Suomeksi

Privacy Policy

Version 1.0 · Updated 10 July 2026 · EU General Data Protection Regulation (GDPR)

This policy describes how Luviamo (the “Service”) collects, uses, retains, and shares personal data. Luviamo is a marketing lifecycle platform for Nordic small and medium-sized businesses: ideation, planning, content creation, publishing, and analytics in a single application.

1. Data Controller

Sunrise Software Oy
Business ID: 3588983-1
Postal address: Pilotinkatu 48, 33900 Tampere, Finland
Privacy contact: [email protected]
Contact person: Petri Korhonen

2. Personal data we process

We process the following data arising from use of the Service:

3. Purposes and legal bases

4. Google user data (Google Analytics 4 and Google Ads)

If you connect your own Google account, Luviamo reads your reporting data on a read-only basis. We never modify, create, or manage your accounts, campaigns, or settings.

What data is retrieved

How the data is used

The data is displayed back to the same user in their own analytics dashboard and PDF reports. It is not used for anything else and is not combined with other customers’ data (per-organization isolation).

Retention, sharing, and deletion

Luviamo's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Meta data (Facebook and Instagram)

If you connect your Facebook Page and its linked Instagram Business account, we process for publishing purposes:

When you remove the app from Facebook or request data deletion, Meta sends a signed request to our callback URL. We verify the signature (HMAC-SHA256) and delete the stored connection data (the encrypted Page access token and the account linkage). See data deletion.

6. AI (content creation)

We use Anthropic’s AI to assist with content creation. Only the following is sent to the AI:

We do not send Google or Meta raw data, email addresses, access tokens, or account identifiers to the AI. The AI produces suggestions that the user reviews and edits; this is not automated decision-making producing legal effects within the meaning of GDPR Art. 22.

7. Subprocessors

We use the following subprocessors. A data processing agreement (DPA) under GDPR Art. 28 is in place with each. Transfers outside the EU/EEA are covered by the EU Standard Contractual Clauses (SCC).

SubprocessorRoleData processedLocation / transfer
CloudflareHosting (Workers, Pages, D1, R2, KV)All application data, media, sessionsEU (Frankfurt, Germany)
AnthropicAI (content creation)Your own content input + de-identified index valueUSA · SCC
StripePayments and subscriptionsCustomer and subscription IDs (no card data with us)SCC
ResendTransactional and newsletter emailRecipient email + message contentSCC
MetaSocial publishing (on your initiative)Content and media to publishSCC
GoogleSource of analytics data (read-only)We send no personal data; we receive reporting data

8. Data location and transfers

Application data (database) and media files are stored on Cloudflare’s EU servers (Frankfurt, Germany). Some subprocessors (Anthropic, Stripe, Resend) operate outside the EU; those transfers are covered by the EU Standard Contractual Clauses (SCC).

9. Retention periods

Data categoryRetention
Account and organization dataFor the life of the account; deleted immediately on request (from backups within 30 days)
Security log (audit log)12 months
Analytics aggregate metricsFor the life of the account; removed on account deletion
Sessions (refresh tokens)Time-based expiry (KV TTL)
Media (R2)Until you delete the file or disconnect
Integration tokens (OAuth)Deleted on disconnect or deauthorize/deletion request
Billing dataAs required by accounting law

10. Your rights

You have the rights under GDPR Art. 15–22: access, rectification, erasure, restriction, data portability, and objection.

To exercise your rights: [email protected].

11. Security

Access tokens and sensitive identifiers are encrypted (AES-256-GCM); passwords are stored as hashes. Application secrets reside only on the server, never in the browser. Organizations’ data is isolated from one another through three-layer tenant isolation (query-level scoping, static analysis, and an integration test).

12. Cookies

This marketing website (luviamo.app) uses no cookies and no tracking. The application itself (app.luviamo.app) uses only strictly necessary session tokens for sign-in.

13. Right to lodge a complaint

If you believe we process your data unlawfully, you may lodge a complaint with the supervisory authority: the Office of the Data Protection Ombudsman (tietosuoja.fi), Finland.

14. Changes to this policy

We may update this policy. Changes are published on this page; the “updated” date and version number indicate the latest version.