Privacy Policy
Document reference: TDOLLS-PP-v1.2
Issued by: Corestack Digital Ltd
Last updated: March 2026
1. Who We Are
TDolls is operated by Corestack Digital Ltd, a company registered in Gibraltar.
Data controller:
Corestack Digital Ltd
Gibraltar
Contact for data protection matters:
Email: privacy@tdolls.net
Where this policy refers to "we", "us", or "our", it means Corestack Digital Ltd acting as data controller in respect of your personal data.
We are registered with the Gibraltar Regulatory Authority (GRA), which acts as the Information Commissioner and supervisory authority for data protection in Gibraltar.
2. About This Policy
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the TDolls platform, including the websites at TDolls.net, TDolls.eu, and TDolls.uk, and the Proxima by TDolls web application (together, the "Platform").
It also explains your rights under applicable data protection law. As a company registered in Gibraltar, we are subject to the Gibraltar General Data Protection Regulation (Gibraltar GDPR) and the Data Protection Act 2004 (Gibraltar), which are administered and enforced by the GRA as Information Commissioner.
The Gibraltar GDPR mirrors the material obligations of the EU GDPR and provides equivalent protections for your personal data. Where you access the Platform from within the European Economic Area (EEA), the EU General Data Protection Regulation (EU GDPR) may also apply by virtue of its extra-territorial effect. In those circumstances, we apply the same standards and lawful bases described in this policy, and we will appoint an EU representative where required by law.
This policy should be read alongside:
- Our Cookie Policy — which explains how we use cookies and similar technologies
- Our General Platform Terms — which govern use of the Platform
3. The Platform and Its Users
TDolls is an online directory and intermediary platform. It allows two types of registered users:
- Service Providers — self-employed individuals and sole traders who create profiles to advertise their services
- Service Users (Clients) — individuals who register to browse and contact Service Providers
Each account type involves different data collection and processing, which is described throughout this policy. Where a section applies only to one account type, this is clearly indicated.
The Platform operates an age gate: visitors without a verified account see only age-appropriate (SFW) content. Full access requires registration and age verification.
4. Data We Collect and Why
4.1 Data You Provide at Registration (All Users)
When you create an account, we collect:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Email address | Account creation; legal notices; re-consent on policy updates | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Password (hashed) | Account security | Contract (Art. 6(1)(b)) |
| Date of birth | Age verification; compliance with legal obligations | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |
| Country of residence | Determining applicable legal framework; content access rules | Legal obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b)) |
| Phone number | Account security; fraud prevention; future two-factor authentication | Legitimate interests (Art. 6(1)(f)) |
All Article references in this policy refer to the Gibraltar GDPR unless otherwise stated.
4.2 Additional Data Collected from Service Providers at Registration
| Data | Purpose | Lawful Basis |
|---|---|---|
| Legal name (first and last) | Identity verification baseline; compliance with legal obligations and law enforcement requests | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |
| Country where services are offered | Determining applicable local law; platform directory functionality | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
Your legal name is used for compliance purposes only. It is never displayed publicly on the Platform. Your public-facing profile uses a working name that you set during profile setup.
4.3 Consent Record Data (All Users)
At registration, we record the details of your consent to our terms and policies. This includes:
- Which version of each document you accepted
- The date and time of acceptance
- A declaration that you are 18 years of age or older
This data is retained as a permanent compliance record and is not deleted upon account closure. See Section 10 for more on retention.
4.4 Technical and Device Data Collected at Registration
To support fraud prevention, security monitoring, and compliance auditing, we collect the following at the point of account creation:
Collected server-side (from your connection):
| Data | Purpose |
|---|---|
| IP address | Fraud prevention; security; compliance auditing |
| IP-derived country | Jurisdictional determination; anomaly detection |
| Browser and operating system (parsed from User-Agent) | Fraud prevention; security monitoring |
| Device type (desktop, mobile, tablet) | Fraud prevention |
| Browser language preference | Compliance; user experience |
| HTTP referrer (sanitised) | Platform analytics; fraud detection |
| Session identifier | Linking signup activity to pre-registration session |
| Cookie consent record identifier | Linking consent records |
Collected client-side (from your browser/device):
| Data | Purpose |
|---|---|
| Device fingerprint (generated via FingerprintJS) | Fraud prevention; detecting multiple accounts from the same device |
| Screen resolution | Fraud prevention; device consistency checks |
| Timezone | Anomaly detection; jurisdiction verification |
| Cookie functionality status | Technical diagnostics |
| Do Not Track signal | Honouring user preferences where technically feasible |
The lawful basis for collecting technical and device data is our legitimate interests in preventing fraud, protecting the security of the Platform and its users, and maintaining a compliant record of account creation (Article 6(1)(f) Gibraltar GDPR). We have conducted a legitimate interests assessment and determined that this processing does not override your rights and freedoms, given the sensitive nature of the Platform and the importance of preventing misuse.
