Privacy Policy

Effective Date: 1 May 2026 Last Updated: 1 May 2026

1. Introduction

This Privacy Policy explains how Global Ink Alliance Ltd ("GIA", "we", "us", "our") collects, uses, stores, and protects your personal data when you use our mobile application, our websites (getgia.app, globalinkalliance.com, learn.getgia.app), and any related services (collectively, the "Services").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

In plain English: This document tells you what data we collect about you, why, who we share it with, how long we keep it, and what control you have. We've kept the legal language to a minimum and added "in plain English" summaries throughout.

2. Who We Are

Data Controller:

Global Ink Alliance Ltd (a private company limited by shares)
Registered in England and Wales under company number 17173898
Registered office: Suite RA01, 195-197 Wood Street, London, E17 3NU, United Kingdom
D-U-N-S Number: 234771768
Director: Denys Humen

Privacy Contact (Data Protection Inquiries):

Email: privacy@globalinkalliance.com
General contact: hello@globalinkalliance.com / ceo@globalinkalliance.com

For all data protection questions, requests, or complaints, please write to privacy@globalinkalliance.com. We aim to respond within 30 calendar days as required by law.

3. Where We Are Based

GIA is operated by Global Ink Alliance Ltd, a company established in the United Kingdom. We process personal data in compliance with the UK GDPR and the EU GDPR.

For all data protection inquiries — regardless of where you are based — please contact us at privacy@globalinkalliance.com. We respond to all EU/EEA and UK residents in line with their statutory rights under the applicable GDPR.

4. What Personal Data We Collect

We collect different categories of data depending on how you use our Services. We aim to collect only what is necessary.

4.1 Data You Provide During Registration

Full name or pseudonym
Phone number (verified by SMS code)
Email address (verified by email code, optional in some flows)
Role: Artist, Studio, Client, or Festival
Country (auto-detected from your IP and confirmed by you)
Date of birth or self-declared age (you must be 18 or older)
Profile photo (optional)

4.2 Profile Data

Bio / "About me" text
Tattoo styles you work with or are interested in
Experience level (Junior / Middle / Senior / Master)
Portfolio photographs
Studio address (for Studio, Artist, and Festival roles only)
City and approximate location (only updated when you explicitly tap "Detect location")
Per-role contact handles: WhatsApp, Telegram, Instagram, additional phone numbers, additional email addresses, with their own verification status

4.3 Communications and User-Generated Content

Direct messages between you and other users
"Let's Talk" public comments on profiles
Deal calendars, ticket photographs, and address-exchange records you upload
Public posts, advertisements, and announcements
Reactions, likes, and similar engagement signals

4.4 AI Sketch Data

When you use our AI Sketch (Tattoo Design AI) feature:

The text prompts you submit
The images generated for you
Timestamps and your account ID linked to each generation

We pass your prompt to Replicate Inc. (our AI sub-processor — see Section 9) and receive back a generated image. Replicate processes the prompt only to generate the image and does not retain it after delivery, in line with their published policy.

4.5 Health and Aftercare Data

If you use our Aftercare feature, we collect:

The date of your tattoo session (or self-reported equivalent)
General body zone (e.g. "forearm", "back") — never specific medical detail
The reminders schedule you opt into

We do not collect symptoms, medical history, photographs of healing tattoos, or any clinical data. Aftercare is a reminder and education tool only — see Section 17.

4.6 Transactional and Subscription Data

App Store / Google Play subscription receipts (we receive a transaction ID, not your card details)
For purchases on our website (learn.getgia.app, getgia.app), payment is processed by Stripe. We never store your full card number — we only see the last 4 digits, expiration, and country
Refund requests and dispute history

4.7 Verification Data

When you verify a contact channel:

Phone number, WhatsApp number, Telegram handle, Instagram handle, or email address
The OTP (one-time password) you enter to confirm ownership
The verification status flag attached to that handle

We do not ask for or collect government-issued ID documents, passport scans, professional certificates, training diplomas, work videos, or selfies with documents.

