LEGAL

Privacy Policy

Effective Date: March 26, 2026

InkReef ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the InkReef platform (the "Service").

This policy applies to all users of the Service, including Tenants (print shop operators) and End Customers (customers of Tenants who interact with the customer portal or online storefront).

1. Data Roles

Under applicable privacy laws (including GDPR):

  • InkReef as Data Controller: InkReef is the data controller for information we collect directly from Tenants for the purpose of providing the Service (account information, billing, usage analytics).
  • InkReef as Data Processor: InkReef acts as a data processor for Tenant Data, including End Customer information stored by Tenants on the Platform. Tenants are the data controllers for their End Customer data and are responsible for obtaining appropriate consent and providing privacy notices to their customers.

For details on our data processing obligations, see our Data Processing Agreement.

2. Information We Collect

2.1 Account Information (Tenants)

When you create an InkReef account, we collect:

  • Full name and contact information
  • Email address
  • Company/business name
  • Phone number (optional)
  • Business address (optional)
  • Chosen subdomain/URL slug
  • Selected subscription plan

2.2 Payment Information

Payment processing is handled entirely by Stripe. InkReef does not store, process, or have access to your full credit card numbers, debit card numbers, or bank account details. We receive only:

  • Last four digits of your card (for display purposes)
  • Card brand and expiration date
  • Billing address
  • Stripe Customer ID (a reference identifier)

2.3 Usage Data

We automatically collect information about how you interact with the Service, including:

  • Pages and features accessed
  • Date and time of access
  • Browser type and version
  • Device type and operating system
  • IP address
  • Referring URL
  • Actions performed within the Platform (for audit logging)

2.4 Tenant Data (End Customer Information)

Tenants store information about their end customers on the Platform. This data is controlled by the Tenant. InkReef processes this data solely on the Tenant's behalf. Tenant Data may include:

  • End customer names, email addresses, and phone numbers
  • Order and quote details
  • Invoice and payment records
  • Design files and artwork
  • Communication history (emails, messages)

Tenant Data is stored in an isolated, per-tenant database. Data from one tenant is never shared with, visible to, or accessible by another tenant.

2.5 Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Preference Cookies: Store your settings such as theme preferences (light/dark mode).
  • Analytics Cookies: Help us understand how users interact with the Service to improve functionality and user experience.

We do not use cookies for advertising or cross-site tracking.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information (invoices, receipts, confirmations)
  • Send administrative messages, updates, and security alerts
  • Respond to customer support requests
  • Monitor and analyze usage patterns to improve the Service
  • Detect, prevent, and address fraud, abuse, and security issues
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising purposes.

4. Data Sharing

We share your information only in the following circumstances:

4.1 Sub-Processors

We use the following third-party services to operate the Platform:

ServicePurposeData Processed
CloudflareHosting, CDN, DDoS protection, database (D1)All platform data (encrypted at rest and in transit)
StripePayment processingPayment and billing information
Resend / Brevo / MailerSendTransactional email deliveryEmail addresses, email content
Twilio / MessageBird / VonageSMS notificationsPhone numbers, message content

Each Tenant selects their own email and SMS provider through InkReef's settings. Only the providers actively configured by a Tenant receive that Tenant's data.

4.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information is subject to a different privacy policy.

5. Data Retention

  • Active Accounts: We retain Tenant Data for as long as your account is active.
  • Closed Accounts: After account termination, we retain data for 30 days to allow for data export or account reactivation. After 30 days, all Tenant Data is permanently deleted.
  • Audit Logs: Audit log entries are retained for 12 months for security and compliance purposes. When an account is deleted, audit logs are anonymized (personally identifiable information is removed) rather than deleted outright.
  • Billing Records: Payment and invoice records are retained for 7 years to comply with tax and accounting regulations.

6. Your Rights

6.1 Rights Under GDPR (European Economic Area)

If you are located in the EEA, you have the following rights under the General Data Protection Regulation:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Restriction: Request restriction of processing of your personal data.
  • Right to Object: Object to processing of your personal data for certain purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

For End Customer data stored by Tenants: End Customers should direct GDPR requests to the Tenant (data controller) who manages their data. Tenants may use InkReef's platform features to fulfill these requests.

6.2 Rights Under CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell personal information. There is no need to opt out, but you may submit a request for confirmation.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

6.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

7. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.3 via Cloudflare)
  • Encryption at rest for stored credentials (AES-256-GCM)
  • Bcrypt password hashing with per-user salts
  • Multi-factor authentication (TOTP) support
  • Role-based access control with granular permissions
  • Audit logging of all administrative actions
  • Per-tenant database isolation
  • DDoS protection via Cloudflare

For more details, see our Security Overview.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information. If you believe we have collected information from a child under 18, please contact us at [email protected].

9. International Data Transfers

InkReef is based in the United States. The Service is hosted on Cloudflare's globally distributed network. If you access the Service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where Cloudflare operates data centers.

For data transfers from the EEA to the US, we rely on Cloudflare's Data Processing Addendum and Standard Contractual Clauses (SCCs) as approved by the European Commission. See our Data Processing Agreement for details.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Effective Date" at the top of this page indicates when the policy was last updated. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: