Privacy Policy

Last updated: May 25, 2026

About Ink Booking

This Privacy Policy describes how Ink Booking ("Ink Booking," "we," "us," or "our") collects, uses, stores, shares, protects, and deletes information when you use our tattoo booking and studio management application at inkbooking.app and related services. It applies to artists and customers who use Ink Booking.

Information we collect

We collect information you provide when using Ink Booking, including:

  • Account details (name, email, role, profile information)
  • Booking and scheduling data (appointments, notes, pricing, status)
  • Customer records you create or manage as an artist
  • Design files, documents, and messages related to bookings
  • Payment and deposit records processed through the service
  • Preferences and settings you configure in the product

We also collect technical information needed to operate and secure the service, such as session identifiers, authentication metadata, and application logs.

Google user data

If you are an artist and choose to connect Google Calendar, Ink Booking accesses Google user data only with your explicit consent through Google's OAuth flow. We request the following OAuth scopes:

  • https://www.googleapis.com/auth/calendar.readonly — to list your calendars and read events from the calendar you select
  • https://www.googleapis.com/auth/userinfo.email — to display which Google account is connected

What Google user data we collect

When you connect Google Calendar, we may access and store:

  • Your Google account email address (for display as "Connected as …")
  • Calendar list metadata (calendar IDs and display names)
  • Event data from the calendar you select, including event title, description, location, start and end dates/times, all-day status, event ID, and event link
  • Encrypted OAuth access and refresh tokens, token expiry time, and selected calendar ID and name
  • When you convert a Google event into an Ink Booking appointment, we store the Google event ID on the booking record to avoid duplicates

How we use Google user data

We use Google user data solely to provide and improve the Google Calendar integration features you request:

  • Authenticate and maintain your Google Calendar connection
  • Let you choose which Google Calendar to use
  • Fetch calendar events within a date range you specify
  • Display events so you can review and convert them into Ink Booking appointments
  • Link converted bookings to the original Google event ID

We do not use Google user data for advertising, credit decisions, selling to data brokers, training general-purpose AI models, or any purpose unrelated to providing or improving this integration.

Ink Booking does not create, edit, or delete events in your Google Calendar. Access is read-only.

How we share Google user data

We do not sell Google user data. We do not share Google user data with third parties for their own marketing, advertising, or data-broker purposes.

Google user data is processed on our servers and stored in our database hosted by our infrastructure providers (for example, Supabase for application data storage) only as needed to operate the integration. These providers act as service processors under our instructions and are not permitted to use your Google user data for their own purposes.

How we use other information

We use non-Google information to provide Ink Booking, operate booking workflows, process payments where enabled, send service-related communications, provide customer support, maintain security, and improve reliability and performance.

Data protection for sensitive information

We apply technical and organizational safeguards designed to protect sensitive data, including Google OAuth tokens, account credentials, booking records, customer information, payment-related data, and uploaded design files:

  • Encryption in transit: Connections to Ink Booking use HTTPS (TLS) to encrypt data in transit between your browser and our servers.
  • Encryption at rest for Google tokens: Google OAuth access and refresh tokens are encrypted with AES-256-GCM before being stored in our database. Tokens are decrypted only on the server when needed to call the Google Calendar API on your behalf.
  • Server-side-only secrets: OAuth refresh tokens and encryption keys are never exposed to the browser or client-side application code.
  • Access controls: Database row-level security limits each user to their own data. Google Calendar connection records are accessible only to the artist who created them.
  • Authentication: Sign-in sessions are managed through our authentication provider with industry-standard session handling.
  • OAuth security: Google OAuth uses a state parameter validated via an HTTP-only cookie to help prevent cross-site request forgery during connection.
  • Role-based permissions: Artist and customer roles restrict which features and records each account can access.
  • Operational security: We limit access to production systems, monitor for abuse, and apply updates to address security issues.

No method of transmission or storage is completely secure. If you believe your account has been compromised, contact us promptly at the address below.

Data retention

We retain personal information for as long as your account is active and as needed to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements.

Google Calendar connection data (encrypted access and refresh tokens, token expiry time, selected calendar ID and name, and connected Google account email) is retained while your Google Calendar integration remains connected. When you disconnect Google Calendar, we delete your connection record and stored OAuth tokens from our database.

Google event data in bookings: If you convert a Google Calendar event into an Ink Booking appointment, fields derived from that event (such as title, schedule, location, description, and the Google event ID) may remain on the booking record until you delete or update that booking through normal product workflows, even after you disconnect Google Calendar.

Transient Google event data: Event details fetched for display during a sync or fetch session are used to show results in the app; we do not maintain a separate long-term archive of raw Google event payloads beyond what is stored on booking records you create or update.

When retention periods expire, or when deletion is requested and the data is no longer required for legal or operational purposes, we delete or anonymize the data in accordance with our data lifecycle practices.

Data deletion and your choices

You can control your data in the following ways:

  • Disconnect Google Calendar: From the Calendar page in Ink Booking, disconnect your integration to delete stored OAuth tokens and connection settings. You can also revoke Ink Booking's access at Google Account permissions.
  • Delete converted bookings: Remove individual bookings created from Google events using standard booking management features in the app.
  • Update profile and booking data: Edit information you have entered at any time through the product.
  • Request account or data deletion: Email support@inkbooking.app to request deletion of your account or specific personal data. We will verify your request and respond within a reasonable timeframe, subject to legal retention requirements.

Disconnecting Google Calendar stops future access to your Google data but does not automatically delete booking records already created from imported events.

Sharing and selling data

We do not sell your personal data or Google user data. We may share information with service providers (such as hosting, authentication, email delivery, and payment processors) only as needed to operate Ink Booking, under contractual obligations that limit their use of your data.

Policy updates

We may update this Privacy Policy when our practices change, including how we use Google user data. We will post the revised policy on this page with an updated "Last updated" date. If changes materially affect how we use Google user data, we will provide additional notice within the product where appropriate.

Contact

For privacy questions, data access requests, or deletion requests, contact support@inkbooking.app.