Privacy Policy

Last updated: March 30, 2026

1. Introduction

SonetHub ("we," "our," or "us") operates the SonetHub platform at sonethub.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. It applies to all users of SonetHub, including those in the European Economic Area (EEA), and complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

SonetHub is the data controller responsible for your personal data. For questions about data processing or to exercise your rights, contact us at info@sonethub.com.

3. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Per-Activity Legal Basis

Processing activity                  | Legal basis
-------------------------------------|------------------------------------------------
Account creation and management      | Contract performance
Social account OAuth connection      | Contract performance
Post publishing and scheduling       | Contract performance
AI content generation                | Contract performance
AI brand memory extraction           | Legitimate interest (improving content quality)
Direct message inbox sync            | Contract performance
DM importance classification (AI)    | Legitimate interest (communication management)
Analytics collection                 | Contract performance
Email notifications                  | Consent (configurable in Settings)
Billing and payment processing       | Contract performance + Legal obligation
Usage cost tracking                  | Legitimate interest (service optimization)

Automated Decision-Making and Profiling

SonetHub uses AI to classify incoming direct messages by importance (important, general, spam). This classification is based on sender characteristics (such as follower count and verification status) and message content analysis. No decisions with legal or similarly significant effects are made solely by automated means.

SonetHub also uses AI to extract brand voice patterns from your content and interactions. This profiling is used solely to improve the quality of AI-generated content for your account.

Comment moderation: SonetHub provides tools to help you manage comments and mentions on your own posts. You may configure moderation rules to assist with community management — for example, hiding inappropriate comments, acknowledging positive feedback, or flagging messages for your review. When you enable these rules, actions are performed on your behalf using your authenticated account credentials, within each platform's API guidelines and rate limits. You retain full control and can disable or modify any rule at any time.

You can:

4. Information We Collect

4.1 Account Information

When you create an account, we collect your email address, name, and password (hashed). If you sign up via a third-party provider (e.g., Google), we receive your name, email, and profile picture from that provider.

4.2 Social Media Account Data

When you connect social media accounts (Instagram, Facebook, X/Twitter, LinkedIn, TikTok, Threads, YouTube, Pinterest), we store:

Instagram accounts can be connected via two methods: directly through Instagram (recommended, works for all account types including Creator accounts) or via Facebook (requires a linked Facebook Page, enables additional features like hashtag search and competitor analysis). Both methods use Meta's official APIs and OAuth 2.0 authorization.

4.3 Direct Messages and Inbox Data

If you enable the Social Inbox feature, we periodically sync direct messages from your connected social media accounts. This includes:

We access messages on your behalf to provide inbox management features. Messages from third parties are stored securely and used only to display them to you and to apply your configured classification and auto-reply rules. To classify messages by priority and category, message content is processed server-side by our AI service provider (see Section 7) acting as a data processor under contract — message content is processed transiently and is not retained by the provider or used for model training.

For Facebook and Instagram, we comply with Meta's 24-hour messaging window policy: replies can only be sent within 24 hours of the user's last message. Messages older than 90 days are automatically deleted from our systems to minimize data retention. When you disconnect a social account, all synced messages for that account are immediately deleted.

4.4 AI Agent Data

When you use our AI chat agent, we store:

You can view, manage, and delete AI memories at any time through the AI chat or Settings.

4.4a Media Library

When you upload files or generate media through our AI features, we store:

Media files are retained while your account is active. When you delete a post, any media files exclusively used by that post are automatically deleted from storage. You can also view and delete individual media files from the Compose page's Recent Media tab or via the AI chat agent.

4.4b Post Import

When you import posts from a CSV or XLSX file (e.g., exported from Buffer, Hootsuite, or another social media tool), we process:

Media downloaded during import is subject to the same retention and deletion policies as directly uploaded media. The uploaded CSV/XLSX file itself is deleted after import processing completes (or fails). We use AI to analyze column headers for automatic format detection — only the headers and a small sample of rows (up to 5) are sent to our AI provider for this analysis.

4.4c Feedback Submissions

If you submit feedback (feature requests or bug reports) through the Feedback page or AI agent, we collect the submission title, description, category, platform, priority, and your user ID and email. Feedback is sent to our team via email and is not stored in a database. We use this data solely to improve the Service.

4.5 Automation Data

If you create content automation schedules, we store your scheduling rules, target accounts, AI prompt templates, and media generation preferences (including music mode settings). Automated content generation uses the same AI processing described in section 4.4. When human review is enabled, automated posts are held in a pending state until manually approved by a workspace member — no content is published without review in this mode.

4.6 Usage Data

We collect information about how you use our service, including AI generation counts, features used, and session data.

4.7 Payment Information

Payment processing is handled by Stripe. We do not store your credit card numbers. We store your Stripe customer ID and subscription status.

4.8 Workspace and Collaboration Data

If you use workspace features, we store workspace and organization membership information, roles, and shared access permissions. Workspace members with appropriate roles may access shared social accounts, posts, analytics, and inbox data within the workspace. Organizations handle billing and member pools across workspaces.

4.9 Uploaded Brand Materials

When you use the "Teach AI Your Brand" feature, you may upload images, PDFs, CSVs, or text files. These files are processed transiently through our AI systems to extract brand intelligence (voice, visual style, preferences, audience insights). The uploaded files themselves are not stored — only the extracted brand memories are saved to your account. These memories can be viewed, edited, and deleted at any time in Settings > Brand Voice.

4.10 WhatsApp Data

If you connect WhatsApp as a command interface, we collect and process the following:

When you disconnect WhatsApp or delete your SonetHub account, your phone number, its hash, conversation history, and any associated WhatsApp connection data are permanently deleted from our systems.

5. How We Use Your Information

6. Data Storage and Security

All social media OAuth tokens are encrypted at rest using AES-256-GCM symmetric encryption with a unique initialization vector per encryption operation. Our database is hosted on Supabase (AWS infrastructure) with encrypted connections. We use HTTPS/TLS for all data transmission. Media files are stored in a private Supabase Storage bucket — files are not publicly accessible and can only be retrieved via time-limited signed URLs (7-day expiry) generated server-side after authentication and ownership verification.
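The token-at-rest scheme described above (AES-256-GCM, a fresh initialization vector for every encryption operation) can be illustrated with the following Go program. It is an added example written for this page, not SonetHub's own code, and it assumes the common layout of storing the nonce in front of the ciphertext and tag; the key and the sample token are constructed in the program. It shows the two properties the policy relies on: the same token encrypted twice yields different ciphertexts because the nonce differs, and any tampering with the stored blob is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes, which selects AES-256.
const keySize = 32

// EncryptToken seals an OAuth token under a 32-byte key with AES-256-GCM,
// drawing a fresh random 96-bit nonce from crypto/rand for every call.
// The nonce is stored in front of the ciphertext (nonce || ciphertext || tag):
// it is not secret, it only has to be unique for a given key.
func EncryptToken(key, token []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, token, nil), nil
}

// DecryptToken reverses EncryptToken. Any change to the nonce, ciphertext
// or tag makes Open fail, which is the integrity guarantee GCM provides.
func DecryptToken(key, sealed []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// NoncesDiffer reports whether two sealed blobs carry distinct nonces.
// Reusing a nonce under the same key breaks GCM's confidentiality and
// integrity, so a store should never see two blobs with an equal prefix.
func NoncesDiffer(a, b []byte) bool {
	const nonceLen = 12 // standard GCM nonce size
	if len(a) < nonceLen || len(b) < nonceLen {
		return false
	}
	return string(a[:nonceLen]) != string(b[:nonceLen])
}

func main() {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample token, not a real credential.
	token := []byte("sample-oauth-access-token-constructed")
	sealed1, _ := EncryptToken(key, token)
	sealed2, _ := EncryptToken(key, token)
	fmt.Printf("same plaintext, distinct ciphertexts: %v\n", NoncesDiffer(sealed1, sealed2))
	plain, err := DecryptToken(key, sealed1)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, plain)
	sealed1[len(sealed1)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptToken(key, sealed1)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

In a real deployment the 32-byte key would come from a secrets manager or KMS rather than being generated in the process, and the database column would hold only the sealed blob; the program above keeps everything in memory so it runs offline.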

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly via email without undue delay.

SonetHub incorporates data protection principles into the design of our platform (Art. 25 GDPR), including encryption at rest and in transit, private storage with time-limited access, minimal data collection, consent-gated optional features, and configurable privacy controls. We maintain records of processing activities as required by Art. 30 GDPR, available to the supervisory authority upon request.

7. Third-Party Services and Data Processors

We integrate with the following third-party services, which act as data processors:

7.1 Google API Services & YouTube Data

SonetHub's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect a YouTube account, SonetHub accesses the following data via the YouTube Data API v3 and YouTube Analytics API:

SonetHub uses YouTube data exclusively to provide the features described above. We do not:

Data retention: YouTube channel information and video analytics are retained while your YouTube account is connected to SonetHub. All YouTube data is deleted when you disconnect your YouTube account. OAuth tokens are immediately revoked and deleted.

Revoking access: You can disconnect your YouTube account from SonetHub at any time via the Accounts page. You can also revoke SonetHub's access directly from your Google Account permissions page. SonetHub's use of YouTube data is also subject to the YouTube Terms of Service and Google Privacy Policy.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers operate. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

You may contact us for more information about the specific safeguards in place for each transfer.

9. Data Sharing

We do not sell your personal data. We share data only with the third-party services listed above, as necessary to provide our service. Within workspaces, data is shared among workspace members according to their assigned roles and permissions. We may disclose information if required by law, to protect our rights, or to prevent fraud or security threats.

10. Your Rights (GDPR and Applicable Law)

Under the GDPR and other applicable data protection laws, you have the following rights:

To exercise any of these rights, contact us at info@sonethub.com. We will respond within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt.

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es) if you believe your data is being processed unlawfully.

Based on our current scale of operations and the nature of our processing activities, we have determined that a Data Protection Officer is not required under Art. 37(1) GDPR. This assessment will be reviewed as our user base grows. For all data protection inquiries, contact us at info@sonethub.com.

Self-Service Data Controls

You can also take the following actions directly in SonetHub:

Information About Third-Party Data

When you connect social media accounts, SonetHub processes data about people who interact with those accounts — including message senders, comment authors, and mentioned users. This data includes names, usernames, profile pictures, and message or comment content. Additionally, the competitor tracking feature fetches publicly available profile data (follower counts, post engagement metrics, profile pictures, and biographies) for accounts you choose to track. This data is sourced exclusively from each platform's official APIs using publicly accessible endpoints.

Legal basis: The legitimate interest of our users in managing their social media communications (Art. 6(1)(f)).

Third-party rights: If you are not a SonetHub user but your data has been processed through our platform (for example, you sent a direct message to one of our users' social accounts), you may exercise your GDPR rights by contacting us at info@sonethub.com. We will work with the relevant user to address your request. We retain third-party inbox data for up to 90 days unless the user deletes it earlier.

11. Data Deletion

Social Platform Disconnection

When you disconnect a social account from SonetHub, or when you remove SonetHub from your social media platform's settings:

We provide automated data deletion callbacks for Meta platforms (Instagram, Facebook, Threads). When you remove SonetHub from your Meta account settings, we automatically receive and process the deletion request. See our Data Deletion page for more details.

Full Account Deletion

When you delete your SonetHub account, all associated data is permanently removed within 30 days, including all connected social accounts, posts, conversations, AI memories, analytics, automation schedules, and workspace memberships.

12. Data Retention

13. Children's Privacy

SonetHub is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a user under 18, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at info@sonethub.com.

14. Cookies

We use essential cookies for authentication and session management. We use temporary cookies for OAuth state verification during social account connections. We may use optional analytics cookies (such as error tracking via Sentry) to improve our service — these are only activated with your explicit consent.

You can manage your cookie preferences at any time using the cookie preferences link in the page footer, or by clearing your browser's cookie storage. For a complete list of every cookie we use, see our Cookie Policy.

15. AI-Generated Content Disclosure

Content generated by our AI features is clearly identified within the platform. Some social media platforms (including TikTok) require disclosure when content is AI-generated. You are responsible for complying with each platform's AI content disclosure requirements when publishing AI-generated content. SonetHub provides AIGC disclosure settings where required by the platform API.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the platform at least 30 days before the changes take effect.

17. Contact

If you have questions about this Privacy Policy or our data practices, contact us at: