Privacy Policy

Status: February 24, 2025

1. Controller

Daniel Menius Travemünder Allee 23 23568 Lübeck Germany Email: info@tatme.com

2. What data is processed?

In the context of using tatme, the following data may be processed:

  • Master data (name, date of birth)
  • Contact data (email, phone number, address)
  • Request data (tattoo design, placement, appointment)
  • Documentation data (consent forms, timestamps, digital signature)
  • Health data (medical history, contraindications) – stored fully encrypted in the database (GDPR-compliant)
  • Login information
  • IP address (technically required)
  • Biometric data (e.g. digital signature) – stored fully encrypted in the database (GDPR-compliant)

3. Purposes of processing

Processing is carried out for:

  • Provision of the platform
  • Setting up and managing user accounts
  • Documentation of consent forms
  • Communication between tattoo artist and customer
  • Ensuring system security

4. Legal basis

  • Art. 6 (1) lit. b GDPR – Contract / Contract initiation
  • Art. 6 (1) lit. f GDPR – Legitimate interest (platform operation, security)
  • Art. 6 (1) lit. a GDPR – Consent (e.g. optional email notifications)
  • Art. 9 (2) lit. a GDPR – Express consent for health data (medical history)

5. Automatic account creation

When using certain functions (request, appointment, consent form), a personal user account is created. This serves to provide secure access to documents and information.

6. Recipients / Service providers

The following service providers are used for the technical provision of the platform:

  • Hosting provider (e.g. Vercel)
  • Backend/database provider (e.g. Supabase)
  • SMS verification (Twilio Verify)

Processing is carried out on the basis of data processing agreements pursuant to Art. 28 GDPR.

7. Storage duration

Data is stored as follows:

  • Consent forms & health data: 10 years (liability reasons)
  • Contact & master data: until account deletion
  • Log data & IP addresses: 30 days

8. Rights of data subjects

Users have the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Withdrawal of consent
  • Lodging a complaint with a data protection supervisory authority

Competent supervisory authority:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
www.datenschutzzentrum.de

9. Third country transfer

For technical provision, we use service providers (e.g. Vercel, Supabase) that may process data on servers outside the EU. Appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses) are in place.

10. Data security

tatme implements technical and organizational measures to protect personal data from loss, manipulation or unauthorized access.

11. Contact

For questions regarding data protection: info@tatme.com