Privacy Policy

Last updated: April 10, 2025

Please read this document to understand how we collect, use, disclose, and safeguard your information when you use www.tattooed.co (the “Service”). The data controller is Stellar Ventures, LLC, the company that operates Tattooed.co. By using the Service, you agree to this Privacy Policy.

Note: Pricing and plan terms are covered in our Terms & Conditions.

Information We Collect

1) Information You Provide
  • Account details (e.g., name, username, email, password hash).
  • Profile and listing info (e.g., tattoo shop/artist details, hours, location, descriptions, links, profile pictures, and uploaded gallery photos).
  • Communications (e.g., messages sent via the platform inbox, contact forms, and support requests).
  • Reviews you submit about tattoo shops or artists.
  • Saved/favorited shops and artists associated with your account.
  • Payment-related information for paid features handled by our payment processor (see “Payments” below). We do not store full card numbers.
2) Information Collected Automatically

When you use the Service, we may automatically collect:

  • Usage data (pages viewed, time on page, referring URLs).
  • Device/technical data (IP address, browser type, OS, approximate location derived from IP).
  • Cookies and similar technologies (see “Cookies & Analytics”).
3) Information from Third Parties
  • Social Sign-In: If you sign in with Google or Apple, we receive basic account information necessary to create or authenticate your account (e.g., name, email, provider ID).
  • Analytics/Advertising Partners: We receive aggregated insights to improve the Service (see below).

Authentication Methods

You can create an account and sign in using either (a) email and password or (b) Google or Apple. When you register with email and password, your password is stored as a one-way cryptographic hash and is never stored in plaintext.

Cookies & Analytics

We use cookies and similar technologies to operate and improve the Service. You can adjust your browser settings to block cookies, but some features may not work properly if cookies are disabled.

  • Essential: Required for the Service to function (e.g., session/authentication cookies).
  • Analytics: To understand usage and improve the Service (e.g., Google Analytics).
  • Advertising/Performance: To measure ad campaign performance (e.g., Meta Pixel, Google Ads).

Consent for EEA/UK visitors: We detect your country via Cloudflare's IP geolocation. If you are visiting from the European Economic Area (EEA) or United Kingdom, a cookie consent banner is shown before any non-essential cookies or tracking scripts are activated. You may accept or reject non-essential cookies at that point. If you reject, analytics and advertising cookies will not be set. Essential cookies required to operate the Service are always active. You can withdraw your consent at any time by clearing your cookies, which will cause the banner to reappear on your next visit.

How We Use Your Information

  • Provide, maintain, and improve the Service.
  • Create and manage accounts and profiles (shops, artists, lovers).
  • Authenticate users (email/password and social sign-in) and secure sessions.
  • Process transactions and deliver paid features (see “Payments”).
  • Communicate with you (account notices, transactional emails, support). Marketing emails are optional and include an unsubscribe link.
  • Monitor safety, prevent abuse, enforce our Terms.
  • Comply with legal obligations.

Legal Bases for Processing (EEA/UK Visitors)

  • Contract: To provide the Service you request.
  • Consent: For optional cookies/marketing.
  • Legitimate Interests: To improve and protect the Service.
  • Legal Obligation: To meet compliance requirements.

How We Share Information

We do not sell personal information. We may share information with:

  • Service Providers (Processors) who help us operate the Service (hosting, analytics, email delivery, payments, authentication). They are contractually bound to use data only as instructed by us.
  • Payment Processor (Stripe): We use Stripe to process payments. Stripe may collect and process payment method details (e.g., card brand, last 4) and billing info. We do not store full card numbers on our servers. See Stripe’s privacy practices for details.
  • Authentication Providers: Google and Apple for social sign-in authorization. (Email/password authentication is handled directly by us; passwords are stored as one-way hashes.)
  • Cloud Storage & CDN (Cloudflare): Uploaded photos and profile pictures are stored on Cloudflare R2 and delivered via our media CDN (media.tattooed.co). Files stored this way are publicly accessible by URL and may be cached by Cloudflare's global network.
  • AI Photo Analysis (Anthropic): Tattoo photos you upload to your artist or shop profile are automatically analyzed by an AI service (Anthropic's Claude API) to generate descriptive style tags and captions. These tags are used to improve discoverability within the platform. No personally identifiable information is intentionally included in the data sent for analysis; only the image itself is submitted.
  • Legal/Compliance: To comply with law, enforce our Terms, or protect rights/safety.

