This Privacy Policy explains how Tendō Club (owned by Mday AS), collects, uses and protects your personal data when you visit our website, book a class or event, contact us, attend a session, sign up for marketing, or otherwise interact with us.

We process personal data in accordance with the EU General Data Protection Regulation, as incorporated into Norwegian law, and other applicable Norwegian privacy rules.

1. What personal data we collect

We may collect the following personal data:

Booking and contact information
Name, email address, phone number, booking details, ticket details, session/event selected, package purchased and attendance status.

Payment information
Payment status, transaction reference, amount paid, refund status and invoice/accounting information. Payments are processed by our payment provider. We do not store your full card details.

Communication with us
Emails, requests, cancellation or transfer requests, feedback, complaints and other messages you send us.

Optional health and safety information
Information you choose to share with us about injuries, pregnancy, allergies, sensitivities, accessibility needs or other conditions relevant to your participation. Please only share health or safety information that is necessary for us to help you participate safely.

Marketing preferences
Whether you have signed up for newsletters, events, launch updates or other marketing, and whether you have unsubscribed.

Photos and video
Photos or video from classes, events or workshops, where you have consented or where we have informed you and the use is otherwise lawful.

Website and cookie data
IP address, device type, browser type, approximate location, pages visited, cookie identifiers, consent choices and website usage data.

2. How we use your personal data

We use your personal data for the following purposes:

To manage bookings and tickets
We use your data to process bookings, send confirmations and tickets, manage attendance, handle changes, respond to questions and deliver the class, event or package you purchased.

To process payment and accounting
We use payment and transaction data to complete purchases, issue receipts, manage refunds where relevant and comply with bookkeeping, tax and accounting obligations.

To communicate with you
We use your email address to send practical information about your booking, including confirmations, reminders, schedule changes, cancellation notices and important updates. These service emails are not marketing.

To help keep sessions safe
If you voluntarily provide health, pregnancy, allergy or injury information, we use it only to assess whether a session is suitable, adapt the experience where possible, or respond to safety concerns. Health-related information is treated with extra care.

To send marketing where allowed
We may send newsletters, launch updates, event invitations or other marketing if you have consented, or where we are otherwise allowed to do so under applicable marketing rules. You can unsubscribe at any time.

To improve our website and services
With your consent where required, we may use analytics to understand how visitors use our website and improve the booking experience, content and services.

To document and promote Tendō
Where you have consented, we may use photos, videos, testimonials or other content featuring you for social media, website, press or marketing.

To protect legal rights and security
We may process data where necessary to prevent misuse, document incidents, handle complaints, establish or defend legal claims, or comply with legal obligations.

3. Legal bases for processing

We rely on the following legal bases:

• Contract: to process bookings, payments, tickets and service communication.
• Legal obligation: to comply with accounting, tax and consumer law obligations.
• Consent: for newsletters, certain cookies, marketing images/videos and optional health information where required.
• Explicit consent: where you voluntarily provide health-related information, such as injury, pregnancy, allergy or medical information.
• Legitimate interest: to respond to enquiries, improve our services, protect our business, handle complaints and ensure basic website security, provided your rights do not override our interests.
• Vital interests: in rare cases, if processing is necessary to protect someone’s life or health in an emergency.

4. Marketing

We only send electronic marketing where we have a lawful basis to do so. You can unsubscribe from marketing at any time by clicking the unsubscribe link in the email or contacting us at hello@tendoclub.com.

Unsubscribing from marketing does not stop necessary service emails about bookings you have made.

5. Who we share personal data with

We do not sell your personal data.

We may share personal data with trusted service providers who help us run Tendō, including:

• website and hosting providers;
• booking, calendar and ticketing providers;
• payment providers;
• email and newsletter providers;
• analytics and cookie consent providers;
• accounting and bookkeeping providers;
• IT, security and support providers.

These providers may only process personal data on our behalf and according to our instructions, unless they act as independent data controllers for their own services.

