Privacy Policy

Inkally is a French company. The French version is the legally binding reference. This English translation is provided for convenience.

1. Data controller

The controller of your personal data is:
Inkally — [TO BE FILLED]
Address: [TO BE FILLED]
Email: privacy@inkally.app

2. GDPR roles

Inkally operates in two distinct roles under GDPR:

• Data controllerfor the subscribing artist's data (account identity, email, payments, service usage logs).
• Data processor for data entered by the artist about their end clients (client records, photos, consents, health questionnaires).

3. Data collected

• Artist identification: name, email, phone, studio address.
• Professional data: SIRET, ARS declaration number, insurance policy, ink/needle batches, sterilisation cycles.
• Payment data: managed exclusively by Stripe. Inkally never stores credit card numbers.
• End-client data entered by the artist: identity, contacts, photos, signed consents, health questionnaires.
• Technical data: access logs, IP (anonymised after 30 days), user agent, timestamps of sensitive actions.

4. Processing purposes

• Provide, operate and maintain the Inkally service.
• Authenticate users and manage subscriptions.
• Enable legal traceability (sequential invoices, audit log).
• Send transactional emails (reminders, aftercare, etc.).
• Improve the product via anonymous statistics (only with consent).
• Comply with legal obligations.

5. Legal basis

• Contract performance (art. 6.1.b) for service operation.
• Consent (art. 6.1.a) for analytics cookies and marketing emails.
• Legal obligation (art. 6.1.c) for invoice retention (10 years).
• Legitimate interest (art. 6.1.f) for security logs.
• Explicit consent (art. 9.2.a) for health data in questionnaires.

6. Health data — strong encryption

Health questionnaires contain sensitive data (GDPR art. 9). They are:

• Column-level encrypted using pgcrypto (AES). The decryption key lives in the application environment, never in the database in clear.
• Accessible only by the artist via the encrypted consultation form.
• Inaccessible to Inkally's technical team (even an admin cannot read them without the application key).

7. Hosting and EU transfers

All data is hosted in the European Union:

• PostgreSQL database → Supabase, Frankfurt (eu-central-1).
• Photos and PDFs → Cloudflare R2, EU region.
• App hosting → Vercel, Frankfurt (eu-central-1).

No transfers outside the EU occur during normal service operation. Vercel and Stripe being US companies, indirect transfers may occur under the EU-US Data Privacy Framework (DPF).

8. Retention

• Active account: data kept while subscription is active.
• After cancellation: 30-day export window, then permanent deletion (with reminder email).
• Invoices: 10 years (French Commerce Code).
• Access logs: max 1 year (anonymised after 30 days).
• Health data: erased on request at any time (GDPR art. 17).

9. Your GDPR rights

• Access (art. 15): ZIP export from your dashboard.
• Rectification (art. 16): direct edit in Settings.
• Erasure (art. 17): on written request, subject to legal retention.
• Restriction (art. 18): on request to privacy@inkally.app.
• Portability (art. 20): export in open formats.
• Objection (art. 21): opt-out of marketing emails in one click.
• Complaint: you can refer to the CNIL (French DPA).

10. Processors

• Supabase — database + auth, EU.
• Cloudflare — R2 storage + CDN, EU.
• Vercel — app hosting, EU (Frankfurt).
• Stripe — payments, EU/US (DPF).
• Resend — transactional emails, EU.

11. Cookies

Inkally only uses cookies essential to service operation. Details and consent management on the Cookies page.

12. Contact

For any data protection question:
Email: privacy@inkally.app
Postal address: see Legal Notice.

13. Changes

This policy may be updated. The last-updated date is shown at the top. Any substantial change will be notified by email at least 30 days before taking effect.