Skip to main content

Privacy Policy

Last Updated: March 12, 2026

This Privacy Policy explains how Avenixor Tattoo Studio (“we”, “us”, “our”) collects, uses, and protects personal data when you visit this website, contact us, or request a consultation.

1. Introduction & Controller Identity

Avenixor Tattoo Studio is the brand name used by Avenixor Tattoo Studio LLC (the “Data Controller” for the purposes of applicable data protection laws, including the UK GDPR and the EU GDPR where relevant).

Controller details:

  • Legal entity: Avenixor Tattoo Studio LLC
  • Registered address: WeWork, 10 York Rd, Waterloo, London SE1 7ND, United Kingdom
  • Contact email: [email protected]
  • Phone: +44 20 7946 3817

If you have questions about this policy, or you wish to exercise your privacy rights, you can contact us using the email address above. If we appoint a dedicated Data Protection Officer (DPO) in the future, we will publish the DPO contact details on this page.

2. Personal Data We Collect

The types of personal data we may collect depend on how you interact with our website and studio. We aim to collect only what is reasonably necessary for clear communication, booking coordination, and site operations.

  • Identity and contact data: name, email address, phone number (if you provide it).
  • Form content: messages, booking preferences, placement notes, and any information you voluntarily submit in the contact form.
  • Technical data: IP address, browser type and version, device identifiers, operating system, and language settings.
  • Usage data: pages viewed, time spent on pages, referrer/source, click paths, and interaction events (for example, opening an FAQ accordion or navigating to another page).
  • Cookies and similar identifiers: information stored via cookies or local storage, including your cookie preferences and session continuity.
  • Conversion events: actions such as a form submission, which may be used to measure performance of marketing campaigns (only where you have granted the relevant consent).

We do not intentionally collect special-category data (such as health data, religious or political opinions) through this website. We also do not request financial account details or government identification through the website contact forms.

If you choose to include sensitive information in a message you send to us, you do so voluntarily. We encourage you to keep messages focused on scheduling and design direction rather than personal or medical details.

3. Why We Process Personal Data & Legal Basis

We process personal data for specific purposes and rely on lawful bases under GDPR/UK GDPR. The lawful basis depends on the context of the processing.

  • Consultation requests and communications: to respond to enquiries, discuss design direction, and coordinate appointment logistics. Legal basis: performance of a contract or steps prior to entering into a contract (Art. 6(1)(b)) and, where applicable, consent (Art. 6(1)(a)).
  • Analytics (optional): to understand how visitors use the site and improve content and navigation. Legal basis: consent (Art. 6(1)(a)).
  • Marketing and remarketing (optional): to measure ad performance, build audiences, and deliver relevant advertising. Legal basis: consent (Art. 6(1)(a)).
  • Security and fraud prevention: to protect the website from abuse, automated attacks, and suspicious traffic. Legal basis: legitimate interests (Art. 6(1)(f)).
  • Legal compliance: to comply with applicable legal obligations and handle legal claims if they arise. Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

Automated decision-making (Art. 22): we do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Cookies & Tracking

We use cookies and similar technologies to keep the site functional, to understand usage, and (when permitted) to support advertising measurement. Cookies can be first-party (set by this site) or third-party (set by service providers). Some tracking can also occur via pixel tags or server-side measurement, depending on the tools used and your consent preferences.

Essential cookies (always active)

Essential cookies are required for basic site functionality and to record your cookie preferences. They do not require your consent. Examples include:

  • _site_session: supports session continuity and basic security controls. Retention: session to up to 30 days depending on configuration.
  • cookie_consent: stores your cookie preferences choice. Retention: 12 months.
  • Security-related controls (for example, anti-forgery tokens) where applicable.

Analytics cookies (optional, consent-based)

If you enable analytics cookies, we may use Google Analytics 4 (GA4) to understand traffic patterns and site performance. Where configured, IP anonymization is applied. Example cookies include:

  • _ga: GA4 user identifier. Retention: 2 years.
  • _ga_XXXXXXXXXX: GA4 session state. Retention: 2 years.

Analytics data retention in GA4 is typically set to 14 months. You can disable analytics cookies at any time via the cookie preferences panel.

Marketing cookies (optional, consent-based)

If you enable marketing cookies, we may use measurement and remarketing tools such as Google Ads and Meta Pixel. These tools help attribute conversions, build remarketing audiences, and measure campaign performance. Example cookies include:

  • _gcl_au: Google Ads conversion linker. Retention: 90 days.
  • _fbp: Meta Pixel browser identifier. Retention: 90 days.
  • _fbc: Meta Pixel click identifier (set when click ID is present). Retention: 90 days.

Beyond cookies, marketing measurement can use pixel tags (for example, gtag.js or Meta Pixel) and, in some setups, server-side signals (for example, via Meta Conversion API or server-side tag management). Where used, identifiers may be derived from browser signals such as IP address and user-agent, and may also include hashed contact details if you provide them, but only when implemented and only where consent applies.

