or older and is not directed to children. You may complain to the Finnish Office of the Data Protection Ombudsman or another competent EEA authority.
We may update this policy when the service, providers or law changes. Material changes will be communicated by an appropriate channel before they take effect where required.