Legal
Privacy Policy
1. Introduction
Toglelabs LLC, registered in the Sharjah Media City Free Zone in the United Arab Emirates ("Toglelabs," "we," "us," or "our"), operates Typeorg (the "Service"), a multi-tenant software platform for typing centres and document-processing businesses across the United Arab Emirates and other GCC countries. This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with the Service, and the rights available to individuals whose personal data we process. It applies to Tenant Admins and Authorised Users who access the Service directly, to End Customers who interact with the Service through a tracking-link portal, and to visitors to our marketing website.
Where a Tenant, meaning a typing centre using Typeorg, uploads personal data about its own customers, corporate clients, or staff into the Service, Toglelabs processes that data as a data processor acting on the Tenant's instructions, not as the controller. The Tenant is responsible for providing privacy notices to, and obtaining any consents required from, its own customers and staff. This Policy describes both our role as controller, for example for Tenant Admin account data, and our role as processor, for example for End Customer data within a Tenant's workspace. Full detail on our processor obligations is set out in our Data Processing Agreement, available at typeorg.com/dpa.
2. Key Definitions
"Personal data" means any information relating to an identified or identifiable natural person, consistent with the definition in the PDPL. "Sensitive personal data" means personal data revealing categories such as biometric data, health data, or other categories the PDPL or applicable law treats as sensitive; copies of passports, Emirates IDs, and visa documents processed through the Service may contain sensitive personal data, such as biometric photographs, and are treated with the heightened care described in Section 6. "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion. A "controller" is the entity that determines the purposes and means of processing personal data, while a "processor" processes personal data on behalf of, and under the instructions of, a controller. The terms "Tenant," "Authorised User," and "End Customer" have the meanings given in our Terms and Conditions.
3. Personal Data We Collect
3.1 Data collected directly from Tenant Admins and Authorised Users
When you create an Account or use the Service, we collect account and identity data such as your name, business email, job title, and role, which you provide at signup or when invited. We collect authentication data, including a hashed password and session tokens stored as httpOnly cookies, generated when you log in. We collect billing data such as your billing contact name and address and your payment method details, which you provide at checkout; we do not store full card numbers ourselves, as this is handled by our payment processor. We automatically collect usage and log data, including your IP address, browser and device type, the pages you visit, the actions you take, and timestamps. If you contact our support team, we collect the content of those communications.
3.2 Data Tenants submit into the Service, which we process as a processor
As part of operating their business, Tenants and their Authorised Users may upload several categories of personal data relating to End Customers, corporate-client contacts, and Staff, and we process this data strictly on the Tenant's instructions. This includes customer contact data such as name, phone number, email, and address, used for customer records, job tracking, and communication. It includes identity-document data such as passport copies, Emirates ID copies, visa copies, and trade-licence copies, used for document management and expiry tracking. It includes job and task data such as service type, job status, task comments, and attachments, used for the core job and task workflow. It includes staff HR data such as name, contact details, role, department, salary, and attendance records, used for staff management, attendance, and payroll. It includes communications data, meaning messages sent through the in-app team chat or the End Customer Portal chat, and it includes feedback data, meaning customer ratings and written feedback submitted through the Portal.
3.3 Data collected from End Customers through the tracking Portal
When an End Customer accesses a Portal link, we, on behalf of the relevant Tenant, may collect the data the Tenant has already entered about that End Customer's job, any documents the End Customer uploads in response to a document request, messages sent through the Portal chat, and feedback or ratings submitted through the Portal. The Portal does not require End Customers to create an account or set a password; access is instead governed by a unique, high-entropy tracking token.
3.4 Data collected automatically, and cookies
Like most web platforms, we automatically collect certain technical data when you use the Service, including IP address, browser type and version, device identifiers, operating system, referring URLs, and timestamps of access, primarily through server logs. We use a minimal set of cookies strictly necessary to operate the Service, namely httpOnly session cookies used for authentication, which cannot be read by client-side scripts. We do not use third-party advertising or cross-site tracking cookies on the Service's application dashboards, and we do not currently use third-party advertising trackers or sell data to advertising networks, as described further in Section 8. Our public marketing website may use limited analytics cookies, described in Section 13.
4. How We Use Personal Data
Acting as a controller for the account, billing, and platform-operation data described in Section 3.1, we use personal data to create and administer Accounts and authenticate Authorised Users, to provide, maintain, secure, and improve the Service, to process billing and manage subscriptions, to send transactional communications such as login alerts, password-reset emails, and billing notices, to respond to support requests, to detect and prevent fraud and security incidents, to comply with our legal obligations including tax and accounting recordkeeping, and, with your consent or as permitted by law, to send product updates or marketing communications, which you can opt out of at any time as described in Section 11.
