BLINK B.V.
Wavrr — Privacy Policy
This Privacy Policy explains how Blink B.V. collects, uses, and protects personal data in connection with the Wavrr software-as-a-service platform, including the studio dashboard, the consent-waiver and ink-passport tools, and any related services for studios and artists.
Contact:Blink B.V.
Herengracht 242A, 1016 BT Amsterdam, the Netherlands
hello@wavrr.app
Article 1 — Introduction
This Privacy Policy explains how Blink B.V. ("Blink", "we", "us", or "our") collects, uses, and protects personal data when you visit our website (wavrr.app), use the Wavrr platform, the waiver-signing flow, or the ink-passport feature embedded by a tattoo studio or artist.
This Policy applies to:
- Studios and Artists (our direct B2B clients) who use Wavrr to manage their bookings, waivers, and ink-passport records;
- Clients of those Studios and Artists, whose data is entered into Wavrr by the Studio, by the Client themselves via a signing or upload link, or both; and
- Website visitors to wavrr.app.
Roles under data-protection law
Blink B.V. acts as data controller in respect of personal data of Studios, Artists, Studio staff, website visitors, support contacts, and marketing contacts.
Blink B.V. acts as data processor in respect of personal data of Clients that is entered into, uploaded to, or generated through Wavrr by or on behalf of a Studio. In that case, the Studio is the data controller and is responsible for determining the purpose and means of the processing, for collecting any required consents, and for complying with local tattoo, health, age-verification, and consent rules. Blink B.V. processes such data only on the Studio's instructions and as further described in this Policy.
Article 2 — Information We Collect
We collect the following categories of personal data.
2.1 Studio and Artist account data
When a Studio or Artist signs up and uses the platform, we collect:
- name, email address, phone number;
- studio or business name, address, city, postal code, country;
- Instagram or social-media handles, language preference;
- login credentials and authentication metadata;
- Subscription status, plan, and Stripe customer/subscription identifiers;
- invoicing and tax information.
2.2 Client data
On behalf of a Studio, the Services collect personal data of Clients in connection with bookings, consent waivers, and ink-passport records, including:
- name, email address, phone number, date of birth;
- address, city, postal code (where requested by the Studio);
- medical conditions, pregnancy or breastfeeding status, allergies, and other health-related disclosures requested in the waiver;
- legal-guardian name and contact details where the Client is a minor;
- Client, guardian, and Artist Electronic Signatures;
- the content of the signed waiver, the signed PDF, and signing metadata (timestamp, IP address);
- appointment date, time, service description, price, deposits;
- ink-passport entries (procedures performed, products and inks used, related notes);
- optional photographs of identity documents (such as ID card, passport, or driver's licence) where the Studio requests them.
In respect of Client data, the Studio is the controller and Blink B.V. is the processor. Clients should generally exercise their data-subject rights through the Studio that collected their data; we will assist the Studio in responding.
2.3 Technical and analytics data
When you use the platform or visit our website, we automatically collect:
- IP address, browser type, device information, operating system, language, time zone;
- session and authentication cookies;
- locale and sidebar/UI preference cookies;
- page views, events, feature usage, and click data;
- error and performance data.
2.4 Communications data
- emails and chat messages with our support team;
- contact-form submissions on our website;
- marketing-automation events (such as opens, clicks, and unsubscribes).
Article 3 — Special Category and Sensitive Data
The Services are designed to allow Studios to collect consent waivers and related records. As part of those workflows, the platform may process special-category and sensitive personal data, including:
- health data (medical conditions, allergies, pregnancy or breastfeeding status, medication, and similar disclosures);
- date of birth and minor/guardian status;
- Electronic Signatures;
- photographs of identification documents where the Studio uses that feature.
Blink B.V. processes this data only as a processor on behalf of the Studio. The Studio is the controller and is responsible for establishing the appropriate legal basis under Article 6 GDPR (typically performance of a contract or legitimate interests) and the appropriate condition under Article 9 GDPR (typically explicit consent under Article 9(2)(a), or, where relevant, the establishment, exercise, or defence of legal claims under Article 9(2)(f)).
The Studio must:
- collect only such medical, identification, or other sensitive data as is strictly necessary for the lawful provision of the tattoo service and the Studio's regulatory or insurance obligations;
- inform Clients about how their data will be used and obtain any required consents (in particular explicit consent for health data) before submission;
- apply appropriate access controls within the Studio so that sensitive data is accessible only to staff with a legitimate need to know;
- not use the Services to make decisions producing legal or similarly significant effects on a Client based solely on automated processing of sensitive data;
- not use the Services in a manner that could constitute discrimination on the basis of health, pregnancy, age, or any other protected characteristic.
