Privacy Policy

InkBookr is a workspace for tattoo artists, studios, and clients. This policy explains what personal data we collect when you use inkbookr.com, why we collect it, how we use it, and the rights you have over it.

It applies to everyone who uses the service, with specific additional rights for users in the European Economic Area (EEA) and the United Kingdom under the GDPR/UK GDPR, and for California residents under the CCPA/CPRA.

We collect only what we need to run the service:

• Account data: email address, display name, and a password hash, managed by Supabase Auth.
• Profile data: your role (client, artist, or studio admin), bio, portfolio images, and any city or location you choose to share.
• Studio data: if you operate a studio, the studio name, address, opening hours, member roster, and seat assignments.
• Booking and messaging data: appointment details, conversation contents, and any attachments you send.
• AI generation data: the prompts you submit to the AI Sketchpad, the images the model returns (stored in our ai-generations bucket), and credit usage records.
• Payment data: payments are processed by Dodo Payments. We receive transaction metadata (amount, status, plan) but never your card number or full bank details.
• Technical data: IP address, user agent, device type, session cookies, and error reports captured by Sentry.
• Location data: coarse coordinates derived from addresses you provide, used to power studio search results on the map.

We use the data above to:

• Provide and operate the service (accounts, bookings, messaging, search, AI generation).
• Authenticate you and protect against fraud or abuse.
• Process payments and manage subscriptions through Dodo Payments.
• Send transactional email (booking confirmations, invitations, receipts) through Resend.
• Monitor errors and performance through Sentry so we can fix bugs.
• Produce aggregate, non-identifying analytics about how the product is used.
• Comply with legal, tax, and accounting obligations.

We do not use your data to train AI models, and we do not sell personal information.

If you are in the EEA or UK, we rely on the following lawful bases under Article 6 GDPR:

• Contract — to deliver the service you signed up for (account, bookings, payments).
• Legitimate interest — to keep the service secure, prevent abuse, and improve the product.
• Consent — for optional features such as AI prompt history and any future non-essential analytics. You can withdraw consent at any time.
• Legal obligation — to retain billing records and respond to lawful requests.

We share data with a small set of vetted sub-processors who help us run the service. Each is bound by a data processing agreement.

We do not share personal data with advertisers, data brokers, or social networks.

Some of our sub-processors are based in the United States. When we transfer personal data outside the EEA or UK, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) as the transfer mechanism, together with supplementary technical measures such as encryption in transit and at rest.

• Account, profile, and studio data: while your account is active.
• Account closure: account data is deleted within 30 days of closure, except where we are required to keep it longer.
• AI generations: retained in your library until you delete them or close your account.
• Booking and messaging history: retained while either party’s account is active, then deleted on closure.
• Payment and tax records: retained for up to 7 years to meet accounting obligations.
• Error reports and logs: typically 30–90 days.

To exercise any of these rights, email privacy@inkbookr.com. We will respond within 30 days.

We use a small number of essential cookies and local storage items, primarily to keep you signed in (Supabase auth session) and to remember interface preferences. We do not use third-party advertising cookies.

If session replay is enabled in Sentry for diagnostic purposes, inputs are masked by default and replays are tied to error events only.

InkBookr is not directed to children. We do not knowingly collect personal information from anyone under 16 in the EEA/UK or under 13 in the United States. If you believe a child has provided us with personal data, please contact us and we will delete it.

We protect your data with TLS in transit, encryption at rest in Supabase, row-level security on database tables, and least-privilege access controls for our team. No system is perfectly secure, so if you believe you have found a vulnerability, please report it to security@inkbookr.com.

When we make material changes to this policy we will update the “last updated” date above and notify active users by email and through an in-app banner before the changes take effect.

Questions about this policy or about how we handle your data? Reach out:

Postal address: [TODO — add registered business address before publishing].