Tendy AB - Privacy Policy
Effective date: 8.05.2026   •    Version 2.1

This Privacy Policy describes how Tendy AB (“Tendy”, “we”, “our”, or “us”) collects, uses, shares, and protects personal data across all of our channels and services, including the tendy.se website and online store, the Tendy mobile application (iOS and Android), our connected IoT devices, the public scan pages on links.tendy.se, our customer support, and our marketing communications.

We process personal data in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”), the Swedish Data Protection Act (2018:218), the Electronic Communications Act (2022:482), and the Marketing Act (2008:486).

This policy applies to anyone who visits our website, creates a Tendy account, uses our app or web-plattform, scans a Tendy QR label, contacts our customer support, subscribes to our newsletter, or interacts with us as a business partner.

1. Data Controller and Contact Information

The data controller responsible for the processing of your personal data is:

Company name: Tendy AB
Registration No.: 559477-9778
VAT No.: SE559477977801
Address: Roslagsgatan 32, 113 55 Stockholm, Sweden
General contact: hello@tendy.se
Data protection / privacy questions: eric@tendy.se

Contact person for data protection matters

We have appointed Eric Larsson, CEO, as our internal contact person for data protection matters. While Tendy is not formally required to designate a Data Protection Officer (DPO) under Article 37 GDPR, this contact ensures that you have a clear point of communication for any privacy-related questions, requests or concerns.
Contact: Eric Larsson, CEO – eric@tendy.se

2. Scope of this Policy

This Privacy Policy covers personal data processed across the following Tendy channels:

• The Tendy website and online store at tendy.se (operated on the Shopify platform), including checkout, account creation, and product information pages.

• The Tendy mobile application for iOS and Android, including all features (animal profiles, inventory, tenderizing, hunting teams, label printing, producer profile, in-app purchases).

• Tendy IoT devices (including the Tendy Nemus smart thermometer, Tendy Lucus 4G, and other connected hardware) and the cloud services that support them.

• Public scan pages on links.tendy.se generated when a user prints and shares a Tendy QR label.

• The Tendy blog and content pages at tendy.se/blogg and related marketing pages.

• Customer support and customer communications via email, in-app chat, and other channels.

• Marketing communications, including newsletters and promotional campaigns.

• Business-to-business interactions with retailers, distributors, suppliers, and other commercial partners.

3. Categories of Personal Data We Collect

Depending on how you interact with Tendy, we may collect and process the following categories of personal data:

3.1 Account and contact data

Name, address, postal code, city, country, email address, telephone number, login credentials (encrypted), display name, profile photo, language preference.

3.2 Order and transaction data (Shopify store)

Purchase history, order numbers, billing and shipping addresses, payment method, order value, currency, order status, returns and complaints history. Card details and other sensitive payment data are processed directly by our payment providers and are not stored by Tendy.

3.3 Subscription data (mobile app)

Active entitlements, subscription tier, renewal status, platform-level subscription identifiers from the Apple App Store and Google Play, and validation tokens from RevenueCat. Tendy never receives your full payment card or store account login from Apple or Google.

3.4 Customer interaction data

Support requests, communication history, in-app chat transcripts, feedback, survey responses, complaint records.

3.5 Harvest, inventory, and tenderizing data (mobile app)

Animal profiles you create (species, date and approximate location of harvest, hunter name, facility, live/carcass weights, photos, free-text comments, lead-free bullet flag), inventory items derived from those profiles, custom cuts and templates (names, prices, best-before settings, images), and the readings, durations, and outcomes of tenderizing processes from connected devices.

3.6 Hunting team data

Team membership, invitations, and the records you choose to share with team members.

3.7 IoT device data

Sensor readings (temperature, humidity, motion, acceleration), device identifiers (IMEI, IMSI, Bluetooth ID, serial numbers), real-time location data (GPS, geofencing) where the relevant feature is activated, device usage logs, and error reports.

3.8 Approximate location data

The municipality (kommun) and region (län) you select when registering an animal in the app. We do not continuously track your location through the mobile app.

3.9 Marketing data

Newsletter subscription status, opt-ins and opt-outs, campaign engagement (opens, clicks), preferences, and segmentation tags.

3.10 Technical and analytical data

IP address, browser type, operating system, device model, app and OS version, device identifiers, language settings, cookies and similar technologies, app and website usage events, login timestamps, crash reports, performance diagnostics.

3.11 User-uploaded content

Photos, images, documents and other media you choose to upload, including animal photos, label images, custom cut images, producer profile images, and free-text notes.

