Dawnbringer Tattoo · Kansas City

Privacy Policy

Effective: 2026-05-27 · Last reviewed: 2026-05-27 · 3914 Washington Street, Kansas City, Missouri 64111

1. Who we are

Dawnbringer Tattoo is a Missouri-licensed body art establishment operating at 3914 Washington Street, Kansas City, Missouri 64111. Our practitioners are individually licensed by the Missouri Office of Tattooing, Body Piercing and Branding.

For purposes of this policy, "we," "us," and "our" mean Dawnbringer Tattoo and its independent-contractor practitioners working at the 3914 Washington Street location. "You" means anyone who visits our website, books an appointment, signs a consent form, sends us a message, or creates a customer account.

2. What we collect

When you visit our public website

• Pages you load (standard web server logs, kept 30 days for security and debugging)
• Your IP address and browser type (same logs)
• Two functional cookies that remember you between pages of our booking flow (dawn_book_token and dawn_flash_token) — these expire after 7 days and contain only a session identifier
• Google Analytics 4 (GA4) cookies: _ga (2 years, unique visitor), _ga_ (2 years, session state), _gid (24 hours, daily unique), and _gat (1 minute, rate throttle). GA4 also reports your approximate city-level location, device type, and page paths. Google Signals is disabled — no cross-site advertising identifiers are collected. We do not run Google Ads or remarketing. See Section 7 for how to opt out.
• We do not use Facebook Pixel, Meta tracking, TikTok pixel, heatmap tools, session-replay tools, or any other tracking provider. If we ever add one, this policy will be updated before the tool goes live.

When you submit a contact form or booking inquiry

• Your name, email address, phone number
• A description of the tattoo you want, placement, size, budget range
• Up to 5 reference images you upload
• Whether this is your first tattoo

When you pay a deposit

• Everything from the inquiry, plus your IP address at submission (for chargeback defense)
• A complete snapshot of your intake data, linked to the Stripe transaction
• Stripe handles the actual payment information — your card number never touches our servers

When you complete the consent form

This is the most sensitive collection point. The consent form is required by Missouri 20 CSR 2267-5.020 before any procedure can begin. We collect:

• Your full legal name, date of birth, address, phone number
• A photo of the front and back of your government-issued ID
• Health and medical attestations (Y/N answers per Missouri regulation)
• Your emergency contact name, phone, and relationship
• Your photo-release preference
• Your typed signature, IP address, and timestamp
• Parsed data from your driver's license barcode (auto-fill only — see Section 4)

When you upload a healing photo, create an account, or apply to join

• Healing photo (`/heal/`): a photo of your healed tattoo and the timestamp of upload
• Customer account (`/web/signup`): an email address, password, and optional profile fields you choose to fill in
• Artist application (`/join`): name, email, phone, portfolio URL, years of experience, style summary, and up to 5 portfolio uploads

3. Why we collect this

To run your appointment

Name, contact information, appointment details, reference images, and intake answers exist so your artist knows what you want, how to reach you, and how to plan the session.

To comply with Missouri law and Kansas City ordinance

The consent form record is required by Missouri 20 CSR 2267-5.020 (Patrons) and 20 CSR 2267-3.010 (Establishments). The minimum retention period in Missouri is two (2) years.

Kansas City Ordinance Sec. 50-239 prohibits tattooing anyone under 18, and we use date of birth and ID to verify age before any procedure begins.

We are also required by 20 CSR 2267-5.010 to record pigment lot numbers used in each tattoo — that record stays indefinitely for product-recall traceability.

To defend ourselves against payment disputes

If a customer disputes a deposit charge with their bank, we have a window (up to about 18 months) to defend it. The IP address you submit from, the timestamp, and the full intake snapshot exist specifically as chargeback evidence.

To communicate with you about your appointment

Booking confirmation, day-before reminder, aftercare instructions, follow-up requests for review or healing photos — all of these are transactional emails specific to your appointment. They are not marketing — you receive them because you have an active booking with us.

To re-engage with patrons and send (opt-in) marketing communications

If you affirmatively opt in to marketing communications — a clearly-labeled checkbox at signup or booking, unchecked by default, never assumed from your visit alone — we may send you:

• Promotional email about upcoming flash days, guest artists, holiday hours, or special events. These are not appointment-related; every message has a clear Unsubscribe link.
• Abandoned-cart recovery email if you started a deposit checkout but did not finish. At most one polite reminder within 24 hours, with a link back to resume. Only sent to email addresses you provided during the inquiry step.

