Privacy Policy

1. Introduction

Welcome to inkStar ("Platform", "we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the inkStar mobile application, web application, and all related services.

inkStar is a business management platform that enables businesses to manage appointments, customers, employees, contracts, payments, and day-to-day operations. We take the protection of your personal data seriously and are committed to transparency about our data practices.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read in conjunction with our Terms of Service. If you do not agree with our data practices as described in this Privacy Policy, please do not use the Platform.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, and IP addresses.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Data Controller" means the entity that determines the purposes and means of processing Personal Data. inkStar acts as Data Controller for account and platform data.
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. inkStar acts as Data Processor for business data managed by Users on the Platform.
• "User" refers to any individual or business entity that registers for and uses the Platform to manage their business operations.
• "End Customer" refers to any person who interacts with a User's business through the Platform, including booking appointments, signing contracts, or making payments.
• "Business Data" refers to all data that Users upload, create, store, or manage through the Platform in connection with their business operations, including appointment records, customer information, employee data, contracts, and payment records.

3. Information We Collect

We collect different types of information depending on how you interact with our Platform:

3.1 Account and Identity Data

• Full name, business name, and professional title
• Email address and verified contact information
• Phone number(s) for account verification and communications
• Business information including address, industry, business type, and operating hours
• Account credentials (passwords are hashed and never stored in plain text)

3.2 Business Operations Data

• Appointment scheduling data including dates, times, services, and assigned staff
• Customer relationship data including client profiles, contact details, appointment history, and preferences
• Employee and staff information including names, roles, schedules, availability, and assigned services
• Contract and agreement data (stored with end-to-end encryption)
• Payment transaction records including amounts, dates, and payment methods (processed through encrypted channels)
• Business analytics and reporting data generated from your usage of the Platform

3.3 Technical and Usage Data

• Device information including hardware model, operating system, browser type and version, and unique device identifiers
• Usage data including pages visited, features used, session duration, and interaction patterns
• IP address and approximate geolocation derived from your IP address
• Cookie identifiers and similar tracking technologies (see Section 11)
• Crash reports and performance diagnostics to help us improve the Platform

3.4 Financial Data

When you subscribe to a paid plan or process payments through the Platform, our third-party payment processors collect and handle your financial information (such as credit card numbers and bank account details). inkStar does not directly store your full payment card information. We only retain limited transaction references, amounts, and the last four digits of payment methods for record-keeping purposes. All payment data is processed through encrypted channels in compliance with PCI DSS standards.

4. How We Collect Information

• Directly from you: When you create an account, fill out forms, enter business data, use features, contact support, or communicate with us.
• Automatically: Through cookies, log files, device identifiers, and similar technologies when you access and use the Platform.
• From third parties: From payment processors, authentication providers (e.g., social login services), and analytics services that help us operate the Platform.
• Through integrations: When you connect third-party services or tools to the Platform, we may receive data from those services as necessary to provide the integration functionality.

5. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Platform and its features, including appointment scheduling, customer management, employee management, contract creation, and business analytics.
• To process subscription payments and facilitate payment processing between Users and their End Customers through our third-party payment integrations.
• To communicate with you about your account, respond to inquiries, provide customer support, and send important service-related notifications.
• To analyze usage patterns, diagnose technical issues, and continuously improve the Platform's functionality, performance, and user experience.
• To protect the security and integrity of the Platform, detect and prevent fraud, unauthorized access, and other malicious activity.
• To generate aggregated, anonymized analytics and insights that help us understand how the Platform is used and inform product development.
• To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service.
• To provide technical support and troubleshoot issues reported by Users.
• To power AI-assisted features within the Platform, such as intelligent suggestions and automated assistance, using only non-sensitive, non-personally-identifiable data (see Section 7 for details).

6. Our Role: Data Controller vs. Data Processor

Understanding our role in data processing is important for your rights and our obligations:

inkStar as Data Controller:

We act as the Data Controller for data we collect directly for our own purposes, including your account information, subscription and billing data, technical and usage data, and communications with our support team. For this data, we determine the purposes and means of processing.

inkStar as Data Processor:

We act as the Data Processor for Business Data that Users create and manage on the Platform, including client records, appointment data, employee information, contracts, and payment records. For this data, the User (the business) is the Data Controller and determines how the data is used. We process it solely on the User's behalf and in accordance with their instructions. If you are an End Customer and wish to exercise your data rights regarding Business Data, please contact the business (the User) that manages your data directly.

