Privacy Policy
How Sojial collects, uses and protects your personal data under the GDPR/DSGVO. This is a draft; the controller's verified details and retention periods are confirmed before launch.
Status: Reviewed · public-launch ready (GO) · Last updated: 2026-06-18
Controller
Controller within the meaning of Art. 4(7) GDPR: Claus Nisslmüller e.U. Mitterbergerweg 6 4040 Linz Austria Email: privacy@sojial.com Data Protection Officer: No Data Protection Officer has been appointed because there is currently no legal obligation to appoint one.
What we process
Account data (email, handle, display name), authentication sessions, content you create (posts, comments, reactions, events, circles), media you upload and its metadata, connections and blocking, reports you submit, and your privacy, notification and safety settings.
Legal bases
We rely on: performance of the contract to provide the service (Art. 6(1)(b) GDPR) for your account and core features; our legitimate interests (Art. 6(1)(f)) for safety, moderation, abuse prevention and security; your consent (Art. 6(1)(a)) where required; and legal obligations (Art. 6(1)(c)) where they apply. The specific basis per feature is mapped in our internal compliance matrix.
Media & user content
Uploaded media is stored with our object-storage provider; metadata is kept in our database. Private media is access-controlled and not exposed through public URLs. Allowed uploads are JPEG, PNG and WebP images.
Service providers (processors)
We use the following processors and infrastructure providers to operate Sojial. The data-processing agreements (DPAs) marked below must be accepted before public launch — see the Subprocessors page: 1. Vercel Inc., USA — hosting, deployment, frontend and serverless/runtime infrastructure. DPA: must be accepted in the relevant Vercel account/plan before public launch. Transfers: EU Standard Contractual Clauses and, where applicable, Data Privacy Framework mechanisms. 2. MongoDB, Inc., USA (MongoDB Atlas) — database hosting and storage of account, profile, content and operational records. EU region preferred where available. DPA: must be accepted before public launch. Transfers: EU Standard Contractual Clauses and additional safeguards. 3. Cloudflare, Inc., USA (Cloudflare R2) — object/media storage, security and delivery. EU jurisdiction/region used where available. DPA: must be accepted before public launch. Transfers: EU Standard Contractual Clauses and additional safeguards. 4. Resend, Inc., USA — transactional email (account, verification, notifications, support). DPA: must be accepted before public launch. Transfers: EU Standard Contractual Clauses and, where applicable, Data Privacy Framework mechanisms.
Data retention
Account data: kept while the account exists and deleted or anonymised within 30 days after account deletion, unless longer retention is legally required. Profile data and user content: kept while published and deleted or anonymised within 30 days after deletion by the user or account deletion. Media files: kept while linked to active content and deleted within 30 days after the related content or account is deleted. Security logs: up to 90 days, unless longer is required for investigation, legal claims or platform security. Report and moderation records: up to 24 months to document safety decisions, abuse prevention, legal compliance and appeals. Backups: rolling backups may retain deleted data for up to 90 days before automatic overwrite. Legal/accounting records: kept for the legally required period under Austrian law where applicable. See Account deletion for what happens when you delete your account.
Your rights
Subject to applicable law you have the right to access, rectification, erasure, restriction, data portability and objection, and the right to lodge a complaint with a supervisory authority (in Austria: the Datenschutzbehörde). See the Data rights page for how to exercise them. Contact: privacy@sojial.com.
Contact
Privacy and data-subject requests: privacy@sojial.com