
Privacy Policy

Our privacy policy and how we use your data


thoughtleadership.app

Operated by Vim Digital Oy

Last Updated: January 9, 2026


1. INTRODUCTION

Vim Digital Oy (Business ID: 3186318-3, VAT: FI31863183), operating as Thought Leadership App ("we," "us," "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use thoughtleadership.app and our services (collectively, the "Service").

This Privacy Policy applies to:

Key Information:

  • Data Controller: Vim Digital Oy, Runeberginkatu 25 a 25, 00100 Helsinki, Finland
  • Contact: hello@thoughtleadership.app
  • Applicable Law: This policy is written to comply with the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and other applicable data protection laws; the specific legal bases we rely on for each processing activity are set out in Section 3.1

2. WHAT PERSONAL DATA WE COLLECT

We collect different types of personal data depending on how you interact with our Service.

2.1 Data You Provide Directly

Account Information:

  • Full name
  • Email address
  • Password (stored only as a salted password hash, never in plain text; see Section 8.1)
  • Company name or organization (optional)
  • Job title or role (optional)
  • Profile information (optional)

Payment Information:

  • Billing name and address
  • Payment card details (processed by our payment provider, not stored by us)
  • VAT number (for EU business customers)
  • Transaction history and invoices

Content You Create:

  • LinkedIn post drafts and published content
  • Prompts and instructions you provide to our AI
  • Voice recordings (if you use voice training features)
  • Uploaded documents or training materials
  • Saved templates and preferences
  • Scheduled content and calendar data

Communications:

  • Support tickets and customer service inquiries
  • Email correspondence with us
  • Feedback and survey responses
  • Comments or reviews you provide
  • WhatsApp messages sent to your idea inbox (phone number, message content, timestamps)
  • WhatsApp Business communications (if you opt in)

2.2 Data We Collect Automatically

Usage Data:

  • Features and tools you use within the Service
  • Content generation frequency and patterns
  • Time spent using different features
  • Actions you take within the platform
  • Performance data and error logs

Technical Data:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Screen resolution and display settings
  • Referrer URL (the site you came from)
  • Pages visited and links clicked
  • Date and time of access
  • Session duration

Cookies and Tracking Technologies: We use a small number of cookies and similar technologies today and may add others in the future:

  • Essential Cookies: Required for the Service to function (e.g., session management, authentication, CSRF protection)
  • Analytics Cookies: To understand how users interact with our Service (currently Google Analytics and Mixpanel; see Section 11.3)
  • Functional Cookies: (Future) To remember your preferences and settings
  • Marketing Cookies: (Future) To deliver personalized content and measure campaign effectiveness
  • Third-Party Cookies: Set by integrated services such as our payment processor or analytics providers

See our Cookie Policy (Section 11) for detailed information about cookies we use.

2.3 Data from Third-Party Sources

LinkedIn Data (if you connect your account):

  • Public profile information
  • Connection data (for analytics purposes only)
  • Post performance metrics (impressions, engagements)
  • Note: We only access data you explicitly authorize through LinkedIn's API

Payment Processor Data:

  • Transaction confirmation
  • Payment status
  • Billing address verification

AI Service Providers:

  • We use third-party AI models (such as OpenAI, Anthropic, or others) to power our content generation. Your prompts and inputs are processed by these providers according to their privacy policies.

2.4 Special Categories of Personal Data

We do NOT intentionally collect "special categories" of personal data (also known as "sensitive data") as defined by GDPR Article 9, including:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Sexual orientation

However, if you voluntarily include such information in your content inputs or voice training materials, it will be processed as part of the Service. We recommend not including sensitive personal data in your content.


3. HOW WE USE YOUR PERSONAL DATA

We use your personal data only for legitimate purposes and with proper legal basis.

3.1 Legal Bases for Processing (GDPR)

We process your personal data under the following legal bases:

Contract Performance (GDPR Article 6(1)(b)):

  • To provide the Service you subscribed to
  • To manage your account
  • To process payments
  • To deliver AI-generated content
  • To provide customer support

Legitimate Interests (GDPR Article 6(1)(f)):

  • To improve and optimize our Service
  • To detect and prevent fraud and abuse
  • To analyze usage patterns (aggregated and anonymized)
  • To develop new features
  • To ensure security and stability of our systems
  • To enforce our Terms and Conditions

Legal Obligation (GDPR Article 6(1)(c)):

  • To comply with applicable laws and regulations
  • To respond to legal requests and court orders
  • To maintain accounting and tax records
  • To prevent illegal activities

Consent (GDPR Article 6(1)(a)):

  • To send marketing communications (you can opt out anytime)
  • To use non-essential cookies (with your cookie preferences)
  • For any other processing requiring explicit consent

3.2 Specific Purposes

To Provide the Service:

  • Create and manage your account
  • Authenticate your identity
  • Generate AI-powered content based on your inputs
  • Train voice models to match your writing style (if opted in)
  • Store and organize your content
  • Schedule and manage LinkedIn posts
  • Provide analytics on your content performance
  • Process payments and manage billing
  • Send transactional emails (account confirmations, receipts, service updates)

To Improve the Service:

  • Analyze usage patterns to understand how features are used
  • Identify bugs, errors, and technical issues
  • Test new features and improvements
  • Train and improve our AI models using aggregated, anonymized data
  • Conduct research and development
  • Optimize performance and user experience

To Communicate With You:

  • Respond to your support requests
  • Send important service updates and notifications
  • Notify you of changes to our Terms or Privacy Policy
  • Request feedback or surveys (optional participation)
  • Send marketing communications about new features or offers (with your consent - you can opt out)

For Security and Compliance:

  • Detect and prevent fraud, spam, and abuse
  • Protect against security threats
  • Monitor for unauthorized access or suspicious activity
  • Comply with legal obligations
  • Enforce our Terms and Conditions
  • Respond to legal requests from authorities

For Business Operations:

  • Process payments and manage subscriptions
  • Maintain accounting records
  • Calculate and pay taxes
  • Manage business relationships with partners and vendors
  • Conduct internal audits and quality assurance

4. HOW WE SHARE YOUR PERSONAL DATA

We do NOT sell your personal data to third parties. We only share your data in the limited circumstances described below:

4.1 Service Providers (Data Processors)

We share data with trusted third-party service providers who help us operate the Service. These providers act as data processors under our instructions and are contractually obligated to protect your data.

Current and Potential Service Providers:

Infrastructure & Hosting:

  • Cloud hosting and database: Supabase (PostgreSQL database, authentication, storage)
  • Content delivery networks (CDNs)
  • Database services

AI & Machine Learning:

  • OpenAI (GPT models)
  • Anthropic (Claude models)
  • Meta (Llama models)
  • Natural language processing services
  • Voice processing services

Payment Processing:

  • Stripe (payment gateway and billing)
  • Fraud detection services

Analytics & Performance:

  • Google Analytics (website and app analytics)
  • Mixpanel (product analytics and user behavior tracking)
  • Application performance monitoring
  • Error tracking and logging services

Communications:

  • Resend (email service provider for transactional and marketing emails)
  • WhatsApp Business API (for idea inbox and service communications)
  • Customer support platforms (if implemented in future)

Marketing & Advertising: (Future)

  • Email marketing platforms (e.g., Mailchimp, ConvertKit)
  • Advertising platforms (e.g., Google Ads, LinkedIn Ads, Facebook Ads)
  • Marketing automation tools

Security & Compliance:

  • Security monitoring services
  • DDoS protection
  • Backup services

All service providers are required to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Comply with GDPR and other applicable data protection laws
  • Sign Data Processing Agreements (DPAs) with us

4.2 LinkedIn Platform

If you connect your LinkedIn account, we access and process your LinkedIn data through LinkedIn's API according to their terms and your authorization. We may share limited data with LinkedIn for:

  • Authenticating your account connection
  • Scheduling posts on your behalf
  • Retrieving performance analytics

4.3 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.

4.4 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government requests). We will only disclose the minimum data necessary to comply with the legal requirement.

We may disclose data when we believe it is necessary to:

  • Comply with applicable laws and regulations
  • Respond to legal process or governmental requests
  • Enforce our Terms and Conditions
  • Protect our rights, property, or safety
  • Protect users' rights, property, or safety
  • Prevent fraud or illegal activities
  • Investigate security incidents

4.5 Aggregated and Anonymized Data

We may share aggregated or anonymized data that can no longer be linked to you, directly or indirectly. This includes:

  • Usage statistics and trends
  • Performance benchmarks
  • Research findings
  • Marketing analytics

Data that has been irreversibly anonymized is not personal data under GDPR (Recital 26) and may be shared without the restrictions in this policy. Pseudonymized data (e.g., records keyed to an internal identifier that we could still link back to you) remains personal data and is handled under the rest of this policy.

4.6 With Your Consent

We may share your data with other parties when you explicitly consent to such sharing (e.g., integrations you authorize, beta features you opt into).


5. INTERNATIONAL DATA TRANSFERS

5.1 Where Your Data is Stored

Our Service is operated from Finland (European Union). Your data is primarily stored and processed within the EU/EEA, where GDPR applies directly.

Primary Data Location:

  • EU-based servers and data centers
  • Cloud services with EU data residency

5.2 Transfers Outside the EU/EEA

Some of our service providers may be located outside the EU/EEA (e.g., certain AI model providers, analytics services, or cloud infrastructure in the United States or other countries).

