Skip to main content

Privacy Policy

Last Updated: March 14, 2026

1. Introduction & Controller Identity

This Privacy Policy explains how omnelyx (“we”, “us”, “our”) collects, uses, and protects personal data when you visit this website and when you contact the studio for tattooing or piercing enquiries. It also explains your rights and how you can exercise them.

Data Controller: Omnelyx Tattoo Studio LLC, 30 St John Street, Clerkenwell, London EC1M 4AY, United Kingdom. Contact email: [email protected]. Telephone: +44 20 7946 2839.

Effective Date: March 14, 2026. If you have questions about this policy or how your data is handled, contact us using the details above.

2. Personal Data We Collect

We collect personal data that you provide directly, as well as limited technical data that your browser sends when you view a website. The categories below describe what we may collect depending on how you interact with us.

  • Identity and contact data: name, email address, phone number, and any other details you choose to include in your message.
  • Booking and enquiry content: information you enter in a contact or booking request form, such as placement, size, style references, preferred dates, or other scheduling details.
  • Technical data: IP address, device type, operating system, browser type and version, language settings, approximate location derived from IP, and diagnostic data about site performance.
  • Usage data: pages viewed, time spent on pages, referral source, click paths, and interaction events that help us understand site usage (where you have consented to analytics cookies).
  • Cookies and identifiers: cookie identifiers and consent status stored in your browser, as described in Section 4.
  • Conversion events: signals that a message was sent or that a page was viewed, used to measure marketing performance (only where marketing consent is given).

We do not intentionally collect special-category personal data (for example, data revealing health conditions, religion, political opinions, or sexual orientation), and we do not request government identification numbers or financial account details through this website. Please avoid including sensitive information in free-text message fields.

3. Why We Process Personal Data & Legal Basis

We process personal data for specific purposes and rely on recognized legal bases under GDPR/UK GDPR where applicable. The legal basis depends on the context of the processing.

  • Responding to enquiries and arranging appointments: to reply to your message, propose appointment times, confirm service details, and keep a record of our correspondence. Legal basis: Article 6(1)(b) (steps prior to entering into a contract) and, where required by local law, Article 6(1)(a) (consent).
  • Analytics and performance measurement: to understand how the site is used and to improve usability and stability. Legal basis: Article 6(1)(a) (consent) where analytics cookies are used.
  • Marketing and remarketing: to measure advertising performance and deliver relevant advertising to users who have opted in. Legal basis: Article 6(1)(a) (consent) where marketing cookies are used.
  • Security and fraud prevention: to protect the site from abuse, bot traffic, and suspicious activity, and to keep systems secure. Legal basis: Article 6(1)(f) (legitimate interests), balanced against your rights.
  • Legal compliance: to comply with applicable laws, respond to lawful requests, and retain records where required. Legal basis: Article 6(1)(c) (legal obligation).

Automated Decision-Making (GDPR Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for you.

4. Cookies & Tracking Technologies

Cookies are small text files stored by your browser. We also use similar technologies such as pixel tags and server-side event signals, depending on your consent settings. Cookies on this site fall into three categories: Essential, Analytics, and Marketing. Essential cookies are required for the site to function; analytics and marketing cookies are optional and depend on your preferences.

Essential (always active)

Essential cookies support basic site operations and consent storage. Examples include _site_session (session continuity) and cookie_consent (your consent preferences). Retention ranges from session duration to up to 12 months depending on the cookie.

Analytics (consent required)

If you opt in, we may use Google Analytics 4 (GA4) to understand traffic patterns and improve the site. GA4 typically sets cookies such as _ga and _ga_XXXXXXXXXX. Where configured, IP addresses are processed in a manner consistent with GA4 settings and may be anonymized or truncated depending on your region and configuration. Analytics data retention is typically set to 14 months.

Marketing (consent required)

If you opt in, marketing cookies may be used to measure conversions and support relevant advertising. Examples include Google Ads cookies (such as _gcl_au) and Meta cookies (such as _fbp and _fbc, where a click identifier exists). These technologies can support remarketing, audience building (including custom and lookalike audiences), and conversion attribution.

