Privacy Policy

This policy explains how TryTattoo processes personal data when you use our service. It is based on the EU General Data Protection Regulation (GDPR). TryTattoo is the English version of the same service operated behind tatouageia.fr.

1. Controller

The controller responsible for data processing is:
Léo Pedroza
270 chemin des Prés
06270 Villeneuve-Loubet
France
Email: contact@tatouageia.fr

We have not appointed a data protection officer, as this is not legally required. For any privacy question you can reach us at contact@tatouageia.fr.

2. Data we process

Depending on how you use the service, we process the following categories of data:

• Account data (e.g. email address, account identifier, display name)
• Content data (your text inputs, descriptions, uploaded images, and the tattoo designs generated with AI)
• Usage data (features used, credits consumed, access times)
• Payment data (through our payment provider, see the Stripe section)
• Meta and communication data (IP address, device and browser information, server logs)

3. Purposes and legal bases

We process your data to provide and improve the service (creating tattoo designs with AI, account management, billing). The main legal bases are:

• Art. 6(1)(b) GDPR (performance of the user contract and pre-contractual steps) for your account, generation and billing
• Art. 6(1)(f) GDPR (legitimate interest) for IT security, server logs, abuse prevention and aggregate, anonymized usage measurement
• Art. 6(1)(a) GDPR (consent) for non-essential cookies and analytics or tracking services that require your consent
• Art. 6(1)(c) GDPR (legal obligation) for statutory retention duties

4. Hosting and server logs

Our service is hosted with DigitalOcean. When you open the pages, information is automatically recorded in server log files (e.g. IP address, date and time, requested file, browser type). This processing is based on our legitimate interest in secure and stable operation (Art. 6(1)(f) GDPR). A data processing agreement under Art. 28 GDPR is in place with the hosting provider.

5. Processors and recipients

To provide the service we use the following providers. Where they process personal data on our behalf, this is done under data processing agreements pursuant to Art. 28 GDPR.

Supabase (authentication and database)

We use Supabase for login, account management and the storage of your account and content data. Your credentials and the data about your generations are stored there. The provider is Supabase Inc., whose infrastructure may partly be operated outside the EU (see the section on transfers to third countries). The legal basis is Art. 6(1)(b) GDPR.

Stripe (payment processing)

Purchases of credits or subscriptions are handled by Stripe. The provider is Stripe Payments Europe Ltd. or Stripe, Inc. When you pay, the data required for the payment (e.g. name, email, payment method) is transmitted directly to Stripe and processed there. We do not receive full card details ourselves. The legal basis is Art. 6(1)(b) GDPR.

Replicate and OpenAI (AI image generation)

The actual creation of the tattoo designs is performed through the AI services of Replicate, Inc. and OpenAI. To do this we transmit your inputs (text, selected options and any images you upload) to these providers, which generate the images and return them to us. Both providers are based in the United States, so a transfer of data to a third country takes place (see the next section). The legal basis is Art. 6(1)(b) GDPR, as the processing is necessary to deliver the service you requested.

PostHog (product analytics)

To analyze product usage and improve our features we use PostHog. We use PostHog EU hosting where available. Where this analysis uses cookies or comparable technologies that are not strictly necessary, it only happens with your consent (Art. 6(1)(a) GDPR). Otherwise we base usage measurement on our legitimate interest (Art. 6(1)(f) GDPR).

Google Analytics (audience measurement)

Where enabled, we use Google Analytics, a service of Google Ireland Ltd. or Google LLC (USA), for statistical analysis of usage. Usage data may be transferred to the USA. This is done solely on the basis of your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.

Resend (transactional emails)

We use Resend to send transactional and lifecycle emails (e.g. sign-in links, account and product notifications). The data required to send the message (e.g. email address) is processed for this purpose. The legal basis is Art. 6(1)(b) and Art. 6(1)(f) GDPR.

6. Cookies and consent

We use strictly necessary cookies so the service works (e.g. to keep you signed in). These do not require consent. For non-essential cookies and analytics or tracking services we ask for your consent through a cookie notice. You can withdraw or adjust your consent at any time with effect for the future.

7. Transfers to third countries

Some of the services we use (in particular Replicate, OpenAI, Google and possibly parts of the Supabase infrastructure) process data in the USA or other countries outside the EU/EEA. These countries may not offer a level of data protection equivalent to European law. Where a transfer takes place, we rely on appropriate safeguards under Art. 46 GDPR, in particular the EU Commission Standard Contractual Clauses, or on an adequacy decision (e.g. the EU-US Data Privacy Framework, where the relevant provider is certified). We provide details and a copy of the safeguards on request at contact@tatouageia.fr.

8. Retention

We store personal data only as long as necessary for the purposes described. We keep account data for the duration of the user relationship and delete it after you delete your account, unless statutory retention obligations apply (e.g. commercial and tax retention periods of up to ten years for invoicing and accounting data). Server logs are deleted or anonymized after 30 days.

9. Your rights

As a data subject you have the following rights:

• Right of access to the data we process (Art. 15 GDPR)
• Right to rectification of inaccurate data (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to withdraw a given consent at any time with effect for the future (Art. 7(3) GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, a message to contact@tatouageia.fr is enough. Our lead supervisory authority is the French data protection authority CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. If you are located in the EU/EEA, you may also contact the data protection authority of your country of residence.

10. Obligation to provide data

Providing certain data (e.g. an email address for an account, payment data for a purchase) is necessary to use the relevant feature. Without this data we cannot deliver that part of the service.

11. Contact

For any privacy question you can reach us at contact@tatouageia.fr or by post at the controller address above.

Last updated: June 7, 2026. This text is a draft and does not constitute legal advice.