1. Introduction
DREMONPRO is an AI-powered studio platform built for tattoo artists and studios. Our product includes 3D body scanning, AI-assisted design tools, smart stencils, AR placement previews, and client management features. Because our product works with sensitive creative and biometric data, we hold ourselves to the highest data-protection standards.
This Privacy Policy explains what personal data we collect when you use DREMONPRO, how we use it, with whom we share it, how long we keep it, and what rights you have over it. It applies to all users of DREMONPRO — whether you are an individual artist, a studio owner, or a client whose information is uploaded by your tattoo artist.
This policy covers the DREMONPRO website (dremonpro.com), the DREMONPRO web application, mobile applications, and any related APIs or integrations. It does not apply to third-party services linked from DREMONPRO — those services have their own privacy policies.
By creating an account or using the Service, you confirm that you have read and understood this policy. If you do not agree, please do not use DREMONPRO.
2. Definitions
Throughout this policy the following terms have the meanings set out below:
- "DREMONPRO", "we", "us", "our" — DREMONPRO B.V. and its affiliated entities.
- "Service" — the DREMONPRO software platform, website, web application, mobile application, APIs, and any related products or features.
- "You", "user" — any person who accesses or uses the Service, including artists, studio owners, and clients whose data is processed through the Service.
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Special Category Data" — data revealing racial or ethnic origin, health information, biometric data used to uniquely identify a person, and similar sensitive categories under Article 9 GDPR.
- "Processing" — any operation performed on Personal Data, including collection, storage, use, transfer, and deletion.
- "Controller" — the entity that determines the purposes and means of Processing.
- "Processor" — an entity that Processes Personal Data on behalf of a Controller.
- "EEA" — the European Economic Area.
- "GDPR" — EU General Data Protection Regulation 2016/679.
- "UK-GDPR" — the UK GDPR as retained in UK law by the European Union (Withdrawal) Act 2018.
- "CCPA/CPRA" — the California Consumer Privacy Act as amended by the California Privacy Rights Act.
3. Data controller
DREMONPRO B.V. is the Data Controller for Personal Data collected in connection with account registration, billing, communications, and platform analytics.
For content you upload through the product — including designs, scan data, and client records — DREMONPRO acts as a Data Processor on your behalf. You are the Controller of that content and are responsible for having a lawful basis for processing it. Our Data Processing Addendum (DPA) governs that relationship and is available for Studio and Enterprise customers.
DREMONPRO B.V.
Wilhelminakade 308, 3072 AR Rotterdam, The Netherlands
KvK (Chamber of Commerce): 94821705
VAT: NL867432918B01
Email: privacy@dremonpro.com
4. Data we collect
4.1 Account and identity data
- Name, email address, and hashed password
- Profile photo (optional)
- Studio or business name, country, and VAT number (Pro and Studio plans)
- IP address and approximate geolocation (city-level) at sign-up and login, for security purposes
- Social login identifiers, if you choose to sign in with Apple or Google
4.2 Billing and payment data
- Billing name and address
- Payment method — processed exclusively by Stripe; we store only a tokenised card reference and the last four digits. We never see or store raw card numbers.
- Invoice history and subscription status
- VAT identification numbers (for EU businesses, as required for tax compliance)
4.3 Content you upload
- Tattoo designs, stencils, reference images, flash art, and portfolio assets
- 3D body-scan meshes and optional photographs used for placement previews — see Section 7 for the special handling of this data
- Client booking information, appointment notes, and messages routed through DREMONPRO's studio management features
- AI-generated artwork and design outputs created using the DREMONPRO tools
- Any comments, annotations, or other content you add within the platform
4.4 Usage and technical data
- Feature usage events — collected only with your explicit consent (e.g. "opened 3D preview", "exported stencil")
- Crash logs and performance traces, stripped of all content data before collection
- Device type, operating system version, app version, and screen resolution
- Session tokens and authentication logs, retained for security and fraud prevention
- Referral source and UTM campaign parameters at first visit, if you arrived via a marketing link
4.5 Waitlist and communications data
- Email address and any optional information you provide when joining the waitlist
- Your referral code and the codes of any users you referred
- Email open and click events processed by our transactional email provider
- Responses to surveys or feedback forms, where you choose to complete them
4.6 Data we do not collect
- We do not collect social media profiles or cross-site browsing history.
- We do not buy or ingest third-party data about you from data brokers or advertising networks.
- We do not run advertising pixel trackers or retargeting scripts.
- We do not collect data from children under 18.
5. How we use your data
- Providing the Service. To create and maintain your account, store your content, process your designs, and operate the full functionality of the DREMONPRO platform.
- Payment processing. To handle subscription billing, issue invoices, and process refunds in compliance with financial and tax law.
- Transactional communications. To send you account-related emails such as password resets, billing notifications, subscription renewals, and security alerts. These are not optional — they are part of the Service.
- Security and fraud prevention. To detect, investigate, and prevent fraud, abuse, account takeover, and other harmful activity.
- Product improvement. With your consent, to analyse how features are used in order to fix bugs, prioritise development, and improve the user experience. We use only anonymised and aggregated data for this purpose.
