Privacy Policy
Effective date: 17 June 2026 · Last updated: 9 July 2026
Sessio ApS ("Sessio," "we," "us," "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Sessio mobile application, our website (sessio.io), and related services (collectively, the "Platform").
By using the Platform, you agree to the practices described here. If you do not agree, please do not use the Platform.
We are the data controller responsible for your personal data. Contact: [email protected].
1. Who we are
- Sessio ApS
- CVR: 45830012
- Burmeistersgade 2, 1. th, 1429 København K, Denmark
- Email: [email protected] (privacy & legal) / [email protected] (general support)
2. What this policy covers
This Privacy Policy covers:
- The Sessio mobile app (iOS and Android)
- sessio.io, our marketing website
- Email and form-based contact with us
- Any future services we add and link to this Privacy Policy
3. Information we collect
3.1 Information you give us
Account and profile.
- Email address, password (stored only as a salted hash — never in plaintext).
- Display name, country, optional city.
- Profession(s), instruments, genres, experience level (from a fixed option list).
- Short biographical text ("BIO"), optional.
- Optional career fields: "Member of," "Represented by," and "Credits / Worked with" (free-text).
- Optional audio embed link to Spotify or SoundCloud (a single URL pointing to a public track — Sessio does not connect to your Spotify or SoundCloud account; we only display the link).
- Profile photo (required at onboarding).
Sessions.
- Title, optional description, optional genre tag.
- Date and time, location type (in-person or remote) and free-text location detail.
- Visibility settings: discoverability toggle on your profile, Public-session toggle, "Looking For" professions, and "Who Can View" scope (Everyone / Connections / Favourites).
- Optional reference playlist URL (free-text URL).
- Optional cover image (host-uploaded).
- The list of participants you invite or who accept invitations.
- Group chat thread tied to the session.
External email invites.
When you invite a non-Sessio user to a session via email, we store the recipient email, your user ID as the inviter, and the session ID. We send a transactional email containing a magic link scoped to that session. The recipient email is used only to deliver invitations and to attribute conversions if the recipient later signs up. The lawful basis for this processing is legitimate interest (GDPR Art. 6(1)(f)), with anti-harassment safeguards (a per-recipient rate limit of 15 invitations per rolling 7-day window) and a delete-on-request route via [email protected].
Messages and communications.
- Direct 1:1 messages between connections.
- Session group-chat messages.
- Support emails or in-app reports.
We store messages so that you and your collaborators can refer back to them.
3.2 Information collected automatically
- IP address, browser type, device type, operating system, app version.
- Pages visited, screens viewed, features used, time spent, session start/end.
- Crash reports and performance diagnostics.
- Marketing attribution: UTM parameters from links you click; install attribution for the app.
- Cookies and similar technologies on sessio.io (see Section 10).
We use this data to operate the Platform, debug issues, and understand product usage in aggregate.
3.3 Information from third parties
- App Store and Google Play may share install attribution and crash reports with us according to their own privacy practices.
- If you embed a Spotify or SoundCloud track on your profile, the embed loads content directly from those services when other users view your profile. Sessio does not receive a copy of your Spotify or SoundCloud account data; only the public URL you chose to share.
4. Legal basis for processing (GDPR Art. 6)
We rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to create and operate your account, enable discovery, connections, sessions, messaging, and send transactional emails.
- Consent (Art. 6(1)(a)) — to notify you about product updates if you opted in, send marketing newsletters, and set non-essential cookies via the cookie banner. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) — for analytics and product improvement, fraud prevention and security, and external email invites to non-members (subject to the safeguards described in Section 3.1).
- Legal obligation (Art. 6(1)(c)) — to retain financial and tax records under Danish law and to respond to legal process.
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. How we use your data
- Create and operate your account.
- Match you with collaborators via Explore (no automated decision-making with legal effects on you — Explore is a discovery surface, not an automated ranking with consequences).
- Schedule sessions; deliver invitations and reminders; auto-create group chats.
- Send transactional notifications by push, email, or in-app.
- Detect, prevent, and respond to abuse, fraud, and unauthorised access.
- Improve the Platform through aggregated analytics.
- Comply with legal obligations.
We do not sell your personal data. We do not engage in cross-site behavioural advertising. We do not make automated decisions that produce legal or similarly significant effects on you.
