Privacy Policy
Effective Date: 06/06/2025 | Last Updated: 06/06/2025 | Version 1.0
1. Controller Information and Contact Details
Data Controller: TATYOU Limited
Registered Address: 128 City Road, London, United Kingdom, EC1V 2NX
Email: [email protected]
Website: www.tatyou.com
Data Protection Officer (DPO): Thomas Gordon
DPO Email: [email protected]
2. Information We Collect and Lawful Basis for Processing
2.1 Account and Authentication Data
Information Collected:
- Email address (required)
- First and last name
- Encrypted password
- User type (artist or client)
- Account creation/modification timestamps
Lawful Basis:
- Performance of contract (Art. 6(1)(b))
- Legitimate interests (Art. 6(1)(f))
Purpose: Authentication, personalization, security.
Retention: Duration of account + 7 years.
2.2 Profile and Professional Information
Artist Data:
- Location, Instagram handle (optional)
- Style specializations
- Price range (JSON)
- Apprentice/featured status
- Portfolio count
- Profile photo
Client Data:
- Location and service preferences
- Profile photo
- Booking history
Lawful Basis:
- Performance of contract
- Legitimate interests
Purpose: Service matching, filtering, recommendations.
Retention: Active + 3 years post-deactivation.
2.3 Portfolio and Creative Content (Artists)
Collected:
- Images, metadata, tags, titles
- Upload timestamps
- Visibility preferences
Lawful Basis:
- Performance of contract
- Consent (for public display)
Purpose: Artist promotion, client discovery.
Retention: Until deletion or termination.
2.4 Availability and Scheduling Data (Artists)
Collected:
- Weekly availability
- Time-off, capacity, history
Lawful Basis: Performance of contract
Purpose: Scheduling and booking
Retention: Active + 2 years historical
2.5 Communication and Messaging Data
Collected:
- Chat messages, timestamps, read status
- Booking-related messages
- Media attachments
Lawful Basis:
- Performance of contract
- Legitimate interests
Purpose: Communication, support, coordination
Retention: Active + 7 years
2.6 Booking and Transaction Data
Collected:
- Booking details, history
- Artist/client IDs
- Payment data (via Stripe)
Lawful Basis:
- Performance of contract
- Legal obligation
Purpose: Appointments, transactions
Retention: 7 years (Stripe policies apply)
2.7 Device and Technical Information
Collected:
- FCM tokens
- Platform info (iOS/Android)
- Locale, usage analytics, IP
Lawful Basis: Legitimate interests
Purpose: Notifications, performance, security
Retention: 2 years
2.8 Location Data
Collected:
- User-provided region (no GPS)
- Preferences for discovery
Lawful Basis:
- Consent
- Performance of contract
Purpose: Geographic matching, filtering
Retention: Active + 1 year post-deactivation
3. Special Category Data Processing
Tattoo images may imply sensitive personal data.
Lawful Basis: Explicit consent (Art. 9(2)(a))
Safeguards: Restricted access, security, deletion on request
4. Automated Decision-Making and Profiling
Used for:
- Matching artists and clients
- Recommendations
- Fraud detection
User Rights:
- Request human review
- Object to profiling
5. Data Sharing and Third-Party Processors
5.1 Essential Service Providers
- Supabase: Database & storage (EU)
- Stream Chat: Messaging
- Firebase (Google): Notifications
- Stripe: Payments (future)
5.2 Data Processing Agreements
All providers comply with GDPR.
5.3 International Data Transfers
Protected by:
- Adequacy decisions
- Standard Contractual Clauses
- Binding Corporate Rules
- User consent where required
6. Comprehensive Data Subject Rights
Under UK/EU GDPR:
6.1 Right of Access (Art. 15)
6.2 Right to Rectification (Art. 16)
6.3 Right to Erasure (Art. 17)
6.4 Right to Restrict Processing (Art. 18)
6.5 Right to Data Portability (Art. 20)
6.6 Right to Object (Art. 21)
6.7 Automated Decision-Making (Art. 22)
How to Exercise: Email [email protected]
Response Time: Within 30 days (extendable to 90)
7. California Consumer Privacy Act (CCPA) Rights
7.1 Categories of Information Collected
- Identifiers
- Commercial info
- Internet/app usage
- Geolocation (user-provided)
- Professional info
- Communication data
7.2 Sources
- User input
- Interactions
- Third parties (with consent)
7.3 Purposes
- Service delivery
- Communication
- Security
- Legal compliance
- Analytics
7.4 Shared Categories
- Operational providers
- Legal bodies
- Advisors
7.5 Rights
- Know
- Delete
- Opt-out (Tatyou does not sell data)
- No discrimination
How to Exercise: Email [email protected]
8. Security Measures and Data Protection
8.1 Technical Safeguards
- Row Level Security (RLS)
- Admin MFA
8.2 Organizational Measures
- Access controls
- Breach response
8.3 Data Breach Protocol
- Notify regulators in 72 hours
- Notify users if risk is high
- Document and mitigate
9. Data Retention and Deletion
9.1 Principles
- Data retained as needed
- Periodic review
- Prompt deletion on request
- Legal retention upheld
9.2 Specific Retention
- Account: +7 years
- Portfolio: Until deleted
- Communications: 7 years
- Logs: 2 years
- Financial: 7 years
10. Cookies and Tracking Technologies
10.1 Essential Cookies
- Session auth
- Preferences
- Security
10.2 Analytics and Performance
- Anonymized analytics
- Performance tracking
- Error logs
Control: Via device or app settings
11. Age Restrictions and Child Protection
TATYOU is for users 18+ only.
Underage data is deleted on discovery.
12. Changes to Privacy Policy
12.1 Notification
- Email and in-app notices
- 30-day notice for major changes
- Continued use = acceptance
- Account deletion option provided
12.2 Version Control
- Archived versions
- Change logs on request
- Reviewed regularly
13. Contact Information and Complaints
13.1 Privacy Inquiries
Email: [email protected]
Initial Response: Within 5 business days
13.2 DPO
Email: [email protected]
13.3 Complaints to Authorities
- UK: ICO
- EU: Local DPA
- California: CPPA
- Canada: OPC
Last Updated: 06/06/2025