- Legal compliance. To comply with applicable laws, including tax obligations, data protection regulations, and responses to lawful requests from authorities.
- Marketing. With your explicit opt-in consent, to send you product updates, early access invitations, and other promotional communications. You can opt out at any time.
- Support. To respond to your support requests and maintain a record of interactions for quality assurance.
6. Lawful basis for processing (GDPR)
| Purpose | Data category | Lawful basis (GDPR) |
|---|---|---|
| Provide the Service | Account, content, billing | Art. 6(1)(b) — contract performance |
| Process payments | Billing, identity | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Transactional emails | Email, account | Art. 6(1)(b) — contract performance |
| Security and fraud prevention | Auth logs, IP address | Art. 6(1)(f) — legitimate interest |
| Product analytics | Usage telemetry (anonymised) | Art. 6(1)(a) — consent |
| Tax and accounting records | Invoices, billing data | Art. 6(1)(c) — legal obligation |
| 3D body scan processing | Biometric mesh data | Art. 9(2)(a) — explicit consent |
| Marketing emails | Email address | Art. 6(1)(a) — consent (explicit opt-in) |
| Support correspondence | Email, account, content | Art. 6(1)(f) — legitimate interest |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests do not override your rights and freedoms. You may request a copy of that assessment by emailing privacy@dremonpro.com.
7. Body scan data — special category
Body-scan data — including LiDAR meshes, depth maps, and associated photographs captured for placement purposes — constitutes biometric data and, where it reveals information about physical characteristics linked to identity, falls within the definition of Special Category Data under Article 9 GDPR. We treat it accordingly, applying the strictest standards in our data protection programme.
7.1 On-device processing
All body scans are processed locally on your device. The mesh is generated, displayed, and used for placement previews entirely on-device. No scan data is transmitted to DREMONPRO servers unless you explicitly opt in to cloud synchronisation for a specific scan.
7.2 Cloud synchronisation (opt-in only)
If you enable cloud sync for a scan, the data is encrypted client-side before transmission, using a per-user key derived from your credentials. DREMONPRO's servers receive and store only the ciphertext. We cannot decrypt or access the contents of your scans. Sync can be disabled per scan or globally at any time in Settings.
7.3 Storage location
Cloud-stored scans are held exclusively in AWS EU regions: eu-west-1 (Dublin) and eu-central-1 (Frankfurt). Scan data is never transferred outside the EEA except at your explicit instruction.
7.4 No foundation-model training
Scan data is never used to train DREMONPRO's foundation models, any third-party AI models, or any general-purpose machine-learning system. This is an absolute commitment.
7.5 Personal style models (opt-in only)
With your explicit, per-artist consent — collected as a separate opt-in from your general account agreement — you may choose to train a private style model that only you can access. You may revoke this consent and request deletion of any derived model at any time. Upon revocation, the model will be deleted within 30 days.
7.6 Client consent requirement
Our Terms of Service require you, as the artist or studio, to obtain and document informed consent from your clients before scanning them. Scanning a person without consent violates our Terms, applicable data protection law, and in some jurisdictions may constitute a criminal offence. If a client requests deletion of their scan data from your workspace, you should fulfil that request without undue delay using the deletion tools in your DREMONPRO dashboard.
8. Data retention
| Data category | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account + 30 days after deletion request | Service provision |
| Content (designs, scans) | Duration of account + 30 days; removed from backups within 90 days | Service provision |
| Invoices and billing records | 10 years from invoice date | Dutch Tax Authority obligation; EU VAT rules |
| Security and authentication logs | 12 months | Fraud prevention and incident response |
| Analytics (aggregated, anonymised) | 24 months, then anonymised further or deleted | Product improvement |
| Support correspondence | 3 years from resolution | Quality assurance and legal claims |
| Waitlist data | Until you unsubscribe or request deletion, or after 36 months of inactivity | Pre-launch communications; legitimate interest |
After account deletion, we remove Personal Data from all production systems within 30 days and from encrypted backups within 90 days. Data subject to legal retention obligations (e.g. invoices) is isolated from your general data and inaccessible via the platform.
9. Your rights
Depending on where you are located, you hold some or all of the following rights. We will respond to all valid requests within 30 calendar days (extendable by a further 60 days in complex cases, with written notice).
Rights under GDPR and UK-GDPR
- Right of access (Art. 15) — obtain a copy of your Personal Data and information about how we process it.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data at any time.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — limit how we use your data in certain circumstances, for example while a dispute is being resolved.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV) and transfer it to another service.
- Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22) — DREMONPRO does not make any solely automated decisions with significant legal or similarly significant effects.
- Right to withdraw consent — withdraw any consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
Rights under CCPA/CPRA (California residents)
- Right to know — what Personal Information we collect, use, and share.
- Right to delete — request deletion of Personal Information we hold, subject to certain exceptions.
- Right to correct — correct inaccurate Personal Information.
- Right to opt out of sale or sharing — we do not sell Personal Information or share it for cross-context behavioural advertising.
- Right to non-discrimination — we will never discriminate against you for exercising your privacy rights.
