Who We Are
T32 Studios ("T32 Studios", "we", "us", or "our") is a creative agency providing brand identity, web design & development, creative direction, photography, motion, and content strategy services. We operate internationally from offices in Miami (USA), Nelson BC (Canada), London (UK), and Murcia (Spain).
This Privacy Policy explains how T32 Studios collects, uses, stores, shares, and protects personal data when you visit our website t32studios.com (the "Site"), interact with our services, or communicate with us.
For the purposes of the General Data Protection Regulation (GDPR) and UK GDPR, T32 Studios acts as the Data Controller. For Brazilian residents under the Lei Geral de Proteção de Dados (LGPD), T32 Studios is the Controlador.
Information We Collect
A. Information You Provide Directly
- Contact & inquiry data: Name, email address, phone number, company name, and the content of messages sent through our contact form or email.
- Project & briefing data: Information you share when briefing us on a project, including business details, creative requirements, and reference materials.
- Billing & payment data: Name, billing address, and payment method details processed through our third-party payment processors (we do not store full card numbers).
- Communications: Records of correspondence by email, phone, or messaging platforms when you contact us.
B. Information Collected Automatically
- Usage data: Pages visited, time on page, scroll depth, clicks, referring URL, and navigation paths.
- Device & technical data: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
- Cookies & similar technologies: Session cookies, persistent cookies, and pixel tags as described in Section 6.
- Log data: Server logs including access timestamps, error logs, and performance data.
C. Information from Third Parties
- Analytics providers: Aggregated and anonymised data from analytics platforms about how visitors use the Site.
- Social media platforms: If you interact with our social media profiles or share content, we may receive limited information permitted by those platforms' privacy settings.
- Referral sources: Information from partners or clients who refer you to our services.
How We Use Your Information
We use the personal data we collect for the following purposes:
- Service delivery: To respond to inquiries, scope projects, deliver creative services, and manage client relationships.
- Contract performance: To fulfill our obligations under client agreements, including invoicing and payment processing.
- Site improvement: To analyse usage patterns, diagnose technical issues, and improve the performance and user experience of the Site.
- Marketing communications: To send updates about our work, industry insights, or promotional content — only where you have given consent or where we have a legitimate interest and applicable law permits.
- Legal compliance: To meet our obligations under applicable law, including tax, accounting, and regulatory requirements.
- Fraud prevention & security: To detect, investigate, and prevent fraudulent transactions or other illegal activity.
- Dispute resolution: To establish, exercise, or defend legal claims.
Legal Basis for Processing (GDPR / UK GDPR)
For individuals in the EU and UK, we process personal data only where we have a valid legal basis under Article 6 GDPR.
| Processing Activity | Legal Basis |
|---|---|
| Responding to contact form submissions | Legitimate interests (Art. 6(1)(f)) — or pre-contractual steps (Art. 6(1)(b)) |
| Delivering contracted services & invoicing | Contract performance (Art. 6(1)(b)) |
| Analytics & site performance monitoring | Legitimate interests (Art. 6(1)(f)) — improving the Site |
| Marketing emails & newsletters | Consent (Art. 6(1)(a)) — freely given, specific, and withdrawable |
| Legal, tax & compliance obligations | Legal obligation (Art. 6(1)(c)) |
| Fraud detection & security | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 9.
Sharing & Disclosure
T32 Studios does not sell, rent, or trade your personal data. We may share it in the following limited circumstances:
Service Providers (Processors)
We engage trusted third-party vendors who process data on our behalf, bound by Data Processing Agreements (DPAs) under GDPR Article 28:
- Hosting & infrastructure: Cloud hosting providers for Site operation and data storage.
- Analytics: Web analytics platforms (e.g. Google Analytics, with IP anonymisation enabled, or privacy-first alternatives).
- Payment processing: PCI-DSS compliant payment processors (e.g. Stripe). We never store full card details.
- Email & CRM: Email delivery services and client relationship management tools.
- Project management: Collaboration tools used to deliver client projects.
Legal & Regulatory Disclosure
We may disclose personal data to competent authorities, courts, or regulators where required by applicable law, court order, or to protect the rights, property, or safety of T32 Studios, our clients, or others.
Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, provided it continues to be protected consistent with this Policy.
