Data Protection & GDPR

Data Protection Policy

How we protect your personal data in compliance with GDPR and Islamic principles of trust (Amanah).

Last updated: February 28, 2026

Our Data Protection Commitment

AmalQ is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), applicable data protection laws, and Islamic principles of trust (Amanah). This policy explains your rights, how we process your data, and the safeguards we have in place.

Data Controller Information

Understanding who is responsible for your data and how to contact us about data protection matters.

Data Controller

AmalQ is the data controller for personal data collected through the amalq.org platform. We determine the purposes and means of processing your personal data.

Data Protection Contact

For all data protection inquiries, requests, or complaints, contact our data protection team at legal@amalq.org. We aim to respond to all data protection requests within 30 days.

Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

Lawful Basis for Processing

We process your personal data only when we have a lawful basis to do so, as required by GDPR Article 6.

Consent (Art. 6(1)(a))

Processing for marketing emails, newsletter subscriptions, and non-essential cookies is based on your explicit consent, which you can withdraw at any time.

Contractual Necessity (Art. 6(1)(b))

Account creation, donation processing, campaign management, and customer support require processing your data to fulfill our contractual obligations to you.

Legal Obligation (Art. 6(1)(c))

Tax reporting, anti-money laundering compliance, and responding to legal requests require us to process certain data as mandated by law.

Legitimate Interest (Art. 6(1)(f))

Processing for platform security, fraud prevention, analytics for service improvement, and maintaining Islamic compliance is carried out under our legitimate interests, balanced against your rights.

Categories of Personal Data

We collect and process the following categories of personal data, each with a specific purpose and retention period.

Identity Data

Full name, date of birth, government ID (for campaign creators). Used for account management and identity verification. Retained for the duration of your account plus 6 years.

Contact Data

Email address, phone number, postal address. Used for communications, support, and delivery of services. Retained for the duration of your account.

Financial Data

Payment card tokens (stored by Stripe, not AmalQ), bank account details (for campaign creators), donation history. Used for payment processing and tax reporting. Retained for 7 years after last transaction.

Technical Data

IP address, browser type, device information, login timestamps, device fingerprint. Used for security, fraud prevention, and platform optimization. Retained for 12 months.

Usage Data

Pages visited, features used, campaign interactions, search queries. Used for analytics and service improvement. Retained for 24 months in anonymized form.

Preference Data

Language preference, notification settings, Islamic compliance preferences, communication opt-ins. Used for personalization. Retained for the duration of your account.

Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Active Accounts

Data is retained for the duration of your account. You can request deletion at any time (subject to legal obligations).

Closed Accounts

After account closure, most personal data is deleted within 30 days. Financial records are retained for 7 years for tax and legal compliance.

Campaign Data

Campaign information and donation records are retained for transparency and audit purposes for a minimum of 7 years after campaign completion.

Data Anonymization

Where possible, we anonymize data rather than delete it, allowing us to maintain aggregate statistics while protecting individual privacy.

International Data Transfers

As a global platform, your data may be transferred to and processed in countries outside your country of residence.

Transfer Safeguards

All international data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other approved transfer mechanisms.

Payment Data Transfers

Payment data processed by Stripe may be transferred to Stripe's data centers. Stripe maintains EU-US Data Privacy Framework certification.

Hosting Infrastructure

Our primary servers are located in Europe. Data may be cached or processed in other regions for performance optimization, always with appropriate safeguards.

Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data. We honor all requests within 30 days.

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including the purposes of processing, data categories, and recipients.

Right to Rectification (Art. 16)

Request correction of any inaccurate personal data. You can update most information directly through your account settings.

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent. Subject to legal retention requirements.

Right to Restriction (Art. 18)

Request restriction of processing while we verify accuracy, assess legitimate interests, or process your objection.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

Automated Decision-Making (Art. 22)

We do not make decisions based solely on automated processing that significantly affect you. Fraud detection systems include human review for any adverse decisions.

Data Breach Notification

We have procedures in place to detect, report, and investigate personal data breaches.

Breach Detection

We maintain 24/7 security monitoring systems to detect potential data breaches. Our incident response team is on call to investigate any alerts.

Authority Notification

In the event of a breach likely to result in risk to individuals, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

User Notification

If a breach is likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay via email and platform notification.

Breach Mitigation

We take immediate steps to contain and mitigate any breach, including securing systems, resetting credentials, and engaging forensic investigators when necessary.

Children's Data

AmalQ does not knowingly collect or process personal data from children under 16 years of age.

Age Restriction

Our platform is intended for users aged 18 and above. We do not knowingly collect data from individuals under 16.

Parental Notice

If we discover that we have collected personal data from a child under 16, we will delete it promptly. Parents or guardians who become aware of such collection should contact us immediately.

Policy Updates

We may update this Data Protection Policy to reflect changes in our practices, technology, or legal requirements.

Change Notification

Material changes to this policy will be communicated via email and a prominent notice on our platform at least 30 days before they take effect.

Version History

Previous versions of this policy are available upon request. The current version date is displayed at the top of this page.

Data Protection Inquiries

For any questions about data protection, to exercise your rights, or to report a data protection concern, please contact our data protection team. We take every inquiry seriously and aim to respond within 30 days.

legal@amalq.org

We respond to all data protection requests within 30 days