Privacy Policy
How we collect, use, and protect your personal data
Last updated: March 2026
Draft Notice: This privacy policy is pending review by legal counsel. The final version may differ. By using the platform during this period, you acknowledge this policy is subject to change.
1. Introduction
Inkspot Tattoo Market ("Inkspot", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
This policy applies to all users of the Inkspot platform, including clients, artists, and visitors. We comply with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.
2. Data We Collect
Account Information: Name, email address, password (hashed), profile photo, and role (client or artist). Artists additionally provide: artist name, phone number, studio location, and Stripe payment details.
Preferences & Onboarding Data: Tattoo style preferences, themes, vibes, placement preferences, budget range, and timeline — collected during onboarding and the Tattoo Finder wizard to personalise your experience.
Health Information: If voluntarily provided, health-related information (allergies, skin conditions, medications) to support safe tattoo consultations. This data is stored with elevated access controls.
Usage Data: Page views, search queries, wishlist activity, and interaction events — collected to improve the platform experience.
Performance Data: Core Web Vitals (LCP, INP, CLS, FCP, TTFB) and API response times — collected to monitor and improve platform performance.
Device & Browser Information: Browser type, operating system, device type, screen resolution, and country (derived from headers) — collected for analytics and compatibility.
3. How We Use Your Data
- Service delivery: Account management, booking facilitation, payment processing, and customer support
- Personalisation: Tailored design recommendations, search results, and discovery based on your preferences
- Communication: Booking confirmations, appointment reminders, payment receipts, and platform notifications
- Safety & moderation: Content moderation, fraud prevention, and enforcing our Terms of Service
- Analytics & improvement: Understanding usage patterns, monitoring performance, and improving features
- Legal compliance: Meeting regulatory requirements and responding to legal requests
4. Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase, with servers located in the EU. Files and images are stored in Supabase Storage (S3-compatible) with appropriate access controls.
We implement industry-standard security measures including encrypted connections (TLS), hashed passwords, role-based access control, and regular security reviews.
5. Third-Party Services
We share data with the following third-party services, only as necessary:
- Stripe — Payment processing. Stripe receives payment card details, transaction amounts, and billing information. See Stripe's Privacy Policy.
- Resend — Email delivery. Resend receives email addresses and message content for transactional emails (booking confirmations, reminders, etc.).
- Supabase — Database hosting and file storage. Supabase stores all platform data in EU-based infrastructure. See Supabase's Privacy Policy.
We do not sell your personal data to third parties. Data is shared only as described above or when required by law.
6. Cookies & Tracking
We use the following cookies:
- Essential cookies: Authentication session cookies and CSRF protection — required for the platform to function. These do not require consent.
- Preference cookies: Theme preference (light/dark mode) — stored locally to remember your display settings.
- Analytics cookies: Anonymous identifier (inkspot-anon-id) used for A/B testing and feature flag evaluation. This cookie does not contain personal information and is used only for aggregated analytics.
- Consent cookie: cookie-consent — stores your cookie preferences so we respect your choices on subsequent visits.
Non-essential cookies are only set after you provide consent via our cookie banner. You can change your preferences at any time.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to data portability: Request your data in a machine-readable format
- Right to object: Object to processing of your data for specific purposes, including direct marketing
- Right to restrict processing: Request that we limit how we use your data
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@inkspot.app. We will respond within 30 days as required by law. You also have the right to lodge a complaint with your local data protection authority.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.
- Account data: Retained while your account is active and for a reasonable period after deletion to allow for reactivation requests
- Page view analytics: Automatically deleted after 30 days
- Performance metrics: Automatically deleted after 7 days
- A/B testing events: Automatically deleted after 90 days
- Transaction records: Retained for the period required by applicable tax and accounting law
9. Children's Privacy
Inkspot is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. Tattooing is an age-restricted activity, and users must confirm they are 18 or older during registration.
If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through a prominent notice on the Platform. The "Last updated" date at the top indicates when the most recent changes were made.
11. Contact & Data Protection Officer
For privacy-related enquiries or to exercise your data rights, contact our Data Protection Officer:
- Email: privacy@inkspot.app
- Help Center: inkspot.app/help
We aim to respond to all privacy requests within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.