When we transfer your data outside the EU/EEA, we ensure appropriate safeguards are in place:

EU Standard Contractual Clauses (SCCs):

  • We use the European Commission's Standard Contractual Clauses with non-EU service providers
  • These are legally binding contracts that ensure EU-level data protection

Adequacy Decisions:

  • We may transfer data to countries that the European Commission has deemed to provide adequate data protection (e.g., the United Kingdom and Switzerland)

EU-US Data Privacy Framework:

  • For US-based service providers, we verify their participation in the EU-US Data Privacy Framework (where applicable)

Additional Safeguards:

  • Data encryption in transit and at rest
  • Access controls and authentication
  • Regular security audits
  • Contractual obligations requiring EU-level protection

5.3 AI Service Providers

Important Notice: Our AI-powered features use third-party AI models that may process your content inputs outside the EU/EEA.

AI Providers We Use:

OpenAI (United States)

  • Models: GPT-4, GPT-4 Turbo, GPT-3.5
  • Privacy Policy: https://openai.com/privacy
  • Data Processing: EU Standard Contractual Clauses
  • Data Location: United States and global infrastructure

Anthropic (United States)

  • Models: Claude 3 (Opus, Sonnet, Haiku) and newer versions
  • Privacy Policy: https://www.anthropic.com/legal/privacy
  • Data Processing: EU Standard Contractual Clauses
  • Data Location: United States and global infrastructure

Meta (United States)

  • Models: Llama 2, Llama 3, and newer versions
  • Privacy Policy: https://www.facebook.com/privacy/policy
  • Data Processing: EU Standard Contractual Clauses
  • Data Location: United States and global infrastructure

How We Use These Providers:

  • Your content prompts and inputs are sent to these AI providers for processing
  • They process your data to generate content according to your instructions
  • Processing happens in real-time; we don't control where their servers are located
  • Each provider has its own data retention and security practices

Data Processed by AI Providers:

  • Your content prompts and instructions
  • Voice recordings (if using voice features)
  • Training materials you provide
  • Generated content outputs
  • Usage metadata (API calls, timestamps)

What AI Providers Do NOT Receive:

  • Your email address or contact information
  • Your payment details
  • Your account credentials
  • Analytics or usage data unrelated to AI requests
  • Other users' data

Your AI Data Rights:

You can minimize data transfers by:

  • Not including personal data in your content prompts
  • Using generic examples rather than real names or information
  • Being mindful of what you input into AI features
  • Not including sensitive information in voice training materials

AI Training:

  • We use aggregated, anonymized data to improve our Service
  • Whether an AI provider may use your prompts to improve its own models is governed by that provider's API terms, which differ from the terms of its consumer products; check the current policy of each provider listed above
  • OpenAI's policies on data use and training opt-out: https://openai.com/policies/usage-policies
  • You can contact us to opt out of certain data uses

6. HOW LONG WE KEEP YOUR DATA

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Data Retention Periods

Active Accounts:

  • Account data: Retained for the duration of your account
  • Content and generated posts: Retained for as long as you keep them saved
  • Usage data: Retained for up to 2 years
  • Payment records: Retained for 7 years (Finnish accounting requirements)

Inactive Accounts:

  • If you don't use your account for 12 months, we may send reminders
  • After 18 months of complete inactivity, we may delete your account after notice

Deleted Accounts:

  • When you delete your account, we delete or anonymize your personal data within 30 days
  • Some data may be retained longer if required by law or for legitimate business purposes

Backup Systems:

  • Deleted data may remain in backup systems for up to 90 days before permanent deletion
  • Backups are securely stored and not used for active processing

6.2 Legal Retention Requirements

We may retain certain data longer to comply with legal obligations:

  • Financial records: 7 years (Finnish Accounting Act)
  • Tax records: 7 years (Finnish Tax Administration requirements)
  • Communications required for legal disputes: Duration of legal proceedings + reasonable period
  • Data subject to legal hold: Until the hold is lifted

6.3 Legitimate Business Purposes

We may retain data for legitimate business purposes:

  • Fraud prevention and security: Up to 5 years
  • Aggregated analytics data: Indefinitely (after anonymization)
  • Resolved support tickets: Up to 3 years
  • Marketing opt-out lists: Indefinitely (to respect your preferences)

7. YOUR PRIVACY RIGHTS (GDPR)

Under the General Data Protection Regulation (GDPR) and Finnish data protection law, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You have the right to:

  • Know whether we process your personal data
  • Access your personal data
  • Receive information about how we process your data
  • Obtain a copy of your personal data

How to exercise: Email hello@thoughtleadership.app with "Data Access Request" in the subject line. We will respond within 30 days.

7.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information

How to exercise: Update your information directly in your account settings, or email hello@thoughtleadership.app for assistance.

