Privacy Policy

When you sign up: your email address, the username and display name you choose, and the shop name you add to your profile (if you give us one). Authentication is handled by Supabase.

When you complete checkout: your shipping address, so we can mail you the physical NFC tag. Payment information is collected by Stripe and never touches our servers — we receive only the subscription status and the last four digits of your card so we can show it back to you in the billing portal.

When clients tap your chair tag: an anonymized view session (timestamp, IP, country code, user-agent string). We don’t tie this back to the person tapping — they aren’t signed in, and we don’t profile them.

We use this information to provide the service: ship your tag, bill your subscription, render your flash gallery when a tag is tapped, send you transactional emails about your tag’s status (shipped, delivered, activated), and surface usage analytics back to you in your dashboard.

We don’t use it for advertising. We don’t sell it to data brokers. We don’t share it with marketing partners, because we don’t have any.

To run FlashTap we rely on a small set of services. Each one sees only the data it needs to do its job:

• Supabase — hosts our database, authentication, and file storage. They see everything we store: email, username, display name, shipping address, flash images, NFC tag records, view session metadata.
• Stripe — processes subscription billing and one-time charges (additional tags, lifetime license). They handle all payment information; FlashTap never receives or stores card data.
• Shippo — generates shipping labels and reports tracking events. They receive your shipping address and the tracking number for each shipment.
• Resend — delivers our transactional emails (welcome, tag shipped, tag delivered, tag activated). They see your email address and the email body.
• Vercel — hosts the website and runs our serverless functions. Standard request logs (IP, user-agent, path) retained for 24 hours.
• Apple— distributes the iOS App Clip via the App Store. They see standard App Store telemetry per Apple’s policies.

We set two cookies. One is the Supabase session cookie that keeps you logged in. The other is a 30-day referral attribution cookie that remembers if you arrived via someone’s referral link — so they get credit if you subscribe.

We don’t use analytics cookies, tracking pixels, or any third-party advertising tags.

You can see, correct, or delete your account at any time. Email hello@flashtap.ink and we’ll handle it — we don’t hide behind portals for this. Deletion removes your account, flash, and shipping address; we retain anonymized view-session totals for analytics aggregates and billing records as required by US tax law.

California residents have additional rights under the CCPA; residents of the EU/UK have rights under GDPR/UK-GDPR. To exercise them, write to hello@flashtap.ink.

FlashTap is intended for use by tattoo artists, who are adults by definition of their craft. We do not knowingly collect data from anyone under 18. If you believe we have, email us and we’ll delete the account.

When we change this policy materially, we’ll email every active artist before the change takes effect. The effective date at the top of the page always reflects the current version.

We’re a small team. Email hello@flashtap.ink and a human reads it.