Privacy policy.
Version 1 · Last updated 2026-05-25
Version 1.0 — effective 2026-05-25. This policy is published in English. An Arabic version is owed and will replace this notice when ready. Until then, the English text governs.
1. Who controls your data
The data controller is TSGG (F.Z.C), a UAE Free Zone Company operating under DU account number 6.289375, registered for Corporate Tax with the UAE Federal Tax Authority, banking with Wio Business. Reach the controller at:
- Email: info@tsgg.co
- Postal address: available on request via info@tsgg.co
This policy is drafted to Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data ("UAE PDPL") and its Executive Regulations. Where this policy is silent on a matter the law addresses, the law governs.
2. Scope
This policy covers personal data we collect through tsgg.co and its sub-paths, and through transactional emails we send in connection with use of the website. It does not cover personal data we collect under a separate written engagement letter (training contracts, legal consultation engagements, RIHLA coaching agreements) — those engagements are governed by the data-handling terms inside each engagement letter, which prevail over this policy for that engagement.
3. What data we collect, why, and on what basis
We collect only the categories listed below. We do not buy lists, scrape contacts, or enrich submitted records with third-party data.
| Category | Examples | Purpose | Lawful basis (UAE PDPL Art. 4) |
|---|---|---|---|
| Inquiry forms (/contact, /consultation) | Name, work email, organization, country, scope description | Reply to your inquiry, prepare a scoping call | Performance of a pre-contractual step at your request (Art. 4(2)) |
| Booking requests (/booking) | Name, work email, organization, topic, preferred time slots | Schedule a scoping call | Performance of a pre-contractual step at your request (Art. 4(2)) |
| Newsletter subscription (Letters to the Unseen) | Email address, the source you subscribed through (LinkedIn, tsgg.co, manual import) | Deliver the newsletter you asked for | Your explicit consent (Art. 4(1)), which you can withdraw at any time by replying with "unsubscribe" |
| Cookie consent record | Your choices per cookie category, the timestamp, a salted SHA-256 hash of your IP, your browser user-agent string | Prove we honored your choice, defend against a data-subject complaint | Compliance with a legal obligation (Art. 4(5)) — we are required to be able to demonstrate consent under PDPL Art. 6 |
| Server access logs | Salted SHA-256 hash of your IP, request path, response status, timestamp, user-agent. We do not store raw IP addresses. | Detect abuse, debug errors, defend the service against attack | Legitimate interests in the security and integrity of the service (Art. 4(6)) |
| Analytics (only if you accept analytics cookies) | Aggregate page views, referrer category, country (not city), device class. No cross-site tracking. We use Plausible self-hosted; no third-party analytics. | Understand what content readers value | Your consent (Art. 4(1)). If you decline, no analytics are recorded for your visit. |
We do not collect special-category data (health, religion, political opinion, biometric identifiers) through the website. If you mention such data in the free-text body of an inquiry form, we treat it under the same retention rules as the rest of the form and we do not process it further than is needed to reply.
4. What we do not collect
- We do not run marketing pixels (Meta, Google Ads, LinkedIn Insight Tag, TikTok) on tsgg.co. There is no "Marketing" cookie category active in v1. The category exists in the consent banner as a reserved placeholder; it does nothing until we explicitly activate it through a future version of this policy.
- We do not sell, rent, or share personal data with data brokers.
- We do not profile data subjects with automated decision-making that produces legal effects (UAE PDPL Art. 13). No content on tsgg.co is personalized to you based on your data.
5. Who processes the data on our behalf
| Processor | Role | Where data sits | Cross-border transfer? |
|---|---|---|---|
| OPS360 (our own infrastructure operator) | Hosts the website and the application database | United Arab Emirates, Hostinger VPS at 168.231.122.116 | No |
| Mailcow at mail.opshosts.com (OPS360-operated) | Sends transactional email (inquiry acknowledgements, admin notifications) | United Arab Emirates, OPS360 mail server | No |
| Plausible Analytics (self-hosted by OPS360) | Records aggregate page-view counts after analytics consent | United Arab Emirates, OPS360 infrastructure | No |
| Google Search Console | Reports search-coverage data to us. Receives only the URLs Google has already crawled, plus aggregate query data. No personal data about you. | United States | Yes — see §6 |
We do not use Base44, Supabase, HubSpot, or any other third-party SaaS for the v1 website beyond what is listed above. If we add a new processor we will update this policy and you will see the change in the version history.
6. Cross-border transfers
The Google Search Console relationship in §5 above is the only cross-border transfer in v1. UAE PDPL Art. 22 permits transfer to a country with adequate protection or under an approved safeguard. Google's Search Console terms commit Google to applicable EU/UK GDPR-grade safeguards, which the UAE Data Office recognizes as adequate. We do not transfer your personal data to Google for marketing or advertising purposes — Search Console receives only the URLs Google has already independently crawled and aggregate search-query data. None of it is keyed to you as a data subject.
