Privacy Policy

This policy applies to (a) artists who create an account and connect their Instagram, Telegram, or other channels to tatty, (b) visitors who interact with an artist via any of those channels or via tatty.ink web chat, and (c) anyone who browses our public marketing pages.

From artists, we collect:

• Account details (name, email) provided at sign-up.
• OAuth tokens for connected channels (Instagram, Telegram, Google Calendar, payment processors). Tokens are encrypted at rest.
• Instagram profile metadata (display name, bio, follower count, recent posts) returned by Meta’s API when you connect your account.
• Calendar availability, deposit settings, and pricing rules you configure in your dashboard.

From visitors who message an artist, we receive:

• Their public profile identifier on the channel they used (Instagram handle, Telegram username, email address, etc.).
• The contents of messages sent to the artist’s account.
• Any references, photos, or contact details they choose to share during the booking conversation.

From tatty.ink browsers, we collect:

• Standard server logs (IP, user agent, referrer, timestamps).
• A session cookie when you start a web chat with an artist, so the conversation can resume if you reload the page.

When you connect your Instagram Business or Creator account, TAT receives messages sent to your account by your potential clients. We use these messages solely to: (a) conduct an automated intake conversation that captures booking details, (b) display the conversation to you in your artist dashboard so you can take over and respond manually, and (c) write structured submission records to your account so you have a permanent record of every booking inquiry.

We do not use DM contents to train any AI models. We do not share DM contents with third parties. Conversations are retained for 90 days from last activity, then archived; full deletion within 24 hours of disconnect.

The permissions we request from Meta on your behalf are instagram_business_basic (to read your profile and recent media so we can populate your booking page) and instagram_business_manage_messages (to read incoming DMs and send replies you author or approve). We do not request any other Instagram permissions.

When you click Connect Instagram on our landing page, we receive your Instagram profile and recent media via Instagram’s official OAuth flow, before you create a tatty account. We use this to assemble your booking page preview. If you do not claim the preview by creating a tatty account within 30 days, we automatically delete the preview, the extracted Instagram data, and revoke our access token. You can delete the preview yourself at any time via the “Delete this preview” link on the preview page.

The same intake conversation runs on Telegram and on the artist’s tatty.ink booking page. The data we collect and the way we use it are identical to the Instagram clause above, with one difference: for web chat, the visitor has not authenticated with any third party, so the identifier we record is only what they choose to share (name, email, phone).

We use the data we collect to:

• Provide and improve the tatty booking service.
• Send transactional emails (booking confirmations, deposit receipts, account notifications).
• Detect and prevent abuse, spam, and fraud on the platform.
• Comply with legal obligations (e.g., responding to lawful requests).

We do not sell personal data. We do not use messages exchanged through the platform to train AI models.

Conversation messages (Instagram DM, Telegram, web chat) are retained for 90 days from the last message in the thread, then archived to cold storage for an additional 90 days for dispute resolution, then permanently deleted.

Submission records (the structured booking summary written to the artist’s dashboard) are retained as long as the artist’s account is active. Visitor PII attached to submissions is purged within 24 hours of the artist disconnecting their channel.

OAuth tokens are deleted within 24 hours of disconnect or account closure.

We share data only with the service providers we need to run the platform — Supabase (database), Vercel (hosting), Anthropic and Google (AI inference for the intake conversation), Stripe (payment processing for deposits), and the channel providers themselves (Meta, Telegram). Each is bound by their own data processing agreements; none receive your data for their own purposes.

We may disclose data in response to a valid legal process or to protect the rights, property, or safety of tatty, our users, or the public.

Depending on where you live, you may have the right to access, correct, port, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, request deletion at tatty.ink/data-deletion or email privacy@tatty.ink.

tatty.ink uses a small number of essential cookies: an authentication cookie issued by Clerk when you sign in, and a session cookie that remembers your in-progress web chat. We do not set advertising or third-party tracking cookies.

tatty is not directed at children under 16. We do not knowingly collect data from anyone under 16; if you believe we have, please contact us and we will delete it.

Our primary servers are hosted in the United States. If you access tatty from outside the US, your data will be transferred to and processed there. We rely on standard contractual clauses where required.

We’ll post any material changes on this page and update the “Last updated” date above. For significant changes that affect how we use your data, we’ll also notify connected artists by email.

Questions about this policy or how we handle data: privacy@tatty.ink.