This Privacy Policy explains how Alma Studio Tattooing Ltd ("Alma Studio", "we", "us" or "our") collects, uses and protects personal data about clients, website visitors, newsletter subscribers and customers. We are committed to handling your data lawfully, fairly and transparently under the UK GDPR and the Data Protection Act 2018.
1. Who we are
We are the data controller of the personal data described in this policy. Our registered studio address is:
Alma Studio Tattooing Ltd
49-50 North Street
Brighton and Hove BN1 1RH
United Kingdom
For any privacy questions, contact info@alma-studio.uk.
2. What personal data we collect
Depending on how you interact with us, we may collect the following categories of personal data:
- Identity & contact details — name, email, phone number, postal address, Instagram handle.
- Booking and enquiry information — service requested, placement, size, preferred artist, reference photos you upload, notes and free-text messages you submit.
- Health disclosures — information you provide during consent / aftercare forms relevant to your procedure (e.g. allergies, medication, pregnancy, prior conditions). This is special category data under UK GDPR Article 9.
- Payment details — processed directly by Stripe on our behalf. We do not store full card numbers, CVVs or bank details on our systems. We retain the transaction metadata (order ID, amount, last four digits of the card, customer email) needed for fulfilment and accounting.
- Order and shipping information — items ordered, quantities, shipping or collection address, delivery status.
- Communications — emails you send us, messages submitted through our booking or contact forms, and our replies.
- Marketing preferences — your consent status for our newsletter and marketing emails.
- Technical and usage data — IP address, browser type, device, pages viewed, referring URL, approximate geo-location derived from IP, anonymised analytics events (page views, bookings opened, checkout completed).
If you are under 18, we will not knowingly collect your personal data in connection with tattooing services; tattoo appointments are not available to anyone under 18 as a matter of law.
3. How we use your data and our legal basis
We process your personal data under the following lawful bases:
- Contract (Article 6(1)(b)) — to provide services you have booked, fulfil online orders (products, events, flash designs, gift vouchers), issue receipts and communicate about your appointment or order.
- Legal obligation (Article 6(1)(c)) — to retain records required by HMRC, the Brighton & Hove City Council licensing regime for skin piercing and tattooing (Local Government (Miscellaneous Provisions) Act 1982), and for accounting, VAT and anti-fraud purposes.
- Legitimate interests (Article 6(1)(f)) — to run our studio efficiently, respond to enquiries, prevent fraud, secure our website, analyse site usage in aggregate, and send transactional emails to people who have transacted with us. We have assessed that these interests are not overridden by your rights.
- Consent (Article 6(1)(a)) — for marketing emails and for processing special category health data (Article 9(2)(a)) collected in consent / aftercare forms. You can withdraw consent at any time without affecting earlier processing.
4. Sharing your data
We share personal data only with trusted sub-processors who help us run the studio and website. Each acts on our written instructions and is bound by a data processing agreement:
- Stripe Payments Europe Ltd — card processing, fraud screening (Ireland; transfers subject to Standard Contractual Clauses).
- Resend (Resend.com Inc.) — transactional and marketing email delivery (United States; SCCs).
- Vercel Inc. — website hosting and request logging (United States / EU; SCCs).
- Turso (ChiselStrike Inc.) — database hosting for site content and order records (EU region where available).
- UploadThing (Ping Labs Inc.) — hosting of images you upload with your booking enquiry (United States; SCCs).
- Google LLC — address lookup (Places API) and embedded map tiles on the contact page.
- Fresha (Fresha.com Inc.) — booking platform for aesthetics and wellness services, where you book directly through them.
- HMRC, our accountants, and regulators — where legally required for tax, licensing or safeguarding purposes.
- Royal Mail / couriers — to deliver physical goods you order.
We do not sell, rent or trade your personal data.
5. International transfers
Some of our processors are based outside the UK (notably the United States). Where data is transferred overseas, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision recognised by the UK Information Commissioner's Office.
6. How long we keep your data
- Booking enquiries — up to 24 months from last contact, then deleted or anonymised.
- Consent & aftercare records — retained for a minimum of 7 years in line with professional indemnity insurance requirements and licensing guidance.
- Order and transaction records — 7 years (HMRC requirement).
- Email marketing lists — until you unsubscribe, after which your email is suppressed (not deleted) to honour your preference.
- Analytics logs — aggregated after 30 days and retained in anonymised form.
7. Your rights
Under the UK GDPR you have the right to:
- request access to the personal data we hold about you;
- have inaccurate data corrected;
- request erasure of your data where it is no longer needed;
- restrict or object to certain processing, including direct marketing;
- receive a portable copy of the data you provided to us;
- withdraw consent at any time where we rely on it;
- lodge a complaint with the Information Commissioner's Office (ico.org.uk, 0303 123 1113).
To exercise any of these rights, email info@alma-studio.uk. We will respond within one month.
8. Cookies and similar technologies
Our website uses a small number of strictly necessary cookies and localStorage items to function. These include:
- Session and security — keeping you signed in to the admin area if applicable, and CSRF protection.
- Shopping basket — your cart items are stored in your browser's localStorage so they persist between visits. This never leaves your device unless you check out.
- Stripe — Stripe Elements sets its own cookies on js.stripe.com during checkout for fraud prevention and 3-D Secure; these are essential for processing payment.
- First-party analytics — we record anonymised, non-personal events (e.g. "booking_open", "checkout_failed") to improve the site. No tracking cookies are set by us for this.
We do not use third-party advertising or cross-site tracking cookies.
9. Children
Our services are not directed to children under 16. We do not knowingly collect data from children. Tattooing is legally restricted to adults aged 18 and over under the Tattooing of Minors Act 1969. For body piercings on persons under 16, a parent or legal guardian must attend in person and provide written consent.
10. Security
We protect personal data with appropriate technical and organisational measures: TLS encryption in transit, encryption at rest on our database provider, restricted staff access, a cookie-signed admin session, honeypot and rate-limit protection on public forms, and content-security and strict-origin headers across the site. Despite our controls, no transmission over the internet is ever completely secure — contact us immediately if you suspect your data has been compromised.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top always reflects the current version. For material changes that affect your rights, we will notify subscribers by email.
12. Contact
For any privacy or data protection matter, including requests to exercise your rights, contact us at info@alma-studio.uk or in writing at the address in section 1.