Camena Tattoo

Privacy Notice and Data Consent

Version 2.0 | Tattoo Booking System

What data we collect and why

When you use our booking form:

  • Contact information (name, email, phone number) - to process your booking request and communicate with you about your appointment
  • Booking preferences (tattoo design details, placement on body, size specifications) - to prepare for your tattoo session and provide accurate quotes
  • Technical data (IP address, browser information, form submission timestamp) - for security purposes and to maintain consent records as required by law

Email data retention:

  • Booking confirmation emails sent to you: Retained indefinitely for customer service purposes
  • Booking details sent to tattoo artists: Retained indefinitely in artist email systems for appointment preparation, follow-up work, and future service requests
  • You can request deletion of any emails containing your personal data at any time by contacting us
  • Upon your deletion request, we will immediately notify the relevant tattoo artist to delete emails from their systems
  • AWS SES delivery logs and metadata: Automatically deleted after 90 days

How we process and store your data

Our booking system workflow:

  • Your form data is securely processed on Vercel's servers (cloud hosting platform)
  • Booking details are automatically forwarded to your assigned tattoo artist via email
  • You receive a confirmation email with your booking details
  • All emails are sent through Amazon Web Services (AWS) Simple Email Service for reliable delivery
  • Your consent records are securely stored in a Neon PostgreSQL database (serverless database with encryption) for legal compliance

How long we keep your data:

  • Booking information and related emails: Retained indefinitely to support ongoing customer service, touch-ups, warranty work, and future tattoo continuation requests. You may request deletion at any time.
  • AWS SES email delivery logs: 90 days (automatically deleted for security and system maintenance)
  • Consent records: Stored permanently as legal proof of your agreement to data processing

Legal basis for processing your data

  • Consent (GDPR Article 6(1)(a))
    You explicitly agree to this data processing by submitting the booking form
  • Legitimate interests (GDPR Article 6(1)(f))
    Retaining booking records and related emails indefinitely to provide ongoing customer service, touch-up work, warranty services, and support for future tattoo additions or modifications
  • Contract performance (GDPR Article 6(1)(b))
    Processing necessary to provide tattoo consultation and booking services

Your data protection rights under GDPR

You have the right to:

Access: request a copy of all personal data we hold about you
Rectification: correct any inaccurate or incomplete information
Erasure: request deletion of your data at any time, including emails sent to tattoo artists (we will notify them to delete immediately upon your request)
Restrict processing: limit how we use your data in certain circumstances
Data portability: receive your data in a structured, machine-readable format
Object: to processing based on legitimate interests
Withdraw consent: at any time for consent-based processing (contact us to exercise this right)

Where your data is processed and shared

Within Norway: Your tattoo artist receives booking details to prepare for your appointment
Within EU/EEA: No data processing currently occurs in other EU/EEA countries
Outside EU/EEA (with adequate protection):

  • Vercel (USA) - hosting platform with GDPR compliance measures and Standard Contractual Clauses
  • AWS SES (USA) - email service with Standard Contractual Clauses
  • Neon (USA) - serverless PostgreSQL database with SOC 2 Type II and ISO 27001 certifications, encrypted storage (AES-256), and GDPR-compliant data processing agreements

We never sell, rent, or share your personal data for marketing purposes. Booking emails containing your personal data are shared only with your assigned tattoo artist to provide services, and we maintain the ability to request deletion from their systems upon your request. Data is only shared with the processors listed above who are contractually bound to protect your privacy.

Security measures

We implement industry-standard security measures to protect your data:

  • All data transmissions are encrypted using TLS 1.2+ protocol
  • Database access is restricted to authorized systems only with encrypted credentials
  • Consent records are stored in encrypted format (AES-256) in our database
  • Regular security audits and monitoring for unauthorized access
  • All data processors are SOC 2 and ISO 27001 certified

Data Controller Information

Simen Larsen Johansen
Folke Bernadottes vei 44-46, 5147 Fyllingsdalen

For any privacy-related questions, to exercise your rights, or to lodge a complaint, contact us using the information above. You also have the right to lodge a complaint with Datatilsynet (Norwegian Data Protection Authority) at datatilsynet.no.

Last updated: October 5, 2025 | Version 2.0