What we do with your data — in plain language.
Tensō builds decision products for governments and institutions, so we hold trust to a higher standard than the law requires. This notice explains exactly what we collect through this website, why, and how you stay in control. It is written to satisfy both POPIA (South Africa) and the GDPR (EU/EEA).
- Effective: 11 June 2026
- Version: 2026-06-11
- Review: every 12 months or on material change
1. Who we are
Tensō Analytics (“Tensō”, “we”, “us”) is the responsible party / data controller for the personal information described here. We are based in South Africa.
We have a named owner who is accountable for how we handle personal information and for answering your requests. You can reach them at privacy@tensoanalytics.com.
2. What we collect
This is a marketing website, not a product you log into. We collect very little, and only when you choose to give it or when it is technically unavoidable to serve the page:
Information you give us
When you submit the contact form to request a discovery call, we collect your name, work email, and — if you choose to add them — your organisation and a free-text message. We also record the page you submitted from, to understand which content prompts enquiries.
The required fields are the minimum we need to reply — if you do not provide them, we simply cannot respond to your enquiry. Please keep what you share accurate, and do not include special or sensitive personal information (such as health, religious, or political details) in your message — we neither need nor want it.
Information collected automatically
Like every website, our hosting provider records standard technical data (such as your IP address and request metadata) in short-lived server logs for security and reliability. If you accept analytics, we also measure aggregate traffic with Google Analytics — see §8.
3. Why, and on what basis
We only process your information where the law gives us a basis to. Under POPIA (§11) and the GDPR (Art. 6), our bases are:
- Responding to your enquiry — to read your message, reply, and assess whether an engagement is a fit. Basis: your consent in submitting the form, and our legitimate interest in responding to people who contact us.
- Keeping the site secure and working — server logs and abuse prevention. Basis: our legitimate interest in operating a safe, reliable site.
- Understanding what content is useful — aggregate analytics via Google Analytics. Basis: your consent, given through the banner. Decline and no analytics cookie is set and no analytics data is collected about you.
Where we rely on legitimate interest, we have weighed that interest against your rights and concluded that responding to and managing genuine business enquiries does not override your privacy. You can withdraw consent or object to legitimate-interest processing at any time — see §7.
No automated decisions. We do not use your information for automated decision-making or profiling. A person reads and handles every enquiry.
4. Who we share it with
We do not sell your information and we do not share it for anyone else’s marketing. We use a small set of carefully chosen sub-processors to run the site and deliver your message. Each is bound by a data-processing agreement and may only act on our instructions.
| Sub-processor | What we use it for | Data it touches | Location | Transfer basis |
|---|---|---|---|---|
| Resend | Delivers the transactional email notification when you submit the contact form. | Your name, work email, organisation, and message | United States / EU | Standard Contractual Clauses + vendor DPA |
| Vercel | Hosts the website and serves it from a global edge network. | IP address and request metadata in short-lived server logs | Global edge network; serverless compute in the US (iad1 / us-east-1) | Standard Contractual Clauses + vendor DPA |
| Google Analytics 4 (Google Ireland Ltd.) | Aggregate traffic measurement under Consent Mode — loads denied by default and sets a measurement cookie only after you accept the consent banner. | Truncated IP address, device/browser metadata, and — only with your consent — a first-party analytics cookie identifier | European Union / United States | Standard Contractual Clauses + Google Ads Data Processing Terms |
We may also disclose information where we are legally required to (for example, a lawful request from a regulator), and to professional advisers under a duty of confidence. We will keep any such disclosure to the minimum required.
5. International transfers
Some of our sub-processors operate outside South Africa. Where your information crosses a border, we rely on a lawful transfer mechanism — Standard Contractual Clauses, an adequacy decision, or the sub-processor’s binding commitments — so your protection travels with the data. Our hosting is served from a global edge network, with serverless compute in the US (iad1 / us-east-1); its transfer basis is Standard Contractual Clauses + vendor DPA.
