Privacy Policy

DojoSensei ("we", "our", or "us") is committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and applicable data protection laws.

Data Controller: Terry James Thorpe Publishing (Enkeltpersonforetak)
Org.nr: 928 134 636
Address: Sørlibakken 1A, 4073 Randaberg, Norway
Privacy Contact: privacy@dojosensei.com

This Privacy Policy explains how we collect, use, process, and safeguard your personal data when you use our karate class planning application.

We collect and process the following categories of personal data:

• Account Information: Email address, name, profile details (dojo name, role, belt rank, teaching preferences)
• Class Plans and Content: Karate class plans, drills, templates, and curriculum data you create
• Usage Data: How you interact with the application, features used, and performance metrics
• Authentication Data: If you sign in with Google, we receive your basic profile information (email, name) from Google
• Communication Data: Messages sent through Sensei AI chat features, including conversation history retained for up to 90 days to provide continuity and personalization
• Voice Data: When you use voice chat features, audio from your microphone is streamed in real-time to Deepgram for transcription, and text responses are sent to ElevenLabs for speech synthesis. Audio is processed in real-time and is not stored by DojoSensei or our processors beyond the active session
• Health Information (Special Category): If you choose to provide information about physical injuries or limitations, this is classified as special category data under GDPR Article 9. This data is only collected with your explicit consent and is used solely to ensure AI-generated training suggestions account for your safety. You may withdraw this consent and remove this data at any time
• AI-Inferred Preferences: Our AI Sensei may infer information about your karate experience, interests, and training preferences from your chat conversations. These inferences are stored with confidence levels and you can review, confirm, or reject them at any time (see Section 12)
• Technical Data: IP address, browser type, device information, and access logs
• Consent Records: Timestamps, versions of policies you have accepted, and IP address at time of consent for GDPR compliance verification
• Payment Data: Subscription tier, billing interval, and payment processor identifiers. Payment card details are processed exclusively by LemonSqueezy and are never stored by DojoSensei

When you create an account and accept our Terms of Service and Privacy Policy, we record certain information to demonstrate your consent as required by GDPR:

• Timestamp: The exact date and time you accepted the terms
• Policy Version: Which version of the Privacy Policy and Terms of Service you accepted
• Marketing Preference: Whether you opted in to receive marketing communications

Purpose: This information is collected for legal compliance and consent verification under GDPR Article 6(1)(c).

Retention: Consent records are retained for 3 years from the date of consent, or 1 year after account deletion, to demonstrate compliance with applicable data protection laws.

We process your personal data based on the following legal bases:

• Contractual Necessity (Art. 6(1)(b)): To provide and maintain the DojoSensei service, save and sync your class plans, process payments, and fulfill our terms of service
• Legitimate Interests (Art. 6(1)(f)): To improve our service, ensure security, prevent fraud, analyze usage patterns, and personalize your AI Sensei experience through preference inference
• Consent (Art. 6(1)(a)): For optional features like marketing communications (you can withdraw consent at any time)
• Explicit Consent for Special Category Data (Art. 9(2)(a)): For processing health-related data (injuries and physical limitations) that you voluntarily provide. You may withdraw this consent at any time by removing this information from your profile or in Privacy Settings
• Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, tax obligations, and data protection regulations, including maintaining consent records

We process your personal data for the following purposes:

• Providing and maintaining the DojoSensei application and services
• Saving, syncing, and managing your class plans across devices
• Providing AI-powered features including Sensei chat assistance
• Improving and personalizing your user experience
• Ensuring security and preventing unauthorized access
• Complying with legal obligations and responding to legal requests
• Sending important service updates and notifications (essential communications)
• Analyzing usage patterns to improve our service (anonymized where possible)

We retain your personal data only for as long as necessary:

• Account Data: Retained while your account is active. Deleted within 30 days of account deletion request
• Class Plans and Content: Retained while your account is active. Deleted when you delete your account
• Sensei Chat Conversations: Retained for up to 90 days to provide continuity and personalization, then automatically deleted
• Chat Analytics Logs: Redacted of personally identifiable information (PII) before storage. Retained for up to 90 days for service improvement, then automatically deleted
• AI Cost and Usage Data: Retained for up to 12 months for billing and service monitoring, then deleted
• Voice Data: Processed in real-time only. No audio recordings are stored by DojoSensei
• Consent Records: Retained for a minimum of 3 years from the date of consent, or 1 year after account deletion, to demonstrate compliance with applicable data protection laws
• Legal Obligations: Some data may be retained longer if required by law or for legitimate business purposes (e.g., tax records, fraud prevention)

Your data is stored securely using Supabase (PostgreSQL database) with:

• Encryption in transit (TLS/SSL) and at rest
• Row Level Security (RLS) policies ensuring data isolation between users
• Industry-standard security measures and access controls
• Regular security audits and monitoring

Your class plans and personal data are private and only accessible to you unless you explicitly choose to share them.

