Language. This document is published in English, which is the authoritative version. For an accessibility-friendly version or a Portuguese translation, please email info@tattoofactory.eu. In case of any discrepancy between translations and the English version, the English version prevails to the maximum extent permitted by mandatory consumer-protection law applicable to you.
This Privacy Policy explains how Trendy Texture Unipessoal Lda, NIF / VAT PT519181816, with registered office at Largo Barão de São Martinho, nº 13, 4º, sala H, 4700-306 Braga, Portugal (operating the storefront under the trade name “Tattoo Factory”; hereafter “we”, “us”, “our”, “the Company”) collects, uses, discloses and safeguards personal data when you use our storefront at tattoofactory.io (the “Site”) and any related services (collectively, the “Services”).
We are the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), as supplemented by Portuguese Law n.º 58/2019 of 8 August (Lei de Execução do RGPD). This Policy is intended to satisfy our information obligations under Articles 12, 13 and 14 GDPR. Defined terms used in the GDPR have the same meaning here.
1. Controller and contact
The data controller is Trendy Texture Unipessoal Lda (NIF / VAT PT519181816). You may contact us in writing at the registered office above, or by email at info@tattoofactory.eu.
We have not appointed a Data Protection Officer because we do not meet the mandatory criteria of Article 37(1) GDPR. We have nevertheless designated a privacy contact who handles all data-protection matters; reach them at the address above.
2. Categories of personal data we process
2.1 Identification & contact data
- Full name, email address, postal billing & shipping address, phone number (optional)
- For B2B accounts: company name, EU VAT number, business address, contact-person name and position
- Account credentials: hashed password (we never store the plaintext), session tokens, email-verification tokens
- Customer-service correspondence and any attachments you send us
2.2 Order & transaction data
- Items ordered, sizes, quantities, total price, currency, applicable taxes
- Order timestamp, fulfilment status, dispatch tracking number, delivery proof
- Invoice number and invoice PDF (issued via our certified billing software, in compliance with Portuguese tax law)
- Payment metadata: payment method type (card brand / wallet / SEPA), last 4 digits of card, transaction reference, refund reference. We never see or store full card numbers — they are tokenised and processed by our payment service providers (see §4).
2.3 Custom-design content
- Artwork files you upload to our customizer (PNG, SVG, PDF, etc.)
- Optional briefing notes, references, and approvals you submit during the design flow
- If you use the AI tattoo generator: the text prompt you submit, the parameters you choose, and the resulting image. Prompts are not used to train any third-party model.
2.4 Technical & usage data
- IP address, browser type and version, operating system, device type, screen resolution, referrer URL, language and country preference
- Logs of pages viewed, products clicked, time on page, and search terms entered on the storefront (in aggregated and pseudonymised form via our privacy-first analytics provider — see §4)
- Cookie identifiers and similar technologies — see our separate Cookie Policy for the full list
- Server logs containing IP, timestamp, requested URL, response code and user-agent string (retained for 30 days for security and debugging)
2.5 Marketing data
- Newsletter subscription status, the date and source of subscription, and your IP address at the moment of opt-in (kept as proof of consent under Article 7(1) GDPR)
- Email open / click events at the campaign level (aggregated; we do not build behavioural profiles)
2.6 Special categories of data
We do not intentionally process special categories of personal data within the meaning of Article 9 GDPR (such as health, biometric, racial or religious data). Please do not include such information in the artwork, prompts, or messages you send us. If we become aware that we hold such data without a lawful basis, we will delete it.
3. Purposes of processing and lawful bases
We process your personal data only for the purposes listed below, each on the legal basis identified next to it (Article 6 GDPR).