You can opt out at any time by clicking Unsubscribe in any marketing email, by emailing admin@dawnbringertattoo.com, or by editing your patron-portal preferences at /my/profile. Opting out of marketing never affects transactional appointment messages.

4. Specific handling of sensitive data

Your ID photo

We store the photo of the front and back of your ID in our database. Access is restricted to your assigned artist and shop ops staff. After a daily automated process, ID photos older than 7 years from your last visit are permanently deleted.

Your driver's license barcode data

When your artist scans the barcode on your ID to auto-fill your name, date of birth, and license number on the consent form, the scanner decodes a structured chunk of data that includes more than just those three fields (it can include height, weight, eye color, sex, address, etc.). We do not need or want to keep that extra information.

Our policy: the parsed barcode data is cleared from your record shortly after your artist clicks "Mark Reviewed" on your consent form. We retain the photo of the ID and the specific fields used to fill out the form (your name, date of birth, license number, license expiration); the rest of the parsed dictionary is discarded. The clearing process is currently being automated; until automation completes, the same clearing happens during routine record-review by shop ops.

Your healing photo

If you upload a photo at `/heal/`, it gets stored attached to your booking record. We keep it for 2 years from upload, then auto-delete. Use of that photo is governed by the photo-release choice you made on your original consent form.

5. Who we share data with

We share data with the small group of vendors needed to operate our website, process payments, and notify our shop. These are the only third parties that receive your data.

Vendor	What they receive	Why
Stripe	Name, email, billing details, transaction amount, deposit checkout session contents	Stripe processes your card payment via Stripe Connect Direct Charges. Stripe also issues 1099-K forms to artists at year-end. See stripe.com/privacy.
Google Calendar	Appointment time and duration only (no personal info)	If your artist has connected Google Calendar, we sync appointment block-out times. No client name, no procedure details, no consent data.
Google Analytics 4 (GA4) — only if you accept cookies	A pseudonymous visitor identifier (in the _ga cookie), the page paths you visit on our site, approximate city-level geographic location, device type, basic timing data. No name, email, phone, address, or ID photo is ever sent to Google.	Aggregate website analytics — helps us see where visitors arrive from and where they get stuck in the booking flow. Google Signals is disabled; no cross-site advertising association. policies.google.com/privacy.
ntfy.sh	Short event notifications ("New booking · $300 deposit received") — no client name	Push notifications to shop ops staff when bookings, refunds, or rent events occur.
Our transactional email provider (SMTP relay)	Your email address, the message body of each transactional or marketing email we send you, basic delivery telemetry	Delivers booking confirmations, reminders, aftercare instructions, and opt-in marketing email.

We do not currently share data with advertising networks or retargeting providers, Facebook/Meta/TikTok tracking pixels, heatmap or session-replay tools, data brokers (we do not sell or rent your data), or anyone else — except when required by law (a valid court order or subpoena). If we ever add a vendor outside the table above, this policy will be updated and prominently disclosed before the change takes effect.

6. How long we keep it

Full details are in our retention practices. The short version:

• Consent records and ID photos: 7 years after your last visit, then auto-deleted
• Driver's license barcode parsed data: cleared shortly after Mark Reviewed
• Booking records: 7 years from session completion
• Reference images you uploaded: 2 years from session completion (18 months if the inquiry never becomes a booking)
• Healing photos: 2 years from upload
• Customer portal account: as long as your account is active, or until you ask us to delete it
• Transactional email logs: 3 years
• Server access logs: 30 days

7. Your rights

Right to access

You can ask us what information we have on file about you. Email admin@dawnbringertattoo.com with "Data access request" in the subject line. We will acknowledge your request within 5 business days and aim to fulfill it within 60 days. We currently fulfill requests through manual review of our records; an automated request portal is in development.

Right to deletion

You can ask us to delete your data. Email admin@dawnbringertattoo.com with "Delete my data" in the subject line. We will acknowledge your request within 5 business days and delete what we are legally allowed to delete within 60 days.

We cannot delete:

• Consent form records before the 2-year statutory minimum has passed (Missouri 20 CSR 2267-5.020)
• ID photos for the same period
• Stripe transaction IDs (needed for tax and dispute records)
• Pigment lot records (required by Missouri 20 CSR 2267 for product-recall traceability)

After those legal minimums pass, deletion requests also apply to those items.

Right to correction

If something on your account or in your consent record is wrong, email us and we'll fix it.

Right to opt out of marketing email

If you previously opted in to marketing email (promotional announcements, abandoned-cart reminders, event invites), you can opt out at any time:

• Click the Unsubscribe link at the bottom of any marketing email — one click, takes effect immediately.
• Email admin@dawnbringertattoo.com with "Unsubscribe" in the subject line.
• Edit your patron portal preferences at /my/profile and uncheck "Send me occasional updates and event invites".

Opting out of marketing does not unsubscribe you from transactional appointment messages — you will still receive booking confirmations, reminders, and aftercare instructions.

Right to opt out of website analytics

We use Google Analytics 4 to measure aggregate website traffic — what pages people visit, where the booking flow gets stuck, approximate city-level geography. We do not show a cookie consent banner because we do not currently serve EU customers (where one is legally required), and US-based shops have no federal cookie-consent obligation. To opt out, install Google's Analytics Opt-out Browser Add-on, block third-party cookies for googletagmanager.com in your browser settings, or enable your browser's tracking-protection / private-browsing mode. We do not run Google Ads, remarketing pixels, social-media trackers, or any cross-site tracking, so there is nothing else to opt out of. Opting out of analytics does not affect your ability to book, fill consent forms, or use any feature of our site.

How to make a complaint

If you're not happy with how we handled your data, contact us first at admin@dawnbringertattoo.com. If we can't resolve the issue, you can contact:

• Missouri Office of Tattooing, Body Piercing & Branding — 573-526-8288 / pr.mo.gov/tattooing.asp
• Kansas City Health Department — (816) 513-6008
• Missouri Attorney General Consumer Protection — ago.mo.gov/civil-division/consumer

8. Security

We take reasonable steps to protect your data. Our website runs on a server that:

• Binds the Odoo application only to local network
• Uses HTTPS for all customer-facing pages
• Has a firewall enabled (UFW) allowing only ports 22, 80, and 443
• Uses fail2ban to block brute-force login attempts
• Receives security-related Linux kernel updates as released
• Backs up the database before any risky deployment

Card numbers never touch our servers. Stripe (our payment processor) is independently certified PCI-DSS Level 1 — the highest payment-processor compliance level. We rely on Stripe's hosted checkout for all card handling.

Despite these measures, no online system is 100% secure. If we ever discover a breach affecting Missouri residents, we will notify affected individuals as required by Missouri Revised Statutes § 407.1500.

9. Minors and children

We do not tattoo anyone under 18 years of age. Kansas City Ordinance Sec. 50-239 prohibits this absolutely, with no parental-consent exception. Missouri state law (RSMo 324.520) is less strict, but Kansas City's stricter standard governs our location.

We do not knowingly collect data from anyone under 13 years of age (Children's Online Privacy Protection Act / COPPA). If you believe a minor has submitted information to us, contact admin@dawnbringertattoo.com immediately.

10. Cookies

We use two categories of cookies: functional cookies (necessary for the website to work) and analytics cookies (set by Google Analytics 4). We do not use advertising, retargeting, or social-media tracking cookies of any kind.

Functional cookies

Required for the website to operate.

Cookie	Purpose	Lifespan
dawn_book_token	Remembers your booking inquiry between pages	7 days
dawn_flash_token	Remembers your flash-piece inquiry between pages	7 days
Odoo session cookie	Keeps you logged into your customer account between visits	Up to 30 days (cleared when you log out)

Analytics cookies — Google Analytics 4

We use Google Analytics 4 to measure aggregate website traffic. The cookies below are set by Google when you visit any page on our site. To opt out, see Section 7.

Cookie	Purpose	Lifespan
_ga	Distinguishes unique visitors (pseudonymous random ID)	2 years
_ga_	GA4 session state for our property	2 years
_gid	Daily unique-visitor counter	24 hours
_gat	Throttles GA4 request rate	1 minute

Google Signals is disabled on our GA4 property — your visit is not associated with any cross-site advertising identifier, and demographic/interest reporting is off. We do not run Google Ads, remarketing pixels, or any retargeting.

You can refuse all cookies in your browser settings. Refusing functional cookies breaks the booking flow. Refusing analytics (via your browser settings or Google's Analytics Opt-out Browser Add-on) does not affect the rest of the site.

11. Changes to this policy

We may update this policy from time to time. When we do, we update the "Last reviewed" date at the top and post the new version at this URL. Material changes will also be communicated to customers with an active account by email.

12. Contact

For privacy questions, data access requests, or deletion requests:

admin@dawnbringertattoo.com
Dawnbringer Tattoo
3914 Washington Street
Kansas City, Missouri 64111

13. Governing law

This policy is governed by the laws of the State of Missouri. Any dispute is venued in the courts of Jackson County, Missouri. Where Missouri state law and Kansas City municipal ordinance both apply, the stricter rule governs.