1. Data Controller Solomon Simsa Independent Tattoo Artist, Creative Consultant & Project Mediator Bergisch Gladbach, Germany 📧 info@solomonsimsa.com 🌐 www.solomonsimsa.com 2. General Principles Protecting your personal data is extremely important to me. All personal information is processed in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable EU and German laws. “Personal data” refers to any information relating to an identified or identifiable natural person, such as name, address, contact details, photos, ID data, digital signatures, or online identifiers. I collect and process personal data only as necessary to provide my services, communicate with clients, and fulfill contractual, legal, and artistic obligations. 3. Categories of Data Collected I may collect and process the following categories of personal data: • Identification data (name, date of birth, address) • Contact details (email, telephone, WhatsApp number) • Digital form data (online inquiries, consent forms, signatures) • Uploaded files or scanned ID documents (for age and identity verification) • Tattoo-related photos, videos, and body references • Payment information (amount, method, transaction ID, billing details) • Social-media data (profile name, messages, interactions) • Technical website data (IP address, browser type, access times) 4. Purpose and Legal Basis of Processing Data are processed for the following purposes: • managing inquiries, bookings, and client communication, • preparing, performing, and documenting tattoo projects, • managing invoices, credits, and payment transactions, • sending aftercare information and consent copies by email, • executing consulting, training, or mediation agreements, • creating artistic and promotional materials (photos/videos), • fulfilling tax and legal documentation duties. The legal bases are: • Art. 6 (1)(a) GDPR – Consent, • Art. 6 (1)(b) GDPR – Performance of a contract, • Art. 6 (1)(c) GDPR – Legal obligation, • Art. 6 (1)(f) GDPR – Legitimate interests (e.g. artistic documentation, marketing, data security). 5. Online Services and Hosting My website and booking forms are hosted via OnePage.io, which acts as a data processor under GDPR. Personal data entered through these forms (names, contact details, project descriptions) are transmitted securely via SSL encryption and stored on servers within the EU. Technical access logs (IP address, browser information, time of visit) are used solely to maintain website functionality and security. 6. Communication Channels and Social Media I use several communication and social-media platforms operated by third parties: • Meta Platforms Ireland Ltd. (Instagram, Facebook, WhatsApp Business) • Google Ireland Ltd. / YouTube • TikTok Technology Ltd. (Ireland) When you contact me via these services, data such as profile name, messages, or photos are processed according to the respective platform’s privacy policy. I have no control over how these platforms process your data. Communication via these channels is voluntary and at your own responsibility. Links to privacy policies: • Meta (Instagram/Facebook/WhatsApp): https://privacycenter.meta.com • Google & YouTube: https://policies.google.com/privacy • TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en 7. Payment Service Providers Payments for services and credit vouchers may be processed via: • Stripe Payments Europe Ltd. (Ireland) • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) • SumUp Limited (United Kingdom) • Credit card or bank transfer Relevant data (payer name, contact details, payment amount, transaction ID) are transmitted securely and processed by these providers exclusively for payment purposes. Legal basis: Art. 6 (1)(b) GDPR (contract performance). Their privacy policies apply: • Stripe: https://stripe.com/privacy • PayPal: https://www.paypal.com/privacy • SumUp: https://www.sumup.com/en-gb/privacy 8. Photo, Video and Media Processing During tattoo sessions, photo and video recordings may be created documenting the process, the artwork, the studio environment, and, where applicable, the client. The client expressly agrees that these materials may be used by the Provider without limitation in time, territory, or medium for artistic, documentary, and promotional purposes. This includes publication on: • the Provider’s website, • social-media platforms (Instagram, TikTok, Facebook, YouTube), • print and online media, exhibitions, magazines, or television. Consent is based on Art. 6 (1)(a) GDPR in conjunction with §§ 22–23 KunstUrhG (German Art Copyright Act). Once published, the consent cannot be withdrawn except where overriding legitimate privacy interests exist (§ 23 (2) KUG). The Provider undertakes to use all images respectfully and in an artistically appropriate way. 9. Data Storage and Retention Personal data are stored only as long as necessary to fulfill their purpose or as required by law. • Contract and tax-related data: 10 years (German tax law) • Consent forms and identification data: up to 5 years • Photos/videos: may be stored indefinitely for artistic or archival use When retention periods expire, data are deleted or anonymized. 10. Data Disclosure to Third Parties Personal data are shared only when: • required to fulfill contractual or legal obligations, • explicitly consented to by the data subject, or • necessary for legitimate business or legal interests. Data are never sold or disclosed to unauthorized third parties. 11. Rights of Data Subjects Under Articles 15–21 GDPR, you have the following rights: • Right of access – to know what data are stored about you, • Right to rectification – to correct inaccurate data, • Right to erasure (“right to be forgotten”), • Right to restriction of processing, • Right to data portability, • Right to object to certain processing activities, • Right to withdraw consent at any time. Requests may be submitted at any time via: 📧 info@solomonsimsa.com You also have the right to lodge a complaint with the competent supervisory authority, for example the Data Protection Authority of North Rhine-Westphalia (LDI NRW). 12. Security and Encryption The website www.solomonsimsa.com uses SSL encryption (HTTPS) to protect data during transmission. All technical and organizational security measures are reviewed regularly to ensure compliance with Art. 32 GDPR. 13. International Data Transfers Some service providers (e.g. Meta, Google, TikTok) may process data outside the EU/EEA. Such transfers occur only where the provider ensures an adequate level of data protection through EU Standard Contractual Clauses or equivalent safeguards under Art. 46 GDPR. 14. Updates to this Privacy Policy This Privacy Policy may be updated periodically to reflect legal, technical, or business changes. The latest version is always available on www.solomonsimsa.com. Legal references: Regulation (EU) 2016/679 (GDPR) · BDSG (Germany) · Telemedia Act (TMG) · Art Copyright Act (KUG). This policy is drafted in compliance with German and EU data-protection law and can be used for both national and EU-wide operations.