Ir al contenido principal
← Back

Privacy Policy

Last updated: 20/05/2026

1. Data controller

  • Name: Iker Jurado
  • Postal address: Carrer Ignasi Mas, s/n, Barcelona
  • Email: hola@bryana.es
  • Data Protection Officer (DPO): Not applicable. Given the volume of data processed and the nature of the processing, appointing a Data Protection Officer is not mandatory under Article 37 GDPR.

2. Data we collect and purposes

We distinguish two sets of personal data depending on who the data subject is and who acts as controller under the GDPR.

2.1. Tattoo artist or studio data (Bryana's direct customer)

Bryana is the controller of this data.

  • Identification and account: email address, name, studio name, contact phone number if provided — to create and maintain the account, billing, support, and operational communications related to the service.
  • Payment data: processed by Stripe Payments Europe, Ltd. as payment processor. Bryana does not store full bank card numbers.
  • Technical and usage data: IP address, browser type, access logs, aggregated or pseudonymised usage events — for security, abuse prevention, diagnostics, and product improvement.

2.2. End-customer data (people who contact the tattoo artist)

The tattoo artist or subscribing studio is the controller of this data. Bryana processes it as a processor, under the Data Processing Agreement (DPA) — request it by email at hola@bryana.es — accepted when the studio administrator registers at https://app.bryana.es.

  • Identification and contact: name, Instagram handle or other public identifiers, phone or email if provided.
  • Conversations: messages and metadata associated with connected channels (e.g. Instagram/WhatsApp via Unipile).
  • Preferences and operations: tattoo type, body area, appointments, budget, reference photos, or other content the data subject sends to the studio.

3. Legal basis

  • Tattoo artist data: performance of the subscription contract or terms of use (Art. 6(1)(b) GDPR); compliance with legal obligations in tax and commercial matters (Art. 6(1)(c)); legitimate interest in security and service improvement (Art. 6(1)(f)), with a balancing of interests assessment; and, where applicable, consent for newsletters or other non-essential commercial communications (Art. 6(1)(a)).
  • End-customer data: the processing agreement between the studio and Bryana (Art. 28 GDPR) on the basis of the service contract between the tattoo artist and their end customer, and/or consent or another basis as applicable according to the information the studio has provided to its own customers. It is the studio's responsibility to have an adequate legal basis.

4. Retention period

  • Tattoo artist and billing data: for the duration of the account and, after closure, for as long as necessary to handle claims and the statutory retention period for accounting and tax records (approximately up to 4 years or another period required by applicable law).
  • Conversations and operational end-customer data: by default 24 months from the last interaction recorded on the platform, unless the studio requests earlier deletion when technically feasible and no legal retention obligation applies, or unless a different period is contractually enabled by Bryana.
  • Payment data in Stripe: according to Stripe's retention policy. Bryana retains customer/billing identifiers necessary for the contractual relationship.
  • Technical logs: short periods focused on security and support (e.g. weeks or months, unless incidents require limited extended retention).

5. Processors and sub-processors

Bryana uses providers that process personal data on Bryana's behalf. In each case, contractual measures apply and, where relevant, Standard Contractual Clauses (SCCs) or other Chapter V GDPR safeguards for transfers outside the EEA.

  • Vercel Inc. (United States) — application hosting and deployment. Privacy policy. Transfers outside the EU covered by SCCs or other appropriate measures.
  • Supabase, Inc. (infrastructure in the European Union) — database and authentication. Privacy policy.
  • Stripe Payments Europe, Ltd. — payments. Privacy policy. May involve processing in third countries with GDPR safeguards.
  • Unipile (France) — Instagram/WhatsApp integration. Privacy policy.
  • OpenAI, LLC (Delaware, USA) — text processing for AI features. Privacy policy. May involve transfers to the USA with SCCs or other safeguards.
  • Resend, Inc. (United States) — transactional email delivery. Privacy policy.
  • Upstash, Inc. (United States) — cache storage / rate limiting. Privacy.
  • Functional Software, Inc. (Sentry) (United States) — only if the owner enables Sentry or equivalent monitoring. Privacy policy.

6. International transfers

Some of the processors listed above process data in the United States or other third countries. In those cases, Bryana seeks to base the transfer on adequacy decisions, SCCs approved by the European Commission, or supplementary measures where required by case law or guidance from supervisory authorities.

7. Data subject rights

You may exercise the rights of access, rectification, erasure, objection, restriction of processing, portability and, where applicable, not to be subject to decisions based solely on automated processing, when applicable under the GDPR.

To exercise them, write to privacidad@bryana.es stating your request and a reasonable means of verification. End customers of a studio should primarily contact the tattoo artist as controller; Bryana will assist the studio to the extent contractually provided.

8. Complaint to the AEPD

If you believe the processing violates applicable law, you have the right to lodge a complaint with the Spanish Data Protection Agency: www.aepd.es.

9. Cookie policy

Detailed information about cookies and similar technologies on the public website is available at /cookies.

10. Changes

We reserve the right to modify this policy. Material changes will be communicated with at least 15 days' notice by email to the main account associated with the service and, where applicable, via notice in the application panel.

11. Last update date and history

Published version: 20/05/2026. Significant previous versions may be retained and made available to the data subject upon reasonable request to privacidad@bryana.es.

12. Security and automated decisions

Appropriate technical and organisational measures are applied (encryption in transit, access controls, backups, etc.). The service may include AI-assisted features; the studio retains final control over its relationship with its customers.

← Back