6. How long we keep it
We keep personal information only as long as we have a reason to. In practice:
- Contact-form enquiries. Kept only as long as needed to respond and, where relevant, to progress an engagement; reviewed periodically and deleted when no longer required. Purpose: we need your message to reply to it and to assess fit for an engagement.
- Server & edge logs. Short-lived — retained by our hosting provider on a rolling basis (typically up to 30 days). Purpose: operational security, abuse prevention, and debugging.
- Analytics (Google Analytics 4). Only collected if you accept analytics. Event-level data is retained by Google for the property retention window (no more than 14 months); reporting is aggregate. Purpose: understanding which pages are useful, on the basis of your consent.
7. Your rights
You are in control of your information. Both POPIA and the GDPR give you the following rights, which we honour for everyone regardless of where you live.
| Your right | POPIA | GDPR | What it means |
|---|---|---|---|
| Access | POPIA §23 | GDPR Art. 15 | Ask what personal information we hold about you and get a copy. |
| Correction / Rectification | POPIA §24 | GDPR Art. 16 | Have inaccurate or incomplete information about you fixed. |
| Deletion / Erasure | POPIA §24 | GDPR Art. 17 | Ask us to delete your information where we have no lawful reason to keep it. |
| Objection | POPIA §11(3) | GDPR Art. 21 | Object to a particular use of your information. |
| Restriction | POPIA §14 | GDPR Art. 18 | Ask us to pause processing while a question about your data is resolved. |
| Portability | — | GDPR Art. 20 | Receive the information you gave us in a portable, machine-readable form. |
| Complain to a regulator | Information Regulator (South Africa) | Your EU/EEA supervisory authority | Lodge a complaint with the relevant data-protection authority at any time. |
To exercise any of these, email privacy@tensoanalytics.com. We will verify your identity, respond within the timeframes the law requires, and never charge you for a reasonable request.
8. Cookies & analytics
We use Google Analytics 4 to understand which content is useful. It runs under Google’s Consent Mode, set to denied by default — so until you choose, it sets no analytics cookie and collects no analytics data about you. The first time you visit, a banner asks whether you accept analytics.
If you accept, Google Analytics sets a first-party analytics cookie to measure repeat visits in aggregate. We configure it to truncate IP addresses, and we do not use it for advertising, cross-site tracking, or profiling. If you decline, no analytics cookie is set and nothing is measured about you. You can change your mind by clearing this site’s storage in your browser, which makes the banner reappear.
We never set advertising cookies. The only other storage we use is strictly necessary — for example, remembering your analytics choice so we don’t ask again — and needs no consent of its own.
9. Direct marketing
Contacting us does not add you to a marketing list. We will not use your details for direct electronic marketing without your consent, and any marketing message we ever send will identify us clearly and carry a one-click way to opt out — as POPIA (§69) and the GDPR require. You can tell us to stop at any time by emailing privacy@tensoanalytics.com.
10. How we keep it secure
We protect your information with appropriate technical and organisational measures — as POPIA’s security-safeguards condition (§19) and the GDPR (Art. 32) require: encryption in transit, least-privilege access, sub-processors bound by data-processing agreements, and — above all — collecting as little as possible in the first place. We set out the detail, and how to report a concern, in our security posture.
11. Children's data
This site is aimed at professionals and institutions. We do not knowingly collect personal information from children. If you believe a child has contacted us, email privacy@tensoanalytics.com and we will delete it.
12. Changes to this notice
We review this notice every 12 months or on material change. When we make a material change, we update the effective date and version at the top of the page. The version shown is the one your contact-form submission is recorded against, so you always know which notice applied when you shared your details.
13. Contact & complaints
Questions, requests, or concerns go to privacy@tensoanalytics.com. We would always rather hear from you first.
You also have the right to complain to a data-protection authority. In South Africa that is the Information Regulator; in the EU/EEA it is your local supervisory authority. For how we secure this information, see our security posture.
Exercise a right or ask a question
Your data, your call.
Email privacy@tensoanalytics.com and a named owner will respond — typically within a few working days.