Privacy Policy
Effective: May 15, 2026 · Last updated: May 15, 2026
1. Who we are
InkMate is a tattoo-studio CRM operated by Automata Army (“InkMate”, “we”, “us”). This policy covers two audiences:
- Studios — tattoo artists and owners who sign up to run their shop on InkMate.
- Clients — the people those studios book, message, and take deposits from through InkMate.
For client data, the studio is the data Controller and InkMate is the data Processor. See our Data Processing Agreement for the full contractual terms.
2. Information we collect
2.1 From studios
- Name and email address (account login)
- Studio name and timezone
- Password — stored hashed with bcrypt; we never see it in plaintext
- Stripe Connect account ID once you link your studio's Stripe account (we do not store your bank details — Stripe does)
- InkMate subscription billing details, processed by Stripe
2.2 From clients (collected by studios)
- Contact: name, email, phone number
- Health intake: allergies, medications, skin conditions, medical history — only what the studio's consent form asks for
- Identification: date of birth for age verification
- Consent records: e-signatures, form responses, IP address, timestamps
- Appointment history: bookings, services, deposit status
- Images: reference photos, design files, healed-tattoo photos uploaded by the studio
2.3 Automatically
- IP address and user-agent (basic request logs)
- Authentication session state via secure NextAuth cookies — see Cookie Policy
- Error reports when something breaks (no third-party analytics SDK runs in v1)
3. How we use it
3.1 Studios
- Run the product — accounts, booking calendars, consent forms, image galleries
- Bill your InkMate subscription via Stripe
- Send transactional emails (account, password reset, receipts) via Resend
- Provide customer support when you contact us
3.2 Client data
- Let the studio manage appointments and client records
- Capture consent forms and e-signatures
- Route deposit payments through Stripe Connect to the studio
- Store reference images and design files for the studio
We do not profile clients, build advertising audiences, or sell any of this data.
4. Payment flow — important
Deposit payments are processed by Stripe via Connect. InkMate never receives or holds your clients' payment funds — money settles directly into the studio's connected Stripe account. We see the metadata Stripe returns (amount, currency, payment intent ID, last-4 of the card on receipts), not the card itself.
The InkMate subscription (paid by the studio to us) is also processed by Stripe, on the InkMate platform account. Stripe's privacy policy: stripe.com/privacy.
5. Sub-processors
We do not sell personal data. We share it with a small set of vendors we need to run the product:
- Stripe (US) — payment processing for subscriptions and Connect deposits
- Resend (US) — transactional email delivery
- AWS (US-East-1, N. Virginia) — hosting, database, and file storage
The full list with categories of data and links is in the DPA.
We may also disclose data when required by law (subpoena, court order), to protect our rights, or as part of a business transfer (merger, acquisition, asset sale).
6. Security
- All traffic served over HTTPS (TLS 1.2+)
- Passwords hashed with bcrypt
- Database isolated per environment; production credentials rotated and not shared
- File uploads scoped per organization — studios can only see their own data
- Webhook payloads signature-verified against Stripe's endpoint secrets
- Hosted on AWS in US-East-1
No system is bulletproof. If we discover a breach affecting your data, we will notify affected studios within 72 hours of confirmation, with what we know and what we're doing about it.
7. Retention
7.1 Consent forms and health intake
Consent forms and the health information attached to them are retained for at least 7 years from the date of the appointment, or longer where your local regulations require it. This is standard practice in the tattoo industry — statute of limitations for personal-injury claims, regulatory inspection, and medical-record completeness all point to a long horizon.
7.2 Everything else
- Studio account: kept while active; 30-day soft delete window after you close the account, then purged
- Client contact records: kept while the studio account is active or until the client requests deletion
- Uploaded images: kept while the studio account is active or until deleted in the dashboard
- Appointment history: 7 years for business-record purposes
- Billing records: 7 years for tax compliance
8. Image storage
- Images live on AWS storage scoped per organization
- Only authenticated users in the owning studio can read them
- Studios are responsible for getting client consent before photographing them
- We do not use any client image for marketing without the studio's and client's explicit consent
- Deleting an image in the dashboard removes it from the database; underlying object storage is purged on a rolling schedule
9. Your rights
9.1 Studios
- Access: request a copy of your data
- Correction: fix anything inaccurate
- Deletion: close the account; we purge after 30 days
- Export: we'll send you your data in a portable format
- Opt-out: unsubscribe from non-essential email at any time. Transactional email (receipts, password reset) can't be disabled while your account is active.
To exercise these rights, email privacy@inkmate.app from the address on file.
9.2 Clients
If you're a client of a studio that uses InkMate, your data is controlled by that studio. Contact the studio directly for access, correction, or deletion. If you can't reach them or you don't know which studio holds your data, email privacy@inkmate.app and we'll connect you.
10. GDPR (EEA / UK users)
If you are in the European Economic Area or the UK, you have additional rights:
- Legal basis: contract performance (running the product you signed up for), legitimate interests (security, fraud prevention), and consent where required
- Data portability: structured machine-readable export on request
- Right to object to processing based on legitimate interests
- Right to restriction of processing while a request is being reviewed
- Withdrawal of consent at any time (for consent-based processing)
- Complaint: right to lodge a complaint with your local supervisory authority
Controller / Processor split: for studio account data, Automata Army is the Controller. For client data the studio collects through InkMate, the studio is the Controller and Automata Army is the Processor under our DPA.
Our servers are in the US. Where required, we rely on Standard Contractual Clauses for cross-border transfers.
11. CCPA (California users)
If you're a California resident:
- Right to know what we collect and how we use it (this page)
- Right to delete your personal information
- Right to opt out of sale — we do not sell personal information
- Non-discrimination for exercising your rights
To exercise these rights: privacy@inkmate.app.
12. Cookies
We set the minimum set of cookies required for sign-in to work: a NextAuth session cookie and a CSRF token. No analytics cookies, no advertising cookies. Full breakdown in the Cookie Policy.
13. Minors
InkMate is built for adult professionals running tattoo studios. We don't knowingly collect data from anyone under 13. Studios are responsible for age verification of their clients under the laws of their jurisdiction; see the Terms of Service.
14. Changes
We'll post any changes on this page with a new effective date. For material changes (new sub-processor, new category of data, change in retention) we'll email account owners.
15. Contact
Privacy questions: privacy@inkmate.app
Everything else: support@inkmate.app