We use the following third-party services (data processors) that may process your data:

• Supabase (Supabase Inc.): Database and authentication services. Data may be stored in the United States. GDPR-compliant with Standard Contractual Clauses (SCCs)
• Resend (Resend Inc.): Email delivery for transactional and marketing emails. Email addresses and email content are processed. GDPR-compliant with data processing agreement
• Google (Google LLC): Optional sign-in authentication and AI chat (Google Gemini). Chat conversations and user context are processed by Gemini to provide AI Sensei features; data is not used for model training under API terms. Data transfers covered by Google's EU-US Data Privacy Framework certification
• Deepgram (Deepgram Inc.): Speech-to-text transcription. When you use voice features, audio from your microphone is streamed to Deepgram for real-time transcription. Audio is not stored beyond the transcription session. US-based; transfers covered by SCCs
• ElevenLabs (ElevenLabs Inc.): Text-to-speech generation. Text responses are sent to ElevenLabs to produce spoken audio for voice features. No long-term storage by ElevenLabs. US-based; transfers covered by SCCs
• OpenAI (OpenAI LLC): Text embeddings for knowledge search. Search queries are processed to generate semantic embeddings that power search functionality. Not used for model training under API terms. US-based; transfers covered by SCCs
• LemonSqueezy (Lemon Squeezy LLC): Payment processing and subscription management. Processes email, billing information, and payment card details. DojoSensei never receives or stores your payment card details. US-based; PCI DSS compliant; transfers covered by SCCs
• Sentry (Functional Software Inc.): Error monitoring and performance tracking. Collects technical error data and browser information. All personally identifiable information is stripped before transmission; session replays (if enabled) mask all text and block all media. US-based; transfers covered by SCCs
• Vercel (Vercel Inc.): Application hosting and serverless functions. Request logs and IP addresses may be processed. GDPR-compliant with data processing agreement
• Cloudflare (Cloudflare Inc.): Content delivery and security services. IP addresses may be processed for bot protection and performance optimization. GDPR-compliant

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on adequacy decisions such as the EU-US Data Privacy Framework.

You have the following rights regarding your personal data:

• Right of Access (Article 15): Request a copy of your personal data and information about how it is processed
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal obligations
• Right to Restrict Processing (Article 18): Request limitation of processing in certain circumstances
• Right to Data Portability (Article 20): Receive your data in a structured, commonly used format and transmit it to another controller
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint (Article 77): File a complaint with your local supervisory authority if you believe your data protection rights have been violated

To exercise these rights, please contact us at privacy@dojosensei.com. We will respond to your request within one month.

You can withdraw your marketing consent at any time by:

• Clicking "Unsubscribe" in any marketing email
• Visiting Settings → Privacy in the app and updating your preferences
• Contacting us at support@dojosensei.com

Withdrawal of marketing consent does not affect the lawfulness of processing based on consent before its withdrawal, nor does it affect your account access or the core functionality of DojoSensei.

You can request complete deletion of your account and all associated data by:

• Visiting Settings → Account → Delete Account in the app
• Contacting us at support@dojosensei.com

Upon deletion, we will erase all personal data within 30 days, except:

• Consent Records: Retained for 1 year after account deletion for legal compliance (see Data Retention above)
• Anonymized Data: Aggregated, non-identifiable data may be retained for analytics
• Legal Requirements: Data required by law to be retained longer

DojoSensei uses AI-assisted profiling to personalize your experience:

• Conversation Analysis: Our AI Sensei may infer information about your karate experience, interests, and preferences from your chat conversations (e.g., your interest in kata vs. kumite, your experience level, training goals)
• Inferred Profile: These inferences are stored with confidence levels (low, medium, high) and are visible to you. You can confirm or reject any inference at any time
• Sentiment and Topic Tracking: Conversation sentiment and topics are analyzed to improve the relevance of AI responses and detect knowledge gaps where you may need more help
• Purpose: These inferences are used solely to personalize your AI Sensei conversations and provide more relevant training suggestions
• No Legal or Significant Effects: These profiles do not produce legal effects or significantly affect you. They do not determine pricing, access to features, or service availability

Your Control: You can view all AI-inferred data, confirm or reject individual inferences, and disable AI profiling entirely in Privacy Settings. When profiling is disabled, no new inferences will be stored. The legal basis for this processing is legitimate interest (Art. 6(1)(f)); you have the right to object at any time under Art. 21.

We use the following types of cookies:

• Essential Cookies: Required for authentication, session management, and core functionality. These cannot be disabled
• Functional Cookies: Remember your preferences and settings to enhance your experience

We do not use advertising cookies or third-party tracking cookies. You can manage cookie preferences through your browser settings.

DojoSensei is designed for karate instructors and adult practitioners (18+). While the application includes class planning features for various age groups (including youth and teen classes), these features are used by adult instructors to plan lessons — they are not intended for direct use by minors.

We do not knowingly collect personal information from children under 13 (the digital consent age in Norway under the Personal Data Act / Personopplysningsloven). If a user between 13 and 18 wishes to use DojoSensei, parental or guardian consent should be obtained in accordance with applicable law.

If you are a parent or guardian and believe a child under 13 has provided us with personal information, please contact us immediately at privacy@dojosensei.com and we will promptly delete such information.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

• Posting the updated policy on this page
• Updating the "Last updated" date
• Sending you a notification if the changes materially affect your rights

Your continued use of DojoSensei after changes become effective constitutes acceptance of the updated policy.

For questions, requests, or concerns about this Privacy Policy or your personal data, please contact us:

Data Controller: Terry James Thorpe Publishing
Org.nr: 928 134 636
Address: Sørlibakken 1A, 4073 Randaberg, Norway
Privacy Email: privacy@dojosensei.com

We will respond to data subject requests within one month, as required by GDPR Article 12.

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
Phone: +47 22 39 69 00
Web: www.datatilsynet.no

If you are located in another EEA country, you may also lodge a complaint with your local data protection supervisory authority. A list of authorities is available at edpb.europa.eu.