Privacy Policy

Last updated: September 6, 2025

Introduction

At NeedleFlow, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tattoo studio management platform. We are committed to protecting your personal information and maintaining transparency about our data practices.

This policy applies to all users of NeedleFlow, including studio owners, staff members, and clients who interact with our platform.

1. Information We Collect

Personal Information We Collect Directly

Studio Owners and Staff:

  • Full name and contact information (email, phone number)
  • Business information (studio name, address, business license)
  • Account credentials and security information
  • Professional certifications and licenses
  • Payment and billing information

Clients:

  • Name and contact information
  • Appointment details and booking history
  • Digital waiver information and signatures
  • Design preferences and consultation notes
  • Payment information for deposits and services

Technical Information We Collect Automatically

  • IP addresses and device information
  • Browser type, operating system, and version
  • Usage analytics and platform interaction data
  • Login timestamps and session duration
  • Error logs and performance metrics
  • Location data (with explicit consent only)

Information from Third Parties

  • Payment information from Stripe (payment processing)
  • Email delivery confirmation from our email service provider
  • Analytics data from Google Analytics (anonymized)
  • Social media information if you choose to connect accounts

2. How We Use Your Information

Service Delivery and Management

  • Account creation, authentication, and security
  • Appointment scheduling and calendar management
  • Communication between studios and clients
  • Processing payments and managing billing
  • Digital waiver collection and storage
  • Design portfolio management and sharing

Platform Improvement and Analytics

  • Analyzing usage patterns to improve user experience
  • Developing new features and functionality
  • Monitoring system performance and security
  • Conducting user research and satisfaction surveys
  • Providing business analytics and insights to studios

Legal and Compliance

  • Complying with legal obligations and regulations
  • Protecting against fraud and security threats
  • Resolving disputes and enforcing our Terms of Service
  • Responding to law enforcement requests when required

3. Information Sharing and Disclosure

We Never Sell Your Data

NeedleFlow does not sell, rent, or lease personal information to third parties for marketing purposes. Your data is used solely to provide and improve our service.

Third-Party Service Providers

  • Stripe: Payment processing and billing (PCI DSS compliant)
  • Email Service Providers: Transactional and notification emails
  • Analytics Providers: Platform usage analytics (anonymized data)
  • Cloud Infrastructure: Secure data hosting and backup services
  • Customer Support: Help desk and support ticket management

Legal Requirements

We may disclose your information when required by law, such as to comply with subpoenas, court orders, or legal processes. We will notify you of such requests unless prohibited by law or court order.

Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction. We will notify users via email and through our platform of any such change in ownership.

4. Data Security Measures

Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication for all accounts
  • Regular automated security scans and penetration testing
  • Secure backup systems with 30-day retention
  • Access logging and monitoring for all systems

Administrative Safeguards

  • Employee security training and background checks
  • Role-based access controls with principle of least privilege
  • Regular security policy reviews and updates
  • Incident response procedures and breach notification protocols
  • Annual third-party security audits and certifications

Compliance Certifications

  • SOC 2 Type II compliance for security controls
  • GDPR compliance for European Union users
  • CCPA compliance for California residents
  • PIPEDA compliance for Canadian users

5. Your Rights and Controls

Data Access and Control

  • Access: Request a copy of all personal information we hold about you
  • Correction: Update or correct inaccurate personal information
  • Deletion: Request deletion of your account and associated data
  • Portability: Export your data in machine-readable formats
  • Restriction: Limit how we process your personal information

Communication Preferences

  • Opt out of marketing communications at any time
  • Control notification settings for appointments and messages
  • Manage email frequency and content preferences
  • Unsubscribe from newsletters and promotional content

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@needleflow.com or through your account settings. We will respond to your request within 30 days and may require identity verification to protect your information.

EU Residents

If you are located in the European Union, you have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

6. Data Retention

We retain personal information only as long as necessary to provide our services and comply with legal obligations. Specific retention periods vary by data type:

  • Account Information: Until account deletion + 30 days
  • Appointment History: 7 years for business records compliance
  • Payment Information: 7 years for tax and audit purposes
  • Digital Waivers: 7 years for legal protection
  • Technical Logs: 90 days for security and troubleshooting
  • Marketing Data: Until opt-out or 3 years of inactivity

7. Children's Privacy

NeedleFlow is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it promptly. Tattoo services require adult consent in most jurisdictions, and our platform is designed for professional studio management.

8. International Data Transfers

NeedleFlow is based in the United States, and your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Adequacy decisions for transfers to approved countries
  • Binding Corporate Rules for intra-company transfers
  • Explicit consent for transfers where required

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by email and through our platform at least 30 days before the changes take effect. Your continued use of NeedleFlow after such modifications constitutes acceptance of the updated Privacy Policy.

10. Contact Us

Privacy Questions?

If you have questions about this Privacy Policy or our data practices, please contact us:

Privacy Officer: privacy@needleflow.com

General Support: support@needleflow.com

Address: NeedleFlow, Inc.
1234 Tech Avenue, Suite 100
San Francisco, CA 94102

Phone: +1 (555) 123-4567

EU Representative

For EU-related privacy matters:

eu-privacy@needleflow.com