4.8 Technical Data (Collected Automatically)

IP address (used for country auto-detection, anti-fraud, abuse prevention)
Device type, operating system, and app version
Browser type and language
Approximate timezone
Crash and error reports (collected via our self-hosted GlitchTip instance — see Section 9)
Page views, screen visits, and feature usage timestamps (functional only — no third-party analytics on launch)

4.9 Local Device Storage

We use localStorage and sessionStorage in your browser or app to store:

Your authentication token
Your settings and preferences
Cached profile data for offline use
Locale (language, e.g. RU/EN)

localStorage is functionally equivalent to cookies under EU/UK law and is covered by our Cookie Policy.

4.10 Push Subscription Data (If You Opt In)

If you allow push notifications, we store:

Your Web Push subscription endpoint
The encryption keys associated with that endpoint

Push notifications are sent from our own servers in Germany. We do not use Firebase Cloud Messaging or similar third-party push providers on launch.

In plain English: We collect what's needed for the app to work — your name, phone, role, content you create. We don't ask for your passport. We don't track you with third-party analytics on launch. AI prompts go through Replicate; payments go through Apple, Google, or Stripe.

5. Why We Process Your Data (Lawful Basis)

Under UK and EU GDPR, we must have a lawful basis for every processing activity. Here's how we map ours:

Processing Activity	Lawful Basis
Creating and operating your account	Performance of a contract (our Terms of Service)
Sending you transactional messages (booking confirmations, OTP codes, receipts)	Performance of a contract
Operating profile search, Network feed, matching	Performance of a contract
Anti-fraud, anti-abuse, security monitoring	Legitimate interests (protecting users and the platform)
Crash reporting and product improvement	Legitimate interests (running a stable service)
Sending push notifications	Consent (you opt in)
Marketing emails or promotional content	Consent (you opt in; you can opt out at any time)
Storing chat archives for evidentiary purposes (Blacklist archive — see Section 18)	Legitimate interests (industry safety, fraud prevention)
Geolocation (only when you tap "Detect location")	Consent (you tap)
AI Sketch generation	Performance of a contract (you request the generation)
Compliance with legal requests, tax, and regulatory obligations	Legal obligation
Children-related deletion requests from parents	Legal obligation + vital interests of the child

You can withdraw any consent-based processing at any time without affecting prior lawful processing.

6. Special Categories of Personal Data

We do not intentionally collect special-category data (health, biometrics, religion, political views, sexual orientation, etc.).

Some content uploaded by users may inadvertently include sensitive information — for example, a tattoo photograph that reveals scars or religious symbols. You are responsible for what you upload. By uploading, you confirm you have all necessary consents from any other people depicted (see Section 18).

If you accidentally upload sensitive content and want it removed, contact privacy@globalinkalliance.com.

7. Children's Data

GIA is for users 18 years and older. We do not knowingly collect data from anyone under 18.

Age gate: All registration flows require self-declaration of age 18+. Profiles where the user declares age below 18 are blocked from completion.
Parental requests: If you are a parent or guardian and believe your child has registered, write to privacy@globalinkalliance.com. We will delete the account and all associated data within 30 calendar days, with no further verification required from you, in line with EU GDPR Article 8 best practice.
Reporting: If you suspect another user is under 18, please report them through the in-app report feature or to privacy@globalinkalliance.com.

8. How We Use Your Data

We use your personal data to:

Provide and operate the Services — host your profile, run search and matching, enable chats, deliver AI generations, send aftercare reminders, etc.
Communicate with you — confirm bookings, deliver receipts, send OTP codes, respond to support tickets.
Personalize your experience — show relevant feed items, suggest matches by city/styles, surface upcoming festivals.
Maintain safety and integrity — detect fraud, prevent abuse, enforce our Acceptable Use Policy, operate the Blacklist archive (Section 18), respond to DMCA notices (Section 19).
Improve the Services — analyze aggregated, anonymized usage trends. We do not use your AI prompts or chat content to train AI models.
Comply with legal obligations — tax, anti-money-laundering, lawful government requests.
Notify you of important changes — to this policy, to our Terms, or to the Services.

We do not:

Sell your personal data to anyone, ever.
Share your data with advertisers (we do not run advertising on launch).
Use your data for automated decision-making with legal effects.

9. Who We Share Your Data With (Sub-processors)

We use the following third-party providers (sub-processors) to operate the Services. We share with each only the minimum data they need.

Sub-processor	Purpose	Data shared	Location
Replicate Inc.	AI image generation for AI Sketch	Your text prompt	United States
ipapi.co	Country auto-detection at registration	Your IP address	United States
OpenStreetMap Foundation	Map tiles (Leaflet) and reverse geocoding (Nominatim)	Your IP and approximate coordinates	Various (EU, UK)
Apple App Store / Google Play	In-app purchases and subscriptions	Transaction tokens, account ID	Various
Stripe Inc.	Payments on our website	Card last 4, billing country, amount	Ireland (EU) / United States
Self-hosted GlitchTip	Crash and error reports	Stack traces, device info, anonymized session ID	Germany (our server)
Self-hosted Web Push	Push notification delivery	Subscription endpoint, encryption keys	Germany (our server)

We do not currently use:

Google Analytics, Firebase Analytics, or similar
Third-party advertising networks
Sentry SaaS, Mixpanel, Amplitude, Segment, or similar

If we add a new sub-processor, we will update this section and, where required by law, notify you in advance.

10. International Transfers

Most of your personal data is stored on our servers physically located in Germany (European Union), hosted by IONOS SE.

Some sub-processors are located outside the UK and EEA — primarily in the United States. For transfers to the US, we rely on:

The EU-US Data Privacy Framework (where the receiving party is certified)
Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner
UK International Data Transfer Addendum (IDTA) where applicable

You can request copies of these safeguards by writing to privacy@globalinkalliance.com.

11. How Long We Keep Your Data (Retention)

We keep your data only as long as necessary for the purpose it was collected. After that we delete or anonymize it.

Type of data	Retention
Active account profile	While your account is active
Inactive accounts	Deleted automatically after 3 years of no activity
Direct messages and chat history	Indefinitely while the account is active; deleted with the account
Quick Link guests (people who joined a chat without registering)	12 months from last activity, with reminders sent at 60, 30, and 7 days before deletion
AI Sketch prompts and outputs	Indefinitely until you delete them; we may revisit retention based on usage statistics
Blacklist archive entries	While supported by user reports; 3 years with no new reports → moved to internal archive (super-admin only)
Crash reports	90 days
Server access logs	30 days
Backups	90 days
Tax and accounting records	7 years (UK statutory requirement)
Law-enforcement preservation requests	As legally required

You can delete your account at any time via Settings → Delete Account. We act on the request immediately. Backup copies are purged within 90 days. See Section 12 for your full rights.

12. Your Rights

Under UK GDPR and EU GDPR, you have the following rights:

12.1 Right of Access (DSAR)

You can request a copy of all personal data we hold about you. We respond within 30 days and provide the data in a portable format (typically JSON or CSV).

12.2 Right to Rectification

You can correct any inaccurate data via your profile settings or by writing to us.

12.3 Right to Erasure ("Right to Be Forgotten")

You can request deletion of your data. The fastest way is Settings → Delete Account in the app — this immediately deletes all your data on your device and queues a server-side deletion. You can also request deletion by writing to privacy@globalinkalliance.com.

Important exception: Some Blacklist archive entries may be retained where there is a legitimate interest (industry safety, prevention of fraud), as permitted by Article 17(3) GDPR. You always retain the right to add a public reply to any entry about you.

12.4 Right to Restriction

You can ask us to pause processing of your data while we investigate a dispute about its accuracy or our use.

12.5 Right to Data Portability

You can ask for a machine-readable copy of the data you provided directly to us, transferable to another service.

12.6 Right to Object

You can object to processing based on legitimate interests (including profiling).

12.7 Right to Withdraw Consent

For any consent-based processing (push notifications, marketing, geolocation), you can withdraw consent in your settings at any time.

12.8 Right to Lodge a Complaint

If you believe we have mishandled your data, you can complain to your data protection regulator:

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
Germany: Your state DPA (e.g. BfDI for federal matters)
EU: Your national supervisory authority (list at edpb.europa.eu)

We'd appreciate the chance to address concerns first — please write to us before lodging a complaint.

12.9 How to Exercise Your Rights

Email privacy@globalinkalliance.com with:

The right you want to exercise
Enough information for us to identify your account (registered email or phone)
Any additional context

We may ask for verification (such as confirming the OTP on your registered email) before acting, to protect against impersonation.

We respond within 30 calendar days. Requests are free of charge unless they are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse).

13. Security

We protect your data with technical and organizational measures appropriate to the risk:

Encryption in transit: All data exchanged with our servers uses TLS 1.2 or higher (HTTPS).
Encryption at rest: Database and backups are encrypted on disk.
Access controls: Only authorized personnel can access production systems, on a need-to-know basis. Admin actions are logged.
Server location: Germany (EU) — physically and legally within the EU data protection regime.
Self-hosted error tracking: We do not send crash data to third-party SaaS providers.
Regular updates: We keep dependencies and operating systems patched.
Vetted payments: We do not store full card numbers; payment processing is delegated to Apple, Google, and Stripe.

No system is perfectly secure. If you suspect unauthorized access to your account, change your password and contact privacy@globalinkalliance.com immediately.

Data Breach Notification

If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
Notify affected users without undue delay where the risk is high

14. Cookies, Local Storage, and Similar Technologies

GIA uses minimal tracking technology. Details are in our Cookie Policy, but in summary:

Strictly necessary technologies (authentication, session, preferences) — used without consent, as permitted by law
Functional technologies (your settings, locale, last-seen profile) — used without consent, you can clear them in your browser
Analytics or marketing cookies — none on launch

The first time you visit our website from the EU/UK, you will see a cookie banner giving you choices. You can change these choices at any time via the "Cookie Settings" link in the website footer.

15. Push Notifications

We use Web Push delivered from our own servers (no Firebase, no APNs intermediary on launch). Categories:

Direct messages: when someone messages you
Booking and deal updates: when an agreement is changed, confirmed, or canceled
Aftercare reminders: if you opted in to a tattoo aftercare schedule
Important account notifications: changes to terms, deletion warnings (e.g. for Quick Link guests)

You can disable push notifications in your device system settings or in Settings → Notifications.

16. AI-Generated Content (AI Sketch)

When you use AI Sketch:

Your text prompt is sent to Replicate Inc. (US) for image generation
The generated image is returned to your account
We store the prompt and image so you can revisit your history

About the output:

AI-generated images are clearly labelled (a small "AI" indicator) in line with the EU AI Act transparency obligations
The model is trained on third-party data we do not control. You are responsible for verifying the originality of any tattoo you ultimately get inked.
You retain the rights to the prompts you write and to the images generated for you, subject to Replicate's underlying model terms

We do not use your prompts to train AI models. We may analyze aggregated, anonymized prompt themes to improve the service in the future — and if we do, we will update this policy and offer an opt-out.

In plain English: Type a prompt → we send it to Replicate → you get an image. We mark it as AI-made. You own it. You're the one responsible for not copying someone else's work.

17. Health and Aftercare Disclaimer

The Aftercare feature is not medical advice. It provides general reminders and educational suggestions about caring for a fresh tattoo (such as cleaning frequency or sun exposure). It is not a substitute for professional medical care.

If you experience signs of infection, allergic reaction, severe pain, fever, prolonged swelling, or anything unusual, stop using the reminders and consult a medical professional immediately.

We do not collect symptom reports, photographs of healing skin, or any other clinical information.

Crisis Resources

If you are in distress or experiencing a mental-health crisis, please reach out:

United Kingdom: Samaritans — 116 123 (free, 24/7)
Germany: Telefonseelsorge — 0800 111 0 111
Netherlands: 113 Zelfmoordpreventie — 0800 0113
Poland: Telefon Zaufania — 116 123
Turkey: İntihar Önleme Derneği — 182
United States: 988 Suicide & Crisis Lifeline — 988
EU general: 116 123 (free, available in many EU countries)

These are independent organizations. GIA is not responsible for the services they provide but lists them so you can find help quickly.

18. User-Generated Content, Public Profiles, and the Blacklist Archive

18.1 What's Public, What's Private

When you register, your profile is private by default. As you use GIA:

Your name, role, country, photo, bio, styles, portfolio become visible inside the GIA Network feed once you complete and confirm your profile
Your exact street address is shared only after you and another user have mutually fixed a deal in the in-app checklist
Your phone number, email, WhatsApp remain private to you, except when you choose to share a verified handle on your profile

18.2 Direct Messages

DMs are visible only to participants of the chat. We may access DM content for:

Operating the service (delivering messages, notifications, deal calendar sync)
Investigating reports of abuse, fraud, or violations of our Acceptable Use Policy
Responding to lawful requests from authorities

18.3 The Blacklist Archive

GIA hosts a Blacklist archive: a public record of incidents reported by users in the tattoo industry where verbal commitments were not honoured.

We have built this carefully to protect users without exposing the company or third parties to defamation risk:

Verbatim citations only. Entries quote what users wrote in chats — they do not interpret, judge, or accuse.
Source preserved. Every entry is backed by a screenshot or chat reference.
No editorial control. GIA does not write, rewrite, or characterize entries — the platform hosts them.
Right of reply. Anyone named in an entry can publish their own version of the conversation alongside it.
Removal by mutual agreement. If both parties confirm in chat that the matter is resolved, the entry is removed within 24 hours.
Three-year archival. An entry without new corroborating reports for 3 years is moved to an internal archive (visible only to platform moderators).

The lawful basis for the Blacklist archive is legitimate interest: protecting the tattoo industry from repeated bad-faith actors and helping users make informed decisions. You always retain GDPR rights to access, correct, or object to entries about you.

18.4 Photos with Other People

When you upload portfolio photographs that include other people (e.g. a tattoo on a client's body), you confirm at upload time that you have obtained any necessary consents from the people depicted. If a depicted person contacts us to remove their image, we will act within 30 days.

18.5 Tattoo Authorship (Copyright)

In the UK, EU, and US, the artist who created a tattoo is generally considered its author for copyright purposes. By uploading a photo of a tattoo, you represent that:

(a) You created the tattoo, or
(b) You have the artist's permission to share the image, or
(c) The tattoo is on your own body and you accept the responsibility (knowing the artist may still raise a claim).

19. DMCA and Copyright

GIA respects intellectual property. We respond to valid DMCA notices under the US Digital Millennium Copyright Act and to equivalent notices under UK and EU law.

Our DMCA Designated Agent is registered with the U.S. Copyright Office:

Registration Number: DMCA-1071913
Agent: Denys Humen, Global Ink Alliance Ltd
Address: Suite RA01, 195-197 Wood Street, London, E17 3NU, UK
Email: privacy@globalinkalliance.com

To file a takedown notice, see our Acceptable Use Policy / DMCA Procedure.

20. Geolocation

We process location data only when you take an explicit action:

Tapping the "Detect location" button to fill in your city
Allowing the device-level location prompt (we do not use background location tracking)

We pass coordinates to OpenStreetMap Nominatim to convert them into a city name, and store only the city/country in your profile. The exact coordinates are kept transiently for the lookup and not retained.

