← Back to Inklayed

Privacy Policy

Last updated: April 23, 2026

This policy explains what personal data Inklayed ("we", "us") collects, why, and how we handle it. It complies with GDPR and applies to all users.

Data Controller

Inklayed, Cyprus. Contact: privacy@inklayed.com.

What We Collect

DataPurposeLegal Basis
Email, username, password (hashed)Account creation, loginContract
Uploaded sketches, tattoos, photos, 3D scansProviding the ServiceContract
Usage events (sessions, actions)Improving the Service, preventing abuseLegitimate interest
Payment data (name, billing address, card last 4 digits)Processing subscriptionsContract
IP address, browser, deviceSecurity, rate limiting, fraud preventionLegitimate interest

What We Don't Collect

— We don't track you across other websites.
— We don't use behavioral advertising.
— We don't sell your data to anyone.
— We don't train AI models on your uploads.

Third Parties

We share data with these processors to operate the Service:

Lemon Squeezy (payment processing): name, email, billing info.
FAL AI (3D model generation from photos): images you upload for scanning.
Cloudflare (CDN, DDoS protection): IP, user-agent.
Backblaze B2 (backups): encrypted database dumps.

Each operates under its own privacy policy and GDPR-compliant data processing agreements.

Retention

— Account data: kept while your account is active, deleted 30 days after account termination.
— Uploaded images: retained until you delete them or close your account.
— Usage logs: 90 days.
— Backups: 90 days (daily), 4 weeks (weekly), 12 months (monthly).

Your Rights (GDPR)

You have the right to:

Access: request a copy of all data we hold about you.
Correct: update incorrect data through account settings or by emailing us.
Delete: request deletion of your data. We honor this within 30 days.
Portability: export your projects and uploads in JSON/ZIP format.
Object: opt out of processing based on legitimate interest.
Withdraw consent: for processing based on consent, at any time.
Lodge a complaint with your local Data Protection Authority.

Request any of these by emailing privacy@inklayed.com.

Security

We use industry-standard measures:

— Passwords hashed with bcrypt (not stored in plain text).
— HTTPS encryption for all traffic.
— Database encrypted at rest.
— Rate limiting and bot protection.
— Regular backups to encrypted cloud storage.

No system is perfectly secure. In the event of a data breach affecting you, we will notify you within 72 hours.

Cookies

We use essential cookies for authentication (JWT tokens in localStorage) and language preference. We do not use tracking, analytics, or advertising cookies.

Children

The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

Changes

Material changes to this policy will be communicated via email at least 30 days in advance.

Contact

Privacy questions: privacy@inklayed.com
General support: support@inklayed.com