Privacy Policy
Last updated: May 17, 2026
1. Who We Are
InkWaiver ("we", "us", "our") operates the InkWaiver platform at inkwaiver.com, providing digital consent form management software to tattoo and piercing studios ("Shop Owners"). Our registered contact for data protection inquiries is:
Email: privacy@inkwaiver.com
2. Our Dual Role
InkWaiver acts in two distinct capacities under the EU General Data Protection Regulation (GDPR):
- Data Controller for Shop Owner account data (registration, authentication, billing, platform usage).
- Data Processor for Client Personal Data submitted through consent forms. The Shop Owner is the Data Controller for their clients' data. We process it solely on their behalf and according to their instructions.
If you are a tattoo or piercing client and wish to exercise your data rights (access, deletion, correction), your first point of contact is the shop that collected your data. You may also contact us directly and we will forward your request to the relevant Shop Owner.
3. What Data We Collect
3.1 Shop Owner Data (We Are the Controller)
| Category | Data | Legal Basis |
|---|---|---|
| Account | Email address, name (from Google OAuth or signup form) | Contract performance (Art. 6(1)(b)) |
| Shop profile | Shop name, slug, logo URL, brand color | Contract performance (Art. 6(1)(b)) |
| Billing | Subscription status, Polar.sh customer ID (payment details are processed by Polar.sh and never touch our servers) | Contract performance (Art. 6(1)(b)), legal obligation for tax records (Art. 6(1)(c)) |
| Artists | Artist names added by Shop Owner | Contract performance (Art. 6(1)(b)) |
3.2 Client Data (Shop Owner Is the Controller; We Are the Processor)
When a client fills out a consent form, the following data is collected and stored on behalf of the Shop Owner:
| Category | Data | Why It Is Collected |
|---|---|---|
| Identity | Full legal name, date of birth, email, phone, address | Consent form identification and contact |
| Government ID | ID type and ID number | Age verification as legally required for tattoo/piercing services |
| Health data (special category) | Medical conditions, allergies, medications, pregnancy status, substance use | Safety screening required before tattoo/piercing procedures. Processed under Art. 9(2)(a) with explicit consent |
| Procedure details | Artist, description, body placement | Record of the service provided |
| Signature | Drawn signature image (PNG) or typed name | Legally valid consent under eIDAS / ESIGN Act |
| Audit trail | IP address, browser user agent, timestamp, form content hash (SHA-256) | E-signature integrity and non-repudiation (legitimate interest, Art. 6(1)(f)) |
| Minor data | Minor's name, date of birth, age, health data; guardian's identity and ID | Parental consent for minor procedures as legally required |
4. Special Category Data (Health Information)
The consent forms collect health-related information that constitutes special category data under GDPR Article 9. This data is processed based on explicit consent (Art. 9(2)(a)), which is obtained through a dedicated data processing consent checkbox on the form, separate from the procedural consent acknowledgments.
You may withdraw your consent at any time by contacting the shop or by contacting us at privacy@inkwaiver.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. Third-Party Services (Sub-processors)
We use the following third-party services to operate InkWaiver:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (supabase.com) | Database hosting and authentication | All stored data | EU (Ireland, eu-west-1) / see Supabase DPA |
| Polar.sh (polar.sh) | Subscription billing | Shop Owner email, subscription metadata | EU / see Polar.sh privacy policy |
| Google (accounts.google.com) | OAuth login for Shop Owners | Email, name (only for Shop Owners who choose Google login) | US (Standard Contractual Clauses apply) |
| Google Fonts (fonts.googleapis.com) | Font delivery | IP address (browser request) | US (Standard Contractual Clauses apply) |
| jsDelivr (cdn.jsdelivr.net) | Icon font delivery | IP address (browser request) | Global CDN |
Client form data (names, health data, signatures) is never shared with Polar.sh, Google, or any advertising or analytics service.
6. International Data Transfers
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or reliance on an adequacy decision by the European Commission.
7. Data Retention
- Consent form submissions: Retained for as long as the Shop Owner's account is active, or until the Shop Owner or client requests deletion. Shop Owners can delete individual submissions at any time from their dashboard.
- Shop Owner account data: Retained for the duration of the account. Upon account deletion, all associated data (shop profile, templates, submissions, signatures) is permanently deleted within 30 days.
- Billing records: Retained as required by applicable tax law (typically 7 years).
8. Your Rights (GDPR)
Depending on your role, you have the following rights:
Shop Owners (we are the Controller)
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability -- receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
Tattoo / Piercing Clients
The Shop Owner is the controller of your data. Contact the shop directly to exercise your rights. If you cannot reach the shop, contact us at privacy@inkwaiver.com and we will assist in routing your request.
You also have the right to lodge a complaint with your local data protection supervisory authority.
9. Cookies and Tracking
InkWaiver does not use advertising cookies, analytics trackers, or third-party tracking pixels.
- Session storage: We store authentication tokens in your browser's local storage to keep you logged in. This is strictly necessary for the service to function and does not require consent under the ePrivacy Directive.
- External requests: Loading fonts (Google Fonts) and icons (jsDelivr) causes your browser to make requests to third-party CDN servers, which may log your IP address under their own privacy policies.
10. Security
All data is encrypted in transit (TLS) and at rest. Access to production data is restricted to essential personnel. Form submissions include a SHA-256 content hash to ensure integrity. Signatures are recorded with a timestamp and IP address for audit trail purposes.
11. Children's Data
InkWaiver does not knowingly collect data from children under 16 for account creation. When a Shop Owner uses the Minor/Guardian Consent Form template, the minor's data is collected with the guardian's explicit consent and processed under the same conditions as adult client data.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered Shop Owners. The "last updated" date at the top indicates the most recent revision.
13. Contact
For any privacy-related questions or to exercise your rights:
Email: privacy@inkwaiver.com