Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how Nexalyx Tattoo Studio (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit our website and when you contact us for consultations, bookings, tattoos, piercing, or custom art enquiries. It applies to data processed through our website, our contact forms, and related communications.

For the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is Nexalyx Tattoo Studio LLC, 20-22 Wenlock Road, Hoxton, London N1 7GU, United Kingdom.

If you have questions about this Privacy Policy or how we handle your data, contact us at [email protected].

Effective Date: March 12, 2026.

2. Personal Data We Collect

We collect personal data that you choose to provide, as well as limited technical data that is automatically processed when you use the website. The categories below reflect the typical information needed to respond accurately to studio enquiries and to keep the site secure and functioning.

• Identity and contact details: name, email address, telephone number.
• Form and message content: the details you write in the enquiry form (such as placement area, approximate size, preferred style, time constraints, and general project notes).
• Technical data: IP address, browser type and version, device information, operating system, language, and approximate location derived from IP (country/city-level).
• Usage data: pages visited, time spent on pages, referrer/source, click paths, and interaction events used to understand site performance.
• Cookies and identifiers: consent state and other cookie identifiers described in Section 4 and in our Cookie Policy.
• Conversion events: signals that an enquiry form was submitted or that a key action occurred (for example, reaching the thank-you page after a successful submission).

We do not intentionally collect special-category data (such as health data, biometric identifiers, religious or political opinions), financial account details, or government identification numbers through the website. Please do not send sensitive personal information through website forms.

3. Why We Process Personal Data & Legal Bases (GDPR Art. 6)

We process personal data only where there is a lawful basis to do so. The lawful basis may differ depending on the activity.

• Responding to enquiries and arranging consultations/bookings: processing is necessary for steps you request prior to entering into a service arrangement (GDPR Art. 6(1)(b)) and, where applicable, based on your consent to be contacted (GDPR Art. 6(1)(a)).
• Analytics: if enabled via cookie preferences, we process usage data to understand how the site is used and to improve pages (GDPR Art. 6(1)(a) consent).
• Marketing and remarketing: if enabled via cookie preferences, we process data to measure advertising performance and improve relevance (GDPR Art. 6(1)(a) consent).
• Security and fraud prevention: we process technical data and logs to protect the website and prevent abuse, including automated spam submissions (GDPR Art. 6(1)(f) legitimate interests).
• Legal obligations: where required, we may process data to comply with applicable laws (GDPR Art. 6(1)(c)).

Automated Decision-Making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

4. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the site, remember your consent choices, and (if you allow it) measure usage and advertising effectiveness. Cookie categories and examples are aligned with our Cookie Policy.

Essential cookies (always active)

Essential cookies are required for basic site functionality and consent management. These do not require consent under applicable rules in the UK/EEA when used strictly for necessary purposes.

• _site_session: supports basic session continuity.
• cookie_consent: stores your cookie preference choices.
• Security-related tokens: used to reduce abuse and protect form endpoints where applicable.

Typical retention: session up to 12 months depending on cookie type.

Analytics cookies (consent required)

If you opt in, analytics cookies help us understand which pages are useful and how visitors navigate the site. We may use Google Analytics 4 (GA4) with IP anonymization where available. Example cookies include:

• _ga (typically 2 years)
• _ga_XXXXXXXXXX (GA4 session state; typically 2 years)

Analytics data retention is typically 14 months (configuration dependent).

Marketing cookies (consent required)

If you opt in, marketing cookies help us measure ad performance and build audiences for relevant advertising. Cookies may include:

• _gcl_au (Google Ads conversion linker; typically 90 days)
• _fbp (Meta Pixel browser identifier; typically 90 days)
• _fbc (Meta Pixel click identifier; typically 90 days when a click ID is present)

Beyond cookies, some advertising measurement may use pixel tags or server-side signals (for example, hashed identifiers) where you have provided consent for marketing cookies.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie (typically 12 months).

You may withdraw or adjust consent at any time via the “Manage cookie preferences” link in the footer, or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.