Acting as a processor for the data Tenants submit about End Customers and Staff, described in Sections 3.2 and 3.3, we process that data solely as instructed by the relevant Tenant and only as necessary to provide the Service's functionality to that Tenant. This includes storing and displaying job, task, and document records within the Tenant's isolated workspace, generating and operating tracking-link Portals, sending automated expiry and renewal reminder emails on the Tenant's behalf, and maintaining the audit trail of actions taken within the Tenant's workspace. We do not use this data for our own independent purposes, including marketing or profiling, except as required by law.
Where we act as controller, we rely on one or more recognised legal bases for processing: the performance of a contract with you, such as providing the Service you signed up for; our legitimate business interests, balanced against your rights, such as securing the Service or preventing fraud; compliance with a legal obligation; and your consent, where required, such as for optional marketing communications. Where we act as processor on a Tenant's instructions, the Tenant is responsible for establishing the lawful basis for collecting and submitting that personal data into the Service.
5. How We Share Personal Data
We do not sell personal data, and we share it only in the circumstances described below. Within a Tenant's own workspace, personal data submitted by or about that Tenant's End Customers and Staff is visible to that Tenant's own Authorised Users, subject to the permission matrix the Tenant configures, and it is never shared with, or visible to, any other Tenant.
We share personal data with carefully selected Sub-processors that provide infrastructure or functionality necessary to operate the Service, under contracts requiring them to protect personal data to a standard consistent with this Policy and our Data Processing Agreement. As of the effective date of this Policy, our Sub-processors are Cloudflare, Inc., which provides cloud object storage for uploaded documents and file attachments, including identity-document copies such as passport, Emirates ID, and visa copies; and Resend, which provides transactional email delivery for password resets, invitations, expiry and renewal reminders, and other notifications, and which accordingly handles recipient names, email addresses, and the relevant email content. An up-to-date list of Sub-processors is also maintained in our Data Processing Agreement, and we will notify Tenants of any new Sub-processor that will process Customer Data, consistent with the notice provisions there; Tenants may object on reasonable data-protection grounds as set out in that agreement.
We may also share personal data with our legal, accounting, or financial advisors as necessary, and in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections. We may disclose personal data where required to comply with applicable law, regulation, legal process, or a lawful request by a UAE governmental or regulatory authority, to enforce our Terms or investigate potential violations, to detect or address fraud, security, or technical issues, or to protect the rights, property, or safety of Toglelabs, our users, or the public, as permitted by law. We do not share personal data collected through the Service with third parties for their own advertising or marketing purposes.
6. Special Handling of Identity and Sensitive Documents
Because Typeorg is built for typing centres, Tenants may upload copies of passports, Emirates IDs, visas, trade licences, and similar government-issued identity documents as part of document management and the expiry tracker. We treat this category of data with heightened safeguards. Files are stored under a document-management system with tenant-scoped storage keys, so they remain logically segregated per Tenant. Every upload entry point applies file-type and content validation against an allow-list of permitted formats, rejecting disallowed or mismatched file types. Access is restricted to Authorised Users with the relevant document or job permission, enforced on the server rather than only hidden in the interface. Files are served with security headers, including protections against content-sniffing, to reduce the risk of malicious file execution, and all uploads and downloads are encrypted in transit. We do not use the content of identity documents for any purpose other than providing the Service's document-management and expiry-tracking functionality to the relevant Tenant.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, including any applicable legal, accounting, or reporting obligations. Active Tenant account and Customer Data is retained for the duration of the active subscription. After termination, Customer Data is retained for thirty days, which we call the Retrieval Period, to allow export, and is then deleted from production systems, subject to backup rotation. Activity logs and the audit trail are retained for the duration of the Tenant relationship plus a reasonable further period for accountability and dispute-resolution purposes, after which older entries may be archived or deleted. Billing and financial records are retained for the period required by applicable UAE tax and accounting law, generally up to five years. Backups follow a rolling retention schedule consistent with our backup process and are overwritten in the ordinary course, so they are not a means of indefinite retention. Marketing consent records are retained until consent is withdrawn, plus a reasonable period to evidence compliance.
Tenant Admins can delete or deactivate, or "soft-delete," records for their own End Customers and Staff directly within the Service, which preserves historical references such as past jobs while removing the record from default views. If an End Customer wants to delete their personal data, they should generally contact the relevant Tenant in the first instance, since the Tenant is the data controller for that data; we will assist Tenants in fulfilling such requests as required under our Data Processing Agreement.
