InkDesk

Privacy Policy

Last updated: 04 May 2026

InkDesk (“we”, “us”, “our”) is operated by [Registered Entity Name], having registered office at [Registered Address, India]. This policy explains what we collect, why, how we use it, and your rights under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who this policy applies to

This policy applies to studio owners and staff who sign up to InkDesk (the “Studio”), and to clients whose information flows through our platform via Instagram DMs, WhatsApp, and bookings (the “Client”).

1A. Our role under the DPDP Act

For personal data of Studio owners and staff (account email, name, phone, billing details), InkDesk is the Data Fiduciary and processes such data for the purposes set out in this policy.

For personal data of Clients processed via the Studio's use of our platform (client name, phone, Instagram handle, booking details, message content, deposit references), the Studio is the Data Fiduciary and InkDesk acts as a Data Processor on behalf of the Studio. The Studio is responsible for obtaining lawful consent from its Clients, for honouring Client rights requests under the DPDP Act, and for meeting all obligations of a Data Fiduciary in respect of such data. Our processing of Client data is limited to providing the SaaS to the Studio and is governed by these terms in lieu of a separate Data Processing Addendum.

A Client wishing to exercise rights under the DPDP Act in respect of data held by their Studio should contact the Studio directly. InkDesk will assist the Studio in fulfilling such requests on a commercially reasonable basis.

2. Data we collect

  • Account data: name, email, phone, studio name, legal name, GSTIN (optional), city, billing address, billing state.
  • Booking and client data: client names, phone numbers, Instagram handles, appointment slots, deposit amounts, design references uploaded by the studio or client.
  • Communication data: Instagram DM content (when you connect Instagram), WhatsApp message content (inbound + outbound), message status (delivered, read), opt-out signals.
  • Payment data (when v2 in-app payments ship): payment IDs, subscription IDs, customer IDs returned by the licensed Payment Aggregator. Card and UPI credentials are never seen or stored by us — they are handled by the Payment Aggregator. In v1 (current), no payment data is collected because deposits are collected by the studio offline.
  • Technical data: IP address, browser type, device type, pages visited, action timestamps, cookie identifiers.
  • Compliance data: signed consent forms (where applicable), invoice records, audit logs.

3. Why we collect it

  • To provide the booking, deposit, messaging, and invoicing features of InkDesk.
  • To detect fraud, abuse, and platform misuse.
  • To comply with Indian tax law (GST invoices, audit retention).
  • To respond to lawful requests from regulators and law enforcement.
  • To improve product quality (aggregate, de-identified usage analytics only).

4. How we share data

  • Payment Aggregator (when v2 ships): payment processing. Subject to that provider's privacy policy.
  • Meta (Instagram, WhatsApp): when you connect these channels, message data flows through their APIs under their terms.
  • Supabase: hosted Postgres + auth. Data stored in their managed infrastructure.
  • Vercel: web hosting. Standard request logs.
  • We do not sell your data. We do not share with third-party advertisers.

4A. Meta platform data (Instagram + WhatsApp)

When a Studio connects its Instagram Business account or WhatsApp Cloud API number to InkDesk via Meta's OAuth flow, we receive and store the following from the Meta Graph API:

  • Instagram: connected Instagram User ID, the linked Facebook Page ID, the page access token (encrypted at rest), inbound DM message content, message IDs, sender IDs, timestamps, and outbound replies sent on behalf of the Studio.
  • WhatsApp: WhatsApp Business Account ID, Phone Number ID, system access token (encrypted at rest), inbound message content, message IDs, sender phone numbers, timestamps, and delivery / read status events for outbound messages.

We use this data only to (a) display message threads in the Studio's InkDesk dashboard, (b) send automated replies and reminders that the Studio configures, and (c) tie messages to bookings. We do not use Meta platform data for advertising, do not share it with third parties for advertising, and do not sell it. Storage and processing of Meta platform data complies with the Meta Platform Terms and the Instagram Platform Policy.

You can disconnect Instagram or WhatsApp at any time from Settings → Channels or directly from your Meta account. On disconnect, we delete the page/account access tokens immediately and mark all received Meta platform data for deletion within 30 days. See Data Deletion Instructions for details.

5. Where data is stored

Primary data stores are hosted by Supabase. Region: [ap-south-1 / us-east-1]. Backups are encrypted at rest. We aim to keep all personal data of Indian customers within India where the underlying provider supports it.

6. Retention

Account data is retained for the lifetime of your subscription plus 90 days after cancellation. Invoice and payment records are retained for 8 years to comply with Indian tax law. Message logs are retained for 12 months. You can request earlier deletion (see Section 8).

7. Security

Data in transit is encrypted using TLS 1.2+. Data at rest is encrypted by our infrastructure providers. Access to production data is limited to authorised personnel and audited. We follow OWASP Top 10 guidelines and run security reviews on every release.

8. Your rights under the DPDP Act

  • Access — request a copy of the personal data we hold about you.
  • Correction — correct inaccurate data.
  • Erasure — ask us to delete your data, subject to legal retention obligations.
  • Withdraw consent — revoke previously granted consent at any time.
  • Grievance — raise a complaint with our Grievance Officer (Section 11) or the Data Protection Board of India.

Exercise these rights by emailing [privacy@your-domain.in]. We will respond within 30 days.

9. Cookies

We use first-party cookies for authentication (Supabase Auth session) and analytics (PostHog). No third-party advertising cookies. You can clear cookies in your browser; doing so will log you out.

10. Children

InkDesk is for businesses. We do not knowingly collect data from individuals under 18. Tattoo studios using InkDesk are responsible for verifying age of consent for their own clients per Indian law.

11. Grievance Officer

Per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, our Grievance Officer is:

[Officer Name]
Email: [grievance@your-domain.in]
Address: [Registered Address]

12. Changes

We may update this policy. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated via email to account holders at least 14 days before they take effect.

Privacy Policy · InkDesk