| Purpose | Categories used | Lawful basis |
|---|---|---|
| Process and fulfil your orders, ship products, manage returns and refunds | Identification, order, transaction | Performance of contract — Art. 6(1)(b) GDPR |
| Operate user accounts, secure the login, and provide customer support | Identification, account credentials, technical, correspondence | Performance of contract — Art. 6(1)(b) GDPR |
| Issue legally compliant invoices and meet tax / accounting obligations | Identification, order, transaction, VAT | Legal obligation — Art. 6(1)(c) GDPR (Portuguese Decree-Law 28/2019, Tax General Law) |
| Detect, prevent and investigate fraud, abuse, chargebacks and security incidents | Technical, transaction, IP, device | Legitimate interest — Art. 6(1)(f) GDPR; balanced against your interest in privacy. We use only the minimum data needed and do not profile you for any other purpose. |
| Send transactional emails (order confirmation, dispatch, refund, password reset, account notices) | Identification, order | Performance of contract — Art. 6(1)(b) GDPR |
| Send the marketing newsletter and product news | Identification, marketing | Consent — Art. 6(1)(a) GDPR (you can withdraw at any time via the unsubscribe link or in account settings) |
| Send marketing emails to existing customers about similar products to those they have already bought | Identification, order, marketing | Legitimate interest in direct marketing — Art. 6(1)(f) GDPR + Recital 47, in line with Article 13(2) of the ePrivacy Directive 2002/58/EC and Portuguese Law 41/2004. You can object at any time, free of charge. |
| Aggregated, pseudonymised analytics about how the Site is used (via Plausible — no cookies set) | Technical (pseudonymised; no persistent identifiers) | Legitimate interest — Art. 6(1)(f) GDPR. No cookies or other identifiers are stored on or read from your device, so the processing falls outside Article 5(3) of the ePrivacy Directive. |
| Optional functional cookies and personalisation features (e.g. recently-viewed products) | Cookie identifiers, click history | Consent — Art. 6(1)(a) GDPR + Article 5(3) ePrivacy Directive |
| Custom-design fulfilment and the AI tattoo generator | Custom-design content, prompts, identification | Performance of contract — Art. 6(1)(b) GDPR (when ordered) or pre-contractual measures (when previewed) |
| Defend or pursue legal claims and respond to lawful requests from authorities | Any of the above as needed | Legitimate interest — Art. 6(1)(f) GDPR / Legal obligation — Art. 6(1)(c) GDPR |
4. Recipients and processors
We share personal data only with carefully selected service providers (“processors” under Article 28 GDPR) acting on our documented instructions, and only to the extent necessary for the purposes above. A current list of processors is below. Each is bound by a written data-processing agreement that meets Article 28(3) GDPR.
| Service | Provider | Country / location | Purpose |
|---|---|---|---|
| Hosting / app runtime | Render Services, Inc. | USA — EU region (Frankfurt) | Run the Site and APIs |
| Database | Render Postgres / Neon | EU (Frankfurt) | Persist account, order and product data |
| Object storage | Cloudflare R2 | EU | Store product images and uploaded design files |
| CDN / DDoS protection | Cloudflare, Inc. | Global edge | Deliver the Site quickly and protect against attacks |
| Card & wallet payments | Stripe Payments Europe Ltd. | Ireland | Process card / Apple Pay / Google Pay payments. Stripe is an independent controller for fraud prevention. |
| PayPal payments | PayPal (Europe) S.à r.l. et Cie, S.C.A. | Luxembourg | Process PayPal payments. PayPal is an independent controller for its own anti-money-laundering checks. |
| Shipping — Portugal | CTT — Correios de Portugal, S.A. | Portugal | Domestic dispatch and tracking |
| Shipping — international | DHL Parcel Iberia / DHL Express, UPS | EU, UK, USA | International dispatch and tracking |
| Transactional email | Resend, Inc. | USA — EU sub-processor (AWS Frankfurt) | Send order, account and password emails |
| Marketing email | Resend, Inc. (or successor) | USA — EU sub-processor | Send the opt-in newsletter |
| Analytics | Plausible Insights OÜ | Estonia (servers in Germany) | Cookieless, privacy-first traffic analytics |
| Billing & invoicing | Moloni (Cloudware Lda.) | Portugal | Issue certified Portuguese invoices and submit SAF-T to AT |
| AI tattoo generator | Replicate, Inc. | USA | Generate preview images from your prompt (covered by SCCs; prompts are not used to train models) |
| Customer support tooling | Internal admin app + email inbox | EU | Handle support tickets |
We may additionally disclose personal data to: (i) our professional advisers (lawyers, accountants, auditors) bound by professional confidentiality; (ii) public authorities and courts when required by law, a binding order, or to defend legal claims; (iii) a buyer in the event of a corporate transaction (merger, sale of assets), subject to confidentiality and continuity of this Policy.
We do not sell your personal data, and we do not share it with advertising networks or data brokers.
5. International transfers
Some of our processors are established outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on the safeguards set out in Chapter V of the GDPR:
- Adequacy decision — for transfers to recipients in countries the European Commission has formally recognised as providing an adequate level of protection (e.g. United Kingdom).
- EU-US Data Privacy Framework (DPF) — for transfers to certified US providers (e.g. Stripe, Cloudflare, Render where certified). You can verify certification at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — together with supplementary technical and organisational measures (TLS in transit, AES-256 at rest, strict access controls).
You may obtain a copy of the relevant safeguards by emailing info@tattoofactory.eu.