4.5 Data Collected When You Use the Platform
When you browse or interact with the Platform after registration, we may collect:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Log data (pages visited, timestamps, errors) | Security; debugging; fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Search and filter activity | Platform improvement; personalisation | Legitimate interests (Art. 6(1)(f)) |
| Messages sent via Platform messaging | Providing the messaging service; content moderation | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Content you upload (images, descriptions, profile text) | Providing the Platform; content moderation | Contract (Art. 6(1)(b)) |
| Reviews and ratings you submit | Providing review functionality; fraud detection | Contract (Art. 6(1)(b)) |
| Payment transaction data (via third-party processors) | Processing subscription payments | Contract (Art. 6(1)(b)) |
4.6 Special Category Data
Certain data we process may constitute special category data under Article 9 Gibraltar GDPR. In particular:
- Sexual orientation and gender identity may be revealed or inferred from use of the Platform, given its nature as a trans-focused adult directory.
We do not actively ask users to declare their sexual orientation or gender identity, and we do not create explicit records of these attributes. However, we acknowledge that use of the Platform may imply such attributes.
Where special category data is processed incidentally as a result of Platform use, we rely on the following conditions under Article 9(2) Gibraltar GDPR:
- Article 9(2)(a) — Explicit consent, given when you registered for the Platform with knowledge of its nature
- Article 9(2)(f) — Establishment, exercise or defence of legal claims, where relevant
We apply additional safeguards to any data that may reveal special category attributes, including strict access controls and enhanced data minimisation practices.
5. Age Verification Data
Age verification is a legal obligation under applicable law and a core operational requirement of the Platform. We process date of birth data to verify that all users are 18 years of age or older.
We do not use third-party identity document scanning for account creation. Your date of birth is self-declared at registration and is retained as part of your consent record.
Where identity document verification is required (for example, during Service Provider onboarding), this is handled by a contracted third-party verification partner. In such cases:
- You will be directed to the third-party provider's interface
- We receive a verification result (pass/fail and verified age range) — not the underlying document
- The third-party provider's own privacy policy governs their handling of your identity documents
- We will always identify our verification partner and link to their privacy policy before initiating verification
Data collected in connection with age verification is retained for the duration required by applicable law and our regulatory obligations. See Section 10 for retention periods.
Failed age verification attempts (where a user attempted to register with a date of birth indicating an age below 18) are logged for compliance purposes. This log includes the timestamp, IP address, and device data associated with the attempt, but does not include the date of birth itself.
6. Cookies and Tracking Technologies
We use cookies and similar technologies on the Platform. Full details of the cookies we use, their purposes, and how to manage your preferences are set out in our separate Cookie Policy.
In summary:
- Strictly necessary cookies — used to operate the Platform and cannot be disabled
- Functional cookies — remember your preferences and settings
- Analytics cookies — help us understand how the Platform is used. Only set with your consent.
- Marketing and personalisation cookies — only set with your explicit consent
You can manage your cookie preferences at any time via the cookie preference centre accessible from the footer of the Platform.
7. How We Share Your Data
We do not sell your personal data. We share your data only in the following circumstances:
7.1 Service Providers Acting on Our Behalf
We use third-party service providers to help operate the Platform. These providers act as data processors under contracts that require them to protect your data and process it only on our instructions. They include providers of:
- Cloud hosting and infrastructure (including database hosting)
- Payment processing
- Age and identity verification
- Device fingerprinting and fraud prevention
- Email and communications delivery
- Security and monitoring services
- Analytics (where consent-based)
We will update this policy when we engage new processors that handle significant volumes of user data.
7.2 Other Users of the Platform
Where you are a Service Provider, information you choose to include in your public profile (working name, location, service categories, availability, photos, and other profile content) is visible to registered Clients on the Platform.
Your legal name and private contact details are never shared with other users.
Where you submit a review or rating, your display identity (if you have one set) may be visible alongside that review, subject to the Platform's review display settings.
7.3 Law Enforcement and Regulatory Authorities
We may disclose personal data to police, regulatory authorities, or other competent bodies where we are legally required to do so, or where disclosure is necessary to:
- Comply with a legal obligation under Gibraltar law or other applicable law
- Respond to a valid court order or warrant issued by a competent authority
- Protect the vital interests of a person
- Prevent, detect, or investigate a serious crime, including human trafficking or child sexual abuse
7.4 Protection of Rights and Safety
We may share data where necessary to prevent harm, protect our legal rights, or enforce our Terms of Service, including in cases of suspected fraud, abuse, or serious misuse of the Platform.
7.5 Business Transfers
If Corestack Digital Ltd is acquired, merges with another company, or transfers all or part of its business, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
Corestack Digital Ltd is based in Gibraltar. The Platform is accessed by users across Europe and beyond.
Under the Gibraltar GDPR, transfers of personal data to countries outside Gibraltar require appropriate safeguards. Where we transfer personal data internationally, we ensure such safeguards are in place, including:
- Adequacy decisions recognised under Gibraltar law
- Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms approved for use under the Gibraltar GDPR
- Binding Corporate Rules where applicable
Gibraltar is not a member of the EU. Where your data is processed in Gibraltar and you are located in the EEA, Gibraltar's data protection framework provides protections materially equivalent to the EU GDPR. However, Gibraltar does not currently hold a formal EU adequacy decision, and where required, we will ensure appropriate transfer mechanisms are in place for data flows from the EEA to Gibraltar.
You may request details of the specific safeguards in place for any particular transfer by contacting us at privacy@tdolls.net.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. Our measures include:
- Encryption of data in transit (TLS) and at rest
- Hashed storage of passwords using bcrypt (never stored in plaintext)
- Access controls limiting data access to authorised personnel only
- Regular security reviews and monitoring
- Procedures for detecting, reporting, and investigating data breaches
No system is completely secure. You are responsible for keeping your login credentials confidential. Please notify us immediately at security@tdolls.net if you suspect any unauthorised access to your account.
Where we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Gibraltar Regulatory Authority (GRA) within 72 hours as required by the Gibraltar GDPR, and will notify affected users without undue delay where required.
10. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by Gibraltar law and our regulatory obligations. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (active accounts) | Duration of account + 6 years after closure | Legal claims; regulatory compliance |
| Consent records | Indefinite | Permanent compliance record; cannot be deleted |
| Age verification records | Duration of account + 6 years | Regulatory obligation |
| Technical/device data at registration | 2 years from collection | Fraud detection; security review window |
| Failed registration attempts | 2 years | Fraud detection; compliance |
| Transaction and billing records | 7 years | Gibraltar tax and accounting obligations |
| Content moderation records | 3 years from moderation action | Legal claims; regulatory compliance |
| Law enforcement disclosure records | 7 years | Legal obligation |
| Communications and message logs | 1 year | Security; dispute resolution |
Where you request deletion of your account, we will delete or anonymise your personal data subject to the above retention requirements. Consent records and data retained for legal or regulatory compliance will not be deleted.
11. Your Rights
Under the Gibraltar GDPR, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Right of access | You have the right to request a copy of the personal data we hold about you. |
| Right to rectification | You have the right to ask us to correct inaccurate or incomplete personal data. |
| Right to erasure | You have the right to ask us to delete your personal data in certain circumstances — for example, where it is no longer necessary for the purposes for which it was collected. This right does not apply where we are required to retain data by law or for legal claims. |
| Right to restriction | You have the right to ask us to restrict processing of your personal data in certain circumstances — for example, while a dispute about accuracy is resolved. |
| Right to data portability | Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format. |
| Right to object | You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Automated decision-making | You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently use fully automated decision-making of this kind. |
| Right to withdraw consent | Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. |
How to Exercise Your Rights
To exercise any of the above rights, contact us at:
Email: privacy@tdolls.net
We will respond within one calendar month of receiving your request. Where requests are complex or numerous, we may extend this by a further two months and will inform you accordingly.
We may ask you to verify your identity before processing your request. This is to protect your data and ensure we do not disclose it to an unauthorised person.
We will not charge a fee for responding to rights requests, except in cases of manifestly unfounded or excessive requests.
12. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Gibraltar Regulatory Authority (GRA):
Gibraltar Regulatory Authority
Information Commissioner
2nd Floor, Eurotowers 4
1 Europort Road
Gibraltar
Email: info@gra.gi
Data protection enquiries: privacy@gra.gi
Telephone: +350 200 74636
We would, however, appreciate the opportunity to address your concerns before you contact the GRA. Please contact us at privacy@tdolls.net in the first instance.
If you are based in the EEA and have a complaint about our processing of your data, you may also contact the supervisory authority in your country of residence.
13. Proxima by TDolls
Proxima by TDolls is a web application that provides additional features and expanded content permissions to verified users of the Platform. It operates under this Privacy Policy and the Proxima Supplemental Terms.
Where Proxima involves any additional or different data processing compared to the main Platform, this is described in the Proxima Privacy Addendum, which forms part of this policy and should be read alongside it.
14. Children
The Platform is strictly for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18.
If we become aware that we have collected personal data from a person under 18, we will delete that data immediately and terminate the associated account. If you believe we have inadvertently collected data from a person under 18, please contact us immediately at privacy@tdolls.net.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this document
- Update the document reference version number
- Notify registered users by email where the changes are material
- Where required by Gibraltar law, seek fresh consent before processing data under new or changed terms
Your continued use of the Platform after the effective date of any changes constitutes your acknowledgement of the updated policy. If you do not agree with the changes, you must stop using the Platform and may close your account.
16. Contact Us
For any questions about this Privacy Policy or our data practices:
Corestack Digital Ltd
Email: privacy@tdolls.net
For urgent security or data breach matters: security@tdolls.net
This document is version TDOLLS-PP-v1.1. The current version is always available at tdolls.net/privacy, tdolls.eu/privacy, and tdolls.uk/privacy.