3.12 Business partner data

For our retailers, distributors, suppliers, and other B2B partners, we process the contact details of relevant employees: name, business email address, business telephone number, role, employer, and communication history. This data is processed for the purpose of managing the commercial relationship.

3.13 Event and trade-show data (future use)

If you provide your contact details at industry events, trade shows, or via business networking platforms (such as LinkedIn lead forms), we may process those details to follow up on your interest in our products. Tendy does not currently operate active lead-capture forms outside the website and app, but this section applies should we introduce them.

4. Sources of Data

We collect personal data primarily from the following sources:

• Directly from you, when you create an account, place an order, contact support, subscribe to communications, or use our products.

• Automatically from your devices, through the website, the mobile app, and connected IoT hardware.

• From our service providers, including payment, logistics, marketing, analytics and IoT cloud partners (see Section 10).

• From public registers, business directories, and other lawful sources, where applicable for B2B contacts.

5. Purposes and Legal Bases for Processing

We process your personal data only when we have a lawful basis under the GDPR. The table below summarises the main purposes and the corresponding legal basis.

Where we rely on legitimate interest, we have carried out a balancing test to ensure that our interests are not overridden by your fundamental rights and freedoms. You may request more information about this assessment by contacting us.

Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

6. Marketing Communications

We send marketing communications (newsletters, product news, promotions and similar) via our newsletter provider Klaviyo, Inc. The legal basis depends on how you came to receive them:

• Existing customers who have purchased a similar product or service from Tendy receive marketing communications about our own similar products on the basis of our legitimate interest, in accordance with the “soft opt-in” rule in chapter 19 § 19 of the Swedish Marketing Act (Marknadsföringslagen 2008:486). At the time of purchase you are given a clear and easy opportunity to object, and every subsequent message contains a one-click unsubscribe link.

• All other recipients (for example people who sign up via a newsletter form on tendy.se without having purchased anything) receive marketing communications based on their explicit consent, given when they sign up. They can withdraw consent at any time via the unsubscribe link.

In both cases, you can object to or unsubscribe from marketing communications at any time, with no effect on your ability to use Tendy's products and services.

7. The Tendy Mobile App

7.1 Account and login

To use the Tendy app you create an account using an email address and password, or sign in via supported third-party identity providers. We process your account data to authenticate you, sync your records across devices, and provide the features you have access to under your subscription.

7.2 Harvest, inventory, and tenderizing records

All animal profiles, inventory items, custom cuts, templates, and tenderizing processes that you create are stored under your account. By default, this data is private to you and is only visible to other users when you actively choose to share it (for example with a hunting team or by publishing a QR label).

7.3 Hunting teams

If you join or create a hunting team, the records you mark as shared (animal profiles, tenderizing processes, and connected devices) become visible to other members of the same team while the team relationship exists. Records you keep private are not visible to team members. You can leave a team or remove a member at any time, after which previously shared records are no longer visible to that team.

7.4 Subscriptions and in-app purchases

Subscriptions to premium features are sold through the Apple App Store and Google Play. Tendy uses RevenueCat to validate your entitlements and synchronise your subscription state across devices. Tendy never receives your payment card details, Apple ID password, or Google account password – those remain with the respective platform.

7.5 Producer profile

If you enable the optional “public producer profile”, your producer name, municipality, profile image, caption, and description are shown on the public scan page next to your products. You can disable the producer profile at any time in your account settings; once disabled, your profile information will no longer be displayed publicly.

7.6 Push notifications and in-app messaging

With your permission, we may send push notifications about device alerts, tenderizing process status, subscription information, and product news. You can disable notifications at any time in your device settings.

8. IoT Devices and Connected Hardware

Tendy IoT devices, including the Tendy Nemus, Tendy Lucus 4G and other connected hardware, collect sensor readings and may transmit data to our cloud services.

• Data collected: sensor readings (temperature, humidity, motion, acceleration), device logs, error reports, device identifiers, and (for cellular and GPS-enabled devices) location data.

• Purposes: providing real-time notifications and alerts, enabling tracking features where applicable, troubleshooting, firmware updates, and product improvement.

• Legal basis: performance of contract for the core functionality you have purchased, and explicit opt-in consent for optional features such as continuous location tracking.

8.1 Retention of IoT data

• Real-time sensor and IoT data – retained only for as long as needed to provide the service to you, typically the duration of an active session or process.

• Diagnostic and error logs – retained for up to 30 days, unless a longer period is required by law or to investigate a security incident.

• After these periods, IoT data is deleted or anonymised.

