Privacy Policy

Last Updated: February 24, 2026

1 — Introduction and Controller Identity

This Privacy Policy explains how softanova (“we”, “our”, “us”) collects, uses, and protects your personal data when you visit our website softanova.ink and when you contact or engage with our tattoo and piercing studio. We provide custom tattoos, piercing, temporary ink, and related consultations and aftercare guidance in our Shoreditch studio.

Data Controller: Softanova Ltd, 147 Curtain Road, Shoreditch, London EC2A 3QE, United Kingdom. Contact email: [email protected]. If you have questions about this Policy or your data rights, please reach out via the email provided. We do not process special-category data at scale and have not appointed a Data Protection Officer; privacy enquiries are handled by our management team.

This Policy applies to visitors, prospective clients, and clients who use our website or contact us via phone or email. By using our site, you acknowledge this Policy and our Terms of Service. If you do not agree, please discontinue use of the site.

2 — Personal Data We Collect

• Identity and contact details: name, email address, phone number, and (optionally) preferred artist or service.
• Form content: project ideas, style references, placement, budget context, and any free-text details you choose to provide.
• Technical information: IP address, device and browser type, operating system, language settings, and basic server logs for security and diagnostics.
• Usage data: pages viewed, time on page, clicks, and referrer URL gathered through consented analytics to help improve site performance and content relevance.
• Cookies and identifiers: essential cookies for site operation; optional analytics and marketing cookies where you give consent. See Section 4.
• Conversion events: successful form submissions and related booking milestones needed to operate our studio calendar and communications.

We do not request or store special-category data such as health information, religious beliefs, or political opinions through our website. We do not collect financial account numbers or government IDs through the site. If such information is needed for age verification or health screening at the studio, it is handled offline under a separate process and not stored in our website systems.

3 — Why We Process Your Data and Legal Bases

• Responding to enquiries and bookings: to review your request, suggest an artist, and propose timing and pricing. Legal bases: performance of a contract or steps prior to entering into a contract (GDPR Art. 6(1)(b)) and consent when applicable (Art. 6(1)(a)).
• Analytics: to understand site performance and improve content and navigation. Legal basis: consent (Art. 6(1)(a)).
• Marketing/remarketing: to reach interested audiences and measure advertising effectiveness. Legal basis: consent (Art. 6(1)(a)).
• Security and fraud prevention: to protect the site, prevent abuse, and maintain availability. Legal basis: legitimate interests (Art. 6(1)(f)).
• Legal and tax compliance: to meet statutory obligations. Legal basis: legal obligation (Art. 6(1)(c)).

Automated decision-making: We do not use automated decision-making or profiling in a way that produces legal or similarly significant effects for you (Art. 22 GDPR).

4 — Cookies and Tracking Technologies

We use three categories of cookies and similar technologies. Essential cookies are always active because the site cannot function without them. Analytics and marketing cookies are used only if you provide explicit consent via our cookie banner or preferences panel.

• Essential: site session continuity and consent storage (e.g., _site_session, cookie_consent). Retention ranges from session to 12 months.
• Analytics (consent): Google Analytics 4 with IP anonymisation. Examples include _ga (2 years) and _ga_XXXXXXXXXX (2 years). Data retention for analytics is typically 14 months.
• Marketing (consent): advertising identifiers for ad reach and conversion attribution (e.g., _gcl_au ~90 days; Meta identifiers such as _fbp and _fbc ~90 days).

You can review or change your choices at any time by selecting “Manage cookie preferences” in the site footer. Withdrawing consent does not affect the lawfulness of processing before withdrawal. See our Cookie Policy for additional details on categories and retention.

5 — Consent for EEA/UK Users

Users in the EEA and UK are presented with a consent banner. Analytics and marketing cookies are off by default and activate only after you choose “Accept” or enable specific categories. Your preferences are stored in the cookie_consent cookie for up to 12 months. You may withdraw consent at any time through the preferences panel or by clearing cookies in your browser settings.

6 — Sharing with Service and Advertising Partners

We share limited data with service providers who support our website, security, analytics, and advertising. These providers act as processors or independent controllers depending on their role. Typical providers include:

• Google (Google Analytics 4, Google Ads, Tag Manager): cookie identifiers, usage data, and conversion events.
• Meta (Pixel and Conversion API, if enabled): page views, conversion events, hashed identifiers for custom/lookalike audiences.
• Cloudflare (CDN and security): IP-based threat detection and performance optimisation.

