Privacy Policy
Islamic Open Finance™ is committed to protecting your privacy and processing your data in compliance with GDPR, SOC 2 Type II, and ISO 27001 standards.
Last updated: March 15, 2026
This Privacy Policy describes how Islamic Open Finance™ ("IOF," "we," "us," or "our") collects, uses, and shares your personal information when you use our website, APIs, platform services, and financial infrastructure products. IOF operates as a Shariah-native financial technology provider subject to AAOIFI governance standards.
1. Data Controller
The data controller responsible for your personal data is:
Islamic Open Finance™
Dubai International Financial Centre (DIFC)
Dubai, United Arab Emirates
Data Protection Officer: dpo@islamicopenfinance.com
2. Information We Collect
Account & Identity Data
- Name, email address, phone number, and organizational affiliation
- Professional information: job title, role, company name, and industry sector
- Account credentials (hashed), multi-factor authentication tokens
- KYC/AML verification data as required by financial regulations
- Tenant and workspace identifiers for multi-tenant platform access
Technical & Usage Data
- IP address, browser type, operating system, and device identifiers
- API usage statistics: request counts, latency metrics, error rates
- Pages visited, navigation patterns, and session duration
- Authentication and access logs (retained per SOC 2 requirements)
- Webhook delivery logs and integration configuration data
Financial Transaction Data
- Islamic contract metadata (Murabaha, Ijarah, Musharakah, etc.) processed through our API
- Payment processing records and billing information (via Stripe)
- Ledger entries and transaction identifiers (stored in encrypted, tenant-isolated databases)
- Shariah compliance attestation records and audit trail data
3. Lawful Basis for Processing (GDPR Art. 6)
- Contractual Necessity (Art. 6(1)(b)): Processing required to deliver our API services, manage your account, and fulfill our service agreement.
- Legal Obligation (Art. 6(1)(c)): Processing required by financial regulations including AML/KYC, PSD2, and AAOIFI reporting requirements.
- Legitimate Interest (Art. 6(1)(f)): Platform security monitoring, fraud prevention, service improvement, and anonymized analytics.
- Consent (Art. 6(1)(a)): Marketing communications, optional analytics cookies, and participation in beta programs. Consent may be withdrawn at any time.
4. How We Use Your Information
Service Provision
To provide, maintain, and improve our Shariah-compliant financial infrastructure, APIs, and multi-tenant platform services.
Communication
To communicate with you about your account, API usage, service updates, security advisories, and support inquiries.
Security & Compliance
To ensure platform security, prevent fraud, enforce AML/KYC requirements, and comply with GDPR, PSD2, SOC 2, and ISO 27001 standards.
Analytics & Improvement
To analyze aggregated usage patterns, monitor API performance, and improve platform reliability and developer experience.
5. Information Sharing & Sub-Processors
We share personal data only when necessary and under appropriate safeguards:
- Infrastructure Providers: AWS (EU-West-1, Frankfurt), Cloudflare (global edge) for hosting and content delivery. Data processed under Standard Contractual Clauses (SCCs).
- Payment Processing: Stripe for subscription billing and usage metering. Stripe is PCI DSS Level 1 certified.
- Authentication: Clerk for identity management and multi-factor authentication. SOC 2 Type II certified.
- Regulatory Compliance: When required by law, court order, or financial regulatory authority (DFSA, FCA, or equivalent).
- Business Transfers: In connection with mergers, acquisitions, or asset sales, with advance notice to affected users.
A complete list of sub-processors is available upon request to dpo@islamicopenfinance.com. We provide 30 days' advance notice before adding new sub-processors.
6. Data Security
We implement enterprise-grade security measures aligned with banking industry standards:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest. All database connections encrypted.
- Access Control: Role-based access control (RBAC) with attribute-based policies (Cerbos ABAC). Principle of least privilege enforced.
- Audit Trail: Immutable audit logs on all data access and modifications. SOC 2 Type II attested annually.
- Infrastructure: ISO 27001 certified data centers. Tenant data isolation at database and network level. Regular penetration testing by independent auditors.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. We ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) for transfers outside the EEA
- DIFC Data Protection Law compliance for UAE-based processing
- Adequacy decisions where available (e.g., EU-UK adequacy)
- Transfer Impact Assessments for each data destination country
Primary data processing occurs in AWS EU-West-1 (Ireland) and EU-Central-1 (Frankfurt). Edge caching via Cloudflare respects data residency preferences.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Financial transaction records | 7 years (regulatory requirement) |
| API access logs | 90 days (security), then anonymized |
| Audit trail records | 7 years (SOC 2 / regulatory) |
| Marketing preferences | Until consent withdrawn |
| Support tickets | 3 years after resolution |
9. Your Rights
Under GDPR, DIFC Data Protection Law, and applicable regulations, you have the following rights:
Right of Access (GDPR Art. 15)
Request a copy of all personal data we process about you, including API logs, account data, and usage records.
Right to Rectification (GDPR Art. 16)
Request correction of inaccurate or incomplete personal information in your account or organization profile.
Right to Erasure (GDPR Art. 17)
Request deletion of your personal data, subject to regulatory retention requirements for financial records (typically 7 years).
Right to Data Portability (GDPR Art. 20)
Receive your personal data in a structured, machine-readable JSON format for transfer to another service provider.
Right to Restriction (GDPR Art. 18)
Request that we restrict processing of your personal data while a complaint or correction request is under review.
Right to Object (GDPR Art. 21)
Object to processing of your personal data for direct marketing, profiling, or purposes based on legitimate interests.
To exercise any of these rights, contact our Data Protection Officer at dpo@islamicopenfinance.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
10. Cookies & Tracking
We use minimal cookies for essential platform functionality:
- Essential Cookies: Authentication session tokens, CSRF protection, theme preferences. Cannot be disabled.
- Analytics Cookies (optional): Privacy-respecting analytics for aggregate usage insights. No cross-site tracking. Requires explicit consent.
We do not sell personal data. We do not use third-party advertising trackers. We do not participate in real-time bidding or data broker exchanges.
11. Children's Privacy
Our services are designed for business use by financial institutions, fintech companies, and developers. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact our DPO immediately for removal.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email to the address associated with your account at least 30 days before the changes take effect. Continued use of our services after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For questions about this Privacy Policy, data subject access requests, or to exercise your rights:
We will respond to all data subject requests within 30 calendar days. For complex requests, we may extend this by up to 60 additional days with notice.