Privacy Policy
GDPR-compliant — InkManager
Data Controller
Janes Reichel
Email: janesreichel@solut1ons.cloud
Address: 78054 Schwenningen
solut1ons.cloud
1. Principles
InkManager processes data in accordance with the principles of the GDPR: lawfulness, purpose limitation, data minimisation, storage limitation, integrity, and confidentiality.
2. Categories of Data Processed
- Anonymised motifs and image data: Tattoo motifs, photos of motifs; stored in pseudonymised/anonymised form so that no conclusions about natural persons are possible.
- Appointment metadata: Confirmed duration, price range, studio context, date/time; stored without personal data or only in pseudonymised form.
- Account and profile data: Registration and master data such as name, contact email, studio name, and voluntary profile details required to use the account.
- Usage data: Login data, technical data regarding platform usage (IP anonymisation, log data).
- Communication data: Email correspondence with studios or support.
- Calendar and OAuth data (optional): When studios connect an external calendar: access and refresh tokens, associated account identifier at the provider, selected calendar (name/technical ID), synchronisation and mapping data, and — within the scope of the respective function — calendar event data (e.g. start/end, title or short description, external event IDs). Details in section 7.
3. Purposes and Legal Bases
- Platform provision and contract performance: Art. 6(1)(b) GDPR.
- Registration, login, and account management: Processing of account and profile data to create and manage user accounts; Art. 6(1)(b) GDPR.
- Consent: Publication of images/motifs where persons are identifiable; Art. 6(1)(a) GDPR.
- Legitimate interest: Operation, security, platform improvement, fraud prevention; Art. 6(1)(f) GDPR.
- Anonymised analytics: Statistics, quality analysis; no personal data.
- Calendar integration: Provision of optional synchronisation with external calendars (export of appointments, import of busy information, conflict avoidance); Art. 6(1)(b) GDPR.
4. Anonymisation and Pseudonymisation
Tattoo motifs and appointment metadata are processed so that personal references are removed or technically separated. Identifiable person photographs may only be published with express consent.
5. Data Retention
Anonymised data is retained for the duration required for the stated purposes; specific periods are defined in an internal deletion policy. Personal data is deleted as soon as the purpose ceases to apply and no statutory retention obligation exists.
6. Recipients
Data is only disclosed to service providers necessary for platform operation (hosting, payment service providers, IT support). Transfers are made exclusively on the basis of data processing agreements.
When calendar integration is activated, data is exchanged with the respective calendar services for synchronisation purposes: Google (Google Calendar), Microsoft (Microsoft 365 / Outlook Calendar), and Apple (iCloud Calendar). These providers process data in accordance with their own privacy policies and, where applicable, as processors or as independent controllers; location and transfers to third countries are governed by provider terms and, where applicable, standard contractual clauses.
7. Calendar Integration (Optional) — Google, Microsoft, Apple
7.1 Data Accessed
When a studio connects a calendar account, InkManager accesses and stores the following categories of data from the respective provider:
- OAuth access and refresh tokens
- Account identifier (email address or account ID at the provider)
- Calendar list (names and technical IDs of available calendars)
- Calendar event data: start/end time, title or short description, external event ID, busy/free status
- Synchronisation metadata (sync tokens, last sync timestamp, mapping between internal appointments and external events)
7.2 Purpose of Data Usage
The calendar data is used exclusively for:
- Exporting InkManager appointments to the connected external calendar
- Importing external events and busy times to display availability within InkManager
- Conflict detection and scheduling optimisation (avoiding double-bookings)
Calendar data is not used for advertising, profiling, analytics, AI/ML model training, or any purpose unrelated to the calendar synchronisation feature described above.
7.3 Data Sharing
Calendar data (including OAuth tokens) is not sold, rented, or shared with third parties for their own purposes. Data is only processed by:
- Our hosting and infrastructure provider (Vercel, Supabase) as data processors under contract
- The respective calendar provider (Google, Microsoft, Apple) for the synchronisation API calls initiated by the studio
7.4 Data Storage and Security
- OAuth tokens and calendar metadata are stored in an encrypted database (Supabase/PostgreSQL) with row-level security policies
- All data in transit uses TLS encryption
- Access to tokens and calendar data is restricted to authenticated studio owner/team sessions
- Tokens are never exposed to client-side code or browser storage
7.5 Data Retention and Deletion
Calendar data is retained only while the calendar connection is active. Users can delete their calendar data at any time through the following means:
- Disconnecting the calendar in Settings → Calendar (immediately revokes tokens and removes stored calendar data)
- Deleting the studio account (removes all associated data including calendar connections)
- Contacting us at janesreichel@solut1ons.cloud to request manual deletion
Upon disconnection, OAuth tokens are revoked at the provider (where the API supports it) and all locally stored tokens, sync metadata, and event mappings are permanently deleted.
8. Google API Services — Limited Use Disclosure
InkManager's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, InkManager does not use Google user data for:
- Serving advertisements or ad targeting
- Selling or transferring data to third parties
- Training AI/ML models unrelated to the calendar sync feature
- Determining creditworthiness or for lending purposes
9. Data Subject Rights
Data subjects have the right to access, rectification, erasure, restriction, data portability, and objection. Requests to janesreichel@solut1ons.cloud.
10. Security
Technical and organisational measures are implemented (access controls, encryption, backups). Details are documented internally.
11. Image Processing
- Identifiable persons: Express consent must be obtained before publication.
- Anonymised motifs: May be used for cataloguing and matching without a personal-data legal basis.
- DPIA: It must be assessed whether a Data Protection Impact Assessment is required for the processing of image data.
12. Changes
If the privacy policy changes, a notice will be published on the platform.