Privacy Policy
Last updated: March 2026
This Privacy Policy explains what personal data Ink Inbox collects, why it is collected, and what rights you have. It applies to everyone who uses Ink Inbox — both account holders (artists and studios) and their clients who submit requests.
Ink Inbox is operated by an individual based in Portugal. As a service offered to users in the EU, it is subject to the General Data Protection Regulation (GDPR).
1. What data we collect
Account holders (artists & studios)
| Data | Why we collect it |
|---|---|
| Name, email address | To create and manage your account |
| Business name, slug, Instagram handle | To personalise your public request form |
| Logo and branding assets | To display on your public form |
| Plan and billing information | To manage access to paid features |
Clients (people submitting tattoo requests)
| Data | Why it is collected |
|---|---|
| Name, email address | So the artist can follow up on the request |
| Tattoo details (placement, size, style, notes) | To describe the requested work |
| Reference images | To give the artist visual context |
| Availability and budget preferences | To help the artist understand scheduling |
| Instagram handle (optional) | As an alternative contact channel, if provided |
2. How we use your data
- To operate the Ink Inbox platform and provide its features.
- To send transactional emails (e.g. password reset, session confirmation).
- To manage billing and plan access.
- We do not use your data for advertising or marketing without consent.
- We do not sell your data to third parties.
3. Data storage and processors
Data is stored on Supabase (hosted on AWS in the EU region). Uploaded images are stored in Supabase Storage. Transactional emails are sent via Resend. These are the primary third-party data processors currently used by Ink Inbox.
We do not use analytics, tracking pixels, or ad networks.
4. Cookies and tracking
Ink Inbox uses a session cookie to keep you logged in. We do not use advertising cookies, tracking cookies, or any third-party analytics scripts.
5. Data retention
We retain your data for as long as your account is active. If you close your account or request deletion, we will remove your personal data within 30 days, unless we are required to retain certain records by law.
Client request data is retained as long as the associated artist account is active. Artists can delete individual requests at any time.
6. Your rights under GDPR
If you are based in the EU or EEA, you have the following rights:
- Access — request a copy of your personal data.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your data (“right to be forgotten”).
- Portability — request your data in a structured, machine-readable format.
- Objection — object to how we process your data in certain circumstances.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email us at hello@inkinbox.app. We will respond within the timeframe required by applicable law (typically within 30 days).
If you feel your rights have not been respected, you have the right to lodge a complaint with the Portuguese data protection authority: CNPD — Comissão Nacional de Proteção de Dados.
7. Security
We use industry-standard security practices: all data is transmitted over HTTPS, authentication is handled by Supabase Auth (with email verification), and database access is restricted via Row Level Security policies. We take reasonable precautions, but no system is 100% secure.
8. Changes to this policy
We may update this policy as the product evolves. If we make significant changes, we will notify you by email or via an in-app notice.
Privacy questions? Contact hello@inkinbox.app.