8.2 Hosting and processing

IoT data is processed on secure cloud infrastructure operated by our sub-processors (see Section 11), primarily within the EU/EEA. Where data is transferred outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses are used.

9. QR Labels and Public Scan Pages on links.tendy.se

Important: When you generate and print a Tendy QR label, the resulting URL on links.tendy.se becomes a publicly accessible web page. Anyone in possession of the printed label or the URL can scan or open it to view the information you have chosen to publish.

9.1 What is shown on a public scan page

You control which fields are exposed via the sharing settings on each animal profile. Available fields include, for example: shot-by name, date of harvest, facility, municipality, live and carcass weight, free-text comment, lead-free bullet status, days tenderized, and temperature data. Fields you do not enable are not returned by the lookup.

9.2 Your responsibility as publisher

When you choose to publish information through a QR label, you are deciding which information to make publicly available. Tendy provides the technical platform that hosts the page, but the decision to share specific personal data – including names of other hunters, locations, or photographs that may identify a person – is yours.

You should only publish information you are entitled to share, and you must obtain the necessary consent from any other identifiable person (for example, the named hunter) before enabling fields that contain their personal data. Tendy disclaims responsibility for the lawfulness of the choices you make about which fields to publish via QR labels.

9.3 Stopping public access

You can stop a public scan page from rendering at any time by archiving the linked animal profile, deleting the inventory item, or revoking sharing in the app. Once stopped, the public page will no longer return your data, although cached copies may exist temporarily on third-party servers (e.g. search engines or proxies) outside our control.

10. Automated Decision-Making, Profiling, and AI

Tendy may use data analytics and, in the future, AI-based tools to:

• Personalise your experience in the app and on the website (for example, tailored content and recommendations).

• Analyse uploaded images for product features that we may introduce in the future.

• Present insights and trends based on aggregated usage data.

Tendy does not currently operate any AI-based meat or image analysis feature in production. If we introduce such features in the future, we will update this policy, identify the processors involved, and obtain your consent where legally required.

We do not use automated decision-making that produces legal or similarly significant effects without human involvement, as defined in Article 22 GDPR.

You can opt out of personalisation features at any time in the app settings.

11. Sub-processors and Recipients of Data

We share personal data with carefully selected service providers (sub-processors) under data processing agreements that meet GDPR requirements. The table below lists the main categories of recipients.

11.1 Platform, hosting, and product infrastructure

11.2 Payment providers

When you make a purchase, the payment provider receives the information needed to complete the transaction (typically first name, last name, address, email, phone number; and, where you choose invoice payment, your personal identity number). Tendy does not store your full payment card data.

Payment providers we use: Adyen, Klarna, Stripe, Swish, MobilePay, PayPal, Apple App Store, Google Play Store.

11.3 Logistics and shipping providers

To deliver your orders, we share your name, shipping address, and (where required) email address and mobile number for delivery notifications.

Logistics providers we use: DHL, UPS, PostNord, Budbee, Bring, Posti, Instabox, Deutsche Post.

11.4 Other recipients

• Public authorities where we are legally required to disclose data (e.g. tax authorities, law enforcement, courts).

• Professional advisors such as auditors, lawyers and accountants, bound by confidentiality.

• Acquirers in business transactions: in the event of a merger, acquisition, restructuring or sale of assets, personal data may be transferred to the acquiring entity, subject to GDPR-compliant safeguards.

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes without your consent.

12. International Transfers

Personal data processed via the Tendy app is primarily stored in Google Cloud regions within the European Union. Some sub-processors (notably Intercom, RevenueCat, Klaviyo, Vercel and certain Shopify infrastructure) are based in or operate from the United States or other countries outside the EU/EEA.

Where personal data is transferred outside the EU/EEA, we rely on at least one of the following safeguards:

• An adequacy decision adopted by the European Commission for the recipient country.

• EU Standard Contractual Clauses (SCCs) signed with the recipient, where applicable supplemented by additional measures (such as encryption and access controls).

• Other valid transfer mechanisms recognised under Chapter V of the GDPR.

You can request more information about the safeguards used for a specific transfer by contacting eric@tendy.se.

13. Data Retention

We keep your personal data only for as long as necessary for the purposes described in this policy, after which we delete or anonymise it. The main retention periods are:

When you delete your Tendy account, your harvest and inventory records, custom cuts, and producer profile are removed from our systems within a reasonable period, except where retention is required by law (for example tax records related to subscription payments).

