Privacy Policy
Effective 2026-06-03 · Version 2.0 · revised 2026-06-03 — alignment with Terms §3a alameleen alaiha cost-recovery model; no monthly-subscription billing data is collected
In plain English
We collect what we need to run the platform safely: who you are, which bank account is yours, which brokerage account is yours, what rules you set for your waqf, and what moved when. We do not see your bank password. We do not see your brokerage password. We use vendors that give us tokens — not credentials — to operate on accounts you own. We never sell your data. We never share it with third parties for marketing. We protect borrower identity absolutely: if you give waqf, you do not see who received it; if you borrow, the giver does not see you.
1. Who we are
qardon.org is a technology platform owned by Fotoh, Inc., a for-profit company incorporated in the United States. We are the operator that controls and is responsible for the personal data described here. For privacy questions: privacy@qardon.org.
2. What we collect
- Identity at sign-up (KYC). Through a third-party verification service (Persona, or an equivalent vendor we may use): your legal name, date of birth, government-issued identification number where required by law, a photo of your government ID, a selfie used for liveness check, and your country of residence. The KYC vendor returns to us a yes/no verification result plus the minimum identity record needed to comply with anti-money-laundering law.
- Bank account information. Through a bank-linking service (Plaid, or an equivalent vendor): a long-lived access token that authorizes us to read your waqf bank account's balance and transactions, and to initiate the movements you authorized in the Giver Waqf Agreement. We do not see, store, or transmit your bank password. We do not see your full account or routing number except where the law requires it for a specific transaction.
- Brokerage account information. Through the partner halal brokerage's interface: an API access token authorizing us to place trades and read positions in your waqf investment account. We do not see your brokerage password.
- Waqf rules. The commitments you have set: time horizon (permanent, fixed-term, flexible-term), purpose restrictions (category, country, or other allowed limits), opt-in or opt-out of bot-managed investing, contribution amounts and dates.
- Transaction metadata. Timestamps, amounts, idempotency keys, and outcome codes of every authorized movement on your accounts. The minimum needed to run the registry and reconcile against bank and brokerage records.
- Application content. If you apply for a goodly loan: the details you submit (income, debt, purpose, supporting documents), the review panel's findings, and the final decision. If you submit a Recovery Fund claim: the calamity details and supporting documents, the review panel's findings, and the final decision.
- Support correspondence. Messages you exchange with our specialist agents, with timestamps, for service quality and audit.
- Technical data. IP address, browser user-agent, session cookie, and standard server logs needed to operate the site and detect abuse.
3. What we do not collect
- We do not collect or store your bank password.
- We do not collect or store your brokerage password.
- We do not collect or store payment card numbers.
- We do not collect biometric data beyond the liveness check the KYC vendor performs at sign-up (and we do not retain the liveness video).
- We do not collect precise geolocation. The site does not request your device's GPS.
- We do not run third-party tracking pixels. We do not run Google Analytics. We do not run advertising trackers.
4. How we use what we collect
We use it only to:
- Verify that you are who you say you are (KYC and anti-money-laundering compliance).
- Open, link, and operate the accounts described in the Terms of Service: your waqf bank account, your waqf investment account, and the registry entry in your name.
- Execute the movements you authorized in the Giver Waqf Agreement.
- Review goodly-loan applications and Recovery Fund claims through the specialist panel.
- Detect fraud, abuse, and system anomalies.
- Communicate with you about your account, applications, and claims.
- Comply with our legal obligations, including tax reporting where applicable.
- Audit our own operations, including the meta-supervisor's sample review of decisions for quality control.
We do not profile you for advertising. We do not target you with ads. We do not sell your data. We do not share your data with third parties for their independent purposes, except as described in §6.
5. Borrower dignity — the absolute privacy rule
If you give a waqf, you do not see who received any portion of it as a goodly loan. You see only aggregated category totals and impact summaries (for example: "Your waqf helped 12 families this year; 4 medical, 3 education, 5 debt-relief"). You do not see borrower names, faces, ages, locations beyond a country level, loan amounts per individual, or any other identifying detail.
If you receive a goodly loan, no giver sees you. Your identity is shielded from the people whose waqf funded your loan. The specialist panel and qardon.org's internal systems see you for the purpose of running the loan; no member of the platform sees you on the lender side.
This separation is architectural. It is enforced by the system, not by trust. It cannot be opted out of and it cannot be requested around.
6. Where the data lives, and who sees it
- Cloudflare is our primary infrastructure provider (D1 databases, KV namespaces, Vectorize indexes, Workers). The data is stored in their United States regions. Cloudflare is SOC 2 Type II compliant.
- Persona (or the KYC vendor in use) handles identity verification. They see the documents you submit at sign-up. They return to us a verification result and a minimum identity record.
- Plaid (or the bank-linking vendor in use) handles the connection between qardon.org and your bank. They hold the access token. They see your bank's transaction records on our behalf when we query.
- The partner halal brokerage (for example, Wahed Invest) holds your waqf investment account. They see the trades and positions in your account because the account is at their firm. Their privacy policy governs their handling of your data; their terms govern your account relationship with them.
- qardon.org's automated systems see what is needed to run your account: balances, rules, transactions, applications, and decisions.
- qardon.org's admin operator (a small operations team within Fotoh, Inc.) has read-only audit access used for resolving escalations, complaints, and meta-supervisor anomalies. Every access is logged.
- The Founder of Fotoh, Inc. has override authority for cases that escalate to him and for governance reasons described in our Charter. Every access is logged.
We do not sell your data. We do not share your data with any third party for marketing. We do not give your data to any government, agency, or other party except in response to a valid legal demand, and even then we challenge demands that exceed the law.
7. How we protect the data
- Encryption in transit. All connections to qardon.org use TLS 1.3.
- Encryption at rest. Sensitive tokens (bank-linking access tokens, brokerage API tokens) are encrypted at rest with AES-256-GCM. Keys are managed in Cloudflare's secret store.
- Least-privilege access. Internal services see only the fields they need. Admin operator access is audit-logged.
- Idempotency and reconciliation. Every movement carries an idempotency key; daily reconciliation against bank and brokerage records catches any drift.
- Meta-supervisor audit. A separate automated process samples one in one hundred decisions for quality review.
8. Cookies
We use a small number of cookies, all functional:
- A session cookie that keeps you signed in while you use the platform.
- A CSRF protection cookie that defends against forged-request attacks.
- A preference cookie that remembers your language and accessibility choices.
We do not use tracking pixels. We do not use third-party analytics. We do not use advertising cookies.
9. How long we keep the data
- Transaction records: seