CoilShift Privacy Policy
This Privacy Policy explains how CoilShift handles personal data. It covers both our marketing website at coilshift.com and the CoilShift software used by tattoo studios, artists, and convention organizers (the "Service"). Please read it together with any agreement between your studio and CoilShift.
Who we are
The controller and operator of CoilShift is:
- Wilde Performance Systems — a Belgian sole proprietorship (eenmanszaak), the operator of CoilShift
- Belgium — full postal address available on request
- Enterprise & VAT number: BE 0676.855.607
- Email: hello@coilshift.com
- Website: coilshift.com
You can use the email address above for any privacy question or to exercise your rights. We are based in Belgium and the General Data Protection Regulation (EU 2016/679, "GDPR") applies.
Controller and processor: who is responsible for what
CoilShift plays two different roles depending on whose data is involved. This split matters, so we state it clearly.
- For your studio's or artist's account data, CoilShift is the controller. This includes the name, email, and login details you create when you sign up and use CoilShift as a customer. We decide how this data is used to run and bill the Service.
- For a studio's own client data, CoilShift is the processor. When a studio uses CoilShift to manage its clients (bookings, consent forms, health intake, reminders, and so on), the studio is the controller of that client data and CoilShift processes it only on the studio's documented instructions. In that case the studio decides why and how the data is used; CoilShift simply provides the tools. A Data Processing Agreement (DPA) between CoilShift and each studio governs this relationship; Article 28 GDPR requires such a contract, so it is a condition of using the Service.
If you are a tattoo client and you have a question about your data, your first point of contact is usually the studio you booked with, because the studio is the controller of that data. CoilShift will support the studio in answering your request.
The data we collect
We only collect what we need to provide the Service. The categories below describe everything processed in the product app and on the marketing site.
Studio and artist account data (CoilShift is controller)
- Name of the studio or artist
- Email address
- Login credentials
- Account, billing, and subscription details
Client data managed by studios (CoilShift is processor)
- Client name, email address, and phone number
- Reference images uploaded for a tattoo
- Booking details (date, time, artist, service, notes)
- Health intake information provided before tattooing. This is special-category data concerning health under Article 9 GDPR and is the most sensitive item we handle. See the dedicated section below.
- Digital consent and waiver forms, including the client's signature
- Payment and deposit data. Card payments are processed by Stripe, and full card data never touches CoilShift servers.
- SMS and email notification content and delivery logs (for example, appointment reminders and their delivery status)
Convention and organizer data (CoilShift is processor for the organizer)
- Vendor government-issued IDs
- Bloodborne-pathogen certificates
- Booth floor-plan assignments and walk-in check-in records
Vendor IDs and bloodborne-pathogen certificates are sensitive documents and are stored in a restricted compliance vault.
Marketing website data
The marketing site at coilshift.com is informational only. It sets no cookies, runs no analytics, and uses no tracking. There are no forms on the site that collect personal data. The only data generated is the standard server and access logs kept by our hosting provider (such as IP address and request time), which are used to keep the site secure and available.
Why we use your data and our lawful basis
Under the GDPR we must have a lawful basis for each use of personal data. The table of purposes below explains what we do and why we are allowed to do it.
- Creating and running studio/artist accounts. Basis: performance of a contract (Article 6(1)(b)). We need account data to give you access to the Service and keep it working.
- Managing bookings and taking deposits. Basis: performance of a contract. For a studio's clients, this processing is carried out on the studio's behalf and rests on the studio's contract with its client; CoilShift acts as processor.
- Processing payments and deposits. Basis: performance of a contract, and compliance with a legal obligation (Article 6(1)(c)) for keeping financial and tax records.
- Health intake before tattooing. Basis: the client's explicit consent under Article 9(2)(a), collected by the studio through the digital intake form. See the next section.
- Digital consent and waiver forms. Basis: performance of a contract and the studio's legitimate interest in documenting informed consent before a procedure. The studio is the controller of these records and CoilShift holds them as processor.
- Sending SMS and email reminders and service messages. Basis: performance of a contract; for the studio's clients this is done on the studio's instructions as processor.
- Keeping the Service secure, preventing fraud and abuse, and debugging. Basis: legitimate interest (Article 6(1)(f)) in running a safe and reliable platform.
- Convention compliance (vendor IDs and certificates, check-in). Basis: the organizer's legitimate interest (Article 6(1)(f)) and, where applicable, the organizer's legal obligation (Article 6(1)(c)) to verify that vendors meet health and safety requirements; CoilShift acts as processor for the organizer.
- Marketing communications from CoilShift to studios/artists. Basis: consent (Article 6(1)(a)), or our legitimate interest in sending existing customers limited messages about services similar to those they already use. Every such message includes an opt-out, and you can opt out at any time.
- Standard server and access logs on the marketing site. Basis: legitimate interest in security and availability.
Health intake: special-category data
Health intake data is the most sensitive information in CoilShift and we treat it with special care. Under Article 9 GDPR, data about a person's health is a special category that may only be processed under strict conditions.
- Health intake is collected by the studio from the client, before tattooing, through CoilShift's digital intake form.
- It is processed only on the client's explicit consent under Article 9(2)(a), which the client gives through the form.