14. Security of Processing

We implement appropriate technical and organisational measures to protect your personal data, including:

• SSL/TLS encryption for data in transit between your devices and our services.

• Encrypted storage and one-way hashing of passwords and other sensitive credentials.

• Access controls limited to authorised personnel bound by confidentiality obligations.

• Logical and physical security at our datacenters and cloud providers, including firewalls and intrusion detection.

• Regular review of security practices, sub-processors, and incident response procedures.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Swedish Authority for Privacy Protection (IMY) and, where required, affected individuals, in accordance with Articles 33 and 34 GDPR.

15. Children's Privacy

Our services are directed at adults, and the use of firearms and the practice of hunting are subject to age requirements under Swedish and other national laws. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected such data, we will delete it without undue delay.

16. Cookies and Similar Technologies

We use cookies and similar technologies on tendy.se and on links.tendy.se for functional, analytical, and marketing purposes.

16.1 Categories of cookies we use

• Strictly necessary cookies are required for the website to function (login, shopping cart, security, fraud prevention). These are set without consent because they are essential to the service you have requested.

• Functional/preferences cookies remember choices you make (such as language, country, currency).

• Analytics cookies help us understand how visitors use the site so we can improve it.

• Marketing cookies are used to deliver relevant advertising and to measure the performance of our marketing campaigns.

16.2 Consent

Non-essential cookies (functional, analytics and marketing) are only set after you give consent through our cookie banner, which is implemented using Shopify's Customer Privacy API. The banner offers three equal options: “Godkänn” (accept all), “Avslå” (reject all) and “Hantera inställningar” (manage settings). You can change or withdraw your consent at any time by re-opening the banner from the link in the website footer.

16.3 Detailed cookie list

A detailed, regularly updated list of every cookie we use – including name, purpose, lifetime, category, and recipient – is available in our separate Cookie Policy at tendy.se/cookies. You can also manage cookies in your browser settings. For more information about cookies and your rights, see the Swedish Post and Telecom Agency (PTS) at pts.se.

17. Your Rights under the GDPR

As a data subject, you have the following rights:

• Right of access (Article 15) – obtain confirmation that we process your personal data and a copy of that data.

• Right to rectification (Article 16) – have inaccurate or incomplete data corrected.

• Right to erasure (Article 17, the “right to be forgotten”) – request deletion of your data when it is no longer necessary or you withdraw consent.

• Right to restriction of processing (Article 18).

• Right to data portability (Article 20) – receive your data in a structured, commonly used, machine-readable format.

• Right to object (Article 21) – object to processing based on legitimate interest, including direct marketing profiling.

• Right to withdraw consent (Article 7(3)) – at any time, without affecting the lawfulness of prior processing.

• Right to opt out of direct marketing – unsubscribe via the link in any marketing email or in your app settings.

• Right to lodge a complaint with a supervisory authority (see Section 18).

17.1 In-app self-service

You can also exercise many of these rights directly in the app. You can:

• Edit or delete any animal profile, inventory item, custom cut or template.

• Toggle sharing settings on each animal profile to control what a QR scan reveals.

• Disable your public producer profile.

• Leave or remove yourself from a hunting team.

• Cancel a subscription through the App Store or Google Play settings.

• Request export or deletion of your account by contacting us.

17.2 How to make a request

To exercise your rights, send a request to eric@tendy.se. We will respond within one month, with the possibility of a two-month extension for complex requests, in which case we will inform you within the first month. We may need to verify your identity before processing your request.

18. Complaints and Supervisory Authority

If you have concerns about how we process your personal data, please first contact us at eric@tendy.se so we can address your concern.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY):

Integritetsskyddsmyndigheten (IMY)

Box 8114, 104 20 Stockholm, Sweden

Email: imy@imy.se

Website: imy.se

If you reside in another EU country, you may also lodge a complaint with the supervisory authority in your country of residence or place of work, or where the alleged infringement took place.

For consumer disputes, you can also turn to the Swedish National Board for Consumer Disputes (Allmänna reklamationsnämnden, ARN) at arn.se, or to the European Commission's Online Dispute Resolution platform at http://ec.europa.eu/consumers/odr.

19. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our services, our processing practices, or applicable law. The updated version will be published in the app and on tendy.se with a new effective date. For material changes, we will provide additional notice (for example by email or in-app notification) where required by law.

20. Governing Law

This Privacy Policy is governed by Swedish law. Any dispute relating to the processing of your personal data may be brought before competent Swedish courts, without prejudice to your right to lodge a complaint with a supervisory authority or to seek other remedies available under EU law.