Blink B.V. applies appropriate technical and organisational measures (see Article 9) to protect this data.
Article 4 — How We Use Your Information
As controller, we use Studio, Artist, website-visitor, and contact data to:
- provide, operate, and maintain the platform;
- process Subscription payments via Stripe, manage Subscriptions, enforce plan limits, and recover unpaid amounts;
- communicate with Studios about their account, billing, service updates, and important notifications;
- respond to enquiries, contact-form submissions, and customer-support requests;
- send lifecycle and marketing communications, where permitted by law and based on consent or a soft-opt-in;
- understand how the platform and website are used and improve the Services through analytics;
- maintain platform security, prevent fraud and abuse, and protect the integrity of the Services;
- comply with legal obligations and enforce our Terms and Conditions.
As processor for Client data, we use that data only to:
- present and store waivers, capture Electronic Signatures, generate signed PDFs, and make signed documents available to the Studio and (on request) to the Client;
- maintain ink-passport records as configured by the Studio;
- send transactional booking and waiver communications to Clients on behalf of the Studio (such as booking confirmations, reminders, signing links, and cancellation notices);
- provide audit and integrity controls (such as signing timestamps and IP addresses);
- any other purpose specifically instructed by the Studio in writing.
Article 5 — Legal Basis for Processing (EEA)
Where we process personal data of individuals in the European Economic Area as controller, we rely on the following legal bases under Article 6 GDPR:
- Performance of a contract: to provide the Services, manage the Studio's account, process Subscription payments, and deliver functionality requested by the Studio.
- Legitimate interests: for platform security, fraud prevention, improving the Services, analytics, managing client relationships, defending legal claims, and limited direct B2B marketing — where those interests are not overridden by the data subject's rights and freedoms.
- Consent: for certain marketing communications and optional features where consent is the appropriate basis. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
- Legal obligation: to comply with applicable laws, including Dutch fiscal and administrative requirements.
In respect of Client data processed by us as processor, the Studio establishes the appropriate legal basis under Article 6 and (where applicable) the condition under Article 9, as set out in Article 3.
Article 6 — Sub-processors and Data Sharing
We do not sell or rent personal data. We share personal data only as necessary to provide the Services, and we use the following sub-processors and service providers:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, and file storage (including signed waivers, PDFs, and uploaded ID photographs). | EU |
| Stripe | Subscription billing, payment processing, and customer billing records. Stripe acts as an independent controller for its own fraud-prevention and compliance purposes. | EU / global |
| Postmark | Transactional email delivery, including booking confirmations, signing links, and signed-PDF attachments. | EU / US |
| PostHog | Product analytics and error tracking on the platform and website. | EU |
| Google Tag Manager | Tag management on our website. Currently used to load Google and Meta tags for analytics and advertising. | EU / global |
| Intercom | Customer support and in-product messaging. | EU / US |
| Loops | Lifecycle and marketing email automation for Studios and Artists. | US |
| Slack | Internal operational notifications (for example, signup or onboarding alerts). | US |
Each sub-processor is bound by appropriate contractual safeguards (including, where applicable, a written data-processing agreement and Standard Contractual Clauses for transfers outside the EEA). We work, where reasonably possible, with EU-hosted providers and EU regions.
In addition to sub-processors, we may share personal data:
- With the relevant Studio: Client booking and waiver data is shared with (and made available in the dashboard of) the Studio that received it.
- Where you authorise an integration: we share the data needed to operate that integration.
- To comply with legal obligations: where required by applicable law, regulation, or legal process, or to protect the rights, property, or safety of Blink B.V., our clients, or others.
- In the context of business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users in advance where required by law.
Article 7 — Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate the Services, secure them, analyse usage, and remember your preferences. This Article describes the cookies and trackers in use.
7.1 Cookies and trackers on our website (wavrr.app)
When you visit wavrr.app, the cookies and trackers listed below are loaded and read from your browser automatically. We do not currently display a cookie consent banner. You can block, restrict, or delete cookies through the browser controls described in Article 7.3.
The following cookies and trackers are in use on wavrr.app:
- Strictly necessary: session, security, and authentication cookies. These are required for the website to function.
- Functional: locale, sidebar, and other UI preference cookies.
- Analytics: PostHog product-analytics cookies and identifiers, used to understand how the website is used.
- Tag management and advertising: Google Tag Manager, which currently loads Google tags (for analytics and advertising measurement) and Meta tags (for advertising measurement and audience building).
- Support: Intercom cookies used to enable in-product and on-site support chat.
