Privacy Policy

This Privacy Policy explains how [PLACEHOLDER — Company legal name] ("InkMap," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use the InkMap mobile application, website, and related services (the "Services").

InkMap is the data controller for the personal data processed through the Services. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and all other applicable data protection laws.

By using the Services, you acknowledge that you have read and understood this Privacy Policy. For information on your rights, see Section 7.

The data controller responsible for your personal data is:

[PLACEHOLDER — Company legal name]

Registration number: [PLACEHOLDER]

Registered address: [PLACEHOLDER — Tallinn, Estonia]

Email: [PLACEHOLDER — privacy@inkmap.app]

Our Data Protection Officer (if appointed): [PLACEHOLDER]

3.1 Account information: Name, email address, phone number (optional), profile photo, username, account type (client, practitioner, studio), date of birth.

3.2 Profile information: Biography, portfolio images, tattoo style preferences, specialties, studio affiliation, location (city/address for practitioners and studios), professional qualifications and certifications.

3.3 Location data: Approximate location derived from your device (with your consent) to show nearby practitioners and studios on the map. Precise location is never stored on our servers; only the location you explicitly set in your profile is stored.

3.4 Content data: Photos, images, videos, and text you upload or post on InkMap, including portfolio content, social feed posts, comments, and messages.

3.5 Booking data: Booking requests, confirmations, cancellations, policy snapshots, deposit amounts, payment status, and related timestamps.

3.6 Payment data: Payment processing is handled by Stripe. InkMap does not store your full credit card number or banking details. We store transaction references, amounts, and status for record-keeping.

3.7 Communication data: Messages exchanged between Users through the in-app messaging system.

3.8 Device and usage data: Device type, operating system, app version, IP address (anonymized), usage patterns, and interaction data to improve the Services. We use [PLACEHOLDER — analytics provider, e.g., Sentry for error monitoring].

3.9 Authentication data: Processed and stored by our authentication provider, Clerk. Includes hashed passwords, session tokens, and OAuth tokens (for Google sign-in). InkMap does not have access to your raw passwords.

We process your personal data on the following legal bases under GDPR:

4.1 Performance of contract (Article 6(1)(b)): Processing necessary to provide the Services as described in our Terms of Service — account management, booking facilitation, messaging, payment processing.

4.2 Consent (Article 6(1)(a)): Where we explicitly ask for your consent — location data access, marketing communications, optional data sharing. You may withdraw consent at any time.

4.3 Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests — platform security, fraud prevention, dispute resolution, service improvements, admin access to messages for safety investigations. We balance these interests against your rights and freedoms.

4.4 Legal obligations (Article 6(1)(c)): Processing required to comply with laws — tax records, fraud prevention, responding to legal requests from authorities.

We share your data with the following third-party processors, all of whom are bound by Data Processing Agreements (DPAs):

5.1 Convex (database & backend): Stores your account data, content, bookings, and messages. Convex operates servers in the EU (Ireland). SOC 2 Type II certified, GDPR verified.

5.2 Clerk (authentication): Processes authentication data (email, name, session tokens). US-based; data transfer covered by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.

5.3 Stripe (payment processing): Processes payment data and identity verification for practitioners using Stripe Connect. Stripe is PCI DSS compliant. Data shared includes booking and transaction data for fraud prevention (Stripe Radar) and chargeback resolution.

5.4 Google (Maps/Places API): Processes location queries when you search for practitioners on the map. Subject to Google's Data Processing Terms.

5.5 Sentry (error monitoring): [PLACEHOLDER — when set up] Processes error reports that may include device info and anonymized user context. Used for debugging and service reliability.

5.6 Apple App Store / Google Play Store: App analytics, crash reports, and user reviews are processed by the respective platform.

We do not sell your personal data to third parties. We do not share your data with third parties for their own marketing purposes.

6.1 Active accounts: Your data is retained for as long as your account is active and as necessary to provide the Services.

6.2 Account deletion: When you delete your account, a 30-day recovery window begins. After this period, your personal data is permanently deleted or anonymized. Some anonymized data may be retained for aggregated statistics.

6.3 Dispute evidence: Data related to disputes (messages, booking details, payment records) may be retained for up to 2 years after dispute closure for potential legal proceedings.

6.4 Legal obligations: Certain data (e.g., transaction records, invoices) may be retained longer as required by tax or accounting laws.

6.5 Backups: Deleted data may persist in encrypted backups for a limited period (up to 30 days) before being purged.

If you are in the European Economic Area (EEA), you have the following rights under the GDPR:

7.1 Right of access (Article 15): You can request a copy of all personal data we hold about you.

7.2 Right to rectification (Article 16): You can correct inaccurate data through your profile settings or by contacting us.

7.3 Right to erasure (Article 17): You can request deletion of your personal data by deleting your account through the app.

7.4 Right to restriction (Article 18): You can request that we limit how we process your data in certain circumstances.

7.5 Right to data portability (Article 20): You can request your data in a machine-readable format (JSON). This feature is accessible from your profile settings.

7.6 Right to object (Article 21): You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.

7.7 Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use the relevant feature in app settings or contact us at [PLACEHOLDER — privacy@inkmap.app]. We will respond within 30 days as required by GDPR.

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local Data Protection Authority. In Estonia, this is the Andmekaitse Inspektsioon (Data Protection Inspectorate).

8.1 We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

8.2 These measures include: encryption of data in transit (TLS/SSL) and at rest, secure authentication via Clerk, access controls, regular security assessments, and SOC 2 Type II certified infrastructure (Convex).

8.3 Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8.4 In the event of a personal data breach, we will notify the relevant Data Protection Authority within 72 hours as required by GDPR Article 33, and will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9.1 Your data is primarily stored in the European Union (Convex servers in Ireland).

9.2 Some processors are based in the United States (Clerk, Stripe, Google). Data transfers to these processors are protected by: (a) Standard Contractual Clauses (SCCs) approved by the European Commission, (b) the EU-US Data Privacy Framework (where applicable), or (c) other appropriate safeguards as required by GDPR Chapter V.

9.3 You can request information about the specific safeguards applied to international transfers by contacting us at [PLACEHOLDER — privacy@inkmap.app].

10.1 InkMap is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

10.2 If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe a child under 18 has provided us with personal data, please contact us at [PLACEHOLDER — privacy@inkmap.app].

11.1 We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and notify you through the app or by email.

11.2 We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes acceptance of the updated policy.

For any questions about this Privacy Policy or your personal data:

Email: [PLACEHOLDER — privacy@inkmap.app]

General support: [PLACEHOLDER — support@inkmap.app]

[PLACEHOLDER — Company legal name]

[PLACEHOLDER — Registered address, Tallinn, Estonia]