Privacy Policy

Last Updated: May 2026

This Privacy Policy explains how Melt.Tattoo ("we", "us", or "our") collects, uses, and protects your personal information when you use our AI-powered tattoo visualization and video service at melt.tattoo.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Email address — used for account creation, login, and transactional emails (e.g., video-ready notifications, password reset)
Password — stored securely using industry-standard hashing (bcrypt)

We also record timestamps for your acceptance of the Terms of Service and your consent to receive emails, in users.tos_accepted_at and users.email_consent_accepted_at.

1.2 Skin Photos

When you upload a skin photo:

For still-image tattoo previews, your photo is processed temporarily and the raw upload is discarded promptly after rendering.
For the video pipeline, your photo — along with the tattoo sketch, the composite of the two, and the AI-baked frame — is stored in our Supabase storage bucket so that your video continues to play from its share link.
Photos are sent to third-party AI services solely for rendering (see Section 4).
Tattoo sketches you save are stored until you delete your account.

1.3 Generated Previews & Videos

Tattoo preview images and the final two-clip MP4 video are stored in our Supabase Storage bucket. The MP4 and the bake frame are served from a public, unguessable URL via /v/<token>. They are deleted when you delete your account or when you email info@melt.tattoo to request takedown of a specific video.

1.4 Usage Data

We collect usage data including IP address, device type, approximate location, referrer URL, and a device fingerprint hash (SHA-256 derived from canvas, WebGL, and user-agent signals, used to enforce the per-device daily video quota) for service improvement and abuse prevention. We also receive a Cloudflare Turnstile token, which we verify server-side and then discard — we do not retain it. Usage events (page views, button clicks, feature usage) are associated with your user ID.

2. How We Use Your Information

Account management — creating and authenticating your account
Service delivery — processing your photos, generating tattoo previews, and rendering your video
Transactional emails — video-ready notifications, password resets, and account administration via Resend
Service improvement — understanding usage patterns to improve features
Security — preventing abuse, fraud, and unauthorized access

We do not sell your personal data. We do not share your data with third parties for advertising or marketing purposes.

3. Cookies & Local Storage

We use browser local storage (not traditional cookies) for:

JWT access and refresh tokens — these keep you signed in across sessions and are stored in localStorage
UTM parameters — tracking which ad campaign brought you to us

We do not use third-party tracking cookies. Cloudflare Turnstile may set first-party challenge tokens to prevent abuse.

4. Third-Party Services

To operate the service, your data may be processed by:

Service	Purpose	Data Shared
OpenAI	Tattoo bake (gpt-image-1, gpt-image-2) and content moderation	Skin photo, tattoo design
Anthropic (Claude)	Vision analysis and prompt generation for the video pipeline	Skin photo, tattoo design
fal.ai	Image-to-video rendering via Alibaba Happy Horse models	Baked frame, generated prompts
Cloudflare Turnstile	Anti-abuse challenge	Turnstile token only, no PII
Supabase	Database, file storage, and public viewer URLs	Account data, all video artifacts
Resend	Transactional email	Email address
ip-api.com	Coarse geolocation for analytics and abuse triage	IP address

Each third-party service is governed by its own privacy policy. We only share the minimum data necessary for each service to function.

5. Data Retention & Deletion

Skin photos (still-image preview flow) — discarded promptly after rendering
Video artifacts (skin photo, sketch, composite, bake frame, MP4) — retained while the video and your account exist; deleted on account deletion or per-video takedown request
Account data — retained while your account is active
Usage events — retained for analytics purposes

Data already processed by third-party AI services (OpenAI, Anthropic, fal.ai) is subject to their respective retention policies and may not be fully recoverable by us.

5.1 Account Deletion

You may delete your account at any time using the "Delete Account" option in the app footer (visible when logged in). When you delete your account:

Your email, profile data, and account credentials are permanently removed
Your saved tattoo sketches are permanently deleted from storage
All video artifacts (skin photos, sketches, composites, bake frames, MP4s) are permanently deleted from storage, and the corresponding share links stop working
Your usage history is deleted

You can also request account deletion or per-video takedown by contacting us at info@melt.tattoo.

6. Your Rights (GDPR & International Users)

If you are located in the European Union or other jurisdictions with data protection laws, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Portability — request your data in a machine-readable format
Restriction — request we limit how we process your data
Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at info@melt.tattoo. We will respond within 30 days.

7. Data Security

We implement industry-standard security measures including:

HTTPS encryption for all data in transit
Bcrypt password hashing
JWT-based authentication with expiration
Environment-variable-based secret management
Cloudflare Turnstile challenges and per-device-fingerprint daily quotas to deter abuse

8. Children's Privacy

Our service is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact Us

For any privacy-related questions or requests:

Email: info@melt.tattoo

Website: melt.tattoo