For more detail about categories and how to manage them, please also read our Cookie Policy.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Art. 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie and is typically stored for 12 months.

You can withdraw or change consent at any time via “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only when needed to operate the site, respond to enquiries, and (where you have provided consent) measure marketing performance. We do not sell personal data.

Depending on configuration and your consent choice, we may share data with:

  • Google LLC (Google Analytics 4, Google Ads, tag management, remarketing): cookie identifiers, usage data, conversion events, and audience signals. Policy: https://policies.google.com/privacy
  • Meta Platforms (Meta Pixel, Custom/Lookalike Audiences, Conversion API where used): page views, conversions, audience membership, and (where implemented) hashed identifiers for attribution. Policy: https://www.facebook.com/privacy/policy
  • Cloudflare (CDN and security): IP-based threat detection and performance routing. Policy: https://www.cloudflare.com/privacypolicy/

We do not permit these providers to use site data for their own independent commercial purposes. They process data under their own terms and may act as independent controllers for some processing (for example, advertising measurement). Your choices in our cookie panel control whether analytics and marketing tools are activated on this site.

7. International Transfers

Some of our service providers (such as Google and Meta) may process data outside the UK or EEA, including in the United States. Where international transfers occur, we rely on appropriate safeguards. These may include:

  • EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF (where applicable).
  • Swiss–US DPF (where applicable).
  • Standard Contractual Clauses (EU 2021/914) as a fallback mechanism.
  • UK International Data Transfer Addendum / UK IDTA as a fallback mechanism.

When required, we also assess the risks of international transfers and apply supplementary measures where appropriate.

8. Retention

We keep personal data only for as long as needed to fulfil the purpose for which it was collected, and to meet legal, security, or operational obligations. Typical retention periods are:

  • Contact form submissions and consultation enquiries: up to 2 years from the last interaction.
  • Analytics data: typically 14 months (as configured in GA4).
  • Marketing cookies: per cookie lifetime (for example, 90 days for certain advertising cookies).
  • Email correspondence: duration of the relationship plus up to 1 additional year for continuity and dispute handling.
  • Server and security logs: typically up to 90 days.
  • Cookie consent record (audit purposes): up to 3 years.
  • Legal and tax records: as required by law (often 6–10 years, depending on record type).

9. Your Rights (GDPR & UK GDPR)

Depending on your location and applicable law, you may have rights regarding your personal data, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent at any time (Art. 7(3))
  • Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise your rights, email [email protected]. We will respond within 30 days. For complex requests, we may extend by up to 60 additional days and will tell you why.

Supervisory authority resources:

  • EU guidance: https://edpb.europa.eu/
  • UK ICO: https://ico.org.uk/
  • Germany (BfDI): https://www.bfdi.bund.de/
  • France (CNIL): https://www.cnil.fr/
  • Poland (UODO): https://uodo.gov.pl/
  • Spain (AEPD): https://www.aepd.es/

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that personal data from a child under 16 has been collected without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Some third-party providers may have their own policies regarding DNT and similar controls.

12. Data Deletion Requests

You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may need to verify your identity before completing the request. Where we must keep certain records for legal reasons, we will restrict processing and retain only what is required.

In most cases we can complete deletion requests within 30 days after identity verification.

13. Business Transfers

If we are involved in a merger, acquisition, financing, restructuring, asset sale, or insolvency, personal data may be transferred as part of that transaction. If a transfer materially changes how personal data is used, we will provide notice on this website.

14. California (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act as amended by the CPRA. In the past 12 months, we may have collected the following categories of personal information:

  • Identifiers: name, email address, IP address, cookie IDs, device identifiers.
  • Internet or network activity: browsing interactions, pages viewed, session events.
  • Inferences: interests or preferences derived from site interactions for advertising measurement (only if marketing consent is enabled).

We do not sell personal information as defined by CCPA. We do share certain data for cross-context behavioral advertising when marketing cookies are enabled. You may opt out via the cookie preferences panel (“Manage cookie preferences” in the footer).

California rights may include the right to know, delete, correct, and opt out of sale/sharing, as well as non-discrimination for exercising those rights. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your identity before responding. Authorized agents may submit requests with written permission.

15. Virginia (VCDPA)

If you are a Virginia resident, you may have rights under the Virginia Consumer Data Protection Act (VCDPA), including rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising.

We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects. To submit a request, email [email protected] with the subject “Virginia Privacy Request”.

If we deny a request, you can appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, service providers, or how the website operates. Material changes will be announced via a notice on the homepage at least 14 days before they take effect. The “Last Updated” date at the top of this page will change whenever this policy is revised.

18. Contact

For privacy questions, requests, or complaints, contact: