PRIVACY / POLICY
Preamble
With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, the purposes for which we process them, and the scope of such processing.
This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our website, within mobile applications, and on external online platforms such as our social media profiles (hereinafter collectively referred to as the "Online Services").
The terms used are gender-neutral.
Last updated: June 26, 2026
Data Controller
Myra Brodsky Fine Tattoos
Amalienstr. 39
80799 Munich
Germany
Authorized Representative: Myriam Brotzki
Email: hello@myra-brodsky.com
Website: www.myra-brodsky.com
Data Protection Contact
Email: hello@myra-brodsky.com
Representative in the European Union
Email: hello@myra-brodsky.com
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and the categories of individuals affected.
Types of Data Processed
- Master data
- Employee data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
Categories of Data Subjects
- Employees
- Users
- Third parties
- Whistleblowers
Purposes of Processing
- Communication
- Feedback management
- Whistleblower protection
- Public relations
Applicable Legal Bases
Legal Bases under the GDPR
The following overview outlines the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data.
Please note that, in addition to the GDPR, national data protection regulations may apply in your country of residence or our country of establishment. Where more specific legal bases apply in individual cases, these will be communicated in this Privacy Policy.
Consent
(Art. 6(1)(a) GDPR)
The data subject has given consent to the processing of their personal data for one or more specific purposes.
Legal Obligation
(Art. 6(1)(c) GDPR)
Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests
(Art. 6(1)(f) GDPR)
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.
National Data Protection Regulations in Germany
In addition to the provisions of the GDPR, national data protection regulations apply in Germany.
These include, in particular, the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions regarding rights of access, deletion, objection, the processing of special categories of personal data, processing for other purposes, transfers of personal data, and automated decision-making, including profiling.
Additional state-level data protection laws may also apply.
Applicability of the GDPR and Swiss Data Protection Act (FADP)
These data protection notices serve both to provide information under the Swiss Federal Act on Data Protection (FADP) and under the General Data Protection Regulation (GDPR).
For reasons of broader international applicability and clarity, the terminology used in the GDPR is applied throughout this Privacy Policy.
For example, instead of the terms used in Swiss law such as "processing of personal data," "overriding interest," or "particularly sensitive personal data," the GDPR terms "processing," "legitimate interest," and "special categories of personal data" are used.
However, where Swiss law applies, the legal meaning of these terms continues to be determined by the Swiss Federal Act on Data Protection.
Applicability of Data Protection Laws in the Country of Establishment
In the country where the controller is established, national data protection laws apply in addition to the GDPR.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.
These measures are designed to ensure a level of protection appropriate to the risk.
Such measures include, in particular, safeguarding the confidentiality, integrity, and availability of data through control of physical and electronic access to data, as well as control of access, input, transfer, availability, and segregation of data.
Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of personal data, and responses to data security incidents.
We also consider the protection of personal data during the development and selection of hardware, software, and processing procedures, in accordance with the principles of privacy by design and privacy by default.
Protection of Online Connections through TLS/SSL Encryption (HTTPS)
To protect the data transmitted by users through our online services from unauthorized access, we use TLS/SSL encryption technology.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet.
These technologies encrypt information exchanged between a website or application and the user's browser (or between servers), thereby protecting data from unauthorized access.
TLS, as the more advanced and secure successor to SSL, ensures that all data transmissions meet current security standards.
When a website is protected by an SSL/TLS certificate, this is indicated by the display of "HTTPS" in the website address. This serves as an indication to users that their data is transmitted securely and in encrypted form.
General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the consent on which the processing is based is withdrawn or no further legal basis for processing exists.
This applies in cases where the original purpose of processing no longer applies or the data is no longer required.
Exceptions apply where statutory obligations or overriding legitimate interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of other natural or legal persons, will be archived accordingly.
Our privacy notices may contain additional information regarding the retention and deletion of data that applies specifically to individual processing activities.
Where multiple retention periods or deletion deadlines apply, the longest period shall always prevail.
Data that is no longer required for its original purpose but is retained due to legal obligations or other reasons will only be processed for the purposes justifying its retention.
Retention and Deletion Periods
The following general retention periods apply under German law:
10 Years
Retention period for:
- Accounting records and books
- Annual financial statements
- Inventories
- Management reports
- Opening balance sheets
- Organizational documents and work instructions necessary for understanding the above records
(Section 147 German Fiscal Code (AO), Section 14b German VAT Act (UStG), Section 257 German Commercial Code (HGB))
8 Years
Retention period for:
- Accounting vouchers
- Invoices
- Expense receipts
6 Years
Retention period for:
- Business correspondence
- Commercial letters received and sent
- Tax-relevant documentation
- Payroll records not classified as accounting vouchers
- Cash register receipts and similar business records
3 Years
Data necessary for the assertion, exercise, or defense of warranty claims, damages claims, or comparable contractual rights are generally retained for the duration of the statutory limitation period of three years.