Cookies & Tracking Technologies
The Site uses cookies and similar technologies to operate, analyse, and improve our services. Where required by law (e.g. EU ePrivacy Directive, UK PECR), we obtain consent before setting non-essential cookies.
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Site functionality, security, session management | No — essential to operate |
| Performance / Analytics | Measuring traffic, page views, user behaviour | Yes — EU/UK/Brazil |
| Functional | Language preferences, UI customisation | Yes — EU/UK |
| Marketing / Targeting | Retargeting ads, campaign attribution | Yes — all jurisdictions |
You may withdraw consent or manage cookie preferences at any time via our cookie banner or by adjusting your browser settings. Note that disabling certain cookies may affect Site functionality.
Under the EU ePrivacy Directive and UK Privacy and Electronic Communications Regulations (PECR), we obtain prior informed consent for all non-essential cookies placed on devices of EU and UK visitors.
International Data Transfers
T32 Studios operates internationally. Personal data may be transferred to, and processed in, countries outside your country of residence, including the United States, Canada, and the United Kingdom.
When transferring personal data from the European Economic Area (EEA) to third countries, we rely on one or more of the following safeguards: EU Standard Contractual Clauses (SCCs) as approved by the European Commission; adequacy decisions where applicable; or, where the UK is the origin, International Data Transfer Agreements (IDTAs).
International transfers of Brazilian residents' personal data are conducted only to countries providing an adequate level of protection, or under contractual clauses, global corporate policies, or other mechanisms approved by Brazil's National Data Protection Authority (ANPD).
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Our general retention framework is:
- Client project data: Retained for the duration of the engagement plus 7 years for accounting and legal purposes.
- Contact form & inquiry data: Retained for 2 years from the date of last contact if no engagement follows.
- Marketing data: Retained until you withdraw consent or opt out, plus a reasonable period to evidence compliance.
- Analytics data: Retained in aggregated, anonymised form — individual session data typically retained for 14 months.
- Legal & compliance records: Retained for the period required by applicable law (typically 5–10 years depending on jurisdiction and record type).
When data is no longer needed, we securely delete or anonymise it in accordance with our internal data disposal procedures.
Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data. We respond to verified requests within the timeframes required by law (typically 30 days under GDPR; 45 days under CCPA).
| Right | Description | Frameworks |
|---|---|---|
| Access | Obtain a copy of your personal data and information about how it is processed. | GDPRCCPALGPDPIPEDA |
| Rectification | Request correction of inaccurate or incomplete personal data. | GDPRLGPD |
| Erasure | Request deletion of your personal data ("right to be forgotten") where no overriding legal basis exists. | GDPRCCPALGPD |
| Portability | Receive your data in a structured, machine-readable format and transfer it to another controller. | GDPRLGPD |
| Restriction | Request that we restrict processing of your data in certain circumstances. | GDPRLGPD |
| Object | Object to processing based on legitimate interests or for direct marketing purposes. | GDPRLGPD |
| Withdraw Consent | Withdraw previously given consent at any time, without affecting prior lawful processing. | GDPRLGPDCASL |
| Non-Discrimination | Not be discriminated against for exercising your privacy rights. | CCPA |
| Opt-Out of Sale / Sharing | Opt out of the sale or sharing of personal information for cross-context behavioural advertising. | CCPA/CPRA |
To exercise any of these rights, please contact us as described in Section 16. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with your local supervisory authority:
- EU: Your national Data Protection Authority (e.g. AEPD in Spain, CNIL in France).
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
- Canada: Office of the Privacy Commissioner (OPC) — priv.gc.ca
California Residents — CCPA / CPRA
This section applies to consumers who are residents of California, USA, pursuant to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.
Categories of Personal Information Collected
In the preceding 12 months, T32 Studios has collected the following categories of personal information as defined by the CCPA:
- Identifiers: Real name, email address, IP address, and other similar identifiers.
- Commercial information: Records of services purchased or considered.
- Internet or electronic network activity: Browsing history on the Site, interaction with advertisements.
- Professional or employment-related information: Company name and professional role, provided voluntarily.
- Inferences: Profiles reflecting preferences drawn from the above data.
We Do Not Sell or Share Your Personal Information
T32 Studios does not sell your personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioural advertising to third parties. If this practice changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism as required.
Your California Rights
California residents have the right to: know what personal information is collected; delete personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information; limit the use of sensitive personal information; and non-discrimination for exercising these rights.
To submit a CCPA request, contact us at the details in Section 16. We will verify your identity and respond within 45 calendar days, with a possible 45-day extension where reasonably necessary.
Authorised Agent
You may designate an authorised agent to submit requests on your behalf. We will require written proof of the agent's authorisation and may verify your identity directly.
Brazilian Residents — LGPD
This section applies to natural persons located in Brazil whose personal data is processed by T32 Studios, pursuant to Brazil's General Data Protection Law (LGPD), effective September 2020 and enforced by the ANPD.
Bases Legais de Tratamento (Legal Bases)
We process personal data of Brazilian residents under one or more of the following legal bases established in Article 7 of the LGPD:
- Consentimento (Consent) — Art. 7, I: For marketing communications and non-essential cookies.
- Execução de contrato (Contract) — Art. 7, V: For delivering agreed services and billing.
- Legítimo interesse (Legitimate interest) — Art. 7, IX: For analytics and fraud prevention, subject to our legitimate interest assessment.
- Cumprimento de obrigação legal (Legal obligation) — Art. 7, II: For tax and regulatory compliance.
Seus Direitos (Your Rights under LGPD)
Brazilian residents have rights under Articles 17–22 of the LGPD, including confirmation of processing, access, correction, anonymisation or deletion, data portability, information about sharing, the right to object to consent-based processing, and the right to withdraw consent. Requests are responded to within a reasonable timeframe.
The Data Protection Officer (Encarregado) for Brazilian data subjects can be reached at the contact details in Section 16.
Canadian Residents — PIPEDA & CASL
This section applies to Canadian residents under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, as well as Canada's Anti-Spam Legislation (CASL).
PIPEDA Principles
We adhere to the 10 Fair Information Principles under PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.
CASL — Commercial Electronic Messages
We send commercial electronic messages (CEMs) to Canadian residents only where we have obtained express or implied consent as defined under CASL. Every CEM includes a clear and functional unsubscribe mechanism. Consent can be withdrawn at any time by following the unsubscribe link or contacting us directly.
To exercise your PIPEDA rights or challenge our compliance, contact our Privacy Officer at the details in Section 16. You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Children's Privacy
The Site and our services are directed to businesses and professionals and are not intended for children under the age of 16 (or under 13 in the United States). We do not knowingly collect personal data from children under these ages.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at the details in Section 16 and we will promptly delete such information. This commitment aligns with the Children's Online Privacy Protection Act (COPPA) in the United States, the GDPR provisions on children's data, and equivalent frameworks in other jurisdictions.
Security
T32 Studios implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:
- TLS/SSL encryption for all data transmitted between your browser and our servers.
- Access controls and authentication requirements for internal systems handling personal data.
- Regular security reviews and vulnerability assessments of our infrastructure.
- Contractual data security requirements with all third-party processors.
- Staff training on data protection and information security obligations.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR; without undue delay under LGPD).
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law or where changes are significant, notify you by email or by a prominent notice on the Site.
Your continued use of the Site following the posting of changes constitutes your acknowledgement of the revised Policy. We encourage you to review this page periodically to stay informed.
Previous versions of this Policy are available upon request by contacting us at the details below.
Contact & Data Protection Officer
For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices — including exercising your rights under GDPR, CCPA, LGPD, PIPEDA, or any other applicable law — please contact us:
Email: [email protected]
Subject line: "Privacy Request — [Your Name / Jurisdiction]"
Alternatively via our contact form at t32studios.com
Data Protection Officer (DPO)
In accordance with GDPR Article 37, T32 Studios has designated a Data Protection Officer responsible for overseeing compliance with this Policy and applicable data protection law. The DPO can be contacted at the email address above, with the subject line: "DPO — [Matter]".
EU Representative
For the purposes of GDPR Article 27, T32 Studios' EU establishment in Murcia, Spain serves as the point of contact for EU supervisory authorities and data subjects.
Supervisory Authorities
- Spain (Lead SA for EU): Agencia Española de Protección de Datos (AEPD) — aepd.es
- United Kingdom: Information Commissioner's Office — ico.org.uk
- Brazil: Autoridade Nacional de Proteção de Dados — gov.br/anpd
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- California, USA: California Privacy Protection Agency (CPPA) — cppa.ca.gov