6. Sharing With Advertising & Service Partners

We may share limited data with service providers and advertising partners when necessary to operate the site, respond to enquiries, and (if consented) measure advertising effectiveness. We do not sell personal data.

• Google LLC (Google Analytics 4, Google Ads, Tag Manager, remarketing): cookie identifiers, usage data, conversions, and audience signals where consented. Reference: https://policies.google.com/privacy
• Meta Platforms, Inc. (Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversions, audience membership, and hashed identifiers where consented. Reference: https://www.facebook.com/privacy/policy
• Cloudflare, Inc. (CDN and security services): IP-based threat detection and performance optimization. Reference: https://www.cloudflare.com/privacypolicy/

We do not permit these providers to use site data for their own independent commercial purposes beyond providing services to us, subject to their contractual terms and applicable law.

7. International Transfers

Some providers may process data outside the UK/EEA, including in the United States. Where applicable, transfers may rely on the EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF (where a provider is certified), with Standard Contractual Clauses (EU 2021/914) and/or the UK IDTA used as fallback safeguards where appropriate.

We apply reasonable safeguards to protect personal data in line with applicable requirements for cross-border transfers.

8. Data Retention

We retain personal data only for as long as needed to achieve the purposes described in this policy, unless a longer retention period is required or permitted by law. Typical retention periods include:

• Contact submissions and booking enquiries: up to 2 years from the last interaction.
• Email correspondence: for the duration of the relationship, plus up to 1 year for follow-up and record-keeping.
• Analytics data: typically 14 months (configuration dependent).
• Marketing cookies: per cookie lifetime (for example, 90 days for common advertising cookies).
• Server and security logs: typically up to 90 days, unless needed longer to investigate security incidents.
• Cookie consent record: up to 3 years for audit and compliance documentation.
• Legal and tax records: as required by law (often 6–10 years depending on the record type).

9. Your Rights (GDPR & UK GDPR)

Depending on your location and applicable law, you may have the following rights:

• Right of access (GDPR Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise a right, contact us at [email protected]. We typically respond within 30 days. This may be extended by up to 60 additional days for complex requests, in which case we will inform you.

Supervisory authority references (depending on your location) include: the European Data Protection Board (https://edpb.europa.eu) and the UK Information Commissioner’s Office (https://ico.org.uk).

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we become aware that a child under 16 has submitted personal data without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own approaches to DNT and similar controls.

12. Data Deletion Requests

You can request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may ask for additional information to verify your identity and to locate the relevant data. We aim to complete requests within 30 days after verification, except where retention is required by law.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity as part of the transaction. If such a transfer materially changes how personal data is used, we will provide notice on the website.

14. California Privacy Notice (CCPA/CPRA)

This section applies to California residents to the extent the California Consumer Privacy Act, as amended by the CPRA, is applicable. In the past 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email, IP address, cookie identifiers.
• Internet or network activity: browsing interactions, usage metrics.
• Inferences: preferences inferred from site usage for advertising relevance (where consented).

We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising where marketing cookies are enabled. California residents may opt out of sharing for targeted advertising via our cookie preferences panel (accessible through “Manage cookie preferences” in the footer).

Subject to applicable exceptions, California residents may have the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. Requests can be submitted by emailing [email protected] with the subject line “California Privacy Request”. We will take reasonable steps to verify your identity before responding. Authorized agents must provide written proof of authorization.

15. Virginia Privacy Notice (VCDPA)

Where applicable, Virginia residents may have rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.

Requests can be submitted by emailing [email protected] with the subject line “Virginia Privacy Request”. If we decline a request, you may appeal by emailing with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada Privacy Notice

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via a site notice at least 14 days before they take effect. The “Last Updated” date at the top of this page reflects the most recent revision.

18. Contact

If you have questions or requests regarding privacy, contact:

Nexalyx Tattoo Studio LLC

20-22 Wenlock Road, Hoxton, London N1 7GU, United Kingdom

Email: [email protected]