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • The data must be deleted to comply with legal obligations

Exceptions: We may refuse deletion where we need the data to:

  • Comply with legal obligations
  • Establish, exercise, or defend legal claims
  • Fulfil archiving purposes in the public interest

How to exercise: Email hello@thoughtleadership.app or delete your account through your account settings. We will delete your data within 30 days (some data may remain in backups for up to 90 days).

7.4 Right to Restriction of Processing (Article 18)

You have the right to request that we limit how we process your data when:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you don't want deletion
  • We no longer need the data but you need it for legal claims
  • You object to processing (pending verification of legitimate grounds)

How to exercise: Email hello@thoughtleadership.app with your request and reason.

7.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON)
  • Transfer your data to another service provider

Applies to: Data you provided to us and that we process based on consent or contract.

How to exercise: Email hello@thoughtleadership.app with "Data Portability Request" in the subject line. We will provide your data within 30 days.

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data when:

  • Processing is based on legitimate interests (you can object for reasons relating to your particular situation)
  • Processing is for direct marketing purposes (absolute right - we must stop immediately)

How to exercise: Email hello@thoughtleadership.app with "Objection to Processing" in the subject line and describe your particular situation. To stop direct marketing, use the unsubscribe link in any marketing email; no justification is required.

7.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise:

  • Cookie consent: Adjust your cookie settings in our cookie banner or preferences
  • Marketing consent: Unsubscribe from marketing emails
  • Other consent: Email hello@thoughtleadership.app

7.8 Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority.

In Finland: Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: https://tietosuoja.fi/en/home
Email: tietosuoja@om.fi
Phone: +358 29 566 6700

In EU/EEA: Find your local data protection authority: https://edpb.europa.eu/about-edpb/board/members_en

7.9 Automated Decision-Making and Profiling (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Our Use of Automated Processing:

  • We use AI to generate content based on your inputs, but this does not constitute automated decision-making under GDPR Article 22
  • You always have human control over what content you create and publish
  • We do not make automated decisions that significantly affect you without human involvement

7.10 How to Exercise Your Rights

Primary Method: Email: hello@thoughtleadership.app
Subject: [Type of Request] - e.g., "Data Access Request"

Include in Your Request:

  • Your full name and email address
  • Description of your request
  • Specific data or processing you're referring to (if applicable)
  • Proof of identity (if needed to verify your request)

Our Response Time:

  • We will acknowledge your request within 72 hours
  • We will fulfill your request within one month (30 days)
  • If the request is complex or we receive many requests, we may extend this by up to two further months (GDPR Article 12(3)); we will tell you about the extension and the reason within the first month

Free of Charge:

  • We will not charge a fee for most requests
  • We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests

8. HOW WE PROTECT YOUR DATA

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

8.1 Technical Security Measures

Encryption:

  • Data in transit: TLS (HTTPS) for all connections to the Service
  • Data at rest: Encrypted databases and file storage
  • Passwords: Stored only as salted Bcrypt or Argon2 hashes (never in plain text and never in a reversible form)
  • Payment data: Processed by PCI DSS compliant payment providers; we never store full card details

Access Controls:

  • Multi-factor authentication (MFA) available for user accounts
  • Role-based access control (RBAC) for internal systems
  • Principle of least privilege for employees and contractors
  • Regular access reviews and revocations

Network Security:

  • Firewalls and intrusion detection systems
  • DDoS protection
  • Regular security patches and updates
  • Vulnerability scanning and penetration testing

Application Security:

  • Input validation and sanitization
  • Protection against common attacks (SQL injection, XSS, CSRF)
  • Security headers (CSP, HSTS, etc.)
  • Rate limiting and abuse prevention
  • Regular code security reviews

Monitoring and Logging:

  • Security event logging and monitoring
  • Anomaly detection for suspicious activity
  • Automated alerts for security incidents
  • Regular log reviews

8.2 Organizational Security Measures

Data Governance:

  • Data minimization principles (collect only what we need)
  • Regular data audits and cleanup
  • Clear data retention policies
  • Documented data processing activities (GDPR Article 30)

Access Management:

  • Background checks for employees with data access
  • Confidentiality agreements with all staff and contractors
  • Regular training on data protection and security
  • Immediate revocation of access for terminated employees

Vendor Management:

  • Due diligence on all service providers
  • Data Processing Agreements (DPAs) with all processors
  • Regular vendor security assessments
  • Monitoring of vendor compliance

Incident Response:

  • Security incident response plan
  • Data breach notification procedures (GDPR Articles 33 and 34)
  • Regular incident response drills
  • Post-incident reviews and improvements

Privacy by Design:

  • Privacy considerations in all new features
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Privacy-enhancing technologies where feasible
  • Regular privacy audits

