Privacy Policy

Eteya Consulting AB is the data controller for the processing of your personal data.

For questions about privacy and personal data, contact us at: Kontakt@eteya.ai

• Basic information: name, email address
• Technical information: IP address, browser type, operating system
• Communication: email correspondence, meeting notes

• To provide our services (GDPR Art. 6(1)(b)): Contractual necessity: We process data required to deliver our services to you as a customer or supplier.
• For customer support (GDPR Art. 6(1)(b)): Contractual necessity: We process data to provide you with support and answer your questions.
• For marketing (GDPR Art. 6(1)(a)): Consent: We send newsletters and marketing only if you have given us your consent. You can withdraw your consent at any time.
• For business development (GDPR Art. 6(1)(f)): Legitimate interests: We process business contact information to market our services to relevant decision-makers. Our legitimate interest is to develop our business. We conduct a balancing test where your rights take precedence if you object.

Right to withdraw consent: If the processing is based on your consent, you always have the right to withdraw it at any time. Withdrawal does not affect processing that took place before the withdrawal.

• Customer data: Duration of contract + 3 years
• Marketing: Until unsubscribed or 2 years
• Technical data: 12 months

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

• Subprocessors: Hosting, email services, CRM systems
• Authorities: Only when required by law
• International transfers: Some of our subprocessors (e.g., Google, Microsoft) may process data outside the EU/EEA, primarily in the USA. We protect your data through the EU Commission's Standard Contractual Clauses and additional technical measures. Contact us for more information.

• Encryption of data in transit and at rest
• Access control and permission management
• Regular security audits

• Necessary cookies — required for the site to function (consent record, language preference). Cannot be disabled.
• Analytics — we use Google Analytics 4 (GA4) to understand how visitors use the site. GA4 uses cookies stored for up to 14 months. IP addresses are anonymized before storage. Data is processed by Google LLC in the US under the EU–US Data Privacy Framework.
• Vercel Web Analytics — anonymous, hash-based visitor counting without cookies. No information is stored on your device, and the hash is discarded after 24 hours. Does not require consent under EU ePrivacy law but is disclosed here for transparency. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
• Marketing — currently disabled. If we later enable remarketing, it will require your consent and be disclosed here.
• Google Consent Mode v2 — the site respects your choice in the cookie banner. If you decline, only anonymous signals are sent — no cookies or identifiers.
• Withdraw consent — you can change or withdraw your consent at any time by clicking "Manage cookies" in the footer.
• Supervisory authority — you may file a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY — formerly Datainspektionen). Website: imy.se

If you have complaints about our processing of personal data, you can contact the Swedish Authority for Privacy Protection (IMY):

Eteya Social Manager (available at social.eteya.ai) is a SaaS product that helps users automate publishing to social media. This section describes how we handle personal data specifically for this service.

When you connect your account from LinkedIn, Facebook, Instagram, Threads, X (Twitter), Bluesky, TikTok, YouTube, Pinterest, Mastodon or other platforms, we store:

• OAuth access token (encrypted in our database, AES-256)
• OAuth refresh token (encrypted, to renew access)
• Platform user ID for your account
• Platform account name / profile picture (for display in the app)
• Permissions you have granted us (e.g. "publish on your behalf")

We NEVER store your password for social platforms. The OAuth protocol ensures we only receive a limited and revocable token. Retention period: Tokens are deleted immediately when you click "Disconnect account" in the app, delete your Eteya account, or revoke access directly on the respective platform.

We store drafts and scheduled posts (text, images, tags, timestamps), published posts (references to platform IDs), images and media (on a Hetzner server in Frankfurt, Germany), and statistics and engagement data from the platforms. Retention period: Retained as long as your account is active. Deleted within 30 days of account deletion.

When you use the "Generate" feature, data is sent to our AI providers:

• Ollama Cloud (USA) — for Swedish text via the kimi model
• OpenAI (USA) — for carousel data + image generation
• Anthropic (USA) — for specific language tasks

Data is transferred to the USA under the EU-US Data Privacy Framework + Standard Contractual Clauses. NOTHING is used for AI training — contractually agreed with providers.

When you schedule a post, we use your OAuth token to publish at the scheduled time. We publish ONLY what you have created and approved yourself — never autonomous publications.

Every organization has fully isolated data. Users from one organization can never see or access data from another. Eteya personnel access data only for support requests with your permission.

• Encryption at rest: All data, all tokens, all files (AES-256)
• Encryption in transit: TLS 1.3
• Passwords: bcrypt + salt
• 2FA: Supported via Authentik

You have the right at any time to request deletion of your personal data under GDPR Article 17 (the "right to be forgotten").

• Your user account (email address, name, hashed passwords)
• Connected OAuth tokens to social platforms
• Saved drafts and scheduled posts that have not been published
• AI-generated content linked to your account
• User data and settings in your organization

• Accounting data (paying customers): 7 years under the Swedish Bookkeeping Act
• Security logs: 12 months
• Anonymized aggregated statistics: retained (cannot be traced)
• Content already published on your social channels: must be deleted directly on the respective platform

• 1. Directly in the app (fastest): Log in at social.eteya.ai → Settings → Account → "Delete my account" → Confirm with password → Click "Delete permanently". Confirmation sent via email.
• 2. Via email: Send to kontakt@eteya.ai with subject "Request for data deletion (GDPR)" and your email address + name. We respond within 30 days (usually 5 business days).
• 3. Written request: Eteya Consulting AB, Att: Data Protection, Solhagsvägen 26 A, 691 52 Karlskoga, Sweden. Response within 30 days.

If you only want to prevent Eteya from posting to your social accounts:

• In the app: Settings → Connected accounts → Disconnect
• On the platform: LinkedIn/Facebook/Instagram/X → "Authorized Apps" → Find "Eteya Social Manager" → Revoke

To deliver Eteya Social Manager, we engage the following sub-processors that process personal data on our behalf. All are contracted under GDPR Article 28 (DPA) and follow Standard Contractual Clauses (SCC) for international transfers.

• Hetzner Online GmbH — Server hosting (Germany, EU)
• Cloudflare, Inc. — CDN + DNS + security (USA + global)
• OpenAI, L.L.C. — AI (text + image) (USA)
• Anthropic, PBC — AI (Claude) (USA)
• Ollama Cloud — AI (kimi text) (USA)
• n8n GmbH — Workflow orchestration (Germany, EU)
• Stripe, Inc. (for billing) — Payments (USA + global)
• Authentik (self-hosted) — Identity & SSO (Sweden, our VPS)

Social media platforms (LinkedIn, Meta, X, Bluesky and others) are NOT sub-processors — they are third-party services where you have your own account. Their own privacy policy applies to data they process.

International transfers to USA-based providers are protected by the EU-US Data Privacy Framework, Standard Contractual Clauses (SCC) under EU Commission decision 2021/914, and supplementary measures (encryption, pseudonymization).

If we change sub-processors, you will receive 30 days advance notice via email. You have the right to object and terminate the service without charge.

Last updated: 2026-05-11