Last updated: April 23, 2026
This policy explains what personal data Inklayed ("we", "us") collects, why, and how we handle it. It complies with GDPR and applies to all users.
Inklayed, Cyprus. Contact: privacy@inklayed.com.
| Data | Purpose | Legal Basis |
|---|---|---|
| Email, username, password (hashed) | Account creation, login | Contract |
| Uploaded sketches, tattoos, photos, 3D scans | Providing the Service | Contract |
| Usage events (sessions, actions) | Improving the Service, preventing abuse | Legitimate interest |
| Payment data (name, billing address, card last 4 digits) | Processing subscriptions | Contract |
| IP address, browser, device | Security, rate limiting, fraud prevention | Legitimate interest |
— We don't track you across other websites.
— We don't use behavioral advertising.
— We don't sell your data to anyone.
— We don't train AI models on your uploads.
We share data with these processors to operate the Service:
— Lemon Squeezy (payment processing): name, email, billing info.
— FAL AI (3D model generation from photos): images you upload for scanning.
— Cloudflare (CDN, DDoS protection): IP, user-agent.
— Backblaze B2 (backups): encrypted database dumps.
Each operates under its own privacy policy and GDPR-compliant data processing agreements.
— Account data: kept while your account is active, deleted 30 days after account termination.
— Uploaded images: retained until you delete them or close your account.
— Usage logs: 90 days.
— Backups: 90 days (daily), 4 weeks (weekly), 12 months (monthly).
You have the right to:
— Access: request a copy of all data we hold about you.
— Correct: update incorrect data through account settings or by emailing us.
— Delete: request deletion of your data. We honor this within 30 days.
— Portability: export your projects and uploads in JSON/ZIP format.
— Object: opt out of processing based on legitimate interest.
— Withdraw consent: for processing based on consent, at any time.
— Lodge a complaint with your local Data Protection Authority.
Request any of these by emailing privacy@inklayed.com.
We use industry-standard measures:
— Passwords hashed with bcrypt (not stored in plain text).
— HTTPS encryption for all traffic.
— Database encrypted at rest.
— Rate limiting and bot protection.
— Regular backups to encrypted cloud storage.
No system is perfectly secure. In the event of a data breach affecting you, we will notify you within 72 hours.
We use essential cookies for authentication (JWT tokens in localStorage) and language preference. We do not use tracking, analytics, or advertising cookies.
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
Material changes to this policy will be communicated via email at least 30 days in advance.
Privacy questions: privacy@inklayed.com
General support: support@inklayed.com