7. AI and Automated Features

inkStar offers AI-powered features to enhance your experience, including intelligent suggestions, automated assistance, and smart business insights. These features are powered by third-party AI providers, including OpenAI (ChatGPT) and potentially other AI model providers.

We are committed to protecting your privacy when using AI features. The following data is never shared with AI providers:

• Sensitive personal information such as health data, religious beliefs, or biometric data is never transmitted to AI providers.
• Personally identifiable information (names, email addresses, phone numbers, physical addresses) of your clients or employees is never sent to AI services.
• Financial data including payment card details, bank account numbers, and complete transaction records are never shared with AI providers.
• Contract contents and signed agreements, which are protected by end-to-end encryption, are never accessible to AI services.
• Your data is not used to train AI models. We use AI providers that do not retain or learn from the data processed through our Platform.

Only non-sensitive, contextual information — such as general service categories, scheduling patterns, or anonymized business metrics — may be processed by AI providers to deliver intelligent features. All data transmitted to AI providers is sent through encrypted channels.

You may use AI features at your discretion. Where AI features involve automated decision-making that may significantly affect you, we will provide information about the logic involved and ensure you have the ability to request human review, in accordance with Article 22 of the GDPR.

8. Data Security and Encryption

We employ industry-leading security measures to protect your data at every level:

• End-to-end encryption for contracts: All contracts and agreements created on the Platform are protected with end-to-end encryption, meaning only authorized parties can access the content. Not even inkStar can read encrypted contract data.
• Encrypted payment processing: All payment data is processed through encrypted channels via PCI DSS-compliant third-party payment processors. Full payment credentials are never stored on our servers.
• Multi-layer encryption: We employ a multi-layer encryption architecture for most data stored on the Platform, combining encryption at rest and encryption in transit to provide defense in depth.
• Transport layer security: All data transmitted between your device and our servers is protected using TLS (Transport Layer Security) encryption, ensuring data cannot be intercepted in transit.
• Strict access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. All access is logged, monitored, and subject to regular audits.
• Continuous monitoring: We maintain security monitoring systems that detect and alert on suspicious activity, unauthorized access attempts, and potential vulnerabilities.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We continuously review and update our security practices to address emerging threats, but we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities in accordance with applicable laws.

9. Payment Processing

inkStar integrates with third-party payment processors to facilitate payment transactions. When you or your End Customers make payments through the Platform, the payment data is collected and processed directly by our payment processor partners. These partners are PCI DSS-compliant and maintain their own privacy policies governing the handling of financial data.

inkStar does not have access to full credit card numbers, CVV codes, or complete bank account details. We retain only limited payment references (such as transaction IDs, amounts, dates, and the last four digits of payment methods) for the purpose of providing transaction history and business reporting.

You are responsible for reviewing the privacy policies of our payment processor partners. Payment processing is subject to the terms and policies of these third-party processors in addition to this Privacy Policy.

10. Who We Share Information With

We do not sell your personal data. We may share your information with the following categories of recipients only as necessary to operate and improve the Platform:

• Service providers: Cloud hosting, infrastructure, email delivery, and communication service providers who help us operate the Platform, bound by data processing agreements.
• Payment processors: Third-party payment providers who process financial transactions on behalf of you and your End Customers, operating under their own privacy policies and PCI DSS compliance.
• AI service providers: Third-party AI model providers (including OpenAI) who power our AI features, receiving only non-sensitive, non-personally-identifiable data as described in Section 7.
• Analytics providers: Services that help us understand Platform usage and performance through aggregated, anonymized data.
• Legal and regulatory authorities: When required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of inkStar, our Users, or the public.
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity, who will be bound by this Privacy Policy.
• With your consent: We may share your information with other third parties when you have given us explicit consent to do so.

