Privacy Policy

Last updated: May 14, 2026

1. Who we are

This policy describes how InkFindr, an unincorporated project of Gavin Olson ("InkFindr," "we," "our," or "us"), handles your personal information. For privacy-related inquiries, contact us at privacy@inkfindr.com.

2. What this policy covers

This policy applies to the InkFindr website (inkfindr.com) and, when launched, any InkFindr mobile applications. It does not apply to third-party websites or services that InkFindr links to.

3. Information we collect

We collect the following categories of information:

  • Account information: name, email address, password (stored as a bcrypt hash — we never store your plaintext password), and role (customer or artist).
  • Artist profile information: bio, pricing, Instagram handle, portfolio images, tattoo styles.
  • Inquiry content: free-text description of your tattoo idea, size, placement, budget range, reference image URLs, and contact email you provide when submitting a consultation request.
  • Review content: star rating, written review, and optional healed-photo image.
  • Boards and favorites: the artists and portfolio items you save.
  • Technical data: IP address, browser user-agent, referring URL, and request timestamps. This data is collected automatically by standard server logs and is used only for security and abuse prevention.

4. How we collect it

  • Directly from you when you create an account, submit an inquiry, write a review, or interact with any form on the site.
  • Automatically via standard server logs when you visit the site.

5. How we use it

  • To operate and improve the InkFindr service.
  • To authenticate your identity and maintain your session.
  • To deliver your consultation inquiries to the relevant artist.
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with applicable law.

We do NOT sell your personal data. We do NOT use it for targeted advertising. We do NOT use it to train AI models.

7. Third parties

We share data with the following categories of service providers only to the extent necessary to operate the service:

  • Hosting provider (planned: AWS): servers and database that store InkFindr data.
  • Email delivery (planned: Resend or Amazon SES): for sending inquiry notifications and transactional emails.
  • Error monitoring: none in v1.
  • Analytics: none in v1. No tracking pixels; no third-party advertising cookies.

All third-party service providers we engage are required to protect your personal data under data-protection terms that provide a level of protection equivalent to this policy.

8. Retention and deletion

  • Account data and associated content are retained until you delete your account.
  • Server logs are retained for 30 days and then deleted.
  • You can delete your account at any time, whether you are a customer or an artist. Deletion is immediate and permanent — we perform a hard delete, not deactivation.
  • Deleted data may remain in encrypted backups for up to 30 days, after which it is overwritten.
  • Some records may be retained longer where required by law (for example, tax or financial records related to artist payments — none currently; placeholder for a future payments feature).

9. Your rights

The following rights apply to all users to the extent permitted by applicable law:

  • Access: request a copy of the personal data we hold about you — email privacy@inkfindr.com.
  • Correct: update or correct inaccurate information in-app, or by emailing us.
  • Delete: delete your account in-app or email us.
  • Portability: request a machine-readable export of your data — email us.
  • Opt-out of sale or targeted advertising: not applicable — we do neither — but you may still contact us to confirm.
  • Appeal a refusal: if we deny a rights request, you may appeal within 45 days by emailing privacy@inkfindr.com with the subject line "Appeal." If you remain unsatisfied, Virginia residents may contact the Virginia Attorney General at https://www.oag.state.va.us/.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with a supervisory authority (EU/UK users).

10. Children

InkFindr is not directed to anyone under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please email privacy@inkfindr.com and we will delete it promptly.

11. Cookies

InkFindr uses session cookies for authentication only. Your session is stored in an httpOnly, secure cookie using NextAuth JWT. We do not use third-party advertising cookies, tracking pixels, or any analytics cookies. You may disable cookies in your browser, but doing so will prevent you from signing in.

12. International users

InkFindr is operated from the United States. If you access the service from outside the United States, your personal data will be transferred to and processed in the United States. By using InkFindr, you acknowledge this transfer.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email (to the address on your account) or an in-app banner before the changes take effect. The "last updated" date at the top of this page will reflect the most recent revision.

14. Virginia residents — VCDPA rights

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) grants you the following rights with respect to your personal data:

  • Access: confirm whether we process your personal data and obtain a copy.
  • Correct: correct inaccuracies in your personal data.
  • Delete: delete personal data you have provided to us.
  • Portability: obtain a portable copy in a commonly used, machine-readable format.
  • Opt out: opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. InkFindr does none of these — but you may request confirmation.
  • Appeal: appeal our refusal to act on a rights request within a reasonable period. We will respond within 45 days; submit appeals by email to privacy@inkfindr.com (subject: "Appeal"). If unsatisfied, you may contact the Virginia Attorney General.

To exercise any VCDPA right, email privacy@inkfindr.com. We will respond within 45 days. See also §9 above.

15. Contact us

Privacy inquiries

privacy@inkfindr.com