Privacy Policy
Last updated: February 2026
1. Introduction
Syyn ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital waiver and customer management service for body art businesses (tattoo studios, piercing studios, and related services).
We comply with the Australian Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and handle all personal information in accordance with these requirements. This policy applies to all users of our Service, including Studio Operators and their Customers.
In addition to the federal Privacy Act 1988, state and territory health information legislation may apply to the handling of health data through the Service (e.g., Health Records Act 2001 (VIC)). Studio Operators who operate as health service providers may have additional obligations under state health information laws.
2. Definitions
- "Studio Operator" means any tattoo studio, piercing studio, body art business, or individual artist who subscribes to use Syyn
- "Customer" or "Client" means any individual who signs a waiver through the Syyn platform
- "Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable
- "Sensitive Information" means personal information about health, genetics, biometric information, or other categories defined in section 6 of the Privacy Act 1988
- "Minor" means any individual under 18 years of age
3. Information We Collect
3.1 Studio Operator Information
When you register as a Studio Operator, we collect:
- Business name and ABN (if applicable)
- Contact name and email address
- Phone number
- Business address and state/territory
- Payment information (processed by our payment provider; we do not store full card details)
- Branding assets you upload (logo, banner images, colour preferences)
- Social media links (Instagram, Facebook, TikTok, etc.)
- Referral program information (referral codes, credits)
3.2 Team Member Information
For team members added to a Studio Operator account, we collect:
- Name and role (owner, artist, piercer, apprentice)
- Email address (if provided)
- Specialties and profile photo (optional)
3.3 Customer Information (Waiver Signatories)
When Customers sign waivers through our platform, the following information is collected on behalf of the Studio Operator:
- Full name and date of birth
- Contact details (email, phone, address)
- Emergency contact information (name, phone, relationship)
- Digital signature image
- Photo (if captured during signing)
- Client Profile ID (unique identifier for returning clients)
3.4 Health and Sensitive Information
Waiver forms collect sensitive health information necessary for safe body art services. This includes:
- Allergies: Latex, metals (nickel, titanium), topical anesthetics, tattoo inks/dyes, adhesives
- Medical conditions: Diabetes, epilepsy, heart conditions, bleeding disorders (hemophilia), skin conditions (eczema, psoriasis, keloid tendency)
- Current health status: Pregnancy or breastfeeding, substance influence (alcohol/drugs), current medications (especially blood thinners)
- Health alerts: Persistent health notes that carry across visits (part of Client Profiles feature)
3.5 Guardian/Parental Consent Information
For Minors (where permitted by law), we collect:
- Guardian full name and relationship to Minor
- Guardian phone number
- Guardian digital signature
- Tattoo type and location (required for WA parental consent)
3.6 Service Session Data
Studio Operators may record technical procedure details:
- Tattoo details: Ink brand, colours, batch/lot numbers, needle configuration (liner, shader, magnum)
- Piercing details: Jewelry type, material, gauge, length, brand
- Procedure information: Body placement, description, style, size
- Photos: Before, after, and healed images
- Healing notes and skin reaction observations
3.7 Technical and Audit Information
We automatically collect certain technical information to support the evidentiary integrity of signed waivers:
- IP address and approximate location (for waiver audit trails)
- Signing method (QR code scan, studio device, or direct link)
- Device type (mobile, tablet, desktop)
- Browser name and version, operating system name and version
- Screen dimensions and touch screen capability
- Studio device acknowledgement timestamp (when applicable)
- Timestamps for all signatures and consent actions
- Page visit information and feature usage
3.8 Communication Logs
We maintain logs of communications sent through the Service:
- Email logs: recipient, subject, send status, timestamp
- SMS logs (Pro+ only): recipient phone, message content, delivery status, timestamp
3.9 SMS Credit Purchase Data
For Studio Operators who purchase SMS credit packs, we collect:
- Purchase history (pack size, price, date, resulting balance)
- Credit consumption logs (included vs purchased credit source)
This data is retained for the duration of the account plus 7 years for tax and accounting purposes.
