Privacy Policy
Last updated: 2026-06-13
Privacy Policy
Last updated: 13 June 2026
This Privacy Policy describes how [LEGAL ENTITY] ("SOSH", "we", "us", "our") collects, uses, stores, and shares your personal data when you use SOSH at sosh.app and its subdomains. It is issued pursuant to GDPR Articles 13 and 14.
1. Who we are
[LEGAL ENTITY] is the Data Controller responsible for personal data collected through SOSH. We are incorporated under the laws of Portugal.
Contact: privacy@sosh.app
2. Data we collect
Identity data
- Email address (provided at registration; held by Supabase Auth)
- Name and business profile: company name, website, industry, description, logo
- Social account identifiers: platform username and display name (received from LinkedIn, X, Instagram, Facebook, or Threads when you connect an account)
Billing data
- Stripe customer identifier and subscription identifier
- Card fingerprint (a non-reversible partial identifier provided by Stripe; we do not store full card numbers)
- Stripe event payloads received via webhook, which may include your email address as provided to Stripe during checkout
Content data
- Brand voice profiles: tone descriptors, target audience, keywords, writing examples, competitor references, unique value proposition
- Campaign information: names, objectives, instructions, scheduling preferences
- Post copy you draft or edit; feedback notes
AI-generated content
- Post drafts and hashtag suggestions generated by the AI on your instructions
- Generation metadata: model version, number of regeneration attempts (no prompts or output text stored separately from post records)
Usage and telemetry data
- AI usage records: token counts, response times, cost estimates — no content
- Trial counters, post generation counts
- Job execution logs (publish, metrics sync, email delivery)
- Email engagement events (delivery status, open events, bounce and complaint signals) received from our email provider (Resend) as webhooks. These are used to manage your subscription communications and suppress future emails where required by anti-spam law.
Security and operational data
- Rate-limit records: IP addresses and email-based keys used to enforce access-rate limits
- Error and performance events via Sentry (PII-scrubbed before transmission; Session Replay is disabled)
Third-party engagement data (Engagement Inbox — not active at launch) When the Engagement Inbox feature is available, we may receive public comments, mentions, and direct-message content posted to your connected social accounts by third parties. We process this data as Data Processor on your instructions; you are the Data Controller for that content.
3. How we use your data
| Purpose | Lawful basis (GDPR Art. 6) | |---|---| | Create and maintain your account | Art. 6(1)(b) — Contract performance | | Provide the Service (generate, store, schedule, and publish content) | Art. 6(1)(b) — Contract performance | | Process payments and manage subscriptions | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (tax records) | | Send transactional email (billing confirmations, product notifications) | Art. 6(1)(b) — Contract performance | | Send trial-period reminders | Art. 6(1)(b) — Contract performance | | Prevent abuse and enforce rate limits | Art. 6(1)(f) — Legitimate interest: protect the Service and users | | Monitor errors and service performance | Art. 6(1)(f) — Legitimate interest: maintain service quality |
We do not use your content or personal data to train AI models. The AI we use (Anthropic Claude) is called via API under Anthropic's data usage policy, which does not use API inputs for model training. See our Subprocessors list for details.
4. Sources of data
- Directly from you: at registration, during onboarding, when managing campaigns and posts.
- From social platforms: profile identifiers, usernames, and display names received via OAuth when you connect a social account.
- From Stripe: billing events and payment status via webhook.
- Automatically: rate-limit records, usage telemetry, error events.
5. Who we share your data with
We share personal data only with the sub-processors listed at sosh.app/subprocessors. We do not sell your personal data. We do not share it with advertisers or for marketing purposes.
Sub-processors are contractually bound to process your data only as necessary to provide their service to SOSH and in accordance with applicable data protection law.
6. International transfers
Our sub-processors are primarily located in the European Economic Area. One sub-processor — Anthropic PBC — is based in the United States. When generating content, relevant portions of your business profile and campaign brief are sent to Anthropic's API, hosted in the United States.
Anthropic (our AI provider) is based in the United States. We rely on the EU-US Data Privacy Framework as the transfer mechanism for data processed by Anthropic. You can verify Anthropic's current certification at dataprivacyframework.gov.
Where any sub-processor transfers data outside the EEA in future, we will update sosh.app/subprocessors and ensure appropriate safeguards (Standard Contractual Clauses or an applicable adequacy decision) are in place before the transfer occurs.
7. How long we keep your data
| Data category | Retention period | |---|---| | Account identity and business profile | Lifetime of your account, plus 30 days after a verified deletion request | | Brand voice profiles, campaigns, and posts | Same | | Social account OAuth tokens | Deleted immediately on disconnect (access revoked, identifiers removed, vault secret deleted) | | Social account metadata (username, display name) | Lifetime of account + 30 days | | Billing records | 10 years from the transaction date (Portuguese tax law) | | Security and rate-limit records (IP addresses, email keys) | 30 days | | Error monitoring events | 90 days (Sentry platform default) | | AI usage telemetry | 24 months | | Email delivery records | 30 days after final delivery status | | Email suppression list | Indefinitely (required to honour unsubscribe and bounce requests) |
8. Your rights
Under GDPR, you have the following rights:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — ask us to correct inaccurate data.
- Erasure (Art. 17) — To request deletion of your account and all associated data, email privacy@sosh.app. We will verify your request, confirm by email, and permanently delete your data within 30 days. Billing records required by Portuguese tax law are retained for 10 years per §7.
- Restriction (Art. 18) — ask us to pause processing in certain circumstances.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest.
To exercise any right, email privacy@sosh.app. We will respond within 30 days. For complex or numerous requests we may extend to 60 days; we will notify you within the first 30 days if so.
We have not appointed a Data Protection Officer. All data-subject requests should be directed to privacy@sosh.app.
9. Cookies
We use one cookie:
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
| sb-[project]-auth-token | Stores your authentication session | Strictly necessary | Access token: ~1 hour; refresh token: persistent until you log out |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Vercel Analytics and Vercel Speed Insights, used for aggregate traffic measurement, are cookieless and collect no personal identifiers. No cookie consent banner is shown because no non-essential cookies are used.
10. Security
We implement reasonable technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit
- Encryption at rest (Supabase platform default)
- OAuth tokens stored in Supabase Vault — an encrypted secrets store with key management separate from application data; no raw token appears in any application database table
- Row-Level Security on all database tables, ensuring each account accesses only its own data
- Incident response aligned with GDPR Art. 33/34: in the event of a personal data breach, we will notify you and the supervisory authority (CNPD) within 72 hours of becoming aware
11. Contact
Privacy enquiries and data-subject requests: privacy@sosh.app
Data Processing Agreement requests: legal@sosh.app
To report a security vulnerability, contact security@sosh.app.
12. Supervisory authority
If you believe we have not handled your data lawfully, you may lodge a complaint with:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal
www.cnpd.pt
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address at least 30 days before they take effect, and this page will be updated with the new effective date. Continued use of the Service after the effective date constitutes acceptance of the revised policy.