Skip to main content

Privacy Policy

Last updated: May 2026

Your privacy matters. This page explains, in plain language, what personal data PMU Retouch collects, why we collect it, who we share it with, and what rights you have. We do not sell personal data, and we never will.

PMU Retouch is currently a pre-launch waitlist. The product itself is not yet available. This policy reflects what that scope means for your data: very little is collected, and most of it exists only because you chose to join the waitlist.

Who is the controller

The data controller is PMU Retouch, operated as an individual business based in Georgia. You can reach the controller at hello@pmuretouch.comfor any privacy question or to exercise the rights described below. The operator's full legal name and postal mailing address are available on request via that email; we keep them off this public page as a personal-safety choice for a sole operator.

What we collect and why

Waitlist email

When you join the waitlist, we collect the email address you submit. We use it solely to email you when PMU Retouch opens, to share occasional pre-launch updates, and to issue your free launch credits. The lawful basis for this processing is your consent, given when you submit the form. You can withdraw consent at any time by emailing hello@pmuretouch.com.

Account data, if you sign in

Some routes will require a Clerk-hosted account in the future. If you sign in, Clerk will collect the email address (and any optional profile details you choose to provide) on our behalf so that authentication works. The lawful basis is contract performance: we cannot operate the authenticated parts of the service without it.

Server logs and technical data

Our hosting provider (Vercel) automatically logs information needed to operate the site: IP address, user agent, requested URL, response status, and timing. We use these logs for security, abuse prevention, and reliability monitoring. The lawful basis is our legitimate interest in keeping the site secure and operational.

Product analytics

We use PostHog (EU-hosted) to understand how visitors use the site so we can improve it. We capture pageviews and a small set of named product events such as joining the waitlist. Inputs are masked, session recording is disabled, and we do not put personal data in event properties. For anonymous visitors, PostHog uses a pseudonymous identifier assigned in the browser. If you sign in, we link events to your Clerk user id so analytics stay consistent across sessions; that id is personal data, but we still avoid copying your email or profile fields into event payloads. Analytics traffic is routed through our own domain as a reverse proxy at /ingest. The lawful basis is legitimate interest in measuring and improving the product. If you prefer to limit this kind of measurement, privacy extensions and similar browser controls can block requests to our analytics endpoint at /ingest. The marketing site and waitlist still work when that traffic is blocked.

Voluntary correspondence

If you email us, we keep the message and your address so that we have a record of past correspondence to reference if you reach out again.

Who processes your data on our behalf

We use a small number of vetted subprocessors to operate the service. Each handles a specific function under a written contract:

  • Clerk (Clerk.com, Inc., United States): hosts the waitlist form and any future authentication; stores submitted email addresses on our behalf.
  • Vercel (Vercel Inc., United States): hosts the website, serves all pages, and provides Web Analytics that record aggregated, IP-truncated traffic patterns.
  • PostHog (PostHog Inc., EU region): receives pageviews and product events through our reverse proxy for product analytics. Session recording is disabled on our account.

We will update this list before adding a new subprocessor that processes your personal data.

When we disclose data

We disclose personal data only in narrow circumstances:

  • To the subprocessors listed above, strictly for the operational purposes described.
  • When required by law, such as a valid legal order or government request that we are legally compelled to comply with. We will notify you before disclosing your data unless we are legally prohibited.
  • If PMU Retouch is ever transferred to another operator, we will notify you in advance and you will be free to delete your data before any transfer takes effect.

International data transfers

Clerk and Vercel are based in the United States. PostHog is processed in the EU. If you are located in the European Union or the United Kingdom, your data may be transferred to the United States in the course of using the service. Where required, these transfers rely on Standard Contractual Clauses or other lawful transfer mechanisms with the receiving processor.

Your rights

Regardless of where you live, we apply the following data rights to all visitors:

  • Right of access. You can ask what personal data we hold about you.
  • Right to rectification. You can ask us to correct inaccurate data.
  • Right to erasure. You can ask us to delete your data. For a waitlist email, we will remove the address from our system as soon as reasonably practicable, and at the latest within the time limits required by applicable law.
  • Right to restrict processing. You can ask us to stop using your data while a question about it is being resolved.
  • Right to object. You can object to processing based on legitimate interest, including our analytics.
  • Right to portability. You can request a copy of the personal data you provided, in a portable format.
  • Right to complain. If you are in the European Union or the United Kingdom, you have the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, email hello@pmuretouch.com. We respond as promptly as we reasonably can, and within the timeframes required by applicable law (typically within one month under GDPR, with possible extension for complex requests). We may need to verify your identity before acting on a request, typically by confirming the email address from which you originally signed up.

How long we keep your data

We retain personal data only for as long as necessary for the purposes described above, after which we delete or anonymize it. Indicative retention periods, which may be adjusted as the project evolves:

  • Waitlist email: kept while the waitlist is active or until you ask us to delete it. We may also remove inactive or undeliverable addresses periodically.
  • Server logs: retained for a short, operationally necessary period.
  • Analytics events: retained for as long as needed for product analysis, then aggregated or deleted.
  • Email correspondence: retained while needed for ongoing communication, then deleted on request.

How we secure data

Data is encrypted in transit using TLS. Subprocessors store data on their own encrypted infrastructure. Access to operator-side data is limited to the controller and protected by strong authentication. If we ever experience a personal-data breach that affects you, we will notify you and any relevant supervisory authority where and when we are required to do so by applicable law.

Children

PMU Retouch is intended for permanent makeup professionals and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a minor has submitted data to us, please contact us and we will delete it.

Changes to this policy

We may update this policy as the product evolves or as regulations change. When we make a material change, we will refresh the date at the top of this page and, where appropriate, notify you by email.

Questions

Have a question, comment, or concern? Email us at hello@pmuretouch.com.