- CoilShift acts only as processor for this data, on the studio's instructions. The studio, as controller, is responsible for obtaining and recording that explicit consent.
- Access to health intake records is restricted, the data is encrypted, and it is never used for marketing or any purpose other than the tattoo appointment and the studio's legal record-keeping.
Sub-processors
We use a small number of trusted service providers to run CoilShift. For studio/artist account data (where CoilShift is controller) each acts as our processor; for studio and organizer data (where CoilShift is processor) each acts as a sub-processor. In both cases they process data only on our documented instructions and are bound by a Data Processing Agreement (DPA) with appropriate confidentiality and security obligations.
- Vercel — website and application hosting and content delivery
- Supabase — database, authentication, and file storage
- Stripe — payment and deposit processing (card data is handled entirely by Stripe)
- Twilio — SMS message delivery
- Resend — transactional email delivery
Fonts on our site are self-hosted, so no data is shared with font providers such as Google Fonts. We will keep this list current and update it when sub-processors change.
International transfers
CoilShift is based in the EU and we keep data within the EU/EEA wherever we can. Some of our sub-processors may transfer or store data in the United States or other countries outside the EEA. Where that happens, the transfer relies on a GDPR-recognised mechanism: either an adequacy decision of the European Commission (for US providers certified under the EU-US Data Privacy Framework, DPF) or, where no adequacy decision applies, the Commission's Standard Contractual Clauses (SCCs) as the appropriate safeguard. You can ask us for more information about the mechanism in place for a specific provider.
How long we keep data
We keep personal data only for as long as we need it, then delete or anonymize it. Our default retention periods are:
- Studio/artist account data: kept for as long as the account is active, and for a limited period after the account is closed (typically up to 90 days) to allow recovery and to wind down the relationship, after which it is deleted.
- Client records (bookings, contact details, reference images): kept while the studio's account is active, and deleted in line with the studio's instructions as controller after that. The studio sets the exact period for its own clients.
- Payment and deposit records: kept for around 7 years to meet Belgian and EU tax and accounting law.
- Health intake and consent/waiver records: kept for as long as the studio is required to keep them under its own legal obligations (for example, health and safety record-keeping duties). The studio, as controller, sets this period; CoilShift holds the records on the studio's behalf.
- SMS and email content and delivery logs: kept for a short operational period to confirm delivery and troubleshoot, then deleted.
- Convention vendor IDs and certificates: kept for the duration of the event and a limited compliance window afterwards as set by the organizer, then deleted.
- Marketing-site server logs: kept for a short period by the hosting provider for security and then rotated out.
Your rights
If your data is processed in connection with CoilShift, the GDPR gives you the following rights:
- Access — ask whether we hold your data and get a copy of it.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure — ask us to delete your data ("right to be forgotten"), where no legal reason requires us to keep it.
- Restriction — ask us to limit how we use your data in certain situations.
- Portability — receive data you provided in a structured, commonly used, machine-readable format, and have it sent to another provider where technically possible.
- Objection — object to processing based on legitimate interest, and object at any time to direct marketing.
- Withdraw consent — where we rely on your consent (including the explicit consent for health intake or for marketing), you can withdraw it at any time, without affecting processing done before you withdrew.
To exercise any of these rights for data where CoilShift is the controller (your studio/artist account), email us at hello@coilshift.com. If your request concerns client data held by a studio, the studio is the controller and you should contact the studio first; we will assist the studio in responding. We will reply within one month, as required by the GDPR; for complex or numerous requests the GDPR allows this period to be extended by up to two further months, and if that is needed we will tell you within the first month and explain why.
Complaints to the supervisory authority
If you believe your data has been handled unlawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données). You can also contact the supervisory authority in your own EU country of residence. We would, of course, appreciate the chance to address your concern first.
Cookies and tracking on the marketing site
The coilshift.com marketing site sets no cookies, uses no analytics, and runs no tracking of any kind. The only data created when you visit is the standard server and access log kept by our hosting provider for security and availability. Because we do not track you, no cookie banner or consent prompt is needed on the marketing site.
How we keep data secure
We take appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Authentication and access controls, with sensitive records (health intake, consent forms, vendor IDs and certificates) kept in restricted areas
- Card data handled entirely by Stripe, so it never reaches CoilShift servers
- Reputable hosting and infrastructure providers bound by DPAs
- Limiting access to personal data to what is necessary to run the Service
No system can be guaranteed perfectly secure, but we work to protect your data and to respond quickly if anything goes wrong. Where the law requires, that includes notifying the Belgian Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Article 33 GDPR), notifying affected people where the breach is likely to result in a high risk to them (Article 34), and, where CoilShift is the processor, notifying the studio or organizer as controller without undue delay so that it can meet its own obligations.
Children
CoilShift is a service for tattoo professionals and adult clients. Tattoo clients must be 18 or older. The Service is not directed at children and we do not knowingly collect data from anyone under 18. If you believe a child's data has reached us, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time, for example when we add a feature or change a sub-processor. For significant changes, we take reasonable steps to let affected users know. The current version always governs our processing.
Contact us
For any privacy question, or to exercise your rights, contact Wilde Performance Systems, established in Belgium (full postal address available on request), at hello@coilshift.com.