Privacy Policy

1. Introduction & Controller Identity

Black Lantern Tattoo Studio values privacy and expects clarity from any business that requests personal information. This Privacy Policy is written to be readable and specific. It applies to information collected through our website and through the forms and communications initiated from this website.

Data Controller: Black Lantern Tattoo Studio LLC.
Registered address: 520 8th Ave, 16th Floor, Midtown Manhattan, New York, NY 10018, United States.
Contact email: [email protected].
Phone: +1 646 762 4398.

We do not appoint a dedicated Data Protection Officer (DPO) as a matter of course. If you have privacy questions, contact us using the details above and we will route your request to the person responsible for privacy handling.

Effective Date: March 12, 2026.

2. Personal Data We Collect

The information we collect depends on how you use the site. Some data is provided by you (for example, when you contact us), and some is collected automatically (for example, technical logs and cookie identifiers). We aim to collect only what we need to respond to requests, operate the website securely, and understand overall site performance.

• Identity and contact details: name, email address, phone number, and any information you include in your message.
• Form content and request details: placement, approximate size, style references, preferred artist, scheduling constraints, and any other notes you choose to share.
• Technical data: IP address, browser type/version, device type, operating system, language settings, and approximate location derived from IP (city/region level).
• Usage data: pages visited, time spent on pages, interactions with navigation elements, referrer and campaign parameters, and aggregated conversion events (for example, a successful form submission redirect).
• Cookies and identifiers: first-party cookies for session continuity and your cookie choice, plus optional third-party identifiers for analytics and marketing if you provide consent.

We do not intentionally request special-category personal data (such as health information, religious beliefs, political opinions), financial account details, or government-issued identification numbers through our website forms. If you include such information in a message, we will treat it as provided voluntarily and will handle it with care, but we recommend you avoid sharing sensitive information unless it is necessary for your inquiry.

3. Why We Process Data & Legal Bases (GDPR Article 6)

Where GDPR or similar privacy laws apply, we rely on the following legal bases to process personal data. Different bases may apply simultaneously depending on the context of the processing.

• Responding to contact and booking requests: to review your request, answer questions, and coordinate consultation and session planning. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering into a contract) and Art. 6(1)(a) (consent), depending on your jurisdiction and the nature of the request.
• Analytics: to understand traffic patterns and improve page performance and content clarity. Legal basis: GDPR Art. 6(1)(a) (consent), where required.
• Marketing and remarketing: to measure advertising performance and, where enabled, build audiences for remarketing or lookalike targeting. Legal basis: GDPR Art. 6(1)(a) (consent), where required.
• Security and fraud prevention: to protect the site from abuse, bot traffic, scraping, and malicious activity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests) in maintaining the integrity and security of our services.
• Legal compliance: to meet applicable legal obligations (for example, maintaining records where required). Legal basis: GDPR Art. 6(1)(c) (legal obligation).

Automated decision-making and profiling (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you. If we use marketing audiences (for example, remarketing lists) this is used to show relevant ads and measure campaign performance, not to make decisions about eligibility or outcomes.

4. Cookies & Tracking Technologies

Cookies are small text files stored on your device. Some cookies are essential for basic site functionality (for example, remembering your cookie choice), while others are optional and used for analytics or marketing. We may also use pixel tags and server-side event forwarding where consent applies. Cookie choices are controlled through our cookie banner and preferences panel.

4.1 Essential Cookies (Always Active)

Essential cookies are required for the website to function and cannot be switched off from the preferences panel. They include the session cookie and the cookie that stores your consent decision. Essential cookies may also support security features such as CSRF protection and basic bot mitigation.

• _site_session (first-party): maintains session continuity. Retention: session.
• cookie_consent (first-party): stores your cookie preferences. Retention: 12 months.

4.2 Analytics Cookies (Consent Required Where Applicable)

If you accept analytics cookies, we may enable Google Analytics 4 (GA4) to understand how visitors use the site (for example, which pages are visited and where users drop off). Where supported, we use privacy-oriented settings such as IP anonymization and shorter data retention.

• _ga (third-party): GA4 user identifier. Retention: 2 years.
• _ga_XXXXXXXXXX (third-party): GA4 session state. Retention: 2 years.

Analytics data is used in aggregate to improve content, navigation clarity, and performance. It is not intended to identify you personally.

4.3 Marketing Cookies (Consent Required Where Applicable)

If you accept marketing cookies, we may enable measurement and remarketing tools associated with advertising platforms such as Google Ads and Meta. These tools may use cookies or similar identifiers to attribute conversions, measure ad performance, and create audiences for remarketing or lookalike modeling.

• _gcl_au (third-party): Google Ads conversion linker. Retention: 90 days.
• _fbp (third-party): Meta Pixel browser identifier. Retention: 90 days.
• _fbc (third-party): Meta Pixel click identifier, set when a click ID is present. Retention: 90 days.

Beyond cookies, advertising tools can rely on pixel tags and (where enabled) server-side event forwarding. If server-side events are used, they may include technical details and, where applicable, hashed identifiers to support attribution. We do not use these systems to infer sensitive traits about you.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent browser cookie for 12 months.