Payments

When you purchase paid features, payments are processed by Stripe. We receive limited payment metadata (e.g., successful/failed status, card brand/last 4 via tokens) to manage your access. We do not store full payment card numbers. For recurring plans, Stripe stores your payment method on their PCI-compliant systems so we can bill annually until you cancel. See our Terms for plan types and billing rules.

Data Retention

We keep information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. You may request deletion of your account data (see “Your Rights & Choices”). Some data (e.g., transaction records) may be retained where required by law.

Your Rights & Choices

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data via your dashboard or by contacting us.
  • Erasure: Delete your account and associated profile data via the dashboard or by contacting us, subject to legal/operational retention requirements (e.g., billing records).
  • Restriction: Request that we limit processing of your data in certain circumstances (e.g., while a dispute is being resolved).
  • Portability: Request a copy of data you have provided to us in a structured, machine-readable format where technically feasible.
  • Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Marketing Opt-Out: Unsubscribe using the link in any marketing email, or adjust preferences in your dashboard.
  • Cookies: Manage via your browser settings or by clearing the cookie_consent cookie to re-trigger the consent banner.

To exercise any of these rights, contact us via the Contact page. We will respond within 30 days.

EEA/UK residents: You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or the relevant national DPA in your EU member state) if you believe we have not handled your data in accordance with applicable law.

California/CPRA Notice: California residents have the right to know, delete, correct, and opt out of the sale of personal information. We do not sell personal information. You also have the right not to be discriminated against for exercising your privacy rights. To submit a request, contact us using the details below.

Security & Data Breaches

We implement reasonable administrative, technical, and physical safeguards designed to protect your information. Passwords are stored using one-way hashing and are never stored in plaintext. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authority within the timeframes required by applicable regulations (e.g., 72 hours under GDPR).

Children’s Privacy

The Service is not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 for users in the EEA/UK, in accordance with GDPR Article 8). If you believe we have collected personal information from a child below the applicable age, please contact us so we can delete it.

International Transfers

We are based in the United States and your data may be processed and stored there or in other countries where our service providers operate (including Cloudflare, Stripe, Google, Anthropic, and Mapbox). For transfers of personal data from the EEA or UK to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent mechanisms required by applicable law. By using the Service, you acknowledge that your data may be transferred internationally under these safeguards.

Third-Party Vendors

We use the following third-party tools and services on the platform:

  • Google Analytics / Firebase Analytics: To help us understand and improve the Service. These tools may collect IP addresses, device information, and usage data. For more information, visit Google’s Privacy & Terms.
  • Mapbox: We use Mapbox to display interactive maps on shop and artist pages. When a map loads, Mapbox may collect your IP address and general location in order to serve map tiles. For more information, see Mapbox’s Privacy Policy.

Email Communication

We may email you for account, transactional, support, and—if you opt in—marketing purposes. You can unsubscribe from marketing emails at any time using the link in those emails. Transactional and important account/security notices (e.g., email verification, password reset) are required to operate the Service.

Your Website Activity

Information you choose to publish (e.g., shop or artist listings, photos, profile pictures, descriptions, hours, links, reviews, and artist feed posts) is intended for public display and may be indexed by search engines. Uploaded photos are stored on Cloudflare R2 and served via CDN — once uploaded, a photo's URL is publicly accessible. Tattoo photos are automatically analyzed by AI to generate style tags and captions to improve search and discovery on the platform. Messages sent through the platform inbox are private between sender and recipient and are not publicly displayed. Contact forms are used for general communication and are not sold to third parties.

Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date above reflects the current version. Your continued use of the Service after changes indicates acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us via the Contact page.