7.2 Cookies in the platform and waiver flow
The studio dashboard, and the waiver-signing flow use only cookies that are strictly necessary to operate the Services, including:
- Supabase authentication and session cookies;
- language/locale and sidebar/UI preference cookies;
- security cookies.
The waiver-signing flow do not set advertising or cross-site tracking cookies on Clients.
7.3 Browser controls
You can block, restrict, or delete cookies through your browser settings, and you can use browser-level controls such as private/incognito mode or extensions that block trackers. Disabling strictly-necessary cookies may affect the functionality of the Services.
Article 8 — Where Your Data Is Stored and International Transfers
Blink B.V. is established in the Netherlands (Amsterdam). Our primary infrastructure (Supabase, including the database and file storage) is hosted within the European Union, and we work, where reasonably possible, with EU-based service providers and EU regions of multi-region providers.
Some of our sub-processors (in particular Loops and Slack, and to varying extents Stripe, Postmark, Intercom, and Google Tag Manager) may process limited personal data outside the EEA, including in the United States. Where personal data is transferred outside the EEA, we ensure that any such transfer is subject to appropriate safeguards under Chapter V of the GDPR, including:
- Adequacy decisions: transfers to countries recognised by the European Commission as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs): where no adequacy decision applies, we rely on the standard contractual clauses adopted by the European Commission under Article 46(2)(c) GDPR, supplemented where necessary by additional technical and organisational measures.
Details of the transfer mechanisms applicable to each sub-processor are available on written request at hello@wavrr.app.
Article 9 — Data Security
We take the security of personal data seriously and implement appropriate technical and organisational measures, including:
- encryption of personal data in transit (TLS) and at rest where applicable;
- access controls so that personal data is accessible only to authorised personnel on a need-to-know basis;
- confidentiality obligations for all staff and contractors with access to personal data;
- secure handling and storage of credentials, signing tokens, and any third-party access tokens;
- logging and monitoring of access to sensitive data;
- regular review and testing of our security measures;
- pseudonymisation of personal data where appropriate and reasonably practicable.
In the event of a personal data breach, we will notify affected parties and the relevant supervisory authority in accordance with our obligations under the GDPR. No method of transmission over the internet or electronic storage is completely secure; while we apply industry-standard measures to protect data, we cannot guarantee absolute security.
Article 10 — Data Retention
We retain personal data for as long as necessary to provide the Services, defend legal claims, and meet our legal obligations. Specific retention periods include:
| Category | Retention |
|---|---|
| Studio / Artist account data | Retained for the duration of the account. After verified account closure, deleted or anonymised within a reasonable period, subject to any legal retention obligations. |
| Signed waivers, signed PDFs, and ink-passport records | Retained for the duration of the Studio's account and, after closure, for as long as is necessary to defend or assert legal claims relating to the underlying tattoo service. Under Dutch law, limitation periods for personal-injury and medical claims can extend up to 20 years (Article 3:310 of the Dutch Civil Code). The Studio remains responsible for retention obligations applicable to it. |
| Client contact and booking data | Retained for the duration of the Studio's account or as further instructed by the Studio. Soft-deleted records may be preserved in the database for audit and integrity purposes for a reasonable period before permanent deletion. |
| Identification documents (ID, passport, driver's licence photographs) | Retained for as long as the Studio (as data controller) requires for the purpose for which the data was collected. The Studio is responsible for setting an appropriate retention period consistent with the data-minimisation principle under Article 5(1)(c) GDPR and for deleting identification documents once their purpose has been fulfilled. |
| Subscription and billing records | Retained for seven (7) years in accordance with Dutch fiscal law. |
| Support communications | Retained for two (2) years from the date of last interaction. |
| Analytics and error logs | Retained for up to fourteen (14) months in pseudonymised or aggregated form. |
| Backups | Encrypted backups are retained on a rolling basis and are overwritten or deleted within a maximum of 35 days. Deletion requests are honoured in live systems immediately and propagate through backups within this period. |
| Marketing automation events | Retained for the duration of the marketing relationship plus a reasonable archival period for record-keeping. Unsubscribe requests are honoured immediately. |
To request deletion of your personal data, contact us at hello@wavrr.app. Clients should generally direct deletion requests to the Studio that collected their data; we will assist the Studio in giving effect to such requests.
Article 11 — Your Rights (EEA / UK)
If you are located in the European Economic Area or the United Kingdom, you have the following rights in relation to your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data, subject to any legal retention obligations.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
- Objection: object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent (such as health-data disclosures, ID uploads, or marketing communications), withdraw consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or with the supervisory authority in your country of residence.