Rights of Data Subjects
As a data subject, you have the following rights under the GDPR, particularly under Articles 15–21 GDPR:
Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR.
This also applies to profiling based on those provisions.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes, including profiling related to direct marketing.
Right to Withdraw Consent
You have the right to withdraw any consent previously given at any time.
Right of Access
You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, access to that data together with additional information as required by law.
Right to Rectification
You have the right to request the correction of inaccurate personal data concerning you and the completion of incomplete personal data.
Right to Erasure and Restriction of Processing
You have the right to request the immediate deletion of personal data concerning you or, alternatively, the restriction of processing in accordance with legal requirements.
Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.
Use of Cookies
The term "cookies" refers to technologies that store information on users' devices and retrieve information from those devices.
Cookies may be used for a variety of purposes, including ensuring the functionality, security, and convenience of online services, as well as analyzing visitor behavior.
We use cookies in accordance with applicable legal requirements.
Where necessary, we obtain users' consent before using cookies.
Where consent is not required, processing is based on our legitimate interests.
This applies where the storage and retrieval of information is strictly necessary to provide content and functions expressly requested by users, such as saving preferences or ensuring the functionality and security of our online services.
Consent may be withdrawn at any time.
We provide clear information regarding the scope of consent and the cookies used.
Legal Basis for Cookie Processing
Whether personal data is processed using cookies depends on whether consent has been granted.
Where consent has been obtained, it serves as the legal basis for processing.
In the absence of consent, processing is based on our legitimate interests as described in this Privacy Policy.
Cookie Retention Periods
Temporary Cookies (Session Cookies)
Temporary cookies are deleted no later than when the user leaves the online service and closes their browser or device.
Permanent Cookies
Permanent cookies remain stored after the device has been closed.
For example, login status or user preferences may be saved and automatically displayed when the user revisits the website.
Data collected through cookies may also be used for audience measurement and analytics.
Unless explicitly stated otherwise, users should assume that permanent cookies may remain stored for up to two years.
Withdrawal of Consent and Objection (Opt-Out)
Users may withdraw previously granted consent at any time and may object to processing in accordance with applicable legal requirements, including through the privacy settings of their browser.
Categories of Data Processed
- Meta data
- Communication data
- Procedural data
- IP addresses
- Time stamps
- Identification numbers
Data Subjects
- Users
- Website visitors
- Online service users
Legal Bases
- Legitimate Interests (Art. 6(1)(f) GDPR)
- Consent (Art. 6(1)(a) GDPR)
Social Media Presence
We maintain online presences within social networks and process user data in this context in order to communicate with users active on those platforms and to provide information about our services.
Please note that user data may be processed outside the European Union.
This may result in risks for users, as the enforcement of their rights may become more difficult.
In addition, user data is often processed by social networks for market research and advertising purposes.
For example, user profiles may be created based on usage behavior and resulting interests. These profiles may then be used to display advertisements both within and outside the respective platforms that are likely to match users' interests.
Cookies are generally stored on users' devices for these purposes.
Furthermore, data may be stored within user profiles regardless of the devices used, particularly where users are members of the respective platforms and are logged in.
For detailed information regarding data processing and available opt-out options, please refer to the privacy policies of the respective platform providers.
Requests for access to personal data and the exercise of data subject rights can usually be handled most effectively by the platform providers themselves, as only they have direct access to the relevant user data.
Should you nevertheless require assistance, please feel free to contact us.
We maintain a presence on Instagram.
Instagram allows users to share photos and videos, comment on and like content, exchange messages, and subscribe to profiles and pages.
Service Provider:
Meta Platforms Ireland Limited
Merrion Road
Dublin 4
D04 X2K5
Ireland
Website: https://www.instagram.com
Privacy Policy: https://privacycenter.instagram.com/policy/
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR)
International Data Transfers: Data Privacy Framework (DPF)
Changes and Updates
We kindly ask you to review this Privacy Policy regularly.
We will update this Privacy Policy whenever changes to our data processing activities make this necessary.
We will inform you whenever changes require your cooperation (for example, providing consent) or any other individual notification.
Where this Privacy Policy contains addresses and contact details of companies or organizations, please note that such information may change over time. We therefore recommend verifying the information before contacting the respective organization.