6. Who we share data with
We work with the following subprocessors. Each is bound by a Data Processing Agreement that obliges them to act only on our instructions and apply appropriate security measures.
- Marketing site + web hosting (sessio.io) — Vercel Inc. (US company; EU regions used; Standard Contractual Clauses).
- Backend application hosting — Fly.io Inc. (US company; EU regions used; Standard Contractual Clauses).
- Relational database (accounts, sessions, messages) — Neon Inc. (US company; EU region used; Standard Contractual Clauses).
- File storage (profile photos, session cover images, any uploaded files) — Cloudflare, Inc. (US company; EU regions used; Standard Contractual Clauses).
- Push notifications + mobile app build pipeline — Expo (650 Industries, Inc.) (US; Standard Contractual Clauses).
- Transactional email (account verification, password reset, magic-link invites, session reminders, in-app notifications) — Postmark, a service of ActiveCampaign LLC (US; Standard Contractual Clauses).
- Waitlist signup + marketing newsletter delivery — EmailOctopus Ltd (UK / EEA; UK adequacy decision).
- Web analytics (cookieless) — Vercel Web Analytics (Vercel Inc.) (EU; Standard Contractual Clauses).
- Product analytics (mobile app) — PostHog (PostHog Inc., US company; EU region eu.i.posthog.com used; Standard Contractual Clauses). Collects in-app usage events and screen views tied to your Sessio account identifier — not your email — to help us understand how the app is used and improve it. You can opt out at any time in the app under Settings → Privacy & Data → "Share usage analytics."
- Cookie consent banner (sessio.io) — implemented in-house; no third-party vendor.
Note on push notifications. When we send a push notification, the message is routed through Expo's push service, which then delivers it to Apple Push Notification service (APNs) for iOS devices or Firebase Cloud Messaging (FCM, a Google service) for Android devices. Apple and Google act as upstream subprocessors of Expo for this purpose; their own privacy practices apply to the delivery leg.
A current list of subprocessors is available on request at [email protected]. We update this list whenever processor relationships change and will notify users by email of material changes.
Other disclosures
- Legal obligation: we may disclose data if compelled by a court order, subpoena, or legal authority.
- Business transfer: if Sessio is acquired or merges with another company, your data may transfer to the new entity. We will notify you before any change of controller affects you.
- With your consent: if you ask us to share your data with a third party for a specific purpose.
7. International data transfers
Where possible, we use European data-centre regions to keep your data within the EEA at rest. Our backend hosting (Fly.io), database (Neon), and file storage (Cloudflare) all hold Sessio's data in EU regions, and our marketing site (Vercel) is configured for EU regions.
Where a subprocessor is established outside the EEA — for example, US-based companies operating EU regions, or US-based services that we cannot avoid for technical reasons (Expo for push notifications and app builds; Postmark for transactional email) — we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. For EmailOctopus (UK), we rely on the UK adequacy decision.
A complete and current list of subprocessors, the regions they use, and the applicable transfer mechanism is set out in Section 6 above and available on request at [email protected].
8. How long we keep your data
- Account credentials (email, password hash) — until account deletion, then 7 days for processing the deletion.
- Profile information (photo, bio, professions, etc.) — until account deletion, then deleted within 30 days.
- Uploaded images (profile photos, session cover images) — until you delete them or close your account, then deleted within 60 days.
- Sessions, messages, chat threads — until you delete your account; deleted within 30 days thereafter (subject to other collaborators' active participation).
- External-invite emails — 30 days from invite if the recipient has not signed up; longer if the recipient signs up and joins the session.
- Server logs (IP, request data) — 30 days.
- Analytics in identifiable form — maximum 14 months.
- Analytics aggregated or anonymised — indefinitely.
- Support emails and tickets — 3 years (statute of limitations).
- Cookie consent records — 12 months.
- Marketing email subscribers — until you unsubscribe.
- Tax and financial records — 7 years (Danish tax law).
After the retention period, data is deleted or irreversibly anonymised.
9. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — receive a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion, subject to retention obligations described in Section 8.
- Restriction — ask us to limit how we use your data while a dispute or correction is pending.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Object — object to processing based on legitimate interest, including direct marketing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise these rights, email [email protected] with "GDPR Request" in the subject line. We respond within 30 days. If your request is complex, we may extend by up to two further months and will explain why.
Limits on erasure
We cannot fully delete information where:
- It is required by law (e.g. tax records for 7 years).
- It is needed to establish, exercise, or defend legal claims.
- Other users actively rely on it — for example, your participation history in a session you co-hosted. In such cases your name may be replaced by an anonymous identifier ("Former Collaborator") on shared records while the activity history remains.
Supervisory authority
- Datatilsynet — Carl Jacobsens Vej 35, 2500 Valby, Denmark
- Email: [email protected]
- Phone: +45 33 19 32 00
- Website: www.datatilsynet.dk
10. Cookies and similar technologies
On sessio.io, we use cookies in three categories: strictly necessary, analytics (optional), and marketing attribution (optional). The cookie banner controls non-essential categories. Preferences can be changed at any time via "Cookie settings" in the footer.
We do not use cookies for cross-site advertising, behavioural retargeting, or the sale of data to third parties.
The cookie banner on sessio.io is implemented in-house — there is no third-party consent management vendor.
Our chosen web analytics provider (Vercel Web Analytics) is cookieless: it does not set any cookies, does not use local storage, and does not assign persistent identifiers to visitors. It uses a daily-rotating salted hash of IP + user agent for de-duplication only, which cannot be linked back to an individual visitor across days. We therefore do not place analytics cookies on your device.
The mobile app does not use browser cookies. It uses platform-standard SDK identifiers (e.g. Apple's IDFA, Google's Advertising ID) only if you grant permission via the iOS/Android consent prompt, and only for the purposes disclosed in this Privacy Policy.
The mobile app uses PostHog for product analytics. PostHog does not use browser cookies or advertising identifiers (IDFA / Advertising ID); it records in-app usage events and screen views under a first-party identifier tied to your Sessio account — never your email. This is based on our legitimate interest in understanding and improving the app (Section 4), and you can switch it off at any time in the app under Settings → Privacy & Data → "Share usage analytics." We do not enable PostHog session recording.
11. Children's privacy — 18+ only
Sessio is intended for users 18 years or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with data, contact [email protected] and we will remove it.
12. Security
We apply reasonable technical and organisational measures to protect your personal data from loss, misuse, unauthorised access, alteration, and disclosure, including:
- In transit: HTTPS / TLS encryption for all connections to the Platform.
- At rest: industry-standard encryption applied by our hosting providers to data stored on their infrastructure.
- Authentication: passwords are stored as salted hashes only — never in plaintext.
- Access controls: access to production systems and user data is limited to authorised staff who need it to perform their roles.
- Patching: we apply security updates and patches to our systems as they become available.
No security system is completely perfect. If you believe your account or our security has been compromised, contact [email protected] immediately.
13. Third-party links and embeds
The Platform contains links and embeds from third-party services — including Spotify, SoundCloud, App Store, Google Play, and partner organisations. Their privacy practices are governed by their own policies:
- Spotify: https://www.spotify.com/legal/privacy-policy/
- SoundCloud: https://soundcloud.com/pages/privacy
- Apple (App Store, APNs): https://www.apple.com/legal/privacy/
- Google (Play, Firebase): https://policies.google.com/privacy
Embedding a Spotify or SoundCloud track on your profile causes those services to load content directly when other users view your profile. They may set their own cookies or process IP addresses according to their policies.
14. Marketing and communications
We send marketing emails only to users who have opted in (e.g. via the waitlist signup or in-app preference). You can unsubscribe at any time using the link in any marketing email or by emailing [email protected].
We will continue to send transactional emails — account verification, password reset, session invitations, session reminders, request approvals — regardless of marketing-email status, because they are necessary for the Platform to function. Finer-grained notification controls will be added to in-app settings in a later release.
15. Changes to this Privacy Policy
We may update this Privacy Policy as our practices evolve or as required by law. Changes take effect when posted. For material changes, we will notify users by email or in-app at least 30 days before the change takes effect, where reasonably practicable.
16. Contact
For privacy questions or to exercise GDPR rights:
- [email protected]
- Sessio ApS, Burmeistersgade 2, 1. th, 1429 København K, Denmark
For general support: [email protected].