GDPR & UAE PDPL Compliance

1. Scope & Applicability 2. Regulatory Framework 3. Data Processing Activities 4. Legal Basis for Processing 5. Data Subject Rights 6. Technical & Organizational Measures 7. Sub-Processors 8. Data Residency & Transfers 9. Breach Notification 10. Data Processing Agreement (DPA) 11. Data Retention & Deletion Contact & DPO

1. Scope & Applicability

This compliance document describes how Islamic-Microfinance.com (operated by Koodo Tech LLC FZ, Sharjah, UAE) adheres to:

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL")
EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679

This document is intended for: enterprise clients, partner organizations, regulatory bodies, and data protection authorities. It serves as both a compliance declaration and a reference for data processing agreements (DPAs).

2. Regulatory Framework

Regulation	Jurisdiction	Status
UAE PDPL (Law #45/2021)	United Arab Emirates	Compliant
GDPR (EU) 2016/679	European Union / EEA	Compliant
CBUAE Consumer Protection Regulation	UAE Banking Sector	Compliant
Dubai Data Law (Law #26/2015)	Dubai, UAE	Compliant

2.1 Data Controller & Data Processor Classification

Data Controller: Koodo Tech LLC FZ (for standard users accessing the public platform)
Data Processor: Islamic-Microfinance.com (for enterprise/white-label clients — the client remains the Data Controller)

3. Data Processing Activities

We process personal data for the following purposes:

Processing Activity	Data Categories	Purpose	Lawful Basis (GDPR)
AI Chat Queries	Query text (may contain personal info)	AI response generation, service improvement	Legitimate Interest / Consent
Zakat Calculation	Financial figures (no PII required)	Zakat calculation	Legitimate Interest
Demo Booking	Name, email, institution, phone	Sales follow-up, demo scheduling	Consent / Pre-contractual
Account Management	Email, billing info, usage	Service delivery, billing	Contractual Necessity
Analytics	IP address, page views, device info	Site improvement, troubleshooting	Legitimate Interest
Enterprise White-Label	Per enterprise agreement	Client-specific service delivery	Contractual Necessity

4. Legal Basis for Processing

Under GDPR Article 6, we rely on the following lawful bases:

Lawful Basis	Application
Consent (Art. 6(1)(a))	Demo booking form, cookie preferences, marketing communications
Contractual Necessity (Art. 6(1)(b))	Account creation, service delivery, billing, enterprise agreements
Legal Obligation (Art. 6(1)(c))	Regulatory compliance, tax reporting, legal requests
Legitimate Interest (Art. 6(1)(f))	Analytics, service improvement, security monitoring (balanced against user rights)

🕌 Islamic Finance Context: Our AI processing does not involve automated decision-making with legal or similarly significant effects concerning individuals. All zakat calculations and stock screening results are estimates requiring human verification with qualified scholars. AI responses are informational only.

5. Data Subject Rights

We honour all rights under both GDPR and UAE PDPL. Response time: within 30 days (free of charge, unless requests are manifestly unfounded or excessive).

Right	GDPR	UAE PDPL	Implementation
Access	Art. 15	Art. 10	Submit request → CSV/JSON export within 30 days
Rectification	Art. 16	Art. 11	Update account settings or submit correction request
Erasure	Art. 17	Art. 12	Account deletion via support or automated (self-serve coming Q3 2026)
Restriction	Art. 18	Art. 13	Request via DPO; data flagged and restricted
Portability	Art. 20	—	Machine-readable export (JSON/CSV)
Objection	Art. 21	Art. 14	Opt-out of marketing; object to legitimate interest processing
Withdraw Consent	Art. 7(3)	Art. 15	Cookie settings, email unsubscribe, DPO request

To exercise any right: Email privacy@islamic-microfinance.com or contact our DPO (see Section 12). We verify identity before processing requests.

6. Technical & Organizational Measures

6.1 Technical Measures

Measure	Details
Encryption at Rest	AES-256 for all stored data (databases, backups, logs)
Encryption in Transit	TLS 1.3 for all HTTPS connections; TLS 1.2+ for API calls
Server Hardening	Minimal attack surface: only port 443 (HTTPS) and 22 (SSH, key-only) exposed
Authentication	SSH key-only (no passwords); 2FA for admin accounts
AI Sandboxing	Model runs in isolated GPU environment; prompts not persisted beyond session
Logging & Monitoring	Structured logging with alerting; 90-day log retention
Backup	Encrypted daily backups; 90-day retention; off-site storage
Penetration Testing	Annual third-party penetration test (next: Q3 2026)
Vulnerability Scanning	Weekly automated CVE scanning on all infrastructure
Access Control	RBAC for infrastructure; principle of least privilege
WAF	Web Application Firewall rate-limiting and DDoS protection

6.2 Organizational Measures

Data Protection Officer (DPO) appointed — see Section 12
Staff training: Annual data protection training for all personnel with system access
Incident response plan: Documented, tested bi-annually
Data Processing Agreements (DPAs): Executed with all sub-processors and enterprise clients
Privacy by Design: All new features reviewed for data protection impact before deployment
Records of Processing Activities (ROPA): Maintained and updated quarterly

7. Sub-Processors

We use the following sub-processors to deliver our service. All have executed DPAs and meet our security requirements.

