Privacy Policy
Effective Date: May 22, 2026 (Version: 2026-05-22)
This Privacy Policy explains how 23 Daggers collects, uses, and shares information about you. It applies to anyone using the 23 Daggers platform: artists, shops, customers, and visitors. By using or accessing 23 Daggers, you agree to the practices described here, subject to applicable law and together with any other policies or notices we make available in connection with specific services or features.
1. Who we are
23 Daggers is operated by Laughing Dragon Incorporated, a Delaware corporation doing business as "23 Daggers". We are headquartered in the United States. You can reach us at support@23daggers.com or at the mailing address in Section 12.
2. Information we collect
Information you give us
- Account registration: name, email address, password (stored as a bcrypt hash, never as plain text), optional Instagram handle.
- Profile information: display name, handle, studio location, bio, portfolio links, and any flash artwork you upload, as well as other profile content, settings, or business-related information you choose to make available through the platform.
- Booking information: tattoo description, placement, size, scheduled date, customer name and contact details.
- Payment information: payment is processed by Stripe. We do not see, store, or transmit credit card numbers, bank account numbers, or other payment credentials. Stripe holds that information directly. We store only the booking-side payment metadata (amount, currency, status, and Stripe's opaque PaymentIntent id).
- Identity verification (artists/shops): collected entirely by Stripe through their hosted Connect onboarding flow. We never see SSN, EIN, ID documents, or bank account numbers. Stripe shares back only a verification status (pass/fail/pending), account status, onboarding-related signals, and other limited information reasonably necessary to manage artist/shop accounts, compliance, fraud prevention, and platform operations.
- Communications: messages you send to other users through the platform, support emails, service-related correspondence, dispute-related communications, and records of interactions reasonably necessary for support, security, fraud prevention, compliance, and enforcement of our Terms.
Information we collect automatically
- Device and usage data: IP address, browser type and version, device type, operating system, referring URL, pages visited, time spent, interactions with the platform, including log data, approximate location derived from IP address, session activity, diagnostic information, crash reports, device identifiers, and other technical information reasonably necessary to operate, secure, troubleshoot, improve, and support the platform.
- Cookies and similar technologies: we use strictly necessary session cookies to keep you signed in and to protect sign-in security (CSRF). We may also use similar technologies, logs, or local storage reasonably necessary for authentication, security, fraud prevention, performance, platform functionality, and service reliability. We use a privacy-focused, cookieless analytics tool to understand how visitors use the platform and to improve it. It does not set advertising cookies, does not track you across other sites, and does not build an advertising profile of you. We do not load analytics on pages that render intake-form or waiver data (see Section 5). If we add cookie-based analytics in the future, we will update this policy and, where required, ask for your consent first.
- Page-view tracking: when a customer views a public artist or flash piece page, we record the view so the artist can see traffic to their work. We do not store your IP address or build a profile of you; views are de-duplicated using a short-lived, non-reversible fingerprint that we do not use to identify you.
Information from third parties
- OAuth providers (Google, Microsoft): if you sign up with Google or Microsoft, we receive your name, email address, profile picture, a stable provider account id, authentication-related tokens, account status information, and other limited information made available by the provider consistent with your permissions and the provider's integration settings. We do not access your Gmail, calendar, or any other account data unless you explicitly grant calendar access during the calendar-sync step (see Section 4).
- Stripe: we receive payment status, Connect account status, dispute notifications, payout-related status, onboarding and verification signals, chargeback or refund-related information, fraud or risk indicators, and other limited transaction or account information reasonably necessary to facilitate payments, support accounts, maintain compliance, investigate abuse, and operate the platform.
3. How we use information
We use the information we collect to:
- Provide the platform: create your account, display your profile and flash, process bookings, route deposits to artists through Stripe, facilitate account administration, provide customer support, enable integrations, maintain platform functionality, and otherwise operate, deliver, and improve the services and related features.
- Communicate with you: send booking confirmations, dispute and refund notifications, password resets, verification emails, and (with your consent) marketing emails, as well as service-related notices, security alerts, administrative updates, policy changes, support communications, and other transactional or operational messages.
- Improve the platform: analyze usage patterns, debug errors, develop new features.
- Protect the platform and users: detect and prevent fraud, unauthorized access, and abuse; enforce our Terms, investigate disputes, monitor misuse, maintain security, protect rights and property, and prevent illegal, harmful, or unauthorized activities.
- Comply with legal obligations, enforce contractual rights, respond to lawful requests, support audits, resolve disputes, maintain business records, protect against legal claims, and support mergers, acquisitions, restructuring, financing, or other legitimate business transactions where permitted by law.
4. Calendar integration (artists only)
If an artist connects a Google or Microsoft calendar to 23 Daggers, we read free/busy times to prevent double-booking and write new bookings to the artist's calendar. We do not read calendar event titles, descriptions, or attendees beyond what we need to detect a busy slot. We do not share calendar data with anyone else.
You can disconnect your calendar at any time from Settings. Disconnecting revokes our access immediately.
5. Health-related information from artist intake forms
Artists on 23 Daggers may add their own questions to the intake form a client fills out before a booking. Some artists choose to ask about medical history, medications, allergies, pregnancy status, skin conditions, or other health information that is relevant to safe tattooing or piercing. These questions and their answers are defined and used by the artist, not by 23 Daggers, except to the limited extent necessary to route, store, secure, and facilitate the booking and intake workflow through the platform.
23 Daggers is not a healthcare provider, health plan, or HIPAA-covered entity, and the answers you give to these questions are not Protected Health Information under HIPAA. We treat this information as sensitive nonetheless, because we know clients expect it to be handled carefully and because several state laws (including Washington's My Health My Data Act, Nevada SB 370, and the consumer-health provisions of California, Connecticut, Colorado, and similar statutes) may regulate the collection, processing, storage, disclosure, or handling of such information.
How we handle your intake answers.
- Encryption. Intake answers are encrypted in transit (HTTPS) and, at rest, are encrypted at the application level (AES-256-GCM) before being written to our access-controlled database, which is itself also encrypted at rest by our hosting provider.
- Access. Intake answers are routed exclusively to the artist whose form you filled out. 23 Daggers does not provide platform staff with a tool to read intake answers, and no 23 Daggers employee has routine or general-access rights to them. If responding to a specific support request, security incident, court order, legal obligation, fraud investigation, platform integrity issue, or other reasonably necessary operational or compliance-related event ever requires platform-level engineering access, we treat that as a limited, need-based action with a written record kept on file, subject to our internal security and access-control procedures.
- No advertising use. We do not use your intake answers (or any health information collected through the platform) to target advertising, to share with any advertising network, or to build advertising profiles. We do not place third-party advertising or analytics pixels on pages that render intake-form data.
- No model training. We do not use your intake answers, including any health information, to train machine-learning or AI models.
- No sale. We do not sell or share your intake answers with any third party for any commercial purpose unrelated to delivering your booking. Service providers we use to operate the platform (database hosting, encrypted file storage, transactional email) are contractually limited to that purpose; we do not give them access for their own use.
- Deletion. When you delete your 23 Daggers account, or request deletion of your personal information by emailing support@23daggers.com from the email on your account, we scrub your intake answers and other identifying personal data from our active systems within a reasonable period, generally within 30 days of verifying your request, subject to technical limitations, system integrity, backup cycles, and legal or operational retention requirements. Certain records are retained under the legal-claims exception described below.
Records we retain after deletion (legal-claims exception). U.S. privacy laws including the California Consumer Privacy Act and Washington's My Health My Data Act allow us to retain certain records when they are needed to exercise or defend against legal claims. To protect both you and the artist if a question ever arises about a tattoo or piercing service and to support legal, compliance, fraud-prevention, audit, and record-retention obligations, we retain the following after a deletion request, in anonymized form where possible:
- Signed consent waivers, including the signed PDF, your signature, and your answers, for the statute-of-limitations window for body-art-related personal injury claims (we use seven years as a default that covers this window in essentially every U.S. state). We may keep them longer where a dispute, claim, or legal proceeding involving the booking is pending or reasonably anticipated, or where reasonably necessary for legal, regulatory, fraud-prevention, audit, or recordkeeping purposes, and delete them once that need has passed.
- Photo of identification submitted at signing: the image is deleted on a short schedule after your appointment (we use thirty days by default). We do not verify your identity or age from this image (your artist is responsible for that in person), so we do not keep it long-term. After the image is deleted we retain only a record that an ID was collected on a given date, not the image itself or any personal detail from it. At signing, a copy of the signed waiver (including the ID image, when one was collected) is emailed to you and to your artist so each of you keeps a copy. The signed waiver we retain for the legal-claims window described above does not include the ID image. How your artist stores their emailed copy is governed by the artist's own practices (see below).
- Booking and payment records (appointment date, artist, amount paid, Stripe payment id), for at least seven (7) years for tax and financial-audit purposes as required by the IRS and state tax authorities. Customer-identifying fields on these records are anonymized to "Deleted Customer" where the underlying record allows.
- Conversations between you and the artist, anonymized so the artist retains their record of what was agreed without your identifying information.
Everything else (your account profile, email, phone number, intake answers, reference photos, login credentials, IP and device logs) is scrubbed in the same 30-day window, subject to technical limitations, backup cycles, system integrity, disaster-recovery processes, and other legal or operational retention requirements.
The artist's separate responsibilities. Once an intake answer is delivered to the artist, the artist may also store it in their own records (printed file, their own software, etc.). How the artist stores, uses, and retains health information off-platform is the artist's responsibility and is governed by the artist's own privacy practices and any state law that applies to them. 23 Daggers does not control and is not responsible for the artist's independent off-platform handling, storage, security, disclosure, or compliance practices with respect to such information. If you have a question about what the artist does with your answers after you submit the form, ask the artist directly before submitting.
Washington residents (My Health My Data Act). You may exercise your rights under MHMDA (including the right to confirm whether we are collecting your consumer health data, the right to access it, the right to withdraw consent, and the right to deletion) by emailing support@23daggers.com from the email on your account. We respond to verified requests within 45 days, the period allowed under the My Health My Data Act, and may extend once where reasonably necessary with notice to you.
Declining to answer. You may decline to answer any intake question. The artist may, in turn, decline to accept the booking if the artist needs the information for safety or service-eligibility reasons. That decision is the artist's, not 23 Daggers'.
6. How we share information
We share information in a few specific ways:
- Between platform users: when a customer books an artist, the artist sees the customer's name, email, phone, booking details, and any reference photos attached. The customer sees the artist's display name, location, public profile, and policy. Communications between users are visible to those users, and may be processed or retained as reasonably necessary to support bookings, disputes, safety, fraud prevention, customer support, and enforcement of our Terms.
- With service providers: we use Stripe (payments), Resend (transactional email), Cloudflare (image storage, content delivery, network security, and privacy-focused cookieless traffic analytics, excluded from intake-form and waiver pages), Render (hosting), Sentry (error monitoring), Anthropic / Replicate (image parsing), and Behold (Instagram feed integration, for artists who connect their Instagram). These providers process information on our behalf under their own privacy commitments and are contractually limited to the purposes we engage them for.
- For legal reasons: we may disclose information when required by law (subpoena, court order, other legal process), to protect the rights and safety of users or the public, to investigate fraud or abuse, enforce contractual rights, respond to lawful requests, protect platform integrity, prevent illegal activity, or defend against legal claims.
- In a business transaction: if 23 Daggers is acquired, merged, or sold, your information may transfer to the acquirer. We will notify you of any such transfer when required by applicable law.
We do not sell your personal information. We do not share your information with third-party advertisers.
7. Data retention
We keep account information for as long as your account is active. When you delete your account:
- Your public profile (display name, handle, flash) is removed from public view immediately.
- We scrub identifying information from your account record (email replaced with a tombstone value, name nulled). The row itself is retained for booking, payment, and tax history purposes.
- Booking records, payment records, and dispute records are retained as required by law and our service providers (Stripe, generally 7 years for tax and chargeback purposes).
You can request hard deletion of your information by emailing support@23daggers.com. We will delete what we can within a reasonable period, generally within 30 days, subject to legal and audit retention requirements, technical limitations, system integrity, backup cycles, fraud prevention, security, dispute resolution, and other legitimate operational or compliance-related needs.
If the service shuts down. If we ever discontinue 23 Daggers, we will give notice and a window during which artists can export their account data (including their client records and signed waivers) before we delete it. After that window, personal data is deleted on the same schedule described above, except records we are required to retain by law.
8. Your rights
Depending on where you live, you may have rights under the California Consumer Privacy Act (CCPA), the EU/UK General Data Protection Regulation (GDPR), and similar laws.
You may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to legal retention requirements; see Section 7).
- Restrict or object to certain processing.
- Receive a copy of your information in a portable format.
- Withdraw consent for any consent-based processing.
To exercise any of these rights, email support@23daggers.com from the address on your account. We may need to verify your identity before acting on a request. We respond within 45 days (the period allowed under the CCPA) and may extend once where reasonably necessary with notice to you. We aim to act sooner where we can.
California residents: we do not sell or share personal information for cross-context behavioral advertising. You have the right to opt out of any sale; see the link above.
Sensitive Personal Information (California). Some information we handle is "Sensitive Personal Information" under the CCPA/CPRA, including government-identification photos collected at waiver signing and health-related answers from artist intake forms. We collect it only as needed to deliver your booking (including related authentication, security, fraud prevention, compliance, recordkeeping, and other reasonably necessary service-related purposes consistent with applicable law), encrypt the health answers and ID image at rest, delete the ID image on a short schedule after your appointment, use it only for those service-related and legally permitted purposes, and do not use or disclose it to infer characteristics about you except as reasonably necessary to operate, support, or comply with legal obligations relating to the platform, and not for cross-context behavioral advertising or unrelated commercial profiling. You have the right to limit our use of Sensitive Personal Information to those service purposes; we already restrict it that way by default, and you can email support@23daggers.com to confirm or request limits. Health data is covered in detail by our separate Consumer Health Data Privacy Policy.
9. Security
We use industry-standard security measures: HTTPS for all transport, bcrypt for password storage, signed and short-lived access tokens for API authorization, and IP allowlisting for sensitive endpoints, as appropriate to the relevant systems, services, and risk profile. We monitor for unauthorized access through error tracking and audit logs.
No system is fully secure. If you become aware of a security issue with 23 Daggers, please report it to security@23daggers.com. We will acknowledge good-faith and legitimate reports within five business days, although resolution timing may vary depending on the nature, severity, and complexity of the issue.
10. Children's privacy
23 Daggers is not intended for children under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it. If you believe a minor has provided information to 23 Daggers, please contact us at support@23daggers.com.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy with a new version date and provide reasonable notice through email, postings on this page, in-platform notifications, or other reasonable means, as appropriate under the circumstances and where required by applicable law. If you keep using 23 Daggers after the changes take effect, you accept the updated policy.
12. Contact
Laughing Dragon Incorporated (DBA 23 Daggers)
8 The Green, Suite B
Dover, Delaware 19901
Email: support@23daggers.com
Privacy questions: support@23daggers.com