We never sell, rent, or trade your personal data to third parties for their marketing purposes.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Platform. These technologies fall into the following categories:

• Strictly necessary cookies: Required for the Platform to function properly, including authentication, security, and session management. These cannot be disabled.
• Functional cookies: Remember your preferences and settings (such as language and timezone) to provide a personalized experience.
• Analytics cookies: Help us understand how the Platform is used, which features are most popular, and where we can improve. This data is collected in aggregate.
• Marketing cookies: Used to deliver relevant communications about inkStar and measure the effectiveness of our outreach. These are only placed with your consent.

You can manage your cookie preferences through your browser settings or through our cookie consent controls. Disabling certain cookies may affect the functionality of the Platform. For more information, you may refer to our cookie consent banner upon first visit.

12. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data based on the following legal grounds:

• Performance of a contract: Processing necessary to provide you with the Platform and its services as outlined in our Terms of Service, including account management, service delivery, and subscription billing.
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Platform, ensuring security, preventing fraud, and conducting analytics — provided these interests are not overridden by your fundamental rights.
• Consent: Processing based on your explicit, freely given consent, such as receiving marketing communications, using optional AI features, or enabling non-essential cookies. You may withdraw your consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws and regulations, including tax reporting, anti-money-laundering requirements, and responding to lawful requests from public authorities.

13. International Data Transfers

inkStar is based in Germany and primarily stores data within the European Economic Area (EEA). However, some of our service providers and AI partners may process data outside the EEA. When your data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.

By using the Platform, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, which may have different data protection laws. We take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

14. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Active account data: Retained for the duration of your active account and ongoing use of the Platform.
• Post-account closure: After account deletion, we retain certain data for up to 6 years as necessary for legal obligations, dispute resolution, and enforcement of our agreements.
• Financial and payment records: Retained for up to 10 years as required by tax, accounting, and regulatory obligations.
• Anonymized and aggregated data: May be retained indefinitely for analytics, research, and Platform improvement purposes, as it is no longer linked to any individual.
• Backup data: Encrypted backup copies are retained for a limited period as part of our disaster recovery procedures and are securely deleted according to our backup rotation schedule.

When data is no longer needed, it is securely deleted or anonymized. You may request deletion of your personal data at any time by contacting us (see Section 21), subject to our legal retention obligations.

15. Your Rights and Choices

Depending on your location and applicable data protection laws, you may have the following rights regarding your personal data:

• Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
• Right to erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions (such as data required for legal compliance or contract fulfillment).
• Right to restrict processing: You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@inkstar.com. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

16. Children's Privacy

The Platform is not intended for use by individuals under the age of 18 (or the age of legal majority in their jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at privacy@inkstar.com.

17. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You have the right to know what personal information we collect, use, disclose, and sell (if applicable), and the purposes for such collection.
• Right to delete: You have the right to request deletion of the personal information we have collected from you, subject to certain exceptions.
• Right to opt out: You have the right to opt out of the sale or sharing of your personal information. inkStar does not sell personal information, but you may exercise this right at any time.
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights, including by denying services, charging different prices, or providing a different quality of service.
• Right to correct: You have the right to request correction of inaccurate personal information we hold about you.

To exercise your California privacy rights, please contact us at privacy@inkstar.com or submit a request through your account settings. We will verify your identity and respond within 45 days as required by law.

18. European Economic Area and United Kingdom

If you are located in the EEA or UK, your personal data is protected under the General Data Protection Regulation (GDPR) and the UK GDPR respectively. inkStar, based in Weißenhorn, Germany, is the Data Controller for account and platform data as described in Section 6.

You have all the rights listed in Section 15, plus the right to lodge a complaint with your local supervisory authority. In Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) or the relevant state data protection authority for your location.

Where we rely on legitimate interests as a legal basis for processing, you have the right to object. We will cease processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims.

19. Third-Party Links and Services

The Platform may contain links to or integrations with third-party websites, applications, and services that are not operated by inkStar. These include payment processors, calendar integrations, social media platforms, and other tools you may connect to your account.

We are not responsible for the privacy practices of these third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your personal data. Your interactions with third-party services are governed by their respective terms and privacy policies.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Platform features. When we make material changes, we will notify you by posting the updated Privacy Policy on the Platform with a revised "Last Updated" date, and where appropriate, by sending you an email notification or displaying a prominent notice within the Platform.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

21. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: