Law Enforcement Request Policy
Document reference: TDOLLS-LEP-v1.0
Issued by: Corestack Digital Ltd
Last updated: March 2026
1. Purpose
This policy explains how Corestack Digital Ltd responds to requests from law enforcement agencies, regulatory authorities, and other competent bodies for access to user data or content hosted on the TDolls platform.
We are committed to cooperating with lawful requests from authorities. We are equally committed to protecting the privacy and rights of our users and will not disclose data beyond what is legally required.
This policy is intended to provide transparency to users and guidance to law enforcement agencies wishing to make requests.
2. Our Legal Framework
Corestack Digital Ltd is registered in Gibraltar. Our primary legal obligations in respect of law enforcement requests are governed by:
- Gibraltar law, including the Gibraltar GDPR and applicable criminal procedure legislation
- UK law, where requests relate to users in the United Kingdom or to our .uk domain operations
- EU law, where requests relate to users in the European Economic Area or to our .eu domain
- Our obligations under the Gibraltar GDPR and EU GDPR regarding data subject rights and lawful processing
We are subject to the jurisdiction of Gibraltar courts. Requests from foreign authorities may require compliance with applicable mutual legal assistance treaties (MLATs) or other recognised international frameworks.
3. Types of Requests We Receive
3.1 Data Disclosure Requests
Requests asking us to provide user account data, registration information, usage logs, IP addresses, device data, or communications.
3.2 Content Preservation Requests
Requests asking us to preserve data that may be relevant to an investigation without immediately disclosing it, pending a formal legal process.
3.3 Content Removal Requests
Requests asking us to remove specific content from the Platform on the basis that it is unlawful.
3.4 Account Restriction or Suspension Requests
Requests asking us to suspend or restrict a user's account pending investigation.
4. Requirements for Valid Requests
4.1 General Requirements
All requests must:
- Be submitted on official letterhead or through a verified official channel
- Identify the requesting agency, the officer making the request, and their contact details
- Specify the legal basis for the request under applicable law
- Specify clearly what data or action is requested
- Be addressed to Corestack Digital Ltd and signed by an authorised officer
We will not respond to informal requests sent via social media, anonymous channels, or without proper identification of the requesting authority.
4.2 Requests from Gibraltar Authorities
Requests from Gibraltar Royal Police or other Gibraltar competent authorities should be submitted by:
Post:
Legal and Compliance Team
Corestack Digital Ltd
[Registered address, Gibraltar]
Marked: Law Enforcement Request — Confidential
Email: legal@tdolls.net
Subject line: Law Enforcement Request — [Agency name] — [Reference number]
Gibraltar-based requests will be processed under Gibraltar law. We will cooperate with lawful Gibraltar court orders, production orders, and other valid legal instruments.
4.3 Requests from UK Authorities
Requests from UK law enforcement (including the National Crime Agency, Metropolitan Police, and other forces) and UK regulatory authorities should be submitted to legal@tdolls.net with the subject line indicating the requesting agency and reference number.
UK requests will be assessed under UK law. Where a UK court order or production notice under the Investigatory Powers Act or other applicable UK legislation is presented, we will comply within the timeframe specified in the order.
4.4 Requests from EU Authorities
Requests from EU member state law enforcement agencies should be submitted to legal@tdolls.net. Where relevant, requests may need to be channelled through applicable MLAT frameworks or EU-Gibraltar cooperation mechanisms.
We will comply with orders from EU courts or authorities that are presented through appropriate legal channels and that have a valid legal basis under applicable law.
4.5 Requests from Other International Authorities
Requests from authorities outside Gibraltar, the UK, and the EU will be assessed on a case-by-case basis. We are generally not in a position to comply with informal international requests without a valid legal instrument. We recommend that international authorities seek assistance through their government's mutual legal assistance mechanisms.
5. Emergency Disclosure
5.1 Imminent Risk to Life
Where we reasonably believe there is an imminent risk to the life of a person, we may disclose limited data to law enforcement without waiting for a formal legal process. This is an exceptional measure and requires:
- A credible, specific, and imminent threat to a person's life
- The disclosure to be limited to what is strictly necessary to address the threat
- A formal legal process to follow as soon as practicable
5.2 Child Safety
Where we identify or receive credible information indicating that a child is at imminent risk of sexual abuse or exploitation, we will contact relevant authorities immediately, including Gibraltar Royal Police, the Internet Watch Foundation, and NCMEC where applicable, without waiting for a formal request.
6. Data We Can and Cannot Provide
6.1 Data We Hold
Subject to valid legal process, we may be able to provide:
- Account registration data (email address, phone number, country of residence)
- Service Provider legal name and identity verification data
- IP addresses and device data captured at registration and login
- Account activity logs
- Content moderation records
- Subscription and billing records (excluding full payment card details, which we do not hold)
- Message content, subject to applicable interception laws
6.2 Data We Do Not Hold
We do not hold:
- Full payment card numbers (these are held by our payment processor)
- Identity document images for Service Providers (these are held by our third-party verification provider)
- Unencrypted passwords
For data held by our third-party processors, authorities may need to approach those providers separately.
6.3 Non-Disclosure of User Data Without Legal Process
We will not disclose user data to any authority — including law enforcement — without a valid legal instrument, except in the emergency circumstances described in Section 5. We will not comply with informal requests, subpoenas that have not been properly served, or requests that do not have a valid legal basis.
7. User Notification
7.1 Default Notification
Where we are served with a valid legal instrument requiring data disclosure, we will endeavour to notify the affected user before complying, unless:
- The legal instrument includes a non-disclosure order or gag order prohibiting notification
- Notification would likely prejudice the investigation (for example, where tipping off could endanger a victim or destroy evidence)
- The matter involves suspected child sexual abuse, trafficking, or other serious crimes where we consider notification to be contrary to the interests of public safety
7.2 Post-Disclosure Notification
Where notification is prohibited at the time of disclosure, we will endeavour to notify the user after any prohibition expires, to the extent we are permitted to do so.
8. Content Preservation
Where we receive a valid preservation request, we will preserve the specified data for a period of 90 days, renewable upon request, pending the service of a formal legal instrument requiring disclosure. Preservation does not constitute disclosure.
9. Cost Recovery
We reserve the right to seek cost recovery for compliance with particularly burdensome requests, where permitted by applicable law. We will discuss cost recovery in advance with the requesting agency.
10. Transparency Reporting
We are committed to transparency about our responses to law enforcement requests. We will include aggregate data on law enforcement requests received and complied with in our periodic DSA Transparency Reports, published at tdolls.net/transparency, to the extent permitted by law and any applicable non-disclosure obligations.
11. Contact
For law enforcement requests:
Email: legal@tdolls.net
Subject: Law Enforcement Request — [Agency] — [Reference]
Post:
Legal and Compliance Team
Corestack Digital Ltd
[Registered address, Gibraltar]
Marked: Law Enforcement Request — Confidential
We aim to acknowledge all requests within 2 business days and to respond substantively within the timeframe required by law or, where no timeframe is specified, within 14 business days.
This document is version TDOLLS-LEP-v1.0. The current version is always available at tdolls.net/law-enforcement.