Privacy Policy

How we collect, use, and protect your personal information

Last updated: 9 February 2026

1. Who We Are

Blackbird Studios ("we", "us", "our") operates tattoo and laser removal services in Lymington, Hampshire, UK. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: For any privacy-related queries, please email us at britt@blackbirdstudio.co.uk

2. Information We Collect

We collect the following types of personal information:

Account Information

  • Full name
  • Email address
  • Phone number
  • Date of birth (to verify you are 18+)

Booking Information

  • Tattoo placement and size preferences
  • Design descriptions and reference images
  • Appointment requests and history

Health & Consent Information

  • Medical conditions relevant to tattooing/laser procedures
  • Allergies and skin conditions
  • Medications
  • Pregnancy status
  • Digital signatures on consent forms

3. Legal Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Contract (Article 6(1)(b)): To provide our tattooing and laser removal services, manage bookings, and communicate with you about appointments.
  • Legal Obligation (Article 6(1)(c)): To comply with health and safety regulations and maintain records as required by law.
  • Legitimate Interests (Article 6(1)(f)): To protect our business against legal claims and maintain records for insurance purposes.
  • Consent (Article 6(1)(a)): Where we send marketing communications (you can withdraw consent at any time).

Special Category Data (Health Information)

We process health-related information under Article 9(2)(f) of UK GDPR - processing is necessary for the establishment, exercise, or defence of legal claims. This is essential for tattooing and laser procedures where medical history affects treatment safety.

4. Data Retention

⚠️ Important: Consent Form Retention

Consent forms are retained indefinitely. This is required because:

  • Tattooing and laser procedures may result in claims many years after the procedure
  • Under the Limitation Act 1980, personal injury claims can be brought up to 3 years from when an injury is discovered (not when the procedure occurred)
  • Insurance companies require proof of informed consent for any claims
  • This retention is lawful under UK GDPR Article 17(3)(b) and (e) - exceptions to the right to erasure for legal obligations and defence of legal claims

Other Data Retention Periods

  • Account data: Retained while your account is active, plus 7 years after closure
  • Booking records: 7 years after the appointment date
  • Reference images: Deleted within 12 months of appointment completion, or on request
  • Marketing preferences: Until you withdraw consent

5. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements - see Section 4 regarding consent forms)
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent

To exercise any of these rights, please contact us at britt@blackbirdstudio.co.uk. We will respond within one month.

6. Data Security

We take appropriate technical and organisational measures to protect your personal data:

  • All data is encrypted in transit (HTTPS/TLS)
  • Data is stored on secure cloud infrastructure with encryption at rest
  • Access is restricted to authorised personnel only
  • We use strong authentication and access controls
  • We carry out regular security reviews and updates

7. Data Sharing

We do not sell your personal data. We may share data with:

  • Service providers: Cloud hosting (Supabase/AWS), email services - under strict data processing agreements
  • Legal requirements: If required by law, court order, or regulatory authority
  • Insurance: In response to claims or potential claims
  • Professional advisers: Lawyers and accountants, where necessary

8. Cookies

We use only essential cookies required for the website to function:

  • Authentication cookies: To keep you logged in
  • Theme preference: To remember your light/dark mode choice

We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Complaints

If you have concerns about how we handle your data, please contact us first. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

https://ico.org.uk/make-a-complaint/

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes by email or by posting a notice on our website. The "last updated" date at the top of this policy indicates when it was last revised.