To exercise these rights, contact us at hello@wavrr.app or, where applicable, via the settings in the Wavrr dashboard. We will respond within one month, in accordance with the GDPR.
If you are a Client, your data is processed by us as processor on the Studio's instructions. You should generally address requests to the Studio that collected your data, since the Studio is the controller. If you contact us directly, we will forward your request to the Studio and assist them in responding.
Article 12 — Minors and Guardian Consent
The Services are designed for use by tattoo studios and artists, who are responsible professionals. They are not directed at children. However, the waiver-signing flow may be used in respect of minors where local law allows tattooing of minors with parental or legal-guardian consent.
Where a Client is a minor, the Studio is responsible for:
- verifying the age of the Client;
- verifying the identity and authority of the parent or legal guardian who signs the waiver;
- complying with the minimum-age and consent rules applicable in the relevant jurisdiction;
- collecting only the minor's data and the guardian's data that is strictly necessary.
Minimum ages and consent rules vary by country and region. Studios should configure their account accordingly and should not use the Services in a manner that breaches local rules. Blink B.V. does not verify the age of any Client or the legal capacity of any guardian.
Article 13 — California Privacy Rights (CCPA / CPRA)
This Article applies to California residents whose personal information is processed by Blink B.V. as a business under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"). Capitalised terms in this Article have the meanings given in the CCPA.
13.1 Categories of personal information collected
In the preceding twelve months, we have collected the following categories of personal information from California residents (whether as Studio/Artist users, website visitors, or Clients on behalf of Studios), as further described in Article 2:
- identifiers (name, email, phone, IP address, account identifiers);
- customer records (billing, address, payment information processed by Stripe);
- commercial information (Subscription details, transactions);
- internet/network activity (usage data, cookies, analytics);
- geolocation (approximate, derived from IP address);
- professional information (studio name, role);
- inferences (limited inferences drawn from usage data for analytics);
- sensitive personal information, where collected through waivers on behalf of Studios: precise health information, government-issued identifiers in ID photographs, and account credentials. We treat sensitive personal information with heightened care and process it only for the purposes described in this Policy and as instructed by the relevant Studio.
13.2 Sale and sharing of personal information
Blink B.V. does not sell personal information for monetary consideration. Through certain advertising and analytics tags loaded on our marketing website (currently Google and Meta tags loaded via Google Tag Manager), some personal information (such as cookie identifiers and online activity) may be shared with these providers for cross-context behavioural advertising; under the CCPA, this can constitute "sharing". We do not share Client waiver data, signed PDFs, or ID photographs with advertising or analytics partners.
13.3 Your California rights
California residents have the right to:
- Know: request that we disclose the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Delete: request deletion of personal information we have collected, subject to legal exceptions.
- Correct: request correction of inaccurate personal information.
- Opt out of sale or sharing: opt out of the sharing of personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out request for browsers that send it. To opt out manually, email hello@wavrr.app from the email address associated with your account, or use the browser-level controls described in Article 7.3.
- Limit use of sensitive personal information: request that we limit our use of sensitive personal information to that which is necessary to provide the Services.
- Non-discrimination: we will not discriminate against you for exercising any of these rights.
To exercise these rights, email hello@wavrr.app from the email address associated with your account, or use the relevant in-product setting where available. We will verify your request and respond within the timeframes required by the CCPA. You may designate an authorised agent to make a request on your behalf, subject to our verification.
If your personal information is processed by Blink B.V. as a service provider on behalf of a Studio (for example, your waiver data), you should generally direct CCPA requests to the Studio in the first instance; we will assist the Studio in responding.
Article 14 — Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Services, legal obligations, or data-processing practices.
Where changes are material — including changes to the purposes for which we process personal data, the categories of data we collect, or the third parties we share data with — we will notify you by email and by posting the updated Policy with a revised effective date.
For minor changes, we will update the Policy and revise the date without separate notification. We encourage you to review this Policy periodically. Continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy.
Article 15 — Controller and Contact
The data controller responsible for personal data of Studios, Artists, Studio staff, website visitors, and support and marketing contacts is:
Blink B.V.Herengracht 242A, 1016 BT Amsterdam, the Netherlands
KvK: 95717013
hello@wavrr.app
In respect of Client personal data processed through the Services on behalf of a Studio, the relevant Studio is the data controller. Blink B.V. acts as data processor on the Studio's documented instructions.
For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at hello@wavrr.app. We respond within one month of receiving your request.
Blink B.V. has not appointed a Data Protection Officer. If you have unresolved concerns, you have the right to contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