You can withdraw consent at any time by using “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We use a limited set of service partners to operate and measure the website. Depending on your cookie choices, personal data (or identifiers linked to device/browser activity) may be shared with:

• Google LLC (GA4, Google Ads, Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. Privacy information: https://policies.google.com/privacy.
• Meta Platforms (Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversions, and audience signals where enabled. Privacy information: https://www.facebook.com/privacy/policy/.
• Cloudflare (CDN and security): IP-based threat detection and performance delivery. Privacy information: https://www.cloudflare.com/privacypolicy/.

We do not sell personal data. Where we use advertising and analytics providers, we configure them to process data on our behalf and for the purposes described in this Privacy Policy. These providers may process data under their own terms when acting as independent controllers in certain contexts; their privacy notices explain those details.

7. International Transfers

If you are located in the EEA/UK, your information may be transferred to and processed in countries outside your jurisdiction, including the United States, where some of our service providers operate. For such transfers, we rely on recognized transfer mechanisms, including:

• EU-US Data Privacy Framework (DPF) (primary, where applicable, since July 2023), including the UK Extension and Swiss-US DPF where relevant.
• Standard Contractual Clauses (EU 2021/914) as a fallback mechanism.
• UK IDTA as a fallback mechanism for UK transfers where required.

We also take reasonable steps to minimize transfer impact through data minimization and consent-based activation for non-essential tracking.

8. Data Retention

We keep personal data only as long as needed for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Typical retention periods are:

• Contact submissions: up to 2 years from the last interaction, to support follow-ups and scheduling context.
• Analytics data: typically 14 months (platform setting), where enabled by consent.
• Marketing cookies: per cookie lifetime (for example, 90 days for common marketing identifiers), where enabled by consent.
• Email correspondence: duration of the relationship plus up to 1 year where needed for continuity and record-keeping.
• Server and security logs: typically 90 days, unless needed longer for investigating abuse or maintaining security.
• Cookie consent record: up to 3 years for audit and compliance needs.
• Legal and tax records: as required by applicable law (often 6–10 years for invoicing or accounting records).

9. Your Rights (GDPR & UK GDPR)

Depending on your location, you may have the following rights regarding your personal data:

• Right of access (GDPR Art. 15)
• Right to rectification (GDPR Art. 16)
• Right to erasure (GDPR Art. 17)
• Right to restriction of processing (GDPR Art. 18)
• Right to data portability (GDPR Art. 20)
• Right to object (GDPR Art. 21)
• Right to withdraw consent at any time (GDPR Art. 7(3))
• Right to lodge a complaint with a supervisory authority (GDPR Art. 77)

To exercise your rights, contact us at [email protected]. We may need to verify your identity before completing a request. We aim to respond within 30 days, and may extend by up to 60 days for complex requests.

Supervisory authority references:

• EU: https://edpb.europa.eu
• UK (ICO): https://ico.org.uk
• Germany (BfDI): https://www.bfdi.bund.de
• France (CNIL): https://www.cnil.fr
• Poland (UODO): https://uodo.gov.pl
• Spain (AEPD): https://www.aepd.es

10. Children

This website is not directed to individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without verifiable parental consent, contact us and we will delete the information promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own DNT handling. If you want to limit tracking, use our cookie preferences panel and your browser privacy controls.

12. Data Deletion Requests

You can request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may require identity verification. If deletion is requested, we will complete the request within 30 days where feasible, with limited retention only where required by law.

13. Business Transfers

In a merger, acquisition, asset sale, financing, or insolvency, personal data may be transferred to a successor entity as part of the transaction. If such a transfer materially changes how your personal data is used, we will provide notice on the website.

14. California (CCPA / CPRA)

If you are a California resident, you may have rights under the CCPA/CPRA. Over the last 12 months, we may have collected: (a) identifiers such as name, email, IP address, and device identifiers; (b) internet or network activity such as pages visited and interaction signals; and (c) inferences such as general interests derived from browsing patterns where marketing cookies are enabled by consent.

We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising when marketing cookies are enabled. California residents can opt out by using our cookie preferences panel and rejecting marketing cookies.

California rights may include the right to know, delete, correct, and opt out of sale/sharing, as well as the right to non-discrimination. To submit a request, email [email protected] with the subject line “California Privacy Request”. We may require identity verification. Authorized agents must provide proof of authorization.

15. Virginia (VCDPA)

If you are a Virginia resident, you may have rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject line “Virginia Privacy Request”. If we decline a request, you may appeal by emailing with the subject line “Appeal of Refusal — Privacy Request”. We will respond within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or site functionality. If changes are material, we will provide a notice on the homepage at least 14 days before the changes take effect. The “Last Updated” date at the top of this page indicates when the policy was last revised.

18. Contact

For privacy questions, data requests, or concerns, contact:

Black Lantern Tattoo Studio LLC
520 8th Ave, 16th Floor, Midtown Manhattan, New York, NY 10018, United States
Email: [email protected]
Phone: +1 646 762 4398