This Privacy Policy applies to all of TBL Medical’s channels and services: the website tblmedical.no, the TBL Medical app for iOS, and all other forms of contact (email, phone, in-person visits). The Policy explains what personal data we process, why we process it, which data processors we use, and what rights you have.

Certain sections of the statement apply specifically to the app, as it processes health-related information (images of the body) that requires a stricter legal basis than the website. These sections are clearly marked.

1. Contact Information

TBL Medical
Marken 32, 5017 Bergen
Phone: +47 464 26 421
Email: info@tblmedical.no

2. Data Controller

TBL Medical, represented by its managing director, is the data controller for all personal data processed through the website, the app, and other contact channels. Inquiries regarding privacy should be directed to the email address above.

3. What information we collect

3.1 From the website and general inquiries

When you submit a request via the contact form, email, or phone, we store:

  • Name
  • Email address
  • Phone number
  • Address (if provided)
  • The content of your inquiry

3.2 From the TBL Medical app

Profile information (from login and registration):

  • Apple ID (from Sign in with Apple)
  • Full name
  • Email address
  • Phone number
  • Date of birth

Consultation data (from the form you fill out in the app):

  • Description of the tattoo (body part, size, age, technique, colors, previous removal attempts)
  • Your own free-form comments
  • Deadlines for submission, responses, and communication

Images (health-related information):

  • Photographs of tattoos and the affected skin areas
  • Date and time the photo was taken (from the photo's EXIF metadata during library import, or the time the camera was used)
  • Any markings you draw on the image to indicate what should be removed

Technical information:

  • An anonymous device identifier generated by Firebase Cloud Messaging (used to send push notifications to your device)
  • Timing of system events (storage, response, deletion)

3.3 Data We Do Not Collect

Neither the website nor the app collects:

  • Location / GPS data
  • Address books, calendar, contacts
  • Advertising identifiers or tracking data
  • Marketing cookies

This website uses only functional cookies that are necessary for the site to work. Learn more about our cookies and how they work.

4. Legal Basis

Response to general inquiries (website, email, phone): Contract / preparation for a contract — GDPR Art. 6(1)(b).

Handling of consultations and treatment plans (the app): Appointment / preparation for an appointment — GDPR Art. 6(1)(b).

Health images stored and processed in the app: Express consent pursuant to GDPR Article 9(2)(a). Consent is actively given the first time you submit a consultation or save a progress image. It may be withdrawn at any time by deleting your account (see section 8).

Invoicing and accounting: Legal obligation — Sections 13–14 of the Bookkeeping Act.

5. Where the data is stored

5.1 General Contact and Billing

Written correspondence and accounting data are stored in TBL Medical’s own systems and with Norwegian service providers. All data is kept within the EEA.

5.2 The App

All personal data is stored on Google Cloud (Firebase) in the Europe region (europe-west1 / Belgium). This includes:

  • Firestore database (profile, consultations, progress logs)
  • Firebase Storage (images and PDFs)
  • Firebase Authentication (login credentials)
  • Firebase Cloud Messaging (device registrations for push notifications)
  • Firebase Cloud Functions (processing, delete requests, automatic customer matching)

Data does not cross the EEA border. Google Ireland Limited acts as a data processor and has signed the EU’s Standard Data Protection Clauses with TBL Medical.

Certain information from the app is automatically shared with TBL Suit (the medical record system used internally by TBL Medical) to link your app account to your existing customer profile if you are already a customer of ours.

6. Data processors

Google Ireland Ltd. (Firebase): Infrastructure, database, storage, and push notifications for the app. Location: EU (Belgium).

Apple Inc. (Sign in with Apple): Authentication and identity verification for the app. Location: U.S. / EU.

Apple only shares your email address and name when you sign in—never your password or other account information.

7. How long is the data retained?

  • General inquiries submitted via the website, email, or phone: Deleted no later than one year after you are no longer considered an active user.
  • Invoicing data: 10 years in accordance with Section 13 of the Bookkeeping Act.
  • Consultations and Responses (the app): Until the case is closed or you delete your account. If the case leads to treatment, case data will be stored as medical records in accordance with health legislation regarding record-keeping (for a minimum of 10 years after the last treatment).
  • Progress images and timeline (the app): Until you delete the log or your account.
  • Profile and login information (app): As long as the account is active. Deleted within 30 days of your request to delete the account.
  • Inactive accounts: If you haven’t used the app in two years and there are no pending cases, we’ll contact you before deleting your account.

8. Your rights

Under the GDPR, you have the right to:

  • Access: Request a copy of all the personal information we have about you.
  • Correction: Have incorrect information corrected.
  • Deletion: Have the information deleted unless required retention periods dictate otherwise.
  • Restriction: Limit the processing of your data for a period of time.
  • Data portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to the processing of your data.
  • Withdrawal of consent: Withdraw your consent to the processing of health data at any time.

The app has a built-in "Delete Account" feature under "Me" → "Delete Account" that deletes all personal data and photos from Firebase within 30 days. If you wish to exercise your right of access or other rights, please contact us at info@tblmedical.no.

You also have the right to file a complaint with the Norwegian Data Protection Authority (postkasse@datatilsynet.no, +47 22 39 69 00) if you believe we have processed your personal data in violation of the regulations.

9. Data Security

  • All data transfers between the website/app and our data processors are encrypted using TLS (HTTPS).
  • Stored data is encrypted on Google's servers.
  • Access to patient data is limited to you (via Sign in with Apple and Firestore security policies) and TBL Medical’s authorized practitioners (via TBL Suit accounts with access permissions).
  • We do not collect more information than is necessary for the purpose.

10. Push notifications (the app)

When you log in to the app, you implicitly consent to receiving push notifications regarding case processing (e.g., “The practitioner has responded to your consultation”). You can turn off push notifications at any time via iOS Settings → TBL Medical → Notifications. We never send marketing or promotional content via push notifications.

11. Children under 18

TBL Medical's services are not intended for minors. Laser tattoo removal requires users to be at least 18 years old in Norway, and the app does not allow users under the age of 18 to register. If we discover that an account belongs to a minor, it will be deleted immediately.

12. Changes to the Privacy Policy

We may update this statement as needed. In the event of significant changes that affect your rights, we will notify you via the app and/or through a clear message on the website before the changes take effect.

13. Governing Law and Jurisdiction

Norwegian law applies. Disputes shall be settled by the Norwegian courts, with the Bergen District Court as the venue of jurisdiction in the first instance.

Questions about privacy? Send an email to info@tblmedical.no.