8.3 Data Breach Procedures

In the unlikely event of a personal data breach, we will:

Immediate Actions:

  1. Contain and assess the breach
  2. Document the incident
  3. Determine the scope and impact

Notification to Authorities (GDPR Article 33):

  • Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, we will notify the Finnish Data Protection Ombudsman without undue delay and, where feasible, within 72 hours of becoming aware of it

Notification to You (GDPR Article 34):

  • If the breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay
  • We will explain what happened, what data was affected, and what steps we're taking

Remediation:

  • Fix the vulnerability that caused the breach
  • Implement additional security measures
  • Conduct post-incident review

8.4 Limitations of Security

Important: While we implement robust security measures, no system is 100% secure. Data transmission over the internet and data storage systems carry inherent risks.

Your Responsibilities:

  • Keep your password secure and confidential
  • Don't share your account with others
  • Use a strong, unique password
  • Enable multi-factor authentication if available
  • Log out when using shared devices
  • Report any suspected security issues immediately

We Cannot Guarantee:

  • Absolute security of data
  • Prevention of all possible security breaches
  • Security of data transmitted through unsecured networks
  • Security on devices you control

9. CHILDREN'S PRIVACY

Our Service is not intended for children under 18 years of age.

We do not knowingly collect personal data from children under 18.

If you are under 18, do not:

  • Use or register for the Service
  • Provide any personal information to us
  • Use any interactive features of the Service

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@thoughtleadership.app. We will delete such data as soon as possible.

Age Verification: By using the Service, you represent that you are at least 18 years old.


10. THIRD-PARTY LINKS AND SERVICES

Our Service may contain links to third-party websites, applications, or services that are not owned or controlled by us.

Important Notice:

  • We are not responsible for the privacy practices of third parties
  • This Privacy Policy does not apply to third-party services
  • We encourage you to read the privacy policies of any third party you interact with

Examples of Third-Party Services:

  • LinkedIn (when you connect your account)
  • Stripe (payment processing)
  • OpenAI, Anthropic (Claude), Meta (Llama) - AI model providers
  • Google Analytics and Mixpanel (analytics services)
  • WhatsApp (idea inbox and communications)
  • Resend (email delivery)
  • Supabase (database and authentication)
  • Social media platforms (if you share content)

When You Use Third-Party Services:

  • You are subject to their terms and privacy policies
  • They may collect data about you independently
  • We have limited or no control over their data practices

Our Responsibility:

  • We conduct due diligence on third-party providers
  • We require appropriate data protection agreements
  • We do not sell your data to third parties
  • We choose reputable, privacy-conscious providers where possible

10A. WHATSAPP INTEGRATION

10A.1 What is the WhatsApp Feature?

We offer a WhatsApp integration that allows you to:

  • Send content ideas to your personal "idea inbox" via WhatsApp messages
  • Receive notifications and updates about your content (optional)
  • Communicate with our Service through WhatsApp

10A.2 What Data We Collect via WhatsApp

When you use our WhatsApp feature, we collect:

  • Your phone number (to identify your account and enable messaging)
  • Message content (ideas, notes, or instructions you send to your inbox)
  • Timestamps (when messages were sent and received)
  • Message metadata (delivery status, read receipts if enabled)

10A.3 How We Use WhatsApp Data

  • To deliver messages to your idea inbox in the Service
  • To process and organize your content ideas
  • To send you confirmations or responses (if you've opted in)
  • To improve the WhatsApp integration feature
  • To provide customer support related to WhatsApp messages
  • To send service notifications (if you've enabled this)

10A.4 WhatsApp's Privacy Policy

WhatsApp is operated by Meta Platforms, Inc. Your use of WhatsApp is governed by WhatsApp's own Terms of Service and Privacy Policy, published by Meta.

Important: WhatsApp messages are end-to-end encrypted in transit between you and the WhatsApp Business endpoint that handles our account. Depending on how that endpoint is hosted, it may run on infrastructure operated by Meta on our behalf rather than on our own systems, in which case the encryption terminates there. Once a message reaches our Service, it is stored and processed according to this Privacy Policy, not WhatsApp's encryption.

