Tattoomii: Privacy Policy
Version 3.0 – February 2026
The protection of your personal data is of central importance to Tattoomii. This Privacy Policy explains in detail which data we process, why we process it, how we protect it, and which rights you have under applicable data protection laws. We comply with the Swiss Federal Data Protection Act (DSG) and – where applicable – the EU General Data Protection Regulation (GDPR).
This Privacy Policy applies to all website visitors, registered Users, Artists, and all individuals who interact with or submit data via the platform.
1. Controller
Company: Tattoomii GmbH
Address: Badenerstrasse 541
Location: 8048 Zurich, Switzerland
Email: hello@tattoomii.com
Tattoomii is responsible for the processing of personal data within the meaning of applicable data protection laws. In certain cases, external service providers may act as processors or independent controllers. Such cases are outlined below.
2. Categories of Personal Data We Process
We process only the data necessary for the operation, security, and further development of our platform. This includes technical data, profile data, communication data, and voluntarily provided content.
2.1 Data Collected When Visiting Our Website
Data
- IP address (possibly shortened or pseudonymised)
- date and time of access
- browser type and version
- operating system and device type
- referrer URL
- interaction data (navigation, clicks, session duration)
- technical identifiers (e.g., cookie IDs)
Purposes
- ensuring technical functionality
- monitoring and maintaining system security
- protection against misuse and cyberattacks
- analysis of stability and performance
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR; Art. 31 DSG).
Note: These data are not used for personal identification.
2.2 Use of the Price Calculator
Data
- style
- size
- body placement
- motif category
- selected location
- text input / uploaded image
Note: No personal data is stored. Use in guest mode is anonymous and not linked to accounts. If a User is logged in, a project request can optionally be saved in the profile under "Wishlist".
AI Note: To categorise tattoo ideas, entered text and uploaded images may be transmitted to the AI service provider OpenAI (see Section 13: Artificial Intelligence).
2.3 Registration as a User
Data
- name
- email address
- password (encrypted with BCrypt)
- optional profile data (phone number, location, profile picture)
- activity data (saved artists, wishlist entries, etc.)
Purposes
- management of the user account
- enabling contact with Artists
- provision of personalised functionalities
Legal basis: Performance of a contract.
Google OAuth: When registering via Google Single Sign-On (SSO), we receive from Google only the name and email address. No further data is transmitted.
2.4 Registration as an Artist
Data
- name and/or studio name
- contact information and social media links
- location data
- portfolio content (images, videos, texts)
- style information, specialisations
- diplomas and certificates (optional)
- optional additional information (spoken languages, years of experience, wait time, hourly rate)
Responsibilities
- legality and authenticity of their content
- obtaining consent from depicted individuals
- respecting personality and copyright laws
License: Artists grant Tattoomii a non-exclusive, worldwide license to display their content on the platform and in marketing materials. Copyright remains with the Artist.
2.5 Uploading Videos and Voice Notes
Artists may optionally upload an introduction video or voice notes.
Legal basis: Explicit consent.
Storage period: Until deletion or withdrawal.
Withdrawal: At any time via the profile or hello@tattoomii.com.
Note: Videos and voice notes are not shared with third parties without consent.
2.6 Communication Through the Platform
We process message content, file attachments (images, documents), and metadata of chats between Users and Artists.
Purposes
- enabling direct communication
- preventing misuse
- technical delivery in real time (WebSocket)
Note: Messages are not automatically analysed and are accessed only when necessary for support cases or legal obligations.
Storage Period: Messages are stored as long as the associated chat room is active. Upon account deletion, messages may be anonymised or deleted.
2.7 Newsletter and Marketing Emails
Data
- email address
- role (User or Artist)
- optional name
- delivery and interaction data
Legal basis: Consent.
Withdrawal: At any time via the unsubscribe link.
Provider: Emails are sent through the third-party provider Brevo (see Section 4).
2.8 Tattoo Projects
Data
- placement, style, size, budget
- description and reference images
- calculated and final price
- confirmation status
Purposes
- management and communication between User and Artist
- price calculation and project presentation
Legal basis: Performance of a contract.
AI Note: Project descriptions and images may be transmitted to OpenAI for automatic categorisation (see Section 13).
2.9 Reviews
Data
- review text and star rating
- review images (optional)
- time of review
- association with User and Artist
Note: Reviews may remain in anonymised form after account deletion to maintain the integrity of the review system.
