Legal

Privacy.

Last updated · April 30, 2026

Plain English. We try not to bury anything. Email hello@coil.tattoo with questions.

Who runs coil

coil is a software product for tattoo artists. The site is operated from the United States. References to “we” and “coil” mean the operator of coil.tattoo.

What we collect

We collect the minimum we need to run your shop on coil:

  • Account data: email address, display name, handle, IG handle if you connect Instagram, and any profile copy you save.
  • Portfolio data: images you upload or that we pull from your linked Instagram, plus AI-generated tags / bio drafts that you keep or discard.
  • Inquiry data from your clients: name, contact info, body-location selection, references, the description of what they want. They give this directly when filling out your inquiry form.
  • Payment metadata: Stripe handles all card data. We store Stripe customer / subscription / Connect account IDs, deposit amounts in cents, and timestamps. We never see card numbers.
  • Logs and analytics: Sentry for errors, PostHog for product analytics (page views, button clicks, web vitals). IP addresses, user-agents, and session timestamps are part of these.

How we use it

  • To run your account, your site, and the inquiry inbox.
  • To send transactional email (magic links, receipts, aftercare reminders) and SMS (phone verification, aftercare).
  • To generate AI drafts (bio, FAQ replies) — only on prompts you trigger, only on your own data.
  • To detect abuse, fix bugs, and improve the product.
  • We do not sell your data, your clients' data, or your portfolio. We don't train external AI on your work without your direct opt-in.

Subprocessors

These vendors process data on our behalf. Each one has its own privacy policy you can read.

  • Vercel — hosting, edge runtime
  • Supabase — database, auth, file storage
  • Stripe — payments + Connect onboarding
  • Anthropic (Claude) — AI generation
  • Resend — transactional email delivery
  • Twilio — phone verification + aftercare SMS
  • Sentry — error monitoring
  • PostHog — product analytics
  • Cloudflare — bot mitigation (Turnstile)

Security

  • All multi-tenant data is protected by row-level security policies enforced at the database, not the application.
  • HTTPS everywhere, HSTS preload, SameSite cookies.
  • Stripe Elements / Checkout — we are in PCI SAQ-A scope.
  • Client funds for deposits flow via Stripe Connect direct to the artist's bank. coil never holds money for artists.

Your rights

You can update, export, or delete your data at any time from the dashboard, or by emailing us. Account deletion clears every record we hold within 30 days.

California residents (CCPA) and EU/UK residents (GDPR) have additional rights — request, correction, deletion, portability, objection. Email us and we'll handle it. We don't sell data, so the standard CCPA “do not sell” toggle is moot here.

Cookies

We use first-party cookies for sign-in and a small number of third-party analytics cookies (PostHog). No advertising cookies. No cross-site retargeting.

Children

coil is not for anyone under 18. Tattooing minors is regulated separately wherever you operate; please follow your local rules.

Changes

We'll update this page when the substance changes and bump the date at the top. For account-affecting changes, we'll email you.

Contact