Privacy Policy

Last updated: March 2, 2026

1. Introduction

Welcome to WithDerma ("we," "our," or "us"). We provide payment processing, client management, appointment scheduling, and business tools for tattoo studios and artists. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our platform.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, business name, and profile details
  • Payment Information: Bank account details for payouts (processed securely by our payment partner Finix)
  • Client Data: Client names, contact information, appointment history, project notes, and payment records when you add clients to your studio
  • Business Details: Studio information, commission rates, business address, tax identification details
  • Communication Data: Messages, support requests, and correspondence with us

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, and interaction patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies and Tracking: Session data, authentication tokens, and preference settings
  • Fraud Prevention Data: Session IDs and device fingerprinting to prevent fraudulent transactions

2.3 Google OAuth and Calendar Data

When you choose to connect Google Calendar to WithDerma, we access:

  • Google Profile Information: Your name and email address for account authentication
  • Google Calendar Events: Read and write access to sync appointments between WithDerma and your Google Calendar
  • Calendar Metadata: Event titles, descriptions, start/end times, attendees, and locations

We only access Google data necessary for calendar synchronization. You can revoke this access at any time through your Google Account settings or within the WithDerma dashboard.

3. How We Use Your Information

  • Service Delivery: Process payments, manage appointments, maintain client records, and provide platform features
  • Payment Processing: Facilitate transactions, process payouts to artists, calculate commissions, and handle refunds
  • Calendar Integration: Sync appointments with Google Calendar when you enable this feature
  • Communication: Send transactional emails, payment notifications, appointment reminders, and support responses
  • Security and Fraud Prevention: Detect and prevent fraudulent transactions, unauthorized access, and policy violations
  • Platform Improvement: Analyze usage patterns to improve features, fix bugs, and optimize performance
  • Compliance: Meet legal obligations, enforce our terms, and comply with payment industry standards

4. How We Share Your Information

4.1 Payment Processing Partner

We use Finix as our payment processor. When you make or receive payments:

  • Payment card data is collected directly by Finix through secure hosted forms (we never store full card numbers)
  • Bank account information for payouts is transmitted securely to Finix and tokenized
  • Transaction data is shared with Finix to process payments, handle disputes, and comply with financial regulations

4.2 Google Services

When you connect Google Calendar, we exchange appointment data with Google's servers to enable synchronization. This connection uses OAuth 2.0 and can be revoked at any time.

4.3 Service Providers

We may share data with trusted service providers who help us deliver our services, including:

  • Database hosting (Supabase)
  • Email delivery services
  • Customer support tools
  • Analytics and monitoring services

4.4 Legal Requirements

We may disclose information when required by law, to respond to legal processes, protect our rights, prevent fraud, or ensure the safety of our users.

4.5 Within Your Studio

If you're part of a multi-artist studio, other members may see shared client data, appointments, and transaction information necessary for studio operations.

5. Data Retention

We retain your data for as long as necessary to:

  • Provide services to you while your account is active
  • Comply with legal obligations (financial records are kept for 7 years per industry standards)
  • Resolve disputes and enforce agreements
  • Prevent fraud and abuse

When you close your account, we will delete or anonymize your personal data within 90 days, except where we must retain records for legal or regulatory purposes.

6. Your Rights and Choices

6.1 Access and Correction

You can access and update your account information at any time through your dashboard settings. To request a copy of all data we hold about you, contact us at privacy@withderma.com.

6.2 Data Deletion

You can request deletion of your account and associated data by contacting support. Note that we may retain certain transaction records as required by financial regulations.

6.3 Google Data Access

You can revoke WithDerma's access to your Google account at any time:

  • Visit your Google Account permissions page
  • Find "WithDerma" in the list of connected apps
  • Click "Remove Access"

Or disconnect within WithDerma by going to Settings → Integrations → Google Calendar → Disconnect.

6.4 Marketing Communications

You can opt out of promotional emails by clicking "unsubscribe" in any marketing email. Note that you will still receive transactional emails related to your account and payments.

6.5 Do Not Track

Some browsers have "Do Not Track" features. We do not currently respond to these signals, but we use minimal tracking focused on providing and improving our services.

7. Security Practices

We implement industry-standard security measures including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
  • Access Controls: Role-based permissions and row-level security in our database
  • Payment Security: PCI DSS-compliant payment processing through Finix
  • Authentication: Secure password hashing and session management
  • Monitoring: Automated fraud detection and audit logging
  • Regular Security Reviews: Vulnerability assessments and security updates

Despite our best efforts, no system is completely secure. If you suspect unauthorized access to your account, change your password immediately and contact us at security@withderma.com.

8. Children's Privacy

WithDerma is not intended for users under 18 years of age. We do not knowingly collect information from minors. If you believe a child has provided us with personal information, please contact us immediately so we can delete it.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable data protection laws.

10. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on our platform. Your continued use after changes indicates acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: support@withderma.com

Phone: (435) 799-2731

Mail: 763 N 3050 E #2, St. George, UT 84790

13. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your information, and the right to opt out of the sale of your information. We do not sell personal information. To exercise your rights, contact us at support@withderma.com.

14. Google Limited Use Disclosure

WithDerma's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request access to Google user data necessary for implementing calendar synchronization features
  • We do not use Google user data for serving advertisements
  • We do not allow humans to read Google user data unless necessary for security or compliance, or with explicit user consent
  • We do not transfer Google user data to third parties except as necessary to provide our calendar features or as required by law