8. No Sale of Personal Data, and No Significant Automated Decision-Making
We do not sell personal data to third parties, and we do not use personal data submitted through the Service for any automated decision-making that produces legal or similarly significant effects on individuals without human involvement. Expiry reminders and notifications generated by the Service are informational alerts, not automated decisions affecting an individual's legal status.
9. How We Protect Personal Data
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include tenant-level data isolation enforced at the application and database layer, encryption in transit for all traffic to and from the Service, authentication through httpOnly, secure session cookies that are inaccessible to client-side scripts, paired with short-lived access tokens and rotating refresh tokens, and industry-standard password hashing. They also include granular, server-enforced role-based access control across staff permissions, allow-listed file-upload validation to reduce malicious-file risk, a comprehensive audit trail of material actions taken within each workspace, rate limiting on authentication and other sensitive endpoints to reduce brute-force risk, and restricted internal access to production data, limited to personnel who need it to operate or support the Service. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; our incident-notification commitments are described in Section 9 of our Terms and Conditions.
10. International and Cross-Border Data Transfers
Toglelabs is established in the United Arab Emirates, and our infrastructure and Sub-processors may store or process data in locations outside the country in which a Tenant or End Customer is located, including other GCC countries and, depending on our Sub-processors' infrastructure, other jurisdictions. Where we transfer personal data outside the United Arab Emirates, we take steps designed to ensure an adequate level of protection consistent with the cross-border transfer requirements of the PDPL, which generally permits transfers where the destination provides an adequate level of protection, where appropriate contractual or other safeguards are in place, or where another statutory exception applies, such as the data subject's explicit consent or the transfer being necessary for the performance of a contract. Our agreements with Sub-processors include data-protection commitments consistent with this standard. Tenants operating in multiple GCC countries acknowledge that Customer Data may be accessed by their own Authorised Users from different countries as part of the ordinary operation of a multi-location business, and that such access is controlled by the Tenant's own permission settings, not by Toglelabs.
11. Your Rights
Subject to applicable law, including the PDPL, and the limitations described below, you may have the right to access your personal data, meaning to request confirmation of whether we process it and to obtain a copy; the right to rectification, meaning to request correction of inaccurate or incomplete data; the right to erasure, meaning to request deletion of your personal data, subject to our legal retention obligations; the right to restrict or object to processing, meaning to request that we limit how we use your data, or to object to processing based on legitimate interests, including for direct marketing; the right to data portability, meaning to request a structured, commonly used, machine-readable copy of personal data you provided to us, where technically feasible; and the right to withdraw consent, where processing is based on consent such as marketing emails, at any time without affecting the lawfulness of processing carried out before withdrawal.
If you are a Tenant Admin or Authorised User, you can exercise these rights by contacting us at support@typeorg.com; we will verify your identity and respond within the timeframe required by applicable law. If you are an End Customer of a Tenant, because the relevant Tenant is the data controller for your personal data, we recommend contacting that Tenant, your typing centre, directly in the first instance; if you contact us directly instead, we will forward your request to the relevant Tenant and provide reasonable assistance, consistent with our role as processor. We will not discriminate against you, or degrade your access to the Service, for exercising any of these rights.
12. Children's Data
The Service is intended for business use by adults and is not directed at children. We do not knowingly collect personal data from individuals under the age of eighteen through our Account-registration process. Document records uploaded by a Tenant may incidentally include a minor's name or document copy, for example a passport copy of a dependent submitted as part of a visa-processing job; such data is processed solely as instructed by the relevant Tenant, under the same protections described in Section 6, and the Tenant is responsible for ensuring it has the appropriate legal basis, such as parental or guardian consent where required, to submit such data.
13. Our Marketing Website
This section applies to typeorg.com when visited outside the authenticated dashboard, meaning our public marketing site. Our marketing website may use a limited set of cookies and similar technologies for essential site functionality and for basic, privacy-respecting analytics to understand aggregate visitor traffic. Where required by applicable law, we will present a cookie banner allowing you to accept or reject non-essential cookies before they are set. If you submit a contact, demo-request, or newsletter sign-up form on our marketing website, we will use the personal data you provide, such as your name, business email, and company name, to respond to your enquiry and, where you have opted in, to send you marketing communications about Typeorg, which you may unsubscribe from at any time.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will post the updated Policy with a revised effective date and, for material changes, will provide notice by email to Tenant Admins and, or, a prominent notice within the dashboard at least fourteen days before the changes take effect. We encourage you to review this Policy periodically.
15. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact Toglelabs LLC, operating Typeorg, registered in the Sharjah Media City Free Zone, United Arab Emirates, by email at support@typeorg.com. If you believe we have not adequately addressed a personal-data concern, you may also have the right to lodge a complaint with the UAE Data Office or another competent UAE data-protection regulator.