Privacy Policy

Last updated: 12.05.2026

We take the protection of your data seriously. This Privacy Policy explains what personal data we collect when you use AI Florian, how we process it and what rights you have. Switzerland is our primary jurisdiction; the Swiss Federal Act on Data Protection (revFADP / revDSG, in force since 1 September 2023) applies. For users located in the European Union, the General Data Protection Regulation (GDPR) also applies and we comply with both regimes in parallel.

1. Controller

Tattoomii AG, Badenerstrasse 541, 8048 Zurich, Switzerland.
Contact: Noa Walser, hello@tattoomii.com

We have not appointed a representative in the EU under Art. 27 GDPR because the threshold for mandatory appointment is not met. EU residents can reach us directly at the email above.

2. What data we process

  • Account data: name, email, studio name, password hash, multi-factor secret, locale and theme preferences.
  • Email content: through the Gmail OAuth connection, incoming and outgoing customer emails are read, stored encrypted in our database and used to generate reply drafts.
  • Attachments and images: tattoo references are stored in a private storage bucket and served only through signed URLs.
  • Customer data of your studio: name, email, phone, tags, notes, appointment history, free-text notes you enter for that customer.
  • Usage data: technical logs (IP, browser, timestamp) to ensure operation, debug issues, and detect abuse.
  • Consent records: timestamp and version of the Terms and Privacy Policy you accepted, used as evidence of consent.
  • Waitlist data: email address, locale and browser user agent when signing up to the waitlist.

3. Purpose of processing

We process your data exclusively to deliver the Service: generating reply drafts, managing appointments, updating customer profiles, securing the platform. We do not train our own AI models on your data. We do not sell, rent, or share your data with third parties for advertising or profiling purposes.

4. Legal bases

Under the Swiss revDSG, processing of personal data does not generally require a specific legal basis, but it must be lawful, proportionate and transparent. For EU users (GDPR), the following legal bases apply:

  • Performance of contract (Art. 6(1)(b) GDPR): account, email content, appointments, drafts.
  • Legitimate interest (Art. 6(1)(f) GDPR): technical logs, abuse detection, security.
  • Consent (Art. 6(1)(a) GDPR): Gmail mailbox connection, waitlist enrolment. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): retention of billing and tax records.

5. Processors and third parties

We use the following processors:

  • Supabase (database, storage, auth) - EU region (Ireland).
  • Vercel (web hosting) - global edge, US-headquartered.
  • Inngest (background jobs) - US-headquartered.
  • OpenRouter (LLM routing) and downstream model providers (DeepSeek, xAI, Google Gemini etc.) - mainly US-based.
  • Google (Gmail API for mailbox connection) - global, US-headquartered.
  • Upstash (Redis cache and rate-limiting) - EU region.

We have data processing agreements (DPA / AVV) with all processors. Studios can request a copy of the DPA chain at hello@tattoomii.com.

6. International data transfers

Because we are based in Switzerland, transfers of personal data into Switzerland are considered transfers under Art. 16 revDSG and Chapter V GDPR for EU users. Switzerland has an adequacy decision from the EU Commission, so EU-to-Switzerland transfers do not require additional safeguards. For transfers to the United States (Vercel, Inngest, OpenRouter, Google, LLM providers) we rely on the EU Standard Contractual Clauses and on the Swiss FDPIC-recognised mechanisms. We do not transfer data to jurisdictions without adequate protection without additional safeguards in place.

7. Automated processing and AI

We use Large Language Models to extract structured fields from incoming customer emails and to draft replies. Drafts are NEVER sent automatically: a studio member reviews and approves each draft manually. No automated individual decision-making with legal effect in the sense of Art. 22 GDPR or Art. 21 revDSG takes place.

8. Retention period

We retain your data for as long as your account is active. Within 30 days after termination, personal data is deleted or anonymised, subject to statutory retention obligations (e.g. ten-year retention of accounting records under Swiss CO Art. 958f).

9. Your rights

You have the rights of access (Art. 25 revDSG / Art. 15 GDPR), rectification (Art. 32 revDSG / Art. 16 GDPR), erasure (Art. 17 GDPR), restriction (Art. 18 GDPR), data portability (Art. 28 revDSG / Art. 20 GDPR), and objection (Art. 21 GDPR). You may withdraw any consent at any time with effect for the future. Contact hello@tattoomii.com.

You may lodge a complaint with the competent supervisory authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch). EU residents may also complain to the supervisory authority of their habitual residence.

10. Cookies

We use only strictly necessary cookies (auth session, language and theme preferences, filter selection). No tracking or advertising cookies. No cookie banner is required because none of our cookies require consent under EU ePrivacy / Swiss FADP.

11. Changes to this policy

We may update this Privacy Policy. The current version is available on this page; the version identifier is shown under 'Last updated'. We will notify you by email of any material changes.

12. Governing law

This Privacy Policy is governed by Swiss law. Mandatory data protection rights granted by the law of your habitual residence remain unaffected. The English version of this Policy prevails in case of any discrepancy with translations.