We process, you are the controller
This Data Processing Agreement (DPA) is an addendum to our terms of service and governs how inktboek processes personal data of your customers on your behalf.
1. Roles
For the data of your customers (end customers of the tattoo studio) you (the studio) are the controller in the sense of GDPR. inktboek is the processor: we process that data only on your instructions and under this agreement.
For your own account data (your studio name, your artist profiles, your login) we are the controller. The privacy statement applies to that.
2. What we process
| Category | Examples |
|---|---|
| Identifying | Name, email, phone |
| Intake / request | Description, desired body area, size, color, budget |
| Medical (special category) | Allergies, medication use, first tattoo yes/no |
| Image material | Customer-uploaded reference photos, healed photos |
| Communication | Chat messages between customer and artist |
| Financial | Deposit amount, status, transaction IDs (card and bank numbers are held by Stripe, not by us) |
| Audit | Timestamps of booking creation, status changes, payments |
| Ink and compliance (NEN-EN 17169) | Per-session registered inks (brand, product name, color code, batch number, expiry, REACH conformity) and the generated ink passport as PDF, linked to customer and session |
3. For whom and how long
- Customers of studios using inktboek
- Retention: as described in the privacy statement (account data until cancellation + 30 days; customer data 7 years, for fiscal retention)
- On your (studio's) request we delete customer data earlier, to the extent legal retention allows
4. Sub-processors
To deliver the service we engage the following sub-processors. This list was last updated on May 2, 2026. Material changes are announced at least 30 days in advance so that you can object.
| Sub-processor | Function | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Our payments partner: processing deposits, money goes straight to the artist | EU (Ireland) |
| Strato AG | Hosting of app server, database and S3 file storage (intake photos, project files, healed photos and NEN-EN 17169 ink passport PDFs) | Germany (EU) |
For sending confirmations, reminders and login links we run our own mail server at Strato. No external mail service sits between us and the recipient.
We use additional one-off technical service providers (e.g. monitoring) only if they get no access to personal data.
5. Our obligations as processor
- We process personal data only on your instructions and under this agreement.
- We take appropriate technical and organizational measures (see section 7).
- We assist you in answering data subjects' access, rectification and deletion requests.
- We notify you without delay, and at the latest within 24 hours of discovery, of any data breach involving your customers' data.
- We assist you with notifications to the Dutch Data Protection Authority and data subjects where legally required.
- After cancellation we delete the data within 30 days, except where legal retention requires otherwise.
6. Your obligations as controller
- You inform your customers about their privacy rights and how you process their data, for example via a privacy page on your own website.
- You use inktboek only for purposes for which you have a valid legal basis (performance of the contract for tattoo work, or consent).
- You give us instructions via the inktboek app itself (e.g. a deletion request for a specific customer). For deviating instructions: in writing by email.
7. Security measures
- Traffic between browser and inktboek runs encrypted over HTTPS
- Passwords are stored encrypted; nobody on our side can read them
- Sign-in works via a secure session cookie
- Rate limiting against abuse of login and API calls
- Stripe payments are verified before we update status
- Daily database backups, encrypted, kept for 30 days
- Server access strictly restricted, no password logins
- Logs of login and payment moments are kept for 30 days
8. Audit right
You may carry out (or have carried out) an audit once per year on our compliance with this agreement, with 30 days' notice and at your own cost. We cooperate reasonably. As an alternative we provide on request copies of relevant certifications or audit reports.
9. Liability
The liability limitation from the terms of service also applies to this DPA, except where mandatory law (such as GDPR for specific fines) requires otherwise.
10. Term and termination
This DPA runs for as long as you have an active inktboek account. On termination of your subscription this DPA ends automatically. Our obligations for data export and deletion remain in force per section 5.
Questions or need an adjusted DPA for your situation? Email privacy@inktboek.nl. For larger studios or chains we can provide a signed paper copy.