Skip to content

Privacy Policy

Last updated: 2026-06-13

Privacy Policy

Last updated: 13 June 2026

This Privacy Policy describes how [LEGAL ENTITY] ("SOSH", "we", "us", "our") collects, uses, stores, and shares your personal data when you use SOSH at sosh.app and its subdomains. It is issued pursuant to GDPR Articles 13 and 14.


1. Who we are

[LEGAL ENTITY] is the Data Controller responsible for personal data collected through SOSH. We are incorporated under the laws of Portugal.

Contact: privacy@sosh.app


2. Data we collect

Identity data

Billing data

Content data

AI-generated content

Usage and telemetry data

Security and operational data

Third-party engagement data (Engagement Inbox — not active at launch) When the Engagement Inbox feature is available, we may receive public comments, mentions, and direct-message content posted to your connected social accounts by third parties. We process this data as Data Processor on your instructions; you are the Data Controller for that content.


3. How we use your data

| Purpose | Lawful basis (GDPR Art. 6) | |---|---| | Create and maintain your account | Art. 6(1)(b) — Contract performance | | Provide the Service (generate, store, schedule, and publish content) | Art. 6(1)(b) — Contract performance | | Process payments and manage subscriptions | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (tax records) | | Send transactional email (billing confirmations, product notifications) | Art. 6(1)(b) — Contract performance | | Send trial-period reminders | Art. 6(1)(b) — Contract performance | | Prevent abuse and enforce rate limits | Art. 6(1)(f) — Legitimate interest: protect the Service and users | | Monitor errors and service performance | Art. 6(1)(f) — Legitimate interest: maintain service quality |

We do not use your content or personal data to train AI models. The AI we use (Anthropic Claude) is called via API under Anthropic's data usage policy, which does not use API inputs for model training. See our Subprocessors list for details.


4. Sources of data


5. Who we share your data with

We share personal data only with the sub-processors listed at sosh.app/subprocessors. We do not sell your personal data. We do not share it with advertisers or for marketing purposes.

Sub-processors are contractually bound to process your data only as necessary to provide their service to SOSH and in accordance with applicable data protection law.


6. International transfers

Our sub-processors are primarily located in the European Economic Area. One sub-processor — Anthropic PBC — is based in the United States. When generating content, relevant portions of your business profile and campaign brief are sent to Anthropic's API, hosted in the United States.

Anthropic (our AI provider) is based in the United States. We rely on the EU-US Data Privacy Framework as the transfer mechanism for data processed by Anthropic. You can verify Anthropic's current certification at dataprivacyframework.gov.

Where any sub-processor transfers data outside the EEA in future, we will update sosh.app/subprocessors and ensure appropriate safeguards (Standard Contractual Clauses or an applicable adequacy decision) are in place before the transfer occurs.


7. How long we keep your data

| Data category | Retention period | |---|---| | Account identity and business profile | Lifetime of your account, plus 30 days after a verified deletion request | | Brand voice profiles, campaigns, and posts | Same | | Social account OAuth tokens | Deleted immediately on disconnect (access revoked, identifiers removed, vault secret deleted) | | Social account metadata (username, display name) | Lifetime of account + 30 days | | Billing records | 10 years from the transaction date (Portuguese tax law) | | Security and rate-limit records (IP addresses, email keys) | 30 days | | Error monitoring events | 90 days (Sentry platform default) | | AI usage telemetry | 24 months | | Email delivery records | 30 days after final delivery status | | Email suppression list | Indefinitely (required to honour unsubscribe and bounce requests) |


8. Your rights

Under GDPR, you have the following rights:

To exercise any right, email privacy@sosh.app. We will respond within 30 days. For complex or numerous requests we may extend to 60 days; we will notify you within the first 30 days if so.

We have not appointed a Data Protection Officer. All data-subject requests should be directed to privacy@sosh.app.


9. Cookies

We use one cookie:

| Cookie | Purpose | Type | Lifetime | |---|---|---|---| | sb-[project]-auth-token | Stores your authentication session | Strictly necessary | Access token: ~1 hour; refresh token: persistent until you log out |

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Vercel Analytics and Vercel Speed Insights, used for aggregate traffic measurement, are cookieless and collect no personal identifiers. No cookie consent banner is shown because no non-essential cookies are used.


10. Security

We implement reasonable technical and organisational measures to protect your personal data, including:


11. Contact

Privacy enquiries and data-subject requests: privacy@sosh.app
Data Processing Agreement requests: legal@sosh.app
To report a security vulnerability, contact security@sosh.app.


12. Supervisory authority

If you believe we have not handled your data lawfully, you may lodge a complaint with:

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal
www.cnpd.pt


13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address at least 30 days before they take effect, and this page will be updated with the new effective date. Continued use of the Service after the effective date constitutes acceptance of the revised policy.