Privacy Policy

The data controller for the Bokat platform is Bokat (contact details are listed at the end of this policy). Artists who use Bokat to manage bookings act as separate controllers for their own client relationships; we process data on their behalf only where described below.

Depending on how you use Bokat, we may collect:

• Account data for artists: email address, display name, profile details (bio, location, social handles, avatar), and booking settings.
• Booking and request data: name, email, phone number, tattoo description, placement and size preferences, reference images, availability notes, and health disclosure responses submitted through booking forms.
• Communications: messages sent through booking request threads between artists and clients.
• Technical data: IP address, browser type, device information, and cookies or similar technologies needed to operate and secure the service.
• Waitlist sign-ups: email address and optional source tag when you join our marketing waitlist.

We use personal data to:

• Provide booking intake, request management, messaging, and related notifications.
• Authenticate artists and, where applicable, clients via magic links.
• Send transactional emails (for example booking confirmations, proposals, and appointment reminders) through our email provider.
• Improve security, prevent abuse, and verify submissions (including bot protection where enabled).
• Operate analytics in aggregate form to understand how the service is used.
• Comply with legal obligations and enforce our Terms of Service.

For users in the European Economic Area, we rely on:

• Contract — to perform the booking and account services you request.
• Legitimate interests — to secure the platform, prevent fraud, and improve the product, balanced against your rights.
• Consent — where required (for example optional marketing or non-essential cookies, when offered).
• Legal obligation — where we must retain or disclose data under law.

We do not sell your personal data. We share data with trusted service providers who process it on our instructions, including hosting and database (Supabase), email delivery (Resend), payment processing when enabled (Stripe), and infrastructure providers (for example Vercel). These providers are bound by appropriate data protection terms.

Artists receive client data submitted to their booking page so they can respond to requests. Clients may see limited artist profile information on public pages.

Some processors may store or process data outside the EEA. Where that occurs, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms required under GDPR.

We keep personal data only as long as needed for the purposes above, including while an account or booking relationship is active and for a reasonable period afterward for legal, accounting, or dispute resolution purposes. Artists may export or delete certain data through the product as features become available.

If you are in the EEA or UK, you may have the right to access, rectify, erase, restrict, or object to processing of your data, and to data portability where applicable. You may also lodge a complaint with your local supervisory authority (in Sweden: Integritetsskyddsmyndigheten, IMY).

To exercise your rights, contact us using the details below. We may need to verify your identity before responding.

We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, and row-level security in our database. No online service can guarantee absolute security.

Bokat is not directed at children under 18. Tattoo booking flows require clients to confirm they are 18 or older. We do not knowingly collect data from minors.

We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be communicated where appropriate.

Questions about privacy: privacy@bokat.app

Postal address: Bokat, Sweden (full address available on request for legal correspondence).