- Right to limit use of sensitive personal information — you may limit our use of sensitive categories (such as biometric data) to what is strictly necessary for the Service.
How to exercise your rights
Most rights can be exercised directly in-app: Settings → Privacy → My Data. You can export all your data, correct your profile, and delete your account from there. For rights that cannot be fulfilled in-app, or for rights exercised on behalf of another person, email privacy@dremonpro.com with your request and account email. We may ask you to verify your identity before acting on a request.
Supervisory authorities: EU residents may lodge a complaint with their national data protection authority. In the Netherlands: Autoriteit Persoonsgegevens. UK residents: Information Commissioner's Office (ICO). You are also entitled to lodge a complaint in the EU member state of your habitual residence.
10. Third parties and sub-processors
We do not sell Personal Data. We do not share Personal Data with advertising networks, data brokers, or social media companies for advertising purposes. We share data only with the sub-processors listed below, each bound by a Data Processing Agreement and appropriate transfer safeguards.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel | Website hosting and serverless API functions | US / EU edge | SCCs + Vercel DPA |
| Resend | Transactional email delivery | US | SCCs |
| Plausible Analytics | Privacy-first website analytics (cookieless, no personal data, no fingerprinting) | EU (Germany) | In-EEA — no transfer |
| Stripe | Payment processing | US / EU | SCCs + Stripe DPA; PCI-DSS Level 1 |
| Amazon Web Services (AWS) | Cloud hosting and storage (scan data, backups) | EU (Ireland, Frankfurt) | DPA; no transfer outside EEA for user content |
| Cloudflare | DDoS protection, CDN, DNS | Global edge / EU PoPs | SCCs + Cloudflare DPA |
| Vercel KV (Upstash) | Waitlist queue and rate-limiting storage | EU | SCCs |
We may also disclose Personal Data to legal and regulatory authorities where required by applicable law, a court order, or to protect our legal rights or the safety of our users. We will notify you of such disclosures where permitted by law.
A current sub-processor list is available in our Data Processing Addendum and by emailing privacy@dremonpro.com.
11. Cookies and tracking
We use cookies and similar technologies to keep you logged in, remember your preferences, and — with your consent — to understand how people use DREMONPRO so we can improve it.
Our analytics tool is Plausible Analytics, which is cookieless, collects no personal data, performs no cross-site tracking, and is GDPR-compliant by design. We do not use Google Analytics, Facebook Pixel, or any other advertising tracker.
For a full breakdown of every cookie we set, including duration and purpose, and to manage your preferences, see our Cookie Policy.
12. International data transfers
DREMONPRO is headquartered in the Netherlands and stores most data within the EEA. Where we engage sub-processors in third countries — primarily the United States — we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Agreement (IDTA) as the transfer mechanism.
We have completed transfer impact assessments for all third-country transfers and are satisfied that the safeguards in place are adequate to protect your rights. Copies of relevant SCCs are available on request by emailing privacy@dremonpro.com.
13. Security measures
- In transit: TLS 1.3 for all network communication between clients and servers.
- At rest: AES-256 encryption for all stored data. Client-side encryption for body-scan data means we cannot decrypt it.
- Access control: Production access requires multi-factor authentication, is role-based (least privilege), and is logged to an immutable audit trail.
- Vulnerability management: Continuous dependency scanning, automated security testing in CI/CD pipelines, and regular manual penetration tests.
- Responsible disclosure: We operate a responsible disclosure programme. If you discover a security vulnerability, please report it to security@dremonpro.com. We will respond within 72 hours.
- Breach notification: In the event of a personal data breach that poses a risk to your rights, we will notify affected users and relevant supervisory authorities within 72 hours of discovery, as required by GDPR Article 33.
Despite our best efforts, no system is perfectly secure. If you have concerns about the security of your account, contact us immediately at security@dremonpro.com.
14. Children's privacy
DREMONPRO is not intended for, and does not knowingly collect Personal Data from, individuals under the age of 18. By creating an account, you represent that you are at least 18 years old. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at privacy@dremonpro.com and we will delete that data without undue delay.
If we learn that we have inadvertently collected data from a minor, we will delete the account and all associated data within 72 hours of discovery.
15. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes — changes that significantly affect your rights or how we use your data — we will:
- Notify registered account holders by email at least 30 days before the change takes effect.
- Show a prominent notice within the DREMONPRO application.
- Update the "Last updated" date and version number at the top of this page.
Non-material changes (such as clarifications, corrections, or reorganisation of existing content without changing substance) may take effect immediately and will be reflected in the "Last updated" date. We encourage you to review this policy periodically.
16. Contact and Data Protection Officer
General privacy enquiries and data subject requests:
Email: privacy@dremonpro.com
Response time: within 30 calendar days (complex requests may take up to 90 days, with notice)
Data Protection Officer:
Email: dpo@dremonpro.com
Post: DPO, DREMONPRO B.V., Wilhelminakade 308, 3072 AR Rotterdam, The Netherlands
For legal service of process or formal legal correspondence, please address it to the postal address above, marked "Legal Department — Confidential".