
Privacy Policy

Last updated: April 25, 2026

This Privacy Policy explains how TatBrief (“TatBrief,” “we,” “us”) collects, uses, shares, and protects information when you use our website, the artist dashboard, and the consultation tool we provide to tattoo artists and their clients (together, the “Service”).

By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

1. Who we are

The Service is operated by TatBrief, a sole proprietor based in the Province of Alberta, Canada, doing business as “TatBrief.” For privacy or data-protection inquiries, contact us at hello@tatbrief.com.

2. Scope and roles

TatBrief serves two kinds of users:

  • Artists — tattoo professionals who create an account, manage submissions, and share a public consultation link with their clients.
  • Clients — the end users (tattoo customers) who complete a consultation through an Artist’s public link.

For Artist account data, TatBrief acts as the data controller. For data Clients submit through an Artist’s consultation link, the Artist is the controller of the resulting brief and TatBrief acts as a processor on the Artist’s behalf to collect, transmit, and store it.

3. Information we collect

3.1 Artist account information

  • Account credentials managed by our authentication provider (Supabase Auth): email address and a hashed password.
  • Profile details you enter: display name, public profile slug, notification email, and language preference.
  • Operational metadata: account creation and update timestamps, account status.

3.2 Client information collected through consultations

When a Client completes a consultation through an Artist’s public link, we collect the following on the Artist’s behalf:

  • Contact details — first name and email address (required to send the completed brief to the Artist).
  • Consultation responses — free-text descriptions of the desired tattoo, placement, sizing, style preferences, intent, hard rules, budget, timeline, prior tattoo experience, artist familiarity, and concerns.
  • Body and skin context — placement on the body, skin tone, scarring or coverup context, and a self-reported pain tolerance rating. This information is used to produce the brief and is general preference data, not medical records.
  • Reference images — images you upload, reference URLs you share (for example, links to public boards), and any annotations you make on those images.
  • Conversation log — the back-and-forth exchange between you and our AI-assisted consultation flow, used to compile the final brief and to improve the experience.

3.3 Information collected automatically

  • Authentication session storage — our authentication provider stores a session token in your browser’s local storage so you can stay signed in. This is required for the Service to function and is not used for advertising.
  • Server logs — our servers may record basic operational events (request paths, error messages, and timestamps) for troubleshooting and security monitoring.

3.4 Signup and contact information

If you create an account or email us, we collect the email address you provide and the contents of your message so we can respond and provide the Service.

3.5 What we do not collect

We do not run third-party advertising, tracking pixels, or cross-site analytics on our website. We do not collect payment card numbers directly — if and when we offer paid plans, payments will be handled by a PCI-compliant processor (such as Stripe), and we will only receive limited transaction metadata.

4. How we use information

  • To create and operate Artist accounts.
  • To run consultations, generate structured briefs, and deliver those briefs to the Artist.
  • To send service-related notifications (such as completed brief emails, password resets, and security alerts).
  • To improve the Service, debug issues, and protect against fraud or abuse.
  • To comply with legal obligations.

We do not sell personal information, and we do not use Client consultation content to train third-party advertising models.

For users in jurisdictions that require a legal basis for processing (such as the EEA or UK), we rely on:

  • Contract — to provide the Service you have requested.
  • Legitimate interests — to secure, maintain, and improve the Service.
  • Consent — where we ask for it explicitly (for example, to receive marketing emails).
  • Legal obligation — to comply with applicable law.

6. Service providers and subprocessors

We rely on a small number of trusted third parties to operate the Service. These providers process information only on our instructions and under contractual confidentiality and security obligations.

| Provider | Purpose | Data processed |
| --- | --- | --- |
| Supabase | Authentication and primary database (PostgreSQL). | Account credentials, Artist profiles, sessions, conversation logs, and submitted briefs. |
| Cloudflare R2 | Object storage for uploaded reference images. | Reference image files attached to submissions. |
| Mailgun | Transactional and notification email delivery. | Recipient email addresses and the contents of brief and account emails. |
| Anthropic (Claude API) | AI processing for the consultation flow. | Consultation messages, image content, and structured session state required to generate the next question or the final brief. Anthropic processes inputs under its commercial API terms and does not train its models on API inputs. |
| Serper | Image search to surface reference inspiration. | Search queries derived from your consultation preferences (no Client identity is sent). |
| Railway | Application hosting. | All data passes through our hosted backend, which runs on Railway. |

We may add, remove, or change subprocessors as the Service evolves and will update this list when we do.

7. International data transfers

The providers above operate in Canada, the United States, and other regions. By using the Service you understand that your information may be processed and stored outside of the country in which you reside, including in jurisdictions whose data protection laws differ from your own. Where required, we rely on contractual safeguards (such as standard contractual clauses) provided by our subprocessors.

8. Data retention

We retain personal information for as long as is necessary to provide the Service, satisfy the purposes described in this policy, comply with our legal obligations, and resolve disputes. Artists may request deletion of their account and the associated submissions at any time by contacting us. Clients may request that we work with the relevant Artist to delete a specific submission they made through that Artist’s consultation link.

When information is no longer required, we delete it or render it anonymous. Backups containing deleted information are overwritten as part of our normal backup rotation.

9. Security

We use industry-standard safeguards to protect personal information, including encrypted transport (HTTPS/TLS), encrypted storage at rest through our database and object storage providers, hashed passwords, and access controls that limit who can see Client data to the relevant Artist and our authorized operators. No method of electronic transmission or storage is perfectly secure; we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you as required by applicable law.

10. Your rights

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Request deletion of your personal information.
  • Object to or restrict certain processing, or withdraw consent where we rely on it.
  • Receive a portable copy of information you provided to us.
  • Lodge a complaint with your local data protection authority. In Canada, that is the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email us at hello@tatbrief.com. We may need to verify your identity before responding. If you are a Client and your request relates to a brief you submitted through an Artist’s link, we will coordinate the request with that Artist.

11. Children

The Service is intended for adults (18 years of age or older). We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information to us, please contact us so we can delete it.

12. Cookies and similar technologies

We use a small number of strictly necessary storage mechanisms to keep Artists signed in (such as authentication tokens stored in your browser’s local storage). We do not use cookies or similar technologies for advertising, profiling, or cross-site tracking.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or in-product notice. Your continued use of the Service after the changes take effect means you accept the updated policy.

14. Contact

Questions, requests, or complaints about privacy can be sent to hello@tatbrief.com.

See also our Terms of Service.


© 2026 TatBrief. All rights reserved.