7. How long we keep your data
| Data category | Retention | Then what |
|---|---|---|
| Inquiry forms (/contact, /consultation) | 24 months from submission | Automatic deletion. If the inquiry converted to a signed engagement, the engagement's own retention terms govern from the moment of signature. |
| Booking requests (/booking) | 24 months from submission | Automatic deletion. Same conversion rule as above. |
| Newsletter subscribers | Until you unsubscribe, plus a 30-day grace period in case of accidental click | Automatic deletion of the email row after grace period ends. The unsubscribedAt timestamp is retained as a tombstone (no PII) so we never re-add you accidentally. |
| Cookie consent records | 5 years from the most recent consent action | Automatic deletion. The 5-year window matches the PDPL statute of limitations for data-subject complaints. |
| Server access logs (hashed) | 90 days | Automatic deletion. Hashes cannot be reversed; the 90-day window covers our incident-response need. |
| Analytics aggregates (Plausible) | Indefinite — but contain no personal data | No deletion needed; aggregates cannot identify you. |
| Operational backups | 35-day rolling window | Older backups are overwritten. Restoration restores all data including data you have requested deletion of, in which case we re-apply the deletion within 7 days of restore. |
Retention is enforced by an automated cron job. The job runs nightly and writes its actions to an internal audit log we keep for 1 year.
8. Your rights
Under UAE PDPL Art. 13, you have the following rights with respect to your personal data:
| Right | What it means |
|---|---|
| Access | Receive a copy of the personal data we hold about you, in a structured machine-readable format. |
| Rectification | Have us correct inaccurate or incomplete data. |
| Erasure | Have us delete your data, subject to legal-hold exceptions (active engagement, dispute, tax record). |
| Restriction | Have us pause processing of your data while a complaint is open. |
| Portability | Receive your data in a structured machine-readable format and have it transferred to another controller you name. |
| Objection | Object to processing based on legitimate interests (server logs); we will stop unless we can show overriding grounds. |
| Withdraw consent | Withdraw consent for any processing based on consent (newsletter, analytics) at any time. Withdrawal does not affect processing done before withdrawal. |
| Not be subject to automated decision-making | We do not run such decisions; this right is satisfied by default. |
| Complain to the UAE Data Office | Lodge a complaint directly with the UAE Data Office at dataoffice.gov.ae if you believe we have mishandled your data. We ask you to contact us first so we have a chance to fix it, but you are not required to. |
9. How to exercise a right
Send an email to info@tsgg.co with the subject Data Subject Request — <right>. Tell us which right you are exercising and provide enough detail for us to find your data (the email address you submitted from is usually enough).
We respond within 30 calendar days of receipt. If your request is complex or we need to extend, we will tell you within those 30 days, with a maximum extension of a further 30 days.
We do not charge a fee for exercising a right. If a request is manifestly unfounded or excessive (UAE PDPL Art. 14(3)), we may charge a reasonable administrative fee or refuse the request, and we will explain why in writing.
We may ask you to confirm your identity before acting on a request, to prevent disclosure to the wrong person.
10. Cookies
We use cookies in three categories. Only the Necessary category is on by default. You make your choices on first visit, and you can change them at any time via the Manage consent link in the footer.
| Category | What it stores | Default | Required for |
|---|---|---|---|
| Necessary | A session cookie when you log in to the admin area, a CSRF token for form submissions, and the cookie that remembers your choice on this banner (tsgg_consent_v1) | On | The site to function. Cannot be disabled. |
| Analytics | Plausible cookieless analytics ping (no actual cookie is set; we list this category for transparency about the network request) | Off | Aggregate page-view counts |
| Marketing | Nothing in v1 | Off | Reserved for a future marketing-pixel integration, which would update this policy first |
We do not use third-party tracking cookies, social-media pixels, or advertising identifiers.
11. Children
tsgg.co is not directed at children under 18. We do not knowingly collect personal data from anyone we believe to be a child. If you believe a child has submitted data to us, please tell us at info@tsgg.co and we will delete it.
12. Security
We protect your data with the following measures:
- TLS 1.2+ on every page (Let's Encrypt certificate, auto-renewing).
- Salted SHA-256 hashing of IP addresses before storage (we never store the raw IP).
- Password hashing using bcrypt with a work factor of 12 for the single admin account.
- Database access restricted to the application user role; no public network exposure.
- Application logs separated from application data; logs scrubbed of email addresses before retention.
- Daily encrypted backups to an OPS360-controlled offsite location.
- 4-hour idle session timeout, 24-hour absolute session timeout on admin sessions.
- CSRF tokens on every mutating request.
No system is perfectly secure. If we discover a personal-data breach that is likely to result in risk to your rights and freedoms, we will:
- Notify the UAE Data Office within 72 hours of discovery, per UAE PDPL Art. 9.
- Notify affected data subjects without undue delay where the risk is high, per UAE PDPL Art. 10.
13. Changes to this policy
We will publish material changes here with a new version number and effective date. For changes that materially affect your rights (a new processor, a new data category, a longer retention period), we will provide 30 days' notice before the change takes effect, by updating the version date and — for newsletter subscribers — sending an email notice. Continued use of the site after the effective date is your acceptance of the changed policy.
14. Version history
| Version | Effective | Notes |
|---|---|---|
| 1.0 | 2026-05-25 | First version published with the rebuilt tsgg.co. Replaces any earlier policy served by the legacy Base44 site. |
Trust-head note (not part of the published policy):
An Arabic translation of this policy is owed and not yet drafted. The IDENTITY.md §7 immutable principle "Arabic and English are both first-class" requires it. Mohammad and Shaima own the translation. Until it ships, the English version above is canonical and the site footer carries a one-line acknowledgement: "Arabic translation in progress."