Beyond cookies, tracking may also involve pixel tags (for example, gtag.js and Meta Pixel) and server-side event sharing (for example, Meta Conversion API or Google server-side tagging), where implemented and where consent allows. If server-side tracking is enabled, some identifiers may be hashed before transmission.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Article 6(1)(a)). Your consent choice is recorded in the cookie_consent cookie (typically for 12 months).

You can withdraw or adjust consent at any time by using the “Manage cookie preferences” link in the footer or by clearing cookies in your browser settings. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.

6. Sharing With Advertising & Service Partners

We may share limited personal data with service providers that help us operate the website and measure performance, subject to your consent settings. We do not sell personal data.

  • Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events when enabled by consent. Privacy: https://policies.google.com/privacy.
  • Meta Platforms, Inc. (Meta Pixel, custom/lookalike audiences, Conversion API): page views, conversion events, and audience membership when enabled by consent. Privacy: https://www.facebook.com/privacy/policy.
  • Cloudflare, Inc. (CDN and security): IP-based threat detection and delivery optimization to keep the site reliable. Privacy: https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes beyond providing services to us, subject to their role as processors/service providers and your consent choices.

7. International Transfers

Some providers (including Google and Meta) may process data outside the EEA/UK, including in the United States. Where required, we rely on appropriate safeguards for international transfers, such as the EU–US Data Privacy Framework (DPF) and the UK Extension to the DPF (where applicable), and Standard Contractual Clauses (EU 2021/914) as a fallback. UK transfers may also rely on the UK International Data Transfer Agreement (IDTA) as a fallback.

8. Data Retention

We keep personal data only for as long as necessary for the purpose it was collected, and to meet legal and operational requirements. Typical retention periods are:

  • Contact submissions and booking enquiries: up to 2 years from the last interaction, unless a longer period is needed for legal reasons.
  • Email correspondence: for the duration of our relationship and up to 1 additional year for continuity and dispute handling.
  • Analytics data: typically 14 months, subject to configuration and consent.
  • Marketing cookies: retained according to the cookie lifetime (for example, 90 days for some marketing cookies).
  • Server and security logs: typically up to 90 days unless a security investigation requires longer retention.
  • Cookie consent records: up to 3 years for audit and compliance purposes.
  • Legal/tax records: retained as required by applicable law (often 6–10 years for invoices and related records).

9. Your Rights (GDPR & UK GDPR)

Depending on your location, you may have rights under GDPR/UK GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent at any time (Article 7(3))
  • Right to lodge a complaint with a supervisory authority (Article 77)

To exercise your rights, email [email protected]. We typically respond within 30 days. For complex requests, we may extend the response period by up to 60 additional days as permitted by law.

Supervisory authorities: EU guidance via https://edpb.europa.eu. UK: https://ico.org.uk. Germany: https://www.bfdi.bund.de. France: https://www.cnil.fr. Poland: https://uodo.gov.pl. Spain: https://www.aepd.es.

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without verifiable parental consent, contact us and we will delete the information promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own handling of DNT or similar signals.

12. Data Deletion Requests

You may request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. For security, we may ask for information to verify your identity. We aim to complete deletion within 30 days where feasible, subject to any legal retention obligations.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, reorganization, or insolvency, personal data may be transferred to a successor entity as part of that transaction. If such a transfer materially changes how your personal data is used, we will provide notice on this website.

14. California Privacy Notice (CCPA/CPRA)

This section applies to California residents where the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is applicable.

Categories of personal information disclosed in the past 12 months may include: identifiers (such as name, email, IP address, cookie IDs), internet or network activity (such as pages viewed and interaction events), and inferences (such as interests derived from site interactions, where marketing consent is provided).

We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising where you have opted in via cookie preferences. You may opt out by adjusting marketing cookies using the “Manage cookie preferences” link in the footer.

California residents may have the right to know, delete, and correct personal information, and to opt out of sale/sharing. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your identity before fulfilling a request. Authorized agents may submit requests with written proof of authorization.

15. Virginia (VCDPA)

Where applicable, Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we deny a request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to an appeal within 60 days. If the appeal is denied, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements, our practices, or the services we use. Material changes may be announced via a notice on the homepage at least 14 days before taking effect, where appropriate. The “Last Updated” date at the top of this page reflects the most recent revision.

18. Contact

For privacy questions or requests, contact: