Privacy Policy

Last updated: February 9, 2026

Your Privacy Matters

Wysestats is built for creators and teams who want analytics without giving up control of their data. This Privacy Policy explains what we process, why we process it, where it goes, how long we keep it, and what choices you have.

1. Who We Are (Controller) & Scope

Controller: Visualsofjulius OY (Finland)

Privacy contact: privacy@wysestats.com

This policy applies to our website, the Wysestats application, and related support and billing communications. It covers visitors, registered users (workspace owners and team members), Instagram accounts you connect, and public competitor accounts you choose to track.

Wysestats is intended for users 16+ and is not directed to children under 16.

2. Information We Process

Account Information

  • Email address (required for account creation and communication)
  • Authentication and session data (we use passwordless/magic-link login via Supabase Auth)
  • Workspace settings and preferences (e.g. dashboard layout, selected Instagram account)

Connected Instagram Data (Your Own Account)

  • Instagram profile data (e.g. username, profile picture URL, follower/following counts, media count)
  • Your posts metadata (e.g. caption, timestamp, permalink, media URL/thumbnail URL)
  • Your post insights (e.g. reach, views/impressions, saves, shares, profile visits)
  • Account-level insights (e.g. daily follower count trends, reach/views totals)
  • Audience demographics (aggregated statistics such as age/gender distribution and top countries/cities)
  • Access tokens needed to fetch data from Meta/Instagram APIs (stored encrypted)

Competitor Tracking (Public Data Only)

  • Public Business/Creator account profile data (e.g. username, name, bio, website, profile picture)
  • Public post data and public metrics (e.g. like counts, comment counts, view counts, captions)
  • We do not access private insights, DMs, or non-public data of competitor accounts.

AI Feature Data (OpenAI)

  • Lab (your own posts): when you use Lab, we may send your post captions, image URLs, and (for videos) audio for transcription, plus relevant performance metrics, to OpenAI to generate analysis and suggestions.
  • Competitor indexing: we may send public competitor post captions and public profile context (username/name/bio) to OpenAI to extract keywords, search terms, and themes.
  • We store the resulting analysis outputs in our database so you can view them later. The raw prompts and the minimum necessary inputs are processed to generate those outputs.

Billing Information

  • Subscription status, Stripe customer identifiers, invoices and payment metadata
  • Business information you provide for invoicing (e.g. address, VAT ID) where applicable

Usage, Device & Log Data

  • IP address, device and browser information, and timestamps (primarily for security and reliability)
  • Service logs and diagnostic events (to troubleshoot and prevent abuse)
  • Cookie and consent preferences

3. Why We Process Data (Purposes)

  • Provide the service: connect your Instagram account, fetch analytics, and display dashboards
  • Operate features you enable: competitor tracking, Notion exports, and Lab analysis
  • Security and abuse prevention: protect accounts, investigate incidents, prevent fraud
  • Support: respond to tickets, diagnose bugs, and help you use the product
  • Billing: manage subscriptions, invoices, and tax/VAT where applicable
  • Marketing (optional): newsletter and marketing communications if you opt in

4. Legal Bases (GDPR Article 6)

We rely on one or more of the following legal bases depending on what you use:

  • Contract performance (Art. 6(1)(b)): core Instagram analytics, Notion export, and service delivery
  • Legitimate interests (Art. 6(1)(f)): security, service reliability, competitor tracking of public accounts, and competitor AI indexing
  • Consent (Art. 6(1)(a)): non-essential cookies (analytics/marketing), newsletter marketing, and first-time Lab AI notice/acknowledgement
  • Legal obligation (Art. 6(1)(c)): accounting, invoicing, and tax compliance retention

When we rely on legitimate interests, we consider necessity and balance your rights against our interests, and you can object as described below.

5. Sharing, Processors, and Third Parties

We do not sell your personal data. We share data only to operate the service, and only to the extent needed.

Our processors (vendors)

  • Supabase: database hosting, authentication, and file storage
  • Vercel: application hosting and serverless compute
  • OpenAI: AI analysis for Lab and competitor indexing
  • Stripe: subscription billing, invoices, and payments
  • Resend: transactional emails (e.g. login links, service notices)
  • Notion: when you connect Notion, we push data into your own Notion workspace

Independent controllers

  • Meta / Instagram: provides the Instagram platform and APIs; their own terms and policies apply
  • Notion: for data stored in your Notion workspace, Notion typically acts as an independent controller

6. Your Rights (GDPR)

If you are in the EEA/UK (and in many other jurisdictions), you have rights over your personal data:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21) where we rely on legitimate interests
  • Withdraw consent (Art. 7) for consent-based processing

Product-first controls: you can export your data and delete your account from inside the app, and you can disconnect Instagram/Notion to stop further processing. To exercise rights by request, contact us at privacy@wysestats.com. We typically respond within one month (and may extend where permitted by law).

7. Data Security

  • Encryption in transit (TLS) and security controls at rest via our hosting providers
  • Access controls, authentication, and row-level security (RLS) in our database
  • Operational monitoring and incident response procedures

8. Data Retention

We keep data only as long as needed for the purposes described above, including legal obligations. In practice, this generally means:

  • Account and connected Instagram analytics: while your account is active, and deleted when you delete your account (subject to backups)
  • Competitor media: maintained in a rolling window (approximately 90 days) for trend analysis
  • Security and operational logs: kept for a limited period
  • Billing and invoices: retained for up to 10 years to meet legal/accounting obligations

9. Cookies, Analytics, and Marketing Pixels

We use essential cookies for core functionality (such as authentication). We may also use analytics cookies and marketing/advertising pixels, but only when you enable them via our cookie banner.

  • Essential cookies: required for login, security, and basic functionality
  • Analytics cookies: help us understand how the service is used (e.g. Google Analytics, if enabled)
  • Marketing cookies: help measure and improve marketing campaigns (e.g. Meta Pixel, if enabled)

You can change your cookie choices at any time via “Cookie settings” (see the footer) or your browser settings.

10. International Transfers

Some of our service providers may process data outside the EEA. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and (where applicable) adequacy decisions.

11. Complaints and Supervisory Authority

If you have concerns, contact us first and we will try to resolve them. You also have the right to lodge a complaint with a supervisory authority. As a Finnish company, our lead authority is typically the Finnish Data Protection Ombudsman, but you may contact your local authority in the EEA/UK.

12. Contact Information

Data Controller: Visualsofjulius OY (Finland)

Privacy contact: privacy@wysestats.com

Support: support@wysestats.com

Legal: legal@wysestats.com

13. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide a notice in the service and/or via email. The updated version becomes effective when posted.