For partner events, we may share limited booking or attendance information with the relevant partner where necessary to deliver the event, for example name, ticket type or dietary/allergy information you have chosen to provide. Where a partner is an independent data controller, we will make this clear where relevant.

We may also share data with public authorities, courts, legal advisors, accountants or insurers where required by law or necessary to protect our rights.

6. International transfers

We aim to use providers located in Norway, the EU or the EEA where possible.

If personal data is transferred outside the EU/EEA, we will ensure that appropriate safeguards are in place, such as an adequacy decision, standard contractual clauses or other lawful transfer mechanisms.

7. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy.

Typical retention periods are:

Booking and attendance data:
Kept for up to 12 months after the relevant pop-up period or event, unless we need it longer to handle a complaint, legal claim or accounting obligation.

Payment and accounting data:
Kept for the period required under Norwegian bookkeeping and tax rules, normally 5 years after the end of the financial year.

Customer support and cancellation requests:
Kept for up to 12 months, unless needed longer for a dispute or legal claim.

Marketing data:
Kept until you unsubscribe or withdraw your consent.

Health, injury, pregnancy, allergy or safety information:
Deleted as soon as it is no longer needed, normally within 30 days after the relevant class or event, unless an incident, complaint or legal obligation requires longer retention.

Photos and videos:
Kept for as long as we have a valid purpose and legal basis. If the use is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect use that took place before consent was withdrawn.

Cookie consent records:
Kept for as long as necessary to document your consent choices and comply with applicable rules.

8. Your privacy rights

You have rights under privacy law, including the right to:

• request access to the personal data we hold about you;
• ask us to correct inaccurate or incomplete data;
• ask us to delete your data;
• ask us to restrict certain processing;
• object to processing based on legitimate interests;
• receive certain data in a portable format;
• withdraw consent where processing is based on consent; and
• complain to the Norwegian Data Protection Authority, Datatilsynet.

Some rights may be limited, for example where we must keep information to comply with legal obligations or handle legal claims.

To exercise your rights, contact us at [EMAIL]. We may need to verify your identity before responding.

9. Cookies and similar technologies

Cookies are small files stored on your device when you visit a website. Similar technologies may also be used to store or access information on your device.

We use cookies and similar technologies to:

• make the website work;
• enable booking and checkout;
• remember your cookie choices;
• improve website performance;
• understand website traffic; and
• carry out marketing only where you have consented.

10. Types of cookies we may use

Strictly necessary cookies
These are required for the website, booking flow, payment flow, security or cookie consent tool to work. They cannot usually be switched off through our cookie banner.

Preference cookies
These remember choices such as language, region or display preferences. We only use these where allowed and, where required, with your consent.

Analytics cookies
These help us understand how visitors use the website, which pages are visited and whether the booking flow works well. We only use analytics cookies with your consent where required.

Marketing cookies and pixels
These may be used to measure campaigns or show relevant content on platforms such as Instagram, Facebook, Google or similar platforms. We only use marketing cookies or pixels with your consent.

11. Managing cookies

When you visit our website, you should be able to accept, reject or manage non-essential cookies through our cookie banner.

You can withdraw or change your cookie consent at any time through [INSERT COOKIE SETTINGS LINK / BUTTON NAME].

You can also block or delete cookies in your browser settings. If you block strictly necessary cookies, some parts of the website or booking flow may not work properly.

Before publishing this Privacy Policy, we will update this section with a current cookie list showing cookie name, provider, purpose, expiry period and category.

12. Security

We use reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.

No digital service is completely secure, but we work to ensure that personal data is handled carefully and only by people or providers who need access.

13. Children

Our website and services are mainly intended for adults.

We do not knowingly collect personal data from children under 13. Participants under 18 may only attend where permitted under our Terms & Conditions and with any required parent or guardian consent.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website.

If we make material changes, we may notify you by email or through a notice on our website.

15. Contact

If you have questions about this Privacy Policy, your personal data or your rights, please contact: hello@tendoclub.com

You also have the right to complain to Datatilsynet, the Norwegian Data Protection Authority.