We do not sell personal data. We instruct providers not to use site data for their own independent commercial purposes. Where required, we have data processing agreements or rely on publicly available controller terms that govern the handling of personal information.

7 — International Data Transfers

When personal data is transferred outside the UK or EEA, we rely on one or more of the following safeguards: participation in the EU–US Data Privacy Framework (and UK Extension or Swiss–US DPF, as applicable), European Commission Standard Contractual Clauses (2021/914), or the UK International Data Transfer Addendum. We assess transfer mechanisms periodically and update our approach if legal requirements change.

8 — Data Retention

• Contact submissions and booking correspondence: up to 2 years from your last interaction.
• Analytics data: generally 14 months, subject to the settings available in the analytics platform.
• Marketing cookies and identifiers: per their stated lifetimes (see Section 4).
• Email correspondence: for the duration of the client relationship plus up to 1 year.
• Server logs: approximately 90 days for security and diagnostics.
• Consent records: up to 3 years for audit purposes.
• Legal and tax records: as required by law (typically 6–10 years in the UK).

9 — Your Rights

If you are in the EEA or UK, you have the following rights under GDPR/UK GDPR, subject to conditions and exemptions in the law:

• Access (Art. 15) — request a copy of your personal data.
• Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion where processing is no longer necessary.
• Restriction (Art. 18) — ask us to limit processing in certain scenarios.
• Portability (Art. 20) — receive your data in a structured, commonly used format.
• Objection (Art. 21) — object to processing based on legitimate interests, including direct marketing.
• Withdraw consent (Art. 7(3)) — where processing is based on consent.
• Lodge a complaint — with your local supervisory authority (for the UK, the Information Commissioner’s Office).

To exercise your rights, email [email protected] with sufficient information to identify you. We will respond within 30 days, extendable where requests are complex as permitted by law.

10 — Children’s Privacy

Our website and services are not directed at individuals under 16. We do not knowingly collect data from children via this site. If you believe a child has provided us with personal information without appropriate consent, please contact us and we will delete it promptly.

11 — Do Not Track

Some browsers offer a Do Not Track (DNT) signal. Our website does not respond to DNT signals. Analytics and marketing technologies are controlled through our cookie consent tools as described in this Policy.

12 — Account and Data Deletion

We do not offer user accounts on this website. To request deletion of personal data submitted via our forms or email, contact us with the subject line “Data Deletion Request.” We may need to verify your identity before fulfilling the request. We will retain only the minimum necessary where law requires continued storage (for example, invoice records).

13 — Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity, subject to confidentiality commitments and continued protection consistent with this Policy. If a transfer materially changes how your data is used, we will provide a site notice before the change takes effect.

14 — California (CCPA/CPRA) Disclosures

If you are a California resident, the following applies:

• Categories disclosed in the last 12 months: identifiers (name, email, IP, device IDs) to service providers and ad partners; internet activity (page views, clicks) to analytics and advertising providers; inferences (interests) for advertising audiences.
• We do not “sell” personal information as defined by CCPA. We may “share” personal information for cross-context behavioral advertising. You can opt out by disabling marketing cookies in our preferences panel.
• Rights include: know/access, delete, correct, and opt-out of sale/sharing. We do not discriminate for exercising these rights. Submit requests via [email protected] with “California Privacy Request” in the subject line. We will take reasonable steps to verify your identity. Authorized agents must provide written permission.

15 — Virginia (VCDPA)

Virginia residents have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects. Submit requests via email with the subject “Virginia Privacy Request.” If we deny a request, you may appeal by emailing “Appeal of Refusal — Privacy Request.” We will respond to appeals within 60 days. Unresolved concerns may be directed to the Virginia Attorney General.

16 — Nevada

Nevada residents may submit a verified request to opt out of a sale of covered information by emailing “Nevada Do Not Sell Request.” We do not currently sell personal information as defined under Nevada Revised Statutes Chapter 603A.

17 — Changes to This Policy

We may update this Policy from time to time to reflect legal, technical, or business developments. Material changes will be announced via a notice on our homepage at least 14 days before they take effect. Please review this page periodically. The “Last Updated” date at the top indicates the latest revision.

18 — Contact

Controller: Softanova Ltd

Registered address: 147 Curtain Road, Shoreditch, London EC2A 3QE, United Kingdom

Email: [email protected]

Postal enquiries may be sent to the registered address. For faster handling, please use email with a clear subject line describing your request.