This Privacy Policy explains how we handle your personal information in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable European data protection laws.

By accessing or using our Website, you acknowledge that you have read and understood this Privacy Policy.


1. Data Controller

Controller:
Bruno Lattuada (trading as Lattuada Tattoo).

Contact Information:

  • Email: tattoolattuada@gmail.com


2. Information We Collect

We collect and process the following categories of personal data:

  • Identity & Contact Data: name, email address, phone number, postal address.

  • Booking & Appointment Data: tattoo design preferences, consultation notes, scheduling information.

  • Payment Data: billing information, invoices (processed securely via third-party payment providers).

  • Communications: inquiries, emails, forms, messages.

  • Technical Data: IP address, browser type, operating system, pages visited, cookies, analytics data.

  • Marketing Data: newsletter sign-ups, marketing preferences.


3. Purposes & Legal Bases for Processing

We process your personal data under GDPR on the following lawful bases:

  • Consent (Art. 6(1)(a) GDPR): sending newsletters or marketing updates.

  • Contract (Art. 6(1)(b) GDPR): managing bookings, consultations, and providing tattoo services.

  • Legal Obligation (Art. 6(1)(c) GDPR): complying with tax, accounting, and regulatory obligations.

  • Legitimate Interest (Art. 6(1)(f) GDPR): maintaining Website security, preventing fraud, improving services, limited marketing (where appropriate).

You can withdraw consent at any time without affecting the lawfulness of prior processing.


4. Data Sharing

Your personal data may be shared with:

  • Service Providers: hosting providers, analytics (e.g., Google Analytics), email platforms (e.g., Mailchimp), booking/payment processors (e.g., PayPal, Stripe).

  • Legal & Regulatory Authorities: if required by law.

  • Business Transfers: if part of a merger, acquisition, or restructuring.

We do not sell your data to third parties.


5. International Transfers

We primarily process data within the EU/EEA. If data is transferred outside the EU/EEA (e.g., U.S.-based providers), we ensure adequate safeguards such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Transfers only to countries with an Adequacy Decision.


6. Data Retention

We retain your personal data only for as long as necessary:

  • Bookings & Client Records: up to 5 years (or as required by national tax laws in Finland, Spain, or Germany).

  • Marketing Data: until you unsubscribe or withdraw consent.

  • Technical/Analytics Data: typically up to 24 months.

Once no longer needed, data is securely deleted or anonymized.


7. Cookies & Tracking

We use cookies in line with the EU ePrivacy Directive and national implementations (e.g., Spain’s LSSI, Germany’s TTDSG).

  • Necessary cookies: essential for site functionality.

  • Analytics cookies: used with consent (e.g., Google Analytics).

  • Marketing cookies: used with explicit consent.

You can manage cookies via our cookie banner or browser settings.


8. Your GDPR Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR).

  • Rectify inaccurate or incomplete data (Art. 16 GDPR).

  • Erase data (“Right to be Forgotten,” Art. 17 GDPR).

  • Restrict processing (Art. 18 GDPR).

  • Request data portability (Art. 20 GDPR).

  • Object to processing (Art. 21 GDPR), including direct marketing.

  • Withdraw consent at any time (Art. 7 GDPR).

  • Lodge a complaint with a supervisory authority (Art. 77 GDPR).

Relevant Supervisory Authorities:

  • Finland: Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

  • Spain: Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD)

  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)

You may contact the authority in your country of residence or where you believe an infringement occurred.


9. Security Measures

We implement strong technical and organizational measures:

  • SSL/TLS encryption on all Website traffic.

  • Restricted data access and secure storage.

  • Regular updates and security audits.

  • Use of trusted service providers with GDPR-compliant practices.


10. Children’s Data

Our Website and services are not intended for individuals under 18 years of age. If we become aware that we have collected personal data of a child without parental consent, we will delete it immediately.


11. Updates to This Policy

We may update this Privacy Policy to reflect changes in services, legal requirements, or operations. Updates will be posted here with a revised “Effective Date.”


12. Contact

For questions, requests, or to exercise your rights under GDPR:

  • Email: tattoolattuada@gmail.com