6. Retention periods
We keep personal data only for as long as necessary for the purpose for which it was collected, plus any retention period required by law. Specifically:
| Data | Retention | Reason |
|---|---|---|
| Invoices and order records | 10 years | Article 123(2) Portuguese CIRC + Decree-Law 28/2019 (mandatory tax retention) |
| Order shipping data | 3 years after delivery | Statute of limitations for consumer claims (Decree-Law 84/2021) |
| Account profile (when active) | For the life of the account | Performance of contract |
| Account profile after deletion request | 30 days “cool-off”, then deletion within 90 days from backups | To allow reversal and complete backup rotation |
| Custom-design files | 90 days after order completion | To handle reprints & warranty; deleted automatically thereafter |
| AI generator prompts and images | 30 days from generation, unless you save the design to your account | Operational debugging and abuse prevention |
| Marketing list | Until you unsubscribe; opt-in proof retained 3 years thereafter | Compliance with Article 7(1) GDPR (proof of consent) |
| Customer-service correspondence | 3 years after last contact | Statute of limitations for consumer claims |
| Server & security logs | 30 days | Security monitoring & debugging (Art. 6(1)(f)) |
| Web analytics | 26 months, in pseudonymised form | Industry standard for trend analysis |
| Cookie consent records | 12 months | Proof of valid consent |
After expiry, data is irreversibly deleted or anonymised in such a way that it can no longer be associated with an identified or identifiable natural person.
7. Your rights
Subject to the conditions and exceptions in the GDPR, you have the following rights free of charge:
- Right of access (Art. 15) — confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
- Right to erasure (Art. 17, “right to be forgotten”) — subject to exemptions for legal retention obligations and the establishment, exercise, or defence of legal claims.
- Right to restriction (Art. 18) — limit how we use your data while a dispute is being resolved.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing. Marketing objections are absolute — we will stop immediately.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making (Art. 22) — see §10 below.
- Right to lodge a complaint (Art. 77) — see §8.
To exercise any of these rights, email info@tattoofactory.eu or write to us at the registered office above. We respond within one month of receiving your request (extendable by up to two further months for complex requests, in which case we will tell you within the first month). We may need to verify your identity before complying — typically by asking you to confirm the request from your account email address.
8. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The Portuguese supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD):
- Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa, Portugal
- Phone: +351 213 928 400
- Website: www.cnpd.pt
You may also lodge a complaint with the supervisory authority of your EU country of residence or workplace.
9. Security
We implement appropriate technical and organisational measures proportionate to the risk, in line with Article 32 GDPR. These include:
- Encryption — TLS 1.3 for all data in transit; AES-256 for data at rest in the database, object storage and backups.
- Hashing — passwords are hashed with a dedicated slow password-hashing function (Argon2, which is memory-hard, or bcrypt) using a unique random salt per user; plaintext passwords are never stored.
- Access control — role-based access, principle of least privilege, multi-factor authentication for all staff with access to personal data.
- Tokenisation — payment card numbers never reach our servers; only a Stripe / PayPal token is stored.
- Logging & monitoring — admin actions on personal data are logged; logs are reviewed for anomalies.
- Backups — daily encrypted backups, retained for up to 30 days, with periodic restore testing.
- Vendor management — Article 28 contracts with all processors; security review before onboarding.
- Vulnerability management — dependency scanning, security patches deployed promptly, periodic penetration testing.
10. Automated decision-making and profiling
We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR. Stripe and PayPal may run automated anti-fraud checks on payments under their own privacy policies; the outcome of those checks is reviewed by a human at Tattoo Factory before any order is refused.
11. Personal-data breaches
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the CNPD without undue delay and, where feasible, not later than 72 hours after becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay in accordance with Article 34 GDPR.
12. Children
The Site and Services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under 16 (Article 8 GDPR sets the age of digital consent at 16 by default; Portuguese Law 58/2019 lowers it to 13, but the Site is not directed at minors in any case). If we learn that we have collected data from a child without verified parental consent, we will delete it. If you believe a minor has submitted data to us, please contact info@tattoofactory.eu.
13. Cookies
Our use of cookies and similar technologies is described in our Cookie Policy, which forms an integral part of this Privacy Policy.
14. Job applicants and visitors
If you apply for a job with us, we will use your CV and contact details only to evaluate your application; we keep candidate data for 12 months from the last interaction (or longer with your consent). If you visit our office, we may keep a name in a visitor log for up to 30 days for security.
15. Links to third-party sites
The Site may contain links to third-party sites (e.g. Instagram, couriers’ tracking pages). We are not responsible for the privacy practices of those sites; please review their privacy notices.
16. Changes to this Policy
We may update this Policy to reflect changes in our practices, the services we offer, or applicable law. The latest version is always available on this page, marked with the “Last updated” date above. Material changes will be communicated by email to registered customers at least 14 days before they take effect, or by a prominent notice on the Site.
17. Contact
For any privacy-related question, request, or to exercise any of your rights, please contact:
- Email — info@tattoofactory.eu
- Post — Trendy Texture Unipessoal Lda, Largo Barão de São Martinho, nº 13, 4º, sala H, 4700-306 Braga, Portugal