Privacy Policy
How Through The Glass Creatives Global collects, uses, and protects your information.
Through The Glass Creatives Global – FZCO
Version 2.1 · Effective May 26, 2026
Document ID: PP-TTGC-2.1
Supersedes: PP-TTGC-2.0 (effective January 10, 2026)
1. Introduction
Through The Glass Creatives Global – FZCO ("TTGC", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, share, and protect personal data when you visit ttgcreatives.com (the "Site"), engage our creative services, subscribe to any of our plans, or otherwise interact with us.
By using the Site or our services, you confirm that you have read and understood this Privacy Policy. If you do not agree, please do not use the Site or our services.
Controller details
- Legal name: Through The Glass Creatives Global – FZCO
- Trade license: 67626 (Dubai Integrated Economic Zones Authority)
- Registered office: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
- Data Protection Officer: legal@ttgcreatives.com (see §16)
2. Scope and Applicable Laws
This Privacy Policy is designed to comply with, and is interpreted consistently with:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL");
- the EU General Data Protection Regulation (GDPR) and the UK GDPR, where you are located in or interacting with us from the EEA or United Kingdom;
- the Philippines Data Privacy Act of 2012 (Republic Act 10173), where you are located in the Philippines;
- the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA/CPRA"), where you are a California resident;
- the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Texas Data Privacy and Security Act (TDPSA), Utah Consumer Privacy Act (UCPA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act (MCDPA), Iowa Consumer Data Protection Act (ICDPA), and similar U.S. state privacy laws as they take effect, where you are a resident of those states;
- the Washington My Health My Data Act (MHMDA), Nevada SB 370, and Connecticut Public Act 22-15 / SB 3 ("Connecticut Consumer Health Data Law"), where applicable to consumer health data;
- the United States Health Insurance Portability and Accountability Act (HIPAA), where TTGC has executed a Business Associate Agreement (BAA) with a Covered Entity client (see §12);
- the United States Children's Online Privacy Protection Act (COPPA), where children under 13 are involved; and
- other applicable privacy laws where we do business.
Where laws conflict, the stricter protection applies to the corresponding data subject.
3. What Data We Collect
3.1 Data you provide to us directly
- Identity and contact data: name, email address, mailing address, phone number, job title, company name, country of residence or incorporation.
- Account data: username, password (stored hashed), authentication tokens, account preferences.
- Project and intake data: briefs, brand assets, content, files, logos, and any other material you share with us to perform the services.
- Payment data: payment method, billing address, and transaction records. Full card numbers are processed by our PCI-DSS–compliant payment processors (Stripe and other regulated providers) and are not stored on our servers.
- Contractual acceptance data: the information captured at acceptance of our Master Services Agreement or Subscription Terms (company name, signatory name and title, verified email, IP address, user agent, timestamp, SHA-256 hash of the accepted document version, and the state of each acknowledgment checkbox).
- Correspondence: emails, chat messages, support tickets, and notes from calls or meetings.
3.2 Data we collect automatically
- Technical data: IP address, browser type and version, device type, operating system, approximate location derived from IP, referring URLs, pages visited, session duration.
- Cookie and similar technology data: see §14 (Cookies).
- Analytics data: aggregated usage patterns via privacy-respecting analytics tools.
3.3 Data we receive from third parties
- Payment confirmations from Stripe and other processors.
- Authentication data where you log in using a third-party identity provider.
- Public professional information from platforms such as LinkedIn, only when you have voluntarily made it public.
3.4 Special category / sensitive data
We do not seek or intentionally collect special category data under GDPR Art. 9 (health, religion, political views, biometric data, data concerning sex life or sexual orientation, etc.) or "sensitive personal information" under CCPA/CPRA (precise geolocation, racial or ethnic origin, citizenship or immigration status, contents of communications, genetic data, biometric data, financial account log-in, etc.).
If special category or sensitive data is present in project material you provide, you authorize its processing solely to perform the services. Processing of patient health data ("Protected Health Information" or PHI under HIPAA) is prohibited unless TTGC and a Covered Entity client have executed a Business Associate Agreement (see §12).
3.5 Sources of personal data
For CCPA/CPRA disclosure purposes, we collect the categories of personal information listed above directly from you, automatically through your interaction with the Site, and from third parties (payment processors, identity providers, public professional sources).
4. How We Use Your Data
We process your personal data only for specified, explicit, and legitimate purposes, including:
| Purpose | Legal basis (GDPR / PDPL) |
|---|---|
| Providing the services you requested, including delivering creative work and supporting your subscription | Contract performance |
| Processing payments, issuing invoices, recovering debts, handling chargebacks | Contract performance; legal obligation |
| Sending operational communications (delivery notifications, approval requests, project updates) | Contract performance |
| Sending marketing communications | Consent (opt-in) — you can unsubscribe at any time |
| Complying with legal, tax, regulatory, or accounting obligations | Legal obligation |
| Protecting our rights, preventing fraud, enforcing our agreements | Legitimate interests (see §4.1) |
| Improving the Site, our services, and client experience | Legitimate interests (see §4.1) |
| Defending against legal claims and participating in arbitration or litigation | Legitimate interests; legal obligation |
4.1 Legitimate interests balancing test (GDPR Recital 47)
For each "Legitimate interests" basis above, we have conducted a balancing test as required by GDPR Art. 6(1)(f). In each case:
- Interest pursued: protecting our business and clients from fraud, enforcing valid contractual rights, improving the quality and security of our services.
- Necessity: processing is necessary because no less intrusive means would achieve the same outcome (e.g., we cannot detect chargeback fraud without retaining transaction metadata; we cannot improve the Site without aggregated analytics).
- Balance: the interests pursued do not override your fundamental rights and freedoms, considering the limited categories of data, the security measures we apply, and your right to object under §9.
- Documentation: balancing tests are documented internally and reviewed annually. You may request a summary of the relevant balancing test for any specific use by writing to legal@ttgcreatives.com.
You have the right to object to processing based on legitimate interests. We will stop the processing unless we demonstrate compelling legitimate grounds that override your rights, or processing is required for the establishment, exercise, or defense of legal claims.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share personal data only with:
- Processors and service providers acting on our documented instructions, including:
  - Payment processors (e.g., Stripe and other PCI-DSS-compliant payment partners);
  - Transactional email and messaging providers (e.g., Postmark, SendGrid, Mailgun, Resend);
  - Cloud hosting and storage providers (e.g., AWS, Cloudflare, Google Cloud, Microsoft Azure, Dropbox, Google Drive);
  - Customer support and CRM platforms (e.g., HubSpot, Intercom, Zendesk, or equivalents);
  - Analytics providers (e.g., Google Analytics 4, Plausible, Fathom, or equivalents);
  - Project management and collaboration tools (e.g., Notion, Asana, Linear, Monday, Slack, or equivalents);
  - Reverse-CAPTCHA / bot-prevention providers (e.g., Google reCAPTCHA, Cloudflare Turnstile, hCaptcha);
  - Document e-signature platforms (e.g., DocuSign, HelloSign, or equivalents).
- Subcontractors and Design Agents engaged to deliver the services, each bound by written confidentiality and data-processing obligations.
- Professional advisers (lawyers, accountants, auditors) under obligations of confidentiality.
- Authorities and regulators where disclosure is required by law, a valid legal process, or to respond to a lawful request.
- Successor entities in the event of merger, acquisition, or sale of all or part of our business.
A current list of key sub-processors is maintained and made available on request at legal@ttgcreatives.com.
For the avoidance of doubt under CCPA/CPRA: in the preceding twelve (12) months we have not "sold" personal information for monetary or other valuable consideration as defined under §1798.140(ad). We have "shared" personal information with the categories of service providers listed above strictly in support of operating our services — this is a service-provider relationship, not "sharing for cross-context behavioral advertising" within CPRA's meaning. If our practices change, this section will be updated.
6. International Data Transfers
We are headquartered in the United Arab Emirates. When we transfer personal data out of your jurisdiction, we rely on:
- UAE PDPL: transfers consistent with Article 22 of the PDPL, including through adequacy decisions or appropriate safeguards.
- GDPR / UK GDPR: Standard Contractual Clauses (SCCs) adopted by the European Commission and the UK ICO, or other recognized transfer mechanisms.
- Philippines DPA: appropriate safeguards consistent with NPC guidance.
- CCPA/CPRA and other U.S. state laws: contractual safeguards with sub-processors mandating equivalent protection.
Copies of the transfer mechanisms we rely on are available on request at legal@ttgcreatives.com.
7. How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Account and project data: for the duration of your engagement plus seven (7) years thereafter, to meet UAE commercial record-keeping and tax requirements;
- Contractual acceptance records: for the limitation period applicable to claims arising under the agreement (six (6) years under UAE Civil Transactions Law) plus an additional two (2) years to defend any late-filed challenges. After this period, acceptance records are deleted or fully anonymized;
- Payment and invoicing data: seven (7) years after the transaction, in accordance with UAE VAT and corporate-tax requirements;
- Marketing data: until you unsubscribe, plus a reasonable suppression period (up to 18 months) to honor your opt-out;
- Correspondence and support tickets: up to three (3) years from closure, for quality assurance and dispute handling;
- Cookie and analytics data: per the durations disclosed in §14 and the cookie banner, typically not exceeding 24 months for analytics cookies.
When retention periods expire, we delete, anonymize, or aggregate the data.
8. How We Protect Your Data
We apply administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. Measures include:
- encryption in transit (TLS 1.2 or higher) and at rest where appropriate;
- access controls and role-based permissions;
- logging and monitoring of access to sensitive data;
- multi-factor authentication on internal admin accounts;
- written confidentiality and data-processing agreements with all employees, Design Agents, and sub-processors;
- secure development practices, code review, and regular review of our security posture;
- annual employee privacy and security training;
- documented incident response and breach notification procedures.
No security measure is perfect. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority within the timelines required by applicable law (within 72 hours for GDPR notifications to authorities; without unreasonable delay for CCPA/CPRA notifications; within timelines required by U.S. state breach-notification laws of your state of residence).
9. Your Rights (General)
Depending on your jurisdiction, you may have the right to:
- access the personal data we hold about you;
- rectify or correct inaccurate or incomplete data;
- erase your data ("right to be forgotten"), subject to legal retention requirements;
- restrict or object to certain processing, including processing based on legitimate interests;
- data portability — receive a copy of your data in a commonly used, machine-readable format;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local supervisory authority, including the UAE Data Office, the European Data Protection Board member authorities, the UK Information Commissioner's Office (ICO), the Philippines National Privacy Commission, the California Privacy Protection Agency, or your state attorney general.
To exercise these rights, email legal@ttgcreatives.com. We will respond within thirty (30) days for most requests, or as required by applicable law (45 days under CCPA/CPRA, extendable by another 45 days where reasonably necessary). We may need to verify your identity before processing your request.
Section 10 sets out additional, jurisdiction-specific rights for U.S. state residents.
10. U.S. State Privacy Rights
This section sets out additional rights and disclosures for residents of U.S. states with comprehensive privacy laws. The rights described below are in addition to those in §9.
10.1 California residents (CCPA/CPRA)
Categories of personal information collected (last 12 months). We have collected the following CCPA categories of personal information:
| CCPA Category | Examples we collect |
|---|---|
| A. Identifiers | name, email, postal address, phone, account ID, IP address |
| B. Customer records | billing address, payment-method last 4 digits, signatory title |
| C. Protected classification | none knowingly collected |
| D. Commercial information | purchase history, subscription tier, project type |
| E. Biometric information | none |
| F. Internet/network activity | browsing on Site, page-views, referring URL, session metadata |
| G. Geolocation | approximate location from IP only; no precise geolocation |
| H. Sensory data | none |
| I. Professional/employment | job title, company name |
| J. Education information | none |
| K. Inferences | basic preferences inferred from interaction history |
| L. Sensitive PI (CPRA) | account log-in credentials only (stored hashed); no other categories |
Sources, purposes, recipients, and retention. See §§3.5, 4, 5, 7 above. Each category is collected for the purposes listed in §4 and disclosed to the categories of recipients listed in §5; retention follows §7.
Sale or sharing of personal information. We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.
Your CCPA/CPRA rights:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, purposes, and the categories of third parties with whom we have shared it.
- Right to delete — request deletion of personal information we have collected from you, subject to statutory exceptions (including, but not limited to, completing the transaction for which the information was collected, detecting security incidents, complying with a legal obligation, and exercising or defending legal claims).
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — because we do not currently sell or share personal information as defined by CPRA, this right is presented for completeness; if our practices ever change, we will provide a "Do Not Sell or Share My Personal Information" link on the Site at ttgcreatives.com/legal/do-not-sell-or-share and honor opt-out signals (Global Privacy Control/GPC).
- Right to limit the use of sensitive personal information — to the extent we process sensitive personal information beyond what is necessary to provide the service, you may direct us to limit such use; the relevant link, when applicable, is at ttgcreatives.com/legal/limit-sensitive-pi.
- Right to non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA right.
- Authorized agent — you may designate an authorized agent to make a request on your behalf. We may require written, signed authorization and verify your identity directly.
How to exercise CCPA/CPRA rights. Email legal@ttgcreatives.com with the subject line "CCPA Request", or use the request form at ttgcreatives.com/legal/privacy-request. We may verify your identity (typically by confirming details associated with your account or matching attributes provided in your request to our records). We will respond within 45 days, extendable by another 45 days where reasonably necessary, with notice of the extension.
California "Shine the Light" Law (Cal. Civ. Code §1798.83). We do not disclose personal information to third parties for those parties' direct marketing purposes.
10.2 Other U.S. state residents
If you are a resident of Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, Iowa, or any other U.S. state with a comprehensive consumer privacy law in effect, you may have rights including:
- Right to know / access the personal data we process about you;
- Right to delete your personal data, subject to statutory exceptions;
- Right to correct inaccurate personal data (except Utah, which does not provide this right at the time of writing);
- Right to data portability;
- Right to opt out of the sale of personal data (we do not sell);
- Right to opt out of targeted advertising (we do not engage in targeted advertising as defined under these laws);
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects — we do not engage in such profiling (see §13);
- Right to appeal a denial of your request (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others — see §10.3).
To exercise any of these rights, email legal@ttgcreatives.com with the subject line "State Privacy Request" and identify your state of residence. We will respond within 45 days, extendable as permitted by your state's law.
10.3 Appeals
If we decline a privacy rights request, you may appeal by replying to our determination email or by writing to legal@ttgcreatives.com with the subject line "Privacy Request Appeal" within 60 days of our determination. We will respond to the appeal within 45 days. If your appeal is denied, you may contact your state attorney general or applicable supervisory authority.
10.4 Notice at collection
Where required by CCPA/CPRA or other state laws, we provide a "notice at collection" at or before the point of collection (e.g., on signup forms) summarizing the categories of personal information collected and purposes. Full disclosures appear in this Privacy Policy.
11. Consumer Health Data
This section addresses consumer health data laws that may apply to our processing because some of our clients are healthcare providers and aesthetic clinics whose services involve consumer health data.
11.1 Definition
For the purposes of this section, "consumer health data" includes any personal data that identifies a consumer's past, present, or future physical or mental health, including data inferred or derived from non-health data, as defined by the Washington My Health My Data Act (RCW 19.373 et seq.), the Nevada Consumer Health Data Privacy Act (SB 370), the Connecticut Consumer Health Data Law (P.A. 22-15 / SB 3, as amended), and similar laws.
11.2 Our role
We do not directly collect consumer health data from data subjects. To the extent consumer health data passes through our systems in the course of providing services to a clinic, healthcare, or wellness client, we act as a service provider / processor on behalf of that client, who is the controller responsible for direct compliance with applicable consumer health data laws.
11.3 Consumer rights
If you believe your consumer health data has been processed by us in connection with a clinic's engagement, you may exercise the following rights, subject to our verification of your identity and our coordination with the relevant clinic-controller:
- Right to know what categories of consumer health data we have processed;
- Right to access consumer health data;
- Right to delete consumer health data, subject to statutory exceptions and the controller's instructions;
- Right to withdraw consent previously given for the processing of consumer health data.
To exercise these rights, email legal@ttgcreatives.com with the subject line "Consumer Health Data Request". We will route your request to the relevant controller and assist as required by law.
11.4 Sale of consumer health data
We do not sell consumer health data. We will not sell consumer health data without first obtaining the affirmative, valid authorization required by Washington MHMDA (which separately requires a "valid authorization" form) and other applicable state laws.
11.5 Geofencing
Consistent with Washington MHMDA RCW 19.373.040, we do not implement, and we instruct clients not to instruct us to implement, geofences around in-person healthcare facilities for the purpose of identifying consumers seeking health services, tracking such consumers' locations, collecting consumer health data, or sending notifications related to consumer health data.
11.6 Consumer Health Data Privacy Policy posting
This section, together with §12 below, satisfies the consumer health data privacy policy posting requirement under Washington MHMDA, Nevada SB 370, and Connecticut SB 3 to the extent applicable to TTGC's role.
11.7 Authorized agents
Consumers may designate an authorized agent to act on their behalf in exercising consumer health data rights. We may require written, signed authorization and verify the consumer's identity directly.
12. HIPAA Posture
12.1 Default rule — PHI is prohibited
TTGC is not, by default, a HIPAA Business Associate of any healthcare provider client. Clients who are HIPAA Covered Entities (such as healthcare providers, health plans, and healthcare clearinghouses, as defined under 45 C.F.R. §160.103) must not transmit, store, share, or otherwise route Protected Health Information ("PHI", as defined under 45 C.F.R. §160.103) through TTGC's systems, communication channels, or services unless and until a Business Associate Agreement ("BAA") has been executed in writing between TTGC and the client.
This includes, without limitation, patient-identifying photos, medical records, test results, intake forms containing health information, or any combination of identifiers that can be used to identify a patient and their health condition.
12.2 BAA on request — premium pricing applies
Where a client engagement requires processing of PHI, TTGC will, at its discretion, enter into a BAA with the client substantially in the form of TTGC's standard BAA template (available on request at legal@ttgcreatives.com). The BAA will:
- identify TTGC as a Business Associate of the client;
- describe the permitted and required uses and disclosures of PHI;
- impose obligations on TTGC that mirror the requirements of 45 C.F.R. §§164.502–164.504, 164.314, and 164.504(e);
- require subcontractors that handle PHI on TTGC's behalf to execute equivalent agreements.
HIPAA-Compliant Engagement Premium. Engagements that require a BAA, or that otherwise involve the processing of PHI by TTGC, are priced as a separate, premium service tier. The HIPAA-Compliant Engagement Premium reflects the substantially increased compliance, infrastructure, audit, training, indemnification, and breach-response obligations TTGC undertakes as a Business Associate, including but not limited to: enhanced access controls, segregated PHI storage, periodic Security Rule compliance assessments, designated HIPAA-trained staff, sub-Business-Associate management, and breach-notification readiness. The premium is quoted on a per-engagement basis at the time of BAA negotiation and is in addition to the standard service fees specified in the applicable Project Order or Subscription Package. Clients should expect HIPAA-compliant engagements to be priced materially higher than equivalent non-PHI engagements. TTGC reserves the right to decline an engagement where the proposed scope or fee is not commercially reasonable for the HIPAA compliance obligations involved.
12.3 Inadvertent transmission
If a client transmits PHI to TTGC without an executed BAA in place, TTGC will:
- notify the client immediately;
- contain or delete the PHI per the client's documented instruction (or, absent instruction within 5 business days, securely delete the PHI from active systems);
- document the incident and TTGC's response;
- consider in good faith whether the incident should be treated as a "breach" under 45 C.F.R. §164.402 and notify the client and (if applicable) regulators accordingly.
Inadvertent transmission of PHI without a BAA is a violation of HIPAA by the client (and potentially by TTGC). The cost of any remediation is the responsibility of the client.
12.4 Other healthcare laws
TTGC will, in good faith, address comparable requirements under other health-related privacy regimes (state-level mini-HIPAA laws, the EU GDPR special-category rules, and similar) on a case-by-case basis through executed addenda.
12.5 Contact
To request a BAA, raise a HIPAA concern, or report a possible PHI incident, contact: legal@ttgcreatives.com with the subject line "HIPAA — [type of request]".
13. Automated Decision-Making and Profiling
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of GDPR Article 22, Connecticut DPA §6(8), Colorado CPA §6-1-1306(2), or similar laws. In particular:
- We do not use automated systems to make decisions about credit, employment, housing, insurance, or healthcare access.
- We do not engage in targeted advertising or "cross-context behavioral advertising" as those terms are defined under U.S. state privacy laws.
- We use bot-prevention systems (such as reCAPTCHA) to verify whether visitors are human; this is not a "decision producing legal effect" but rather a security measure.
- We use basic analytics (e.g., page-view aggregation) which do not constitute profiling for the purposes of these laws.
If our practices change, we will update this section, conduct any required impact assessments, and provide you with the right to:
- request meaningful information about the logic involved;
- request human review of the automated decision;
- contest the decision; and
- opt out of profiling, where required by applicable law.
14. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Site, remember your preferences, analyze usage, and deliver relevant content.
Categories of cookies we use:
- Strictly necessary — required for the Site to function (session management, security, authentication tokens, CSRF protection). These do not require consent.
- Functional — remember preferences and improve user experience (language, region, dashboard layout).
- Analytics — help us understand how visitors use the Site (aggregated metrics; we use privacy-respecting analytics).
- Marketing — used only with your express consent to personalize content and measure the effectiveness of marketing efforts.
Where required by law (including in the EEA, UK, and certain U.S. states), we present a cookie banner on first visit that allows you to accept all, reject all (with equal prominence), or customize non-essential cookies. We will not set non-essential cookies until you give consent. You can change your preferences at any time via the "Cookie Settings" link in the Site footer. Most browsers also allow you to block or delete cookies through their settings.
We honor browser-based opt-out signals where required, including Global Privacy Control (GPC) signals from California and other state residents.
15. Children's Privacy
The Site and our services are not directed to children under the age of 18. We do not knowingly collect personal data from children. If we discover that we have collected personal data from a child under 13 in violation of the United States Children's Online Privacy Protection Act ("COPPA", 15 U.S.C. §§6501–6506), we will delete it promptly and notify the child's parent or guardian where reasonably possible. If you believe a child has provided us with personal data, please contact legal@ttgcreatives.com.
For users between 13 and 18, we honor the rights of California minors under California Business & Professions Code §22580 et seq. (the "Eraser Law"): a registered user under 18 may request the removal of content or information they have publicly posted on the Site by writing to legal@ttgcreatives.com.
16. Data Protection Officer and Contact
- Data Protection Officer (DPO): legal@ttgcreatives.com
- General privacy queries: support@ttgcreatives.com
- Postal address: Through The Glass Creatives Global – FZCO, Attention: DPO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates.
For privacy requests originating from California residents (CCPA/CPRA), use the subject line "CCPA Request" or submit via the form at ttgcreatives.com/legal/privacy-request. For other U.S. state requests, use the subject line "State Privacy Request".
17. Data Processor Services (Business Clients)
When TTGC is engaged to perform services that involve processing personal data belonging to our business clients' customers, users, or employees, TTGC acts as a Data Processor (or, under U.S. state laws, a "service provider" or "processor" as those terms are defined) and the client acts as the Data Controller (or "business"). The processor-specific obligations, instructions, and liabilities are governed by Appendix M (Data Processing Agreement) of the Master Services Agreement, which operates as a Data Processing Agreement within the meaning of GDPR Article 28, UAE PDPL Article 23, Philippines DPA § 20, and equivalent provisions of U.S. state privacy laws (CCPA/CPRA "service provider" / "contractor" addendum, VCDPA / CPA / CTDPA processor terms, etc.).
Where the client is a HIPAA Covered Entity and the engagement involves PHI, see §12 (HIPAA Posture) and the BAA template referenced therein.
This Privacy Policy applies to our processing as Controller of client and visitor data described in §§3–15.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the current version. Prior versions are archived at ttgcreatives.com/legal/privacy-policy/archive/.
For material changes that affect your rights, we will provide at least thirty (30) days' advance notice by email (for registered users) and by a prominent notice on the Site. Continued use of the Site or services after the effective date of changes constitutes acceptance of the updated Privacy Policy.
Version 2.1 · Document ID: PP-TTGC-2.1 · Effective May 26, 2026
© 2026 Through The Glass Creatives Global – FZCO. All rights reserved.