Privacy Policy

Effective Date: 13/05/2024
Last Updated: 15/04/2026

Thank you for choosing Apex Tattooz. This Privacy Policy describes how we collect, use, and disclose personal information received from users of our website www.apextattooz.com (the “Site”) and our services. By using the Site, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

We may collect personal information when you visit our Site, register for an account, book an appointment, subscribe to our newsletter, respond to a survey, or fill out a form. The types of personal information we may collect include your name, email address, mailing address, phone number, and payment information.

2. Additional Information We May Collect

Depending on how you interact with us, we may also collect:

  • Date of birth (for age verification — tattoo services require customers to be 18 or older)
  • Health and medical questionnaire responses (allergies, medical conditions, medications) required for tattoo safety
  • Photographs of body placement, existing tattoos, and reference imagery you share with us
  • Messages sent via WhatsApp, Instagram Direct, Messenger, email, or contact forms
  • Signed digital consent forms prior to any tattoo procedure
  • Reviews, testimonials, and social-media tags
  • IP address, device type, browser, operating system, pages visited, and time spent
  • Cookies and similar tracking technologies, including Meta Pixel identifiers (_fbp, _fbc) and Google Analytics identifiers
  • Approximate geolocation (derived from IP address)
  • Engagement signals from our Facebook Page, Instagram profile, WhatsApp business number, and Messenger

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Book, confirm, reschedule, and deliver tattoo and related services
  • Verify age and medical eligibility prior to any procedure
  • Process payments, issue GST-compliant invoices, and handle refunds
  • Provide aftercare instructions and follow-up reminders
  • Communicate with you via WhatsApp, Instagram, Messenger, SMS, and email
  • Send marketing communications and offers (only if you opt in; you can unsubscribe at any time)
  • Run advertising campaigns on Meta platforms (Facebook, Instagram, WhatsApp) and Google
  • Measure ad performance and attribute conversions using Meta Pixel, Meta Conversions API, and similar tools
  • Build custom and lookalike audiences on Meta using hashed, pseudonymised data
  • Retarget users who have visited the Site, engaged with our pages, or messaged us
  • Detect, prevent, and address technical issues
  • Comply with legal obligations under Indian law, including the DPDP Act 2023, the GST Act 2017, the Information Technology Act 2000, and consumer-protection laws

4. Apex Tattooz Enterprise Application

Our staff use an internal enterprise application (the “App”) to manage appointments, client records, commission tracking, inventory, and business analytics. Client information processed through the App is collected solely to deliver our services and is protected by:

  • Role-based access control (RBAC) with branch-scoped data isolation
  • JWT-based authentication with token rotation
  • Phone-number masking for privacy-sensitive roles
  • Encrypted storage of sensitive fields
  • Immutable audit logging of all critical actions

When published to the Apple App Store and Google Play Store, the App will be governed by this Privacy Policy together with the App Store and Play Store privacy disclosures at the time of listing.

5. Legal Basis for Processing (DPDP Act 2023)

  • Consent — when you voluntarily share information or opt in to marketing
  • Legitimate use — for service delivery, booking management, safety, and internal operations
  • Legal obligation — for tax, regulatory, and compliance purposes (including GST, TDS, and statutory record-keeping)
  • Contractual necessity — to deliver the services you book

6. Meta Platforms — Facebook, Instagram, WhatsApp, Messenger

We use Meta products to advertise our services, communicate with clients, and measure ad performance. We share the following categories of information with Meta:

  • Hashed (converted with a one-way function) email and phone number for audience matching
  • Page views, button clicks, form submissions, and WhatsApp-click events
  • Booking and deposit events with transaction value, in aggregated form, through the Meta Conversions API
  • Content of messages you send us via Click-to-WhatsApp advertisements and Messenger, which are processed by Meta’s infrastructure

Meta’s processing of this data is governed by:

You may manage your Meta ad preferences here:

7. Other Third-Party Processors

  • Google (Analytics, Ads, Firebase) — anonymised usage analytics and push notifications. Governed by Google Privacy Policy.
  • Razorpay and other payment gateways — payment processing under RBI regulations and their own privacy policies. We do not store full card numbers or CVV.
  • Amazon Web Services — secure cloud storage for images and backups.
  • Cloudflare / hosting providers — CDN, performance, and security.

We do not sell your personal data to any third party for monetary consideration.

8. Cookies and Tracking Technologies

Our Site uses cookies and pixels for the following purposes:

  • Essential cookies — site functionality, security, and load balancing
  • Analytics cookies — Google Analytics (anonymised traffic measurement)
  • Advertising cookies — Meta Pixel and Google Ads remarketing
  • Preference cookies — remembering your language and settings

You can disable non-essential cookies through your browser settings. Disabling advertising cookies will not stop you seeing ads, but they may be less relevant.

9. Data Security

The security of your personal information is important to us. While we use commercially acceptable measures to protect your data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee its absolute security.

10. Data Retention

Data type | Retention period
Booking and client records | Relationship duration + 7 years (GST & Income Tax Act compliance)
Health questionnaires and consent forms | 7 years post-service
Payment and invoice records | 7 years (GST Act 2017, Section 36)
Marketing opt-in data | Until consent withdrawn, then 30 days
Website analytics | Maximum 26 months
Staff records (Enterprise App) | Employment duration + 1 year
Advertising cookies | Maximum 180 days
Soft-deleted records | Permanently purged after 90 days

11. Your Rights Under the DPDP Act 2023

As a Data Principal, you have the right to:

  • Access a summary of your personal data we process
  • Correction of inaccurate or incomplete data
  • Erasure of your personal data, subject to legal retention requirements
  • Withdraw consent for any processing that relies on consent (future processing only)
  • Grievance redressal with our Grievance Officer and, if unresolved, with the Data Protection Board of India
  • Nominate another person to exercise these rights in the event of your death or incapacity

To exercise any of these rights, email contact@apextattooz.com with the subject “DPDP Request”. We will respond within 30 days.

12. Children’s Data

Our services are intended for individuals 18 years and older. We do not knowingly collect personal data from children under 18, except where a guardian consents for a minor’s medical or consent form. If we learn we have collected data from a child without valid consent, we will delete it promptly.

13. International Data Transfers

Meta, Google, Razorpay, Amazon Web Services, and other processors may process your data on servers located outside India, including in the United States, the European Union, and Singapore. We rely on our processors’ lawful-transfer mechanisms and any restrictions notified by the Indian Government under Section 16 of the DPDP Act.

14. Marketing Communications

If you opt in to receive marketing:

  • We may message you via WhatsApp, SMS, email, Instagram Direct, or Messenger
  • You can unsubscribe at any time by replying STOP to WhatsApp/SMS, clicking Unsubscribe in an email, or emailing contact@apextattooz.com
  • Your opt-out will be honoured within 72 hours

15. Grievance Officer

In accordance with the DPDP Act 2023 and the Information Technology Act 2000, grievances regarding personal data may be submitted to our Grievance Officer at contact@apextattooz.com with the subject line “Grievance”. Grievances will be acknowledged within 48 hours and resolved within 30 days.

16. Business Registration & Licensing

Apex Tattooz is a lawfully registered business in the Republic of India. The following identifiers are in force at the date of this policy:

  • GSTIN: 07CXJPR6603L1ZY
  • Trade License Number: MGT L10252 756352 778

All invoices issued by Apex Tattooz are GST-compliant and carry our GSTIN. We maintain books of account, invoices, vouchers, and records in accordance with the GST Act 2017 for the statutory retention period.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the updated Privacy Policy on this page with a revised “Last Updated” date.

18. Contact Us

If you have any questions about this Privacy Policy, please email contact@apextattooz.com. Our registered address and contact number are available in the website footer.

This Privacy Policy was last updated on 15/04/2026.