Legal basis: Legitimate interest.
2.10 Appointments and Calendar
Data
- appointment time and duration
- association with Artist, Customer, and project
- appointment status
Purposes
- organisational appointment management
- synchronisation with Google Calendar (optional)
Legal basis: Performance of a contract and consent (for Google Calendar synchronisation).
Note: When optionally synchronising with Google Calendar, appointment data is transmitted to Google.
2.11 Contact Form
Data
- name
- email address
- message content
- reCAPTCHA token (technical data transmitted to Google)
Legal basis: Legitimate interest.
Note: The contact form is protected by Google reCAPTCHA. Technical data (IP address, browser behaviour) is transmitted to Google.
2.12 Bug Reports
Data
- description of the bug
- browser and device information
- optional: screenshots
Legal basis: Legitimate interest.
Note: Bug reports are used exclusively for technical improvement of the platform.
3. Cookies & Tracking Technologies
We use various types of cookies:
Categories
3.1 Technically Necessary Cookies
Required for basic functionalities such as navigation, security, and language settings.
3.2 Performance & Analytics Cookies
Collect anonymous usage metrics. Activated only with consent.
3.3 Marketing & Tracking Cookies
Tools such as Meta Pixel or Google Analytics require explicit consent. Without consent, they are not used.
Withdrawal: All consents can be withdrawn at any time.
4. Disclosure of Data to Third Parties
To provide our services, we work with the following third-party providers:
Providers
Hetzner Online GmbH
Backend servers, databases, and file storage (S3-compatible). Server location: Germany/EU.
Data: All user data, images, messages, database contents.
Vercel Inc.
Frontend hosting (website). Server location: global (Edge Network).
Data: Technical access data (IP, browser, referrer).
Google LLC
Login via Google OAuth (SSO), location services (Google Maps), calendar synchronisation (Google Calendar), video meetings (Google Meet), spam protection (reCAPTCHA), optional: Google Analytics.
Data: Depending on service: name, email (OAuth), location (Maps), appointment data (Calendar), IP address and browser behaviour (reCAPTCHA).
Meta Platforms Inc. (Instagram)
Optional portfolio synchronisation for Artists via Instagram. Import of publicly available Instagram content.
Data: Instagram profile information, public media content, webhook data.
OpenAI Inc.
AI-powered features: categorisation, style recognition, title generation, translation, image classification (see Section 13).
Data: Entered text and uploaded images transmitted for AI processing.
Brevo (formerly Sendinblue)
Sending transactional emails (verification, password reset, notifications), managing contact lists, optional: WhatsApp notifications.
Data: Email address, name, role, registration date, optional: phone number (WhatsApp).
Stripe Inc.
Exclusively for calculating exchange rates. No processing of payment data.
Data: Currency information (no personal data).
Note: We work exclusively with reputable providers that have signed data processing agreements (DPAs) with us.
No Sale: Tattoomii does not sell personal data.
5. International Data Transfers
The backend and databases are hosted with Hetzner in Germany (EU). When using international providers (e.g. Google, OpenAI, Vercel, Stripe), data may be transferred to countries outside the EU or Switzerland (in particular the USA).
Safeguards
- EU Standard Contractual Clauses (SCC)
- adequacy decisions (e.g. Swiss-US Data Privacy Framework)
- additional technical safeguards
- encrypted transport
- minimisation of processed data
6. Storage Periods
Data is stored only as long as necessary:
Periods
- Technical logs: 30 days
- User profiles: until account deletion
- Artist profiles & content: until account deletion
- Messages: until account deletion (may be anonymised)
- Tattoo projects: until deletion by user or account deletion
- Reviews: until deletion (may remain anonymised after account deletion)
- Appointments: until deletion by user or account deletion
- Newsletter data: until withdrawal
- Verification codes: 10 minutes (automatic deletion via Redis)
- Rate limit data: 60 minutes (automatic deletion via Redis)
- Backups: automatic deletion after defined intervals
7. Rights of Data Subjects
You have the following rights at any time:
Rights List
- access to stored data
- rectification of incorrect data
- deletion of your data ("right to be forgotten")
- restriction of processing
- data portability
- withdrawal of consent (without affecting the lawfulness of prior processing)
- objection to processing
Complaint: You also have the right to lodge a complaint with:
Authorities
- the Swiss Federal Data Protection and Information Commissioner (EDÖB)
- any competent EU data protection authority
Contact: hello@tattoomii.com
8. Data Security
We protect data with modern technical and organisational measures:
Measures
- encryption (SSL/TLS) for all data transmissions
- encrypted password storage (BCrypt)
- access controls and role-based permission systems
- JWT-based authentication
- firewalls & monitoring
- regular security audits
- strict separation of staging and production systems
Hosting: Backend, databases, and file storage are located on Hetzner servers in Germany (EU). The frontend is hosted via Vercel (global Edge Network).
9. Minors
Tattoomii can be used by individuals of any age, for example to find inspiration, use the price calculator, or save Artists in a profile.
Notes
- Contracts for tattoo services are formed exclusively between User and Artist. Artists are responsible for ensuring compliance with legal age requirements.
- We do not process special categories of personal data of minors. Parents or legal guardians may request deletion of minor-related data at any time.
10. Responsibility for Content by Artists & Users
Artists and Users are responsible for:
Responsibilities
- uploaded content
- copyright compliance
- personality rights
- accuracy of information
No Liability: Tattoomii assumes no liability for:
Exclusions
- incorrect information
- contractual relationships between Users and Artists
- legal violations through uploaded content
Action: We may remove content or suspend accounts.
11. Account Deletion and Data Processing
Upon account deletion, personal data is handled as follows:
Actions
- profile information and uploaded content will be removed
- messages in existing chat rooms may be anonymised or deleted
- reviews may remain in anonymised form
- data linked to Instagram will be deleted in accordance with Meta's requirements
- contact data at Brevo will be removed where technically feasible
- statutory retention obligations are reserved
Deactivation: As an alternative to deletion, accounts can be temporarily deactivated. Deactivated accounts are not publicly visible but can be reactivated.
Contact: Deletion can be requested at any time via profile settings or by emailing hello@tattoomii.com.
12. Analytics and Tracking
To improve the platform, Tattoomii collects the following usage data:
Data Collected
- profile views (with IP address, user agent, referrer)
- search behaviour and filter usage
- interactions with the price calculator (conversion tracking)
- page views and time spent on pages
- A/B test assignments for user interface optimisation
- feature usage statistics
Purpose: This data is used exclusively to improve the platform, analyse usage trends, and optimise the offering.
Legal basis: Legitimate interest (for own analytics tools) or consent (for third-party tools such as Google Analytics).
Consent Note: Analytical cookies and marketing trackers from third parties are only used with explicit consent. Internal analysis by Tattoomii is carried out on the basis of legitimate interests.
13. Artificial Intelligence (AI)
Tattoomii uses AI technology (provided by OpenAI) to support certain features:
Use Cases
- categorisation and style identification of tattoo ideas based on images and text descriptions
- automatic generation of project titles
- translation of content into different languages
- image classification (e.g. tattoo vs. non-tattoo during Instagram synchronisation)
- style assignment to Artist portfolios
Data Transmitted: When using these features, entered text and uploaded images may be transmitted to OpenAI (USA).
Legal basis: Legitimate interest (improvement of platform features) or consent (when the user actively uses AI features).
Disclaimer Note: AI-generated results are automatically produced and may contain inaccuracies. They serve solely as guidance.
Opt Out: The use of AI-powered features is optional in most cases. Users can configure tattoo projects manually.
Provider Note: Processing is carried out in accordance with OpenAI's privacy policy. Tattoomii ensures that appropriate safeguards for data transmission are in place.
14. WhatsApp Notifications
Optionally, notifications about new messages, project requests, and reminders may be sent via WhatsApp.
Provider: Delivery is handled through the third-party provider Brevo (not directly through WhatsApp/Meta).
Data: The recipient's phone number is transmitted to Brevo.
Legal basis: Consent.
Opt Out: The WhatsApp notification feature can be disabled at any time.
15. Automated Decision-Making & Profiling
Tattoomii does not conduct automated decision-making with legal effect.
Ranking: Ranking functions are based on:
Criteria
- search criteria
- location information
- manual filters
AI Note: AI-powered features (e.g. automatic categorisation, style recognition) provide suggestions but do not make binding decisions. Users can manually override all AI suggestions.
16. Changes to This Privacy Policy
We may update this Privacy Policy at any time. The current version is available at www.tattoomii.com/privacy.
Contact for Data Protection Inquiries:
Email: hello@tattoomii.com
Address: Tattoomii GmbH, Badenerstrasse 541, 8048 Zurich, Switzerland