
Privacy Policy

Last updated: 09.03.2026

TattooForm (“we”, “us”, or “our”) is a B2B SaaS platform that enables tattoo artists and studios to create and manage client inquiry forms. This Privacy Policy explains what data we collect, how we use it, how long we keep it, and your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

TattooForm is operated by:

Adrian Waler

Szkolna 28F/2, 05-500, Nowa Wola

NIP: PL6423211670

Email: hello@tattooform.app

1. Data Controller vs. Data Processor

  • For artist and studio accounts: TattooForm acts as the data controller for personal data you provide when creating and managing your account.
  • For client submission data: TattooForm acts as a data processor on behalf of the tattoo artist or studio (our customer, who is the data controller). The artist or studio determines which fields appear on their form and is responsible for their clients' data under GDPR.
  • For payment data: Our payment provider, Paddle, acts as an independent data controller for personal data it processes in connection with payments and subscriptions. See Section 4 for details.

2. Data We Collect

2.1 Artist and Studio Account Data

  • Name and email address (registration and profile)
  • Profile photo (optional)
  • Business name and public URL slug
  • Form configuration: branding, fields, text content
  • Micro-site content: bio, portfolio images, social links
  • Usage data: IP address, browser type, pages visited, timestamps
  • Error and diagnostic data collected via Sentry (error monitoring)

2.2 Client Submission Data (collected on behalf of the artist/studio)

  • Name and email address
  • Phone number (if provided)
  • Tattoo preferences: placement, size, style, description
  • Reference images uploaded during form submission
  • Preferred appointment date (if provided)
  • Any additional information requested via custom fields configured by the artist or studio — the specific fields vary per form and are displayed to the client before submission
  • GDPR consent timestamp
  • IP address and user agent at time of submission

2.3 Payment and Billing Data

Payment processing is handled entirely by Paddle.com (Paddle.com Market Limited), which acts as the Merchant of Record for all TattooForm orders. Paddle collects and processes billing information — including payment card details, billing address, email, and tax identifiers — directly. TattooForm does not store credit card numbers or full payment details. Paddle's handling of your data is governed by Paddle's Privacy Policy and Paddle's Buyer Terms.

3. Why We Process Your Data (Legal Bases)

Purpose | Legal Basis
Providing the TattooForm service and maintaining your account | Contract performance
Processing payments and managing subscriptions (via Paddle) | Contract performance / Legitimate interest
Sending transactional emails (submission notifications, password resets) | Contract performance / Legitimate interest
Improving the platform and diagnosing technical issues | Legitimate interest
Protecting the Service from spam and abuse (Cloudflare Turnstile) | Legitimate interest
Complying with legal obligations (tax records, fraud prevention) | Legal obligation
Collecting and processing client submission data on behalf of artists/studios | Consent (provided via the GDPR consent checkbox on the form) and legitimate interest of the artist/studio in processing booking inquiries

4. Data Sharing and Sub-processors

We do not sell your personal data. We share data only with the following sub-processors as necessary to operate our service:

Sub-processor | Purpose | Data Location
Supabase | Database and file storage | EU — Frankfurt, Germany
Paddle | Payment processing, subscription management, invoicing, tax collection. Paddle acts as an independent data controller for buyer data it processes. | See Paddle's Privacy Policy
Resend | Transactional email delivery |
Cloudflare | Spam protection via Turnstile on public forms — processes IP address and browser data for bot detection |
Google Analytics 4 | Analytics on the marketing website (tattooform.app) and the dashboard app (app.tattooform.app) — only active after cookie consent is given on each |
Sentry | Error monitoring and application diagnostics (EU ingest endpoint — Frankfurt). May capture IP address and user identifiers when errors occur. | EU — Frankfurt, Germany

Client submission data is accessible to the tattoo artist or studio who owns the form. It is not shared with any other third parties beyond the sub-processors listed above.

5. Data Retention

Data Type | Retention Period
Artist/studio account data | Retained until the account is deleted by the user.
Client submission data | Retained for a maximum of 2 years from the date of submission, unless the artist deletes the submission or their account earlier. After 2 years, submissions are automatically deleted.
Uploaded images (reference images from client submissions) | Retained for a maximum of 30 days from the date of upload, then automatically and permanently deleted from our storage.
Payment records | Retained by Paddle as required by applicable tax and accounting law (typically up to 7 years). TattooForm retains basic transaction references (plan type, subscription status) for the duration of the account.
Server and error logs | Retained for up to 30 days.

When an artist deletes their account, all associated data — including all client submissions and uploaded images — is deleted in accordance with this policy.

6. Data Storage and Security

All TattooForm application data is stored within the European Union (Frankfurt, Germany) using Supabase, which provides a PostgreSQL database and encrypted object storage.

  • Database: encrypted at rest, access controlled via Row Level Security (RLS).
  • File storage: uploaded images are stored in private buckets and served via time-limited signed URLs.
  • In transit: all connections encrypted via TLS.
  • Payment data: processed and stored exclusively by Paddle, which is PCI DSS compliant.
  • Error monitoring: Sentry EU ingest endpoint (Frankfurt).

7. International Data Transfers

TattooForm stores application data in the EU (Frankfurt, Germany). Some sub-processors may transfer data outside the EU/EEA. Where this occurs, appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the sub-processor is located in a country with an adequacy decision. For payment data, Paddle's data transfer practices are described in Paddle's Privacy Policy.

8. Your Rights Under GDPR

If you are located in the EU or EEA, you have the following rights:

Right of access

You can request a copy of all personal data we hold about you. Contact us at the address below to submit an access request.

Right to rectification

You can update your profile information at any time via account settings. For other corrections, contact us.

Right to erasure

You can delete your account and all associated data via Settings → Danger Zone. Artists can also delete individual client submissions upon request.

Right to data portability

You can request an export of your data in a structured, commonly used format. Contact us at the address below to submit a portability request.

Right to restrict processing

You may request restriction of processing in certain circumstances.

Right to object

You may object to processing based on legitimate interests.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

For clients who submitted a tattoo inquiry form: To exercise your GDPR rights (such as requesting access to or deletion of your data), please contact the tattoo artist or studio directly, as they are the data controller for your submission. Alternatively, you can contact us at the address below and we will facilitate the request.

9. Cookies and Analytics

Essential Cookies

TattooForm uses a session cookie required for authentication. This cookie is strictly necessary to operate your account and cannot be declined.

Analytics Cookies (marketing site and dashboard app)

We use Google Analytics 4 on both our marketing website (tattooform.app) and the dashboard application (app.tattooform.app) to understand how visitors and registered users interact with TattooForm. Analytics cookies are only set after you explicitly accept via the cookie banner shown on each. Consent is stored separately per site and you can change your preference at any time by clearing your browser's local storage.

Google Analytics is not loaded on tattoo artist micro-sites or inquiry forms.

Spam Protection

Public tattoo inquiry forms use Cloudflare Turnstile for spam protection. Turnstile may set cookies or use local storage as part of its bot detection. This is a functional necessity to protect forms from automated abuse and does not involve advertising or cross-site tracking.

10. Children's Data

TattooForm is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has submitted personal data through a form, please contact us and the relevant artist/studio so that the data can be promptly deleted.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you via email or an in-app notice. We encourage you to review this page periodically.

12. Contact and Data Protection Inquiries

For any questions about this Privacy Policy, to exercise your GDPR rights, or to report a data protection concern, please contact us at:

TattooForm (Adrian Waler)

Email: privacy@tattooform.app

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has not been handled in compliance with GDPR. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO).

© 2026 TattooForm. All rights reserved.