Privacy Policy
Last updated: 2026-06-03
This policy explains what data we collect about you, why we collect it, and what your rights are. It applies to the Inklee website, the Inklee web app, public artist pages hosted by Inklee, and the booking-request workflow.
1. Who is responsible
The data controller is Inklee OÜ, Pärnu mnt. 105, 11312 Tallinn, Estonia, registry code 17497625, represented by Michel Kräft.
Privacy contact: support@inklee.app
Data protection: a Data Protection Officer is not currently appointed because Inklee considers itself below the mandatory-DPO thresholds in Article 37 GDPR. Use the privacy contact above for any data-protection request.
This policy applies under the EU/EEA GDPR (Regulation (EU) 2016/679). Where users in the United Kingdom are concerned, the equivalent rights under the UK GDPR and the UK Data Protection Act 2018 apply, and the UK Information Commissioner’s Office is the competent supervisory authority. Inklee currently has an EU focus but does not geo-restrict access; we apply GDPR-level protections to all users.
2. Different roles for different data
Inklee handles two main streams of personal data, with different responsibilities for each:
- As controller, we decide how to process: artist account data, billing data (if and when paid plans go live), website analytics, error and security logs, support communications, and any data we need to run and protect the platform.
- As processor for the Artist, we handle Client Booking Request Data on behalf of the Artist who receives the request. The Artist is the controller of that data. Our Data Processing Agreement (Section 5 of this package) governs that relationship.
If you submit a booking request through an Artist’s public page, the Artist is your primary controller for that submission. Inklee processes the data so that the Artist can review and respond, and to operate the technical service.
3. What we collect and why
3.1 Artist account data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Name, email, password / OAuth identifier | Account creation, login, security | Contract (Art. 6(1)(b)) |
| Display name, Instagram handle, bio, location, timezone, logo | Public artist page; service operation | Contract (Art. 6(1)(b)) |
| Booking settings, email template content, calendar configuration | Service operation | Contract (Art. 6(1)(b)) |
| Stripe Connect identifiers, deposit metadata (Stripe payment-intent ID, refund ID, deposit amount and status, platform-fee amount) | Operate the in-app deposit workflow; charge and refund the platform fee. Inklee never sees card numbers (card data is entered directly into Stripe’s hosted fields) and never holds deposit funds. | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) for fraud-prevention and reconciliation |
| IP address, device, browser metadata, audit log of account actions | Security, abuse prevention, accountability | Legitimate interests (Art. 6(1)(f)) |
| Support messages | Responding to support requests | Legitimate interests / Contract |
3.2 Client booking request data (processed on behalf of the Artist)
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Name and/or Instagram handle, email | Identify the requester to the Artist | Controller (Artist) — contract / legitimate interests |
| Tattoo idea, placement (body area), size, references, links, uploaded images | Allow the Artist to assess the request | Controller (Artist) — contract / legitimate interests |
| Preferred date or slot selection | Scheduling | Controller (Artist) — contract |
| Magic-link access token (hashed) | Allow the Client to edit (before approval) and cancel their request | Controller (Artist) — contract |
| Status, audit log entries, communication history | Operating the booking workflow | Controller (Artist) — contract / legitimate interests |
Body-placement information and uploaded images may, depending on what the Client chooses to share, reveal health information or other sensitive context. We do not solicit special-category data within the meaning of Article 9 GDPR. We ask Artists and Clients not to submit information that is not necessary for the tattoo request.
3.3 Website data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Aggregated, cookie-free analytics (e.g. Plausible) | Understand traffic, improve the site | Legitimate interests (Art. 6(1)(f)) |
| Error and performance monitoring (e.g. Sentry) | Detect and fix bugs, protect the service | Legitimate interests (Art. 6(1)(f)) |
| Strictly necessary cookies (session, auth, CSRF) | Run the service securely | Necessary for the service you requested |
4. How long we keep data
| Data | Retention |
|---|---|
| Artist account data | While your account is active, plus 30 days after deletion. |
| Client booking requests | Controlled by the Artist. Default platform behaviour: rejected requests are deleted (including uploaded images) after 30 days via a scheduled job; approved and cancelled bookings are retained while the Artist’s account is active or until the Artist deletes them. |
| Audit logs | 24 months, longer if required for security or legal reasons. |
| Email delivery logs | As required by the email provider (Resend) for deliverability and abuse handling. |
| Error / monitoring data | 90 days. |
| Backups | Rolling backup window of 30 days. |
5. Who we share data with (subprocessors)
We use the providers listed in Section 15 of this package. We only share what is needed to operate the Service. Where these providers process Client Booking Request Data, they do so as sub-processors under the Data Processing Agreement.
6. International transfers
Some subprocessors may be established outside the EU/EEA. Where this happens, transfers rely on (a) European Commission adequacy decisions where available (e.g. the EU-US Data Privacy Framework, where the provider is certified), (b) Standard Contractual Clauses, and (c) additional safeguards where appropriate. We will update Section 15 once final subprocessors and certifications are confirmed.
7. Your rights
If you are in the EU/EEA or another GDPR-equivalent jurisdiction, you have the right to:
- access your data;
- correct inaccurate data;
- have your data deleted ("right to be forgotten"), subject to legal retention requirements;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where processing is based on consent; and
- complain to a supervisory authority. In Estonia: Andmekaitse Inspektsioon (https://www.aki.ee).
To exercise your rights, email support@inklee.app. If you are a Client whose data is held in connection with an Artist’s booking workflow, please contact the Artist directly; we will help the Artist respond.
8. Security
We use industry-standard safeguards, described in Section 12. No system is 100% secure; we cannot guarantee absolute security.
9. Children
Inklee is not directed at children. Artists are responsible for verifying age in line with their local law before tattooing a minor; we strongly discourage submission of booking requests on behalf of minors, and we do not knowingly collect data from children under 16. If you believe we hold data about a child, contact support@inklee.app.
10. Cookies
See our Cookie Policy (Section 6 of this package).
11. Changes
We may update this policy. Material changes will be notified by email or in-app at least 14 days before they take effect.