Privacy Policy

This Privacy Policy explains how we collect and use your personal data when you contact us, make a booking, or visit our website.

Controller: Martyna Zapora trading as ‘Rabbit Lab’, 8 Hicks St, Neepsend, Sheffield S3 8BL, United Kingdom.
Email: contact@rabbitlab.co.uk

Who is responsible for your data?

The controller of your personal data is Martyna Zapora trading as ‘Rabbit Lab’ (referred to as “Rabbit Lab”, “we”, “us”).
For any questions about this Policy or your data, contact contact@rabbitlab.co.uk or write to the postal address above.

What data we process

Depending on how you interact with us, we may process:

• Identification data – first name, last name; company name and VAT number (if an invoice is requested).
• Contact details – email address, phone number, and postal address.
• Service-related information – design preferences, placement on the body, size, booking details, consent forms and declarations.
• Health information (special category data) – health questionnaire details you voluntarily provide so we can assess contraindications and perform the service safely.
• Billing and booking data – payment information (limited to what we receive from your provider), booking history, bank account number if you provide it for a refund.
• Technical and usage data (website) – IP address, cookie identifiers, server logs, and device/browser information.
• Images – photographs or videos of your tattoo/body only if you give separate, explicit consent for promotional use.

Purposes and legal bases for processing

We process your data under the UK GDPR and Data Protection Act 2018 on the following bases:

• To enter into and perform a contract (e.g. quotes, bookings, and carrying out the tattoo service) – Article 6(1)(b) UK GDPR.
• To comply with legal obligations (e.g. invoicing, accounting, responding to complaints) – Article 6(1)(c) UK GDPR.
• Legitimate interests (our interest in managing the studio, preventing abuse, keeping records, analysing visits to our site, and defending or pursuing claims) – Article 6(1)(f) UK GDPR. We consider your interests and rights and will provide details on request.
• Consent – for: health questionnaire data (special category data), marketing by email/SMS, publishing your image, and non-essential cookies – Article 6(1)(a) and Article 9(2)(a) UK GDPR. You can withdraw consent at any time.

Do you have to provide your data?

Providing the data we need to book and perform the service is necessary for the contract.
Providing health information is voluntary, but without it we may not be able to proceed safely.
Data for marketing, image use, and non-essential cookies is optional and based on your consent.

Who receives your data

We share data only when needed, with appropriate safeguards, including:

• IT/hosting providers, website maintenance, email, and booking systems.
• Accountants/tax advisers.
• Payment processors (when you pay online/bank transfer).
• Postal/courier services (if we send documents/vouchers).
• Subcontractors/guest artists working with Rabbit Lab (to the extent necessary to deliver your booking).
• Public authorities or regulators when required by law.

We do not sell your personal data.

International transfers

If a service provider stores data outside the UK (or the EEA), we rely on an adequacy regulation or appropriate safeguards (e.g. the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or equivalent). Details of specific safeguards are available on request.

How long we keep your data

• Contract and billing records: for the duration of our relationship and then for as long as required by law (typically up to 6 years for tax/accounting).
• Complaints/claims records: until the relevant limitation periods expire.
• Data processed on the basis of consent: until you withdraw your consent.
• Server logs and technical data: for the period necessary for security and administration purposes.

We apply retention schedules and securely delete or anonymize data when it is no longer needed.

Your rights

You have the right to:

• Access your data (Article 15).
• Rectification (Article 16).
• Erasure (‘right to be forgotten’, Article 17).
• Restriction (Article 18).
• Data portability (Article 20).
• Object to processing based on our legitimate interests (Article 21).
• Withdraw consent at any time when processing is based on consent – this does not affect the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). See ico.org.uk for contact options.

To exercise your rights, email contact@rabbitlab.co.uk. We may need to verify your identity before responding.

Automated decision-making and profiling

We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects or similarly significant effects.

Data security

We use appropriate technical and organisational measures proportionate to the risks, including encrypted connections (HTTPS), access controls, system updates, backups, and contracts with our service providers.

Cookies and similar technologies

Our site uses necessary cookies to function, and—if you agree—functional/analytics/marketing cookies. You can change or withdraw your consent at any time via the cookie banner or your browser settings. This is done in line with the UK GDPR and PECR.

Cookie categories

• Necessary – core site functionality (legal basis: our legitimate interests).
• Functional / Analytics – improved experience and traffic insights (legal basis: your consent).
• Marketing – personalized content/ads (legal basis: your consent).

Information about specific tools we use (e.g. analytics, maps, embedded media) and their providers is shown in the cookie banner and is available on request.

Social media

We run profiles on platforms such as Instagram and Facebook. We process data to manage the profiles, interact with users, and view aggregated statistics. These platforms are independent controllers of your data; their own privacy policies apply.

Image rights and promotional materials

We may capture and publish images or videos of your tattoo only with your separate, explicit consent. You can withdraw that consent at any time for future use.

Complaints, claims, and correspondence

We process the data contained in inquiries, complaints, and other correspondence to handle them properly and then retain it in line with legal limitation periods and record-keeping duties.

Changes to this Policy

We may update this Policy from time to time, for example to reflect legal or operational changes. The latest version will be posted on our website with the effective date shown at the top.

Contact us

Questions about your personal data?
Email: contact@rabbitlab.co.uk
Post: Martyna Zapora, ‘Rabbit Lab’, 8 Hicks St, Neepsend, Sheffield S3 8BL, United Kingdom

Note on age: Our services are intended for adults (18+). We do not knowingly collect children’s data.