4. How We Collect Information
We collect personal information:
- Directly from you: When you register, sign a waiver, or communicate with us
- From Studio Operators: Customer information entered by studios
- Automatically: Technical data collected when you use the Service
- From third parties: Payment status from Stripe, authentication data from Clerk
5. Consent for Sensitive Information
Health and other sensitive information is collected only with express consent. This information is:
- Collected only with explicit consent obtained during the waiver signing process
- Used solely for the purpose of providing body art services safely and maintaining Client Profiles
- Shared only with the Studio Operator who collected it (and their authorised team members)
- Stored securely with appropriate access controls
- Retained only for as long as necessary to fulfil legal and business requirements
You may withdraw consent for processing of sensitive information at any time by contacting the relevant Studio Operator or us directly. Withdrawal may affect the Studio Operator's ability to provide services safely.
6. How We Use Your Information
We use the collected information to:
- Provide, operate, and maintain the Service
- Process digital waivers and store consent records
- Generate PDF copies of signed waivers
- Maintain Client Profiles linking waiver history and health alerts across visits
- Process payments and manage subscriptions
- Send transactional communications (waiver confirmations, account notifications)
- Send SMS communications on behalf of Studio Operators (Pro+ only, with consent). Consent for aftercare communications is captured during the waiver signing process (aftercare acknowledgement checkbox). Customers may contact the Studio Operator to opt out of future aftercare communications; Studio Operators are responsible for respecting Customer opt-out requests.
- Provide audit export functionality for compliance purposes
- Send aftercare SMS and email communications to Customers on behalf of Studio Operators as part of service delivery
- Improve and develop the Service based on usage patterns
- Comply with legal obligations
- Protect against fraud and ensure security of the Service
7. Information Sharing and Disclosure
We do not sell, trade, or rent personal information. We may share information as follows:
7.1 With Studio Operators
Customer waiver data is shared with the Studio Operator that collected it. Studio Operators are data controllers for their Customer data and are responsible for their own compliance with privacy laws.
7.2 With Service Providers
We use third-party service providers to operate our platform. These providers have access to personal information only as necessary to perform their functions and are contractually obligated to protect it:
| Provider | Purpose | Data Location |
|---|---|---|
| Convex | Database and backend infrastructure | United States |
| Clerk | Authentication and user management | United States |
| Stripe (via Autumn) | Payment processing | United States |
| Resend | Email delivery | United States |
| ClickSend | SMS delivery (Pro+ only) | Australia / United States |
| | Address autocomplete (Maps API) | Global |
| Vercel | Website hosting | Australia (Sydney) |
7.3 Legal Requirements
We may disclose personal information when required by law, court order, or government request, or when we believe disclosure is necessary to:
- Comply with legal obligations
- Respond to lawful requests by public authorities
- Protect the rights, property, or safety of Syyn, our users, or others
- Enforce our Terms and Conditions
7.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred to the acquiring entity. We will notify affected users before their personal information becomes subject to a different privacy policy.
8. Cross-Border Data Transfer
Our Service uses cloud infrastructure that stores data in locations outside Australia, primarily in the United States. In accordance with Australian Privacy Principle 8 (APP 8), we take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs by:
- Using service providers that maintain equivalent or stronger privacy protections
- Entering into data processing agreements with providers
- Selecting providers that comply with recognised data protection frameworks
By using the Service, you consent to the transfer of your personal information to these overseas locations. You acknowledge that overseas recipients may not be subject to the Privacy Act 1988 and you may not be able to seek redress under the Privacy Act in relation to their handling of your information.
9. Data Security
We implement appropriate technical and organisational measures to protect personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms with multi-factor authentication options
- Regular security assessments and monitoring
- Access controls limiting data access to authorised personnel
- Audit logging of access to sensitive information
- Secure deletion procedures when data is no longer required
While we take reasonable steps to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. Data Breach Notification
In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, if we experience a data breach that is likely to result in serious harm to affected individuals, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify affected individuals as soon as practicable, including details of the breach and recommended steps to take
- Notify affected Studio Operators so they can inform their Customers where appropriate
We will notify affected parties within 30 days of becoming aware of a qualifying breach.
11. Data Retention
We retain personal information for as long as necessary to provide services and comply with legal obligations. Retention periods vary by data type:
| Data Type | Retention Period | Reason |
|---|---|---|
| Signed waivers | Minimum 7 years | Australian business records, state health regulations, statute of limitations |
| Client Profiles | Duration of Studio account + 7 years | Business records requirement |
| Service Session records | Minimum 7 years | Health audit requirements, product recall traceability |
| Communication logs | 2 years | Service operation and troubleshooting |
| Account data | Duration of account + 90 days after closure | Allow data export and account recovery |
| Payment records | 7 years | Tax and accounting requirements |
"Minimum 7 years" means 7 years from the date of creation (e.g., date of waiver signing). "Duration of Studio account + 90 days" means 90 days after account closure for export and recovery. Where legal retention requirements (7 years) exceed the account retention period (90 days), the longer period applies.
After the applicable retention period, data will be securely deleted or de-identified. Studio Operators may request earlier deletion of specific data, subject to minimum legal retention periods.
12. Children's Data and Minors
The Service may collect personal information from Minors (under 18) in the context of body art services where permitted by law. We apply additional protections for Minor data:
- Parental consent required: Guardian consent is collected for Minors in accordance with state/territory requirements
- Limited collection: We collect only information necessary for the waiver and service
- Age verification: Age is calculated from date of birth and flagged in records
- State-specific rules: The Service enforces age warnings based on state-specific legal requirements
Guardians may request access to or deletion of their child's information by contacting the relevant Studio Operator or us directly.
13. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service:
- Essential cookies: Required for authentication and security (via Clerk)
- Functional cookies: Remember your preferences and settings
- Analytics: We may collect anonymised usage data to improve the Service
Most web browsers allow you to control cookies through settings. Disabling essential cookies may prevent you from using parts of the Service.
14. Marketing Communications
We may send you marketing communications about our Service if you have opted in or where permitted by law. You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email
- Contacting us at privacy@syyn.app
- Updating your communication preferences in your account
Opting out of marketing will not affect transactional communications (e.g., billing notices, security alerts).
15. Your Rights Under the Privacy Act
Under the Australian Privacy Principles, you have the right to:
- Access: Request access to personal information we hold about you
- Correction: Request correction of inaccurate, incomplete, out-of-date, or misleading information
- Deletion: Request deletion of your information (subject to legal retention requirements)
- Withdraw consent: Withdraw consent for processing of sensitive information at any time
- Complain: Lodge a complaint if you believe we have breached the Privacy Act
15.1 Exercising Your Rights
To exercise your rights, contact us at privacy@syyn.app. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
For Customers: Your personal information is primarily controlled by the Studio Operator who collected it. We recommend contacting them first. If you cannot resolve your request with the Studio Operator, you may contact us directly.
15.2 Data Portability
Studio Operators may export their data at any time through the audit export feature. Upon account closure, you may request a complete data export within 30 days. Exports are provided in standard formats (CSV, PDF).
16. Referral Program Data
If you participate in our referral program, we collect and store:
- Your unique referral code
- Referral relationships (who referred whom, without sharing personal details between parties)
- Referral status (pending, converted, credited) and timestamps
- Credit balances and redemption history
We do not share personal information between referrers and referees beyond confirming a referral relationship exists.
17. Automated Decision-Making
The Service does not use automated decision-making or profiling that produces legal effects or similarly significant effects on individuals. Age verification calculations and state-specific warnings are based on factual data (date of birth, location) and serve as information only; final decisions rest with Studio Operators.
18. Data Controller and Processor Roles
For clarity on responsibilities:
- Syyn as processor: We process Customer personal information on behalf of Studio Operators. Studio Operators determine what data to collect and how to use it.
- Studio Operators as controllers: Studio Operators are responsible for their own compliance with privacy laws regarding Customer data they collect.
- Syyn as controller: We are the controller for Studio Operator account information and data we collect for our own purposes (analytics, billing).
- Custom waiver templates: Custom template content created by Studio Operators is controlled by the Studio Operator. Syyn stores but does not review, moderate, or validate the substantive content of custom templates. Studio Operators are responsible for ensuring custom template content complies with applicable laws.
19. Making a Complaint
If you believe we have breached the Privacy Act 1988 or mishandled your personal information:
- Step 1: Contact us at privacy@syyn.app with details of your complaint
- Step 2: We will investigate and respond within 30 days
- Step 3: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
OAIC contact details:
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
20. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification to Studio Operators for significant changes
- Displaying a notice within the Service for material changes
We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
21. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
Privacy Officer
Email: privacy@syyn.app
Website: https://syyn.app
We will respond to privacy enquiries within 30 days.