10A.5 Data Sharing with WhatsApp/Meta

When you message us via WhatsApp:

  • WhatsApp/Meta processes the message delivery through their infrastructure
  • WhatsApp/Meta may collect metadata about your usage of WhatsApp
  • WhatsApp/Meta's own data collection practices apply to the WhatsApp app

We share with WhatsApp/Meta only:

  • Your phone number (to enable messaging)
  • Message delivery confirmations and status
  • Basic connection handshake data

We do NOT share with WhatsApp/Meta:

  • Your email or other account details
  • Your content created in the Service (unless you send it via WhatsApp)
  • Payment information
  • Analytics or usage data from our platform
  • Other personal data unrelated to WhatsApp messaging

10A.6 Your WhatsApp Privacy Options

Opt-In Required:

  • You must explicitly enable the WhatsApp feature to use it
  • We do not automatically connect your WhatsApp
  • First-time setup requires phone number verification

Opt-Out:

  • Disconnect WhatsApp integration in your account settings anytime
  • Stop sending messages to our WhatsApp number
  • Contact hello@thoughtleadership.app to delete WhatsApp message history
  • No penalty for opting out

Data Deletion:

  • When you disconnect WhatsApp, we retain messages for 30 days (for recovery), then delete them
  • You can request immediate deletion by contacting us
  • Deletion is permanent and cannot be undone

Control What You Share:

  • Only send content you're comfortable storing in our Service
  • Don't send sensitive personal data via WhatsApp if possible
  • Remember messages are stored on our servers after receipt

10A.7 WhatsApp Data Location and Transfers

International Data Transfers:

  • WhatsApp messages are processed through Meta's global infrastructure
  • This may include servers outside the EU/EEA (including United States)
  • Meta uses Standard Contractual Clauses and other safeguards for EU data transfers
  • See Meta's privacy policy for details on international data transfers

Our Storage:

  • Once received, messages are stored on Supabase servers (EU-based)
  • Subject to our standard data retention and security practices

10A.8 WhatsApp for Business Communications

Service Notifications (Opt-In): If you opt in to receive service updates via WhatsApp, we may send you:

  • Content reminders and scheduling notifications
  • Account alerts and important updates
  • Feature announcements (if you've opted in)
  • Customer support responses

Marketing Messages:

  • Marketing communications via WhatsApp require separate explicit consent
  • You can opt out at any time by disconnecting the WhatsApp integration in your account settings or by emailing hello@thoughtleadership.app

Your Rights:

  • Same GDPR rights apply to WhatsApp data (access, deletion, portability, etc.)
  • You can request a copy of all WhatsApp messages we've stored
  • You can object to processing of WhatsApp data
  • You can lodge a complaint with data protection authorities

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences, authenticate your session, and provide analytics.

11.2 Cookies We Currently Use

Essential Cookies (Always Active): These cookies are necessary for the Service to function and cannot be disabled.

  • Session Cookies: Keep you logged in as you navigate the Service
  • Authentication Cookies: Verify your identity and secure your account
  • Security Cookies: Detect abuse and protect against attacks
  • Load Balancing Cookies: Distribute traffic across servers

Example Cookies:

  • session_id - Maintains your logged-in session
  • csrf_token - Protects against cross-site request forgery attacks
  • auth_token - Authenticates your identity

11.3 Analytics Cookies We Use

Google Analytics (Active):

  • Tracks page views, user flows, and feature usage
  • Helps us understand how users interact with the Service
  • Used to improve user experience and identify issues
  • Collects: pages visited, time on site, referrer, device type, location (country/city level)
  • Retention: 26 months (configurable)
  • Privacy Policy: https://policies.google.com/privacy
  • Opt-out: https://tools.google.com/dlpage/gaoptout

Mixpanel (Active):

  • Product analytics and user behavior tracking
  • Tracks feature usage, user journeys, and engagement
  • Helps us improve product features and user experience
  • Collects: events, user actions, feature interactions, device data
  • Retention: Configurable, typically 5 years for aggregated data
  • Privacy Policy: https://mixpanel.com/legal/privacy-policy
  • Opt-out: Available in your account settings

How We Use Analytics:

  • Understand which features are most/least used
  • Identify technical issues and bugs
  • Optimize user experience and interface
  • Measure effectiveness of new features
  • Improve onboarding and retention
  • Generate aggregated statistics (anonymized)

11.4 Additional Tracking We May Implement (Future)

Functional Cookies (Requires Consent):

  • Remember your preferences (language, timezone, theme)
  • Store your settings and customizations
  • Enhance your user experience

Heatmaps and Session Recording (Future - Requires Consent):

  • Visual representation of where users click and scroll
  • Session replay for UX improvement
  • Only implemented with explicit consent
  • Sensitive data automatically masked

Marketing/Advertising Cookies (Requires Consent):

  • Track effectiveness of marketing campaigns
  • Deliver personalized content and ads
  • Retargeting cookies (e.g., Google Ads, LinkedIn Ads, Facebook Pixel)
  • Attribution tracking

11.5 Third-Party Cookies

Some cookies are set by third-party services we use:

Active Third-Party Cookies:

  • Stripe: Payment processing and fraud detection
  • Google Analytics: Website and app analytics
  • Mixpanel: Product analytics and user behavior
  • Supabase: Authentication and session management
  • OpenAI, Anthropic, Meta: AI model processing (server-side API calls from our backend; these providers do not set cookies in your browser)

Future Third-Party Cookies:

  • Advertising platforms (Google Ads, LinkedIn Ads, Facebook Ads)
  • Social media platforms (if embedded content)
  • Customer support tools
  • Additional analytics or marketing tools

11.6 Cookie Consent (GDPR/ePrivacy)

For EU/EEA Users:

  • We obtain your consent before setting non-essential cookies (analytics, marketing)
  • Essential cookies (authentication, security) do not require consent
  • You can manage your cookie preferences at any time
  • We use cookie banners and preference centers to collect consent
  • Pre-checked boxes are not used for non-essential cookies
  • You can withdraw consent at any time

Cookie Banner: When you first visit our Service, you'll see a cookie banner explaining:

  • What cookies we use and why
  • Which cookies are essential vs. optional
  • How to accept or reject non-essential cookies
  • How to change your preferences later

Current Cookie Usage:

  • Google Analytics: Requires consent (analytics cookies)
  • Mixpanel: Requires consent (analytics cookies)
  • Stripe: Essential for payment processing (no consent required)
  • Supabase: Essential for authentication (no consent required)

11.7 How to Control Cookies

Browser Settings: Most browsers allow you to control cookies through settings:

  • Block all cookies
  • Block third-party cookies only
  • Delete cookies when you close the browser
  • Receive notifications when cookies are set

Browser-Specific Instructions:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Cookies and site permissions

Our Cookie Preferences:

  • Click "Cookie Settings" in our footer (when implemented)
  • Manage your consent for different cookie categories
  • Changes take effect immediately

Important: If you block essential cookies (for example, the session and authentication cookies listed in 11.2), you will not be able to stay logged in and some features of the Service will not work.

11.8 Other Tracking Technologies

We may also use:

Web Beacons / Pixels:

  • Small invisible images embedded in emails or web pages
  • Track email opens and link clicks
  • Measure campaign effectiveness

Local Storage:

  • HTML5 local storage to remember preferences
  • Similar to cookies, but data is not automatically sent with requests; it is only read by scripts on our pages
  • Subject to the same consent rules as cookies when used for non-essential purposes (the ePrivacy rules cover any storage on your device, not only cookies)

Device Fingerprinting:

  • (Future) May collect device characteristics for fraud prevention
  • Used only for security purposes, not for tracking

Session Replay (Future - Only with Explicit Consent):

  • May record user sessions to improve UX
  • Only with explicit opt-in consent
  • Sensitive data will be masked
  • You can opt out at any time

11.9 Do Not Track (DNT)

Some browsers have a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we respect your privacy choices through our cookie consent mechanisms.


12. MARKETING COMMUNICATIONS

12.1 Types of Marketing Communications

We may send you:

  • Product updates and new features
  • Tips and best practices for using the Service
  • Special offers and promotions
  • Company news and blog posts
  • Event invitations (webinars, workshops)
  • Customer success stories and case studies

12.2 Your Choices

Opt-In (For EU/EEA Users):

  • We will only send marketing emails if you opt in
  • Opt-in can be during registration or separately
  • We do not use pre-checked boxes

Opt-Out:

  • Click "Unsubscribe" at the bottom of any marketing email
  • Email hello@thoughtleadership.app with "Unsubscribe" in the subject
  • Update your preferences in your account settings

What Happens When You Opt Out:

  • We will stop sending marketing emails within 10 business days
  • You will still receive transactional emails (receipts, account updates, security notifications)
  • We keep your email on a suppression list to honor your preference

12.3 Transactional Emails (Cannot Opt Out)

Essential service emails we must send:

  • Account creation and verification
  • Password reset requests
  • Payment confirmations and receipts
  • Subscription changes and renewals
  • Service updates and security notifications
  • Responses to your support requests
  • Changes to our Terms or Privacy Policy

You cannot opt out of transactional emails as they are necessary for the Service.


13. CHANGES TO THIS PRIVACY POLICY

13.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • New features or services
  • Changes in applicable laws
  • Feedback from users or regulators

13.2 Notification

Material Changes:

  • We will notify you by email (to your registered email address)
  • We will post a prominent notice on our Service
  • We will provide at least 30 days' notice before changes take effect

Minor Changes:

  • We will update the "Last Updated" date at the top
  • We will post the updated policy on our Service
  • Changes take effect immediately upon posting

13.3 Your Acceptance

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

If you do not agree with changes:

  • Stop using the Service
  • Delete your account before the effective date
  • Contact us to exercise your GDPR rights

13.4 Version History

We maintain previous versions of this Privacy Policy for reference. Contact hello@thoughtleadership.app if you need access to a previous version.


14. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Vim Digital Oy
Operating as: Thought Leadership App
Business ID: 3186318-3
VAT Number: FI31863183

Email: hello@thoughtleadership.app
Website: https://thoughtleadership.app

Address:
Runeberginkatu 25 a 25
00100 Helsinki
Finland

For Privacy-Specific Inquiries:

  • GDPR rights requests (access, deletion, portability, etc.)
  • Questions about how we process your data
  • Concerns about data security
  • Complaints about data handling
  • Data breach reports

Response Time:

  • We acknowledge all privacy inquiries within 72 hours
  • We respond fully within 30 days
  • Complex requests may take up to 90 days (we will notify you)

15. LEGAL INFORMATION

15.1 Data Controller

Vim Digital Oy is the data controller responsible for your personal data under GDPR.

15.2 Legal Compliance

This Privacy Policy complies with:

  • EU General Data Protection Regulation (GDPR) 2016/679
  • Finnish Data Protection Act (1050/2018)
  • Finnish Act on Electronic Communications Services (917/2014), which replaced the Act on the Protection of Privacy in Electronic Communications (516/2004)
  • ePrivacy Directive (2002/58/EC)
  • Other applicable Finnish and EU privacy laws

15.3 Governing Law

This Privacy Policy is governed by the laws of Finland.

15.4 Relationship to Terms and Conditions

This Privacy Policy supplements our Terms and Conditions available at https://thoughtleadership.app/terms-of-service

In case of conflict between this Privacy Policy and our Terms and Conditions, this Privacy Policy prevails regarding data protection matters.


16. GDPR COMPLIANCE SUMMARY

For quick reference, here's a summary of our GDPR compliance:

GDPR Requirement | Our Compliance
Legal Basis | Contract, Legitimate Interests, Consent, Legal Obligation
Data Minimization | We collect only data necessary for the Service
Purpose Limitation | Data used only for stated purposes
Storage Limitation | Data deleted after retention period
Accuracy | Users can update data anytime
Security | Encryption, access controls, monitoring
Transparency | This comprehensive Privacy Policy
Data Subject Rights | All GDPR rights fully implemented
Data Protection Officer | Not required (but privacy contact available)
Data Breach Notification | Procedures in place per Articles 33-34
International Transfers | Standard Contractual Clauses, adequate safeguards
Privacy by Design | Built into all features and processes
Records of Processing | Maintained per Article 30

APPENDIX A: DATA PROCESSING DETAILS

Categories of Personal Data

Category | Examples | Legal Basis | Retention
Identity Data | Name, username | Contract | Account lifetime
Contact Data | Email, address | Contract | Account lifetime
Financial Data | Payment info, VAT number | Contract, Legal Obligation | 7 years
Account Data | Password, preferences | Contract | Account lifetime
Content Data | Posts, prompts, voice | Contract | User-controlled
Technical Data | IP, device, browser | Legitimate Interest | 2 years
Usage Data | Feature usage, analytics | Legitimate Interest | 2 years
Marketing Data | Email preferences | Consent | Until opt-out
Communications | Support tickets, emails | Legitimate Interest, Contract | 3 years

Data Recipients

Recipient Type | Purpose | Location | Safeguards
Supabase | Database & infrastructure | EU/EEA | DPA, encryption, EU servers
OpenAI | AI content generation | US/Global | DPA, SCCs, encryption
Anthropic (Claude) | AI content generation | US/Global | DPA, SCCs, encryption
Meta (Llama) | AI content generation | US/Global | DPA, SCCs, encryption
Stripe | Payment processing | EU/US | PCI-DSS, DPA, SCCs
Resend | Email delivery | US/EU | DPA, encryption
WhatsApp/Meta | Messaging & inbox | US/Global | DPA, SCCs, end-to-end encryption in transit
Google Analytics | Usage analysis | US/Global | DPA, SCCs, anonymization
Mixpanel | Product analytics | US | DPA, SCCs, data controls

Note: WhatsApp's end-to-end encryption protects messages in transit to our business account. Once a message reaches our idea inbox it is decrypted and stored on our Supabase servers, as described in Section 10A.7.

APPENDIX B: YOUR CHECKLIST FOR PRIVACY

As a User, You Can:

✅ Access your data anytime
✅ Correct inaccurate information
✅ Delete your account and data
✅ Export your data (data portability)
✅ Object to certain processing
✅ Restrict how we use your data
✅ Withdraw consent
✅ Opt out of marketing emails
✅ Manage cookie preferences
✅ Lodge a complaint with authorities

Contact us at hello@thoughtleadership.app to exercise any of these rights.


END OF PRIVACY POLICY

Last Updated: January 9, 2026

This Privacy Policy is designed to be GDPR-compliant and future-proof for additional tracking and features. Regular reviews and updates ensure continued compliance as the Service evolves.