We do not run continuous location watchers. We do not sell location data.

21. Quick Link Guests

If you receive a "Quick Link" from a GIA user (a viral chat invitation in the form getgia.app/?q=...) and use it to chat without creating a full account, you become a guest.

As a guest:

We collect: the name and phone number you submit, plus the OTP code you enter
Your data is retained for 12 months from your last activity
We send you reminders at 60, 30, and 7 days before deletion (by SMS or email)
Each return visit resets the 12-month counter
If you install the app and complete registration, your guest data migrates into the full account

22. Online Status and Presence

Your online indicator (the green dot on your avatar and your "last seen" time) is on by default. You can disable it in Settings → Profile Functions → Online Status. When disabled, you appear offline to other users.

23. Promoted and Sponsored Content (Pinned / Boosted)

Some profiles in the GIA Network feed are promoted — meaning the profile owner has paid for higher visibility. These are marked with a "📌 Promoted" or "🚀 Boosted" label, in compliance with the EU Unfair Commercial Practices Directive and the US Federal Trade Commission's endorsement guidelines.

Promotion does not affect the truthfulness of profile information or our verification standards.

24. Marketing Communications

We do not currently run marketing campaigns.

If we begin to send marketing emails, push, or SMS in the future:

We will obtain your explicit consent at registration or via a settings toggle
Every message will contain an unsubscribe link or instruction
You can opt out at any time without affecting your account

25. Government and Law Enforcement Requests

We may disclose personal data to law-enforcement, courts, or regulators where:

We are legally compelled to do so (e.g. a valid court order, subpoena, or statutory request)
Disclosure is necessary to prevent imminent harm to a person
Disclosure is necessary to investigate fraud or violations of our Terms

Where lawful, we will notify the affected user before disclosing data and challenge requests we believe to be overbroad. Disclosures are recorded in our internal log and may appear in a future transparency report.

26. Automated Decision-Making

We do not make decisions that have legal or similarly significant effects on you using automated processing alone.

Examples of routine automation that does not trigger Article 22 GDPR:

Sorting your Network feed by relevance signals
Suggesting matches by city and styles
Detecting suspicious activity for review by humans

A real human reviews any consequential moderation decision (such as suspending an account) before it is finalized.

27. Children's Online Safety (UK Online Safety Act)

GIA is a UGC-hosting platform subject to the UK Online Safety Act 2023. We comply with our duties by:

Restricting registration to users 18+ (Section 7)
Providing in-app reporting tools for harmful content
Maintaining a takedown process for content that violates our Acceptable Use Policy
Conducting periodic risk assessments
Publishing an annual transparency report (starting 1 May 2027)

28. EU Digital Services Act Compliance

GIA is an "online platform" under the EU DSA. We comply by:

Designating privacy@globalinkalliance.com as our Single Point of Contact for authorities and users
Providing a notice-and-action mechanism (see DMCA / AUP)
Issuing a Statement of Reasons when we remove content or restrict accounts
Publishing an annual transparency report

29. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

The "Last Updated" date at the top will change
For material changes, we will notify registered users by email and via an in-app banner at least 14 days before the change takes effect
Continuing to use the Services after a material change means you accept the updated Policy

A history of major changes is available on request.

30. Contact Us

For privacy questions, requests, or complaints:

Global Ink Alliance Ltd Suite RA01, 195-197 Wood Street London, E17 3NU, United Kingdom

Email: privacy@globalinkalliance.com Phone: +49 178 543 2291 Website: globalinkalliance.com / getgia.app

This Privacy Policy is governed by the laws of England and Wales. Any disputes will be resolved by the courts of England and Wales, except where mandatory consumer-protection laws of your country of residence give you a stronger right.

Document prepared for Global Ink Alliance Ltd. Version 1.0 — 1 May 2026