Sub-Processor	Service	Data Processed	Location	SOC2/ISO
Stripe, Inc.	Payment processing	Billing info (no card numbers stored by us)	USA / Global	SOC 2 Type II
Google Cloud Platform	Infrastructure, compute	All platform data (configurable region)	USA / Europe / GCC*	ISO 27001, SOC 2/3
Hetzner Online GmbH	GPU compute (AI inference)	AI prompts & responses (in-memory only)	Finland / Germany	ISO 27001
Ollama	AI model serving	No data stored; in-memory processing	Self-hosted	N/A

* GCC data residency available for enterprise clients (UAE/Saudi Arabia availability zones).

8. Data Residency & Transfers

8.1 Standard Users

Data stored in European data centers (default) or US (West Coast)
AI model inference runs on European GPU infrastructure (Hetzner, Finland)
International transfers safeguarded by Standard Contractual Clauses (SCCs)

8.2 GCC Enterprise Clients

🇦🇪 GCC Data Residency: Enterprise clients can elect to have all data — including AI processing — handled within the GCC region (UAE / Saudi Arabia availability zones). Additional charges apply for dedicated regional infrastructure.

8.3 Transfer Safeguards

Standard Contractual Clauses (EU 2021/914) for all cross-border data transfers
Transfer Impact Assessments completed for each jurisdiction
Supplementary measures in place where SCCs alone are insufficient (encryption, pseudonymisation)

9. Breach Notification

Requirement	Our Commitment
Notification to Data Protection Authority	Within 72 hours of becoming aware (GDPR Art. 33)
Notification to Data Subjects	Without undue delay when high risk to rights and freedoms (GDPR Art. 34)
Notification to UAE PDPL Authority	As specified in UAE PDPL implementing regulations
Notification to Enterprise Clients	Within 24 hours for confirmed breaches affecting client data
Incident Log	All data breaches documented in internal incident register with root cause analysis

10. Data Processing Agreement (DPA)

Enterprise clients and partners can request a signed Data Processing Agreement. Our DPA covers:

Scope and purpose of processing
Duration of processing
Nature and purpose of processing
Types of personal data and categories of data subjects
Processor obligations (confidentiality, security, sub-processor notifications)
Data subject rights assistance
Audit rights (including on-site inspections with reasonable notice)
Return and deletion of data upon termination
Liability and indemnification
Governing law (UAE / DIFC)

📄 Request DPA: Email dpo@islamic-microfinance.com with the subject "DPA Request." We will provide a signed DPA within 5 business days.

11. Data Retention & Deletion

Data Category	Retention Period	Deletion Mechanism
Account data	Account duration + 12 months	Automated purge after 12 months inactivity
Demo / inquiry records	24 months after last contact	Quarterly purge script
AI chat logs (standard)	Not stored server-side (browser localStorage only)	User clears browser data
Enterprise query logs	Per enterprise agreement (default 90 days)	Automated deletion after TTL
Analytics	Aggregated: indefinite; raw: 26 months	Anonymisation after 26 months
Backups	90 days rolling	Overwritten on rolling cycle
Billing records	7 years (legal/regulatory requirement)	Encrypted archive, restricted access

11.1 Deletion Requests

Data subjects can request deletion at any time. We verify identity and complete deletion within 30 days, except where retention is legally required (e.g., billing records). Deletion confirmation sent to the requester.

12. Contact & Data Protection Officer

Data Controller / Operator	Koodo Tech LLC FZ, Sharjah, United Arab Emirates
Data Protection Officer	dpo@islamic-microfinance.com
Privacy Inquiries	privacy@islamic-microfinance.com
Legal Inquiries	legal@islamic-microfinance.com
Supervisory Authority (GDPR)	Irish Data Protection Commission (Lead SA) — complaints@dataprotection.ie
Supervisory Authority (UAE)	UAE Data Office — info@dataoffice.ae

Your Rights Matter. We are committed to protecting your privacy and handling your data with the utmost care. If you have any concerns about how we process your personal data, please contact our DPO first — we will respond within 5 business days. You also have the right to lodge a complaint with your local data protection authority at any time.

This compliance document was last updated on June 30, 2026. It is reviewed quarterly and updated as regulations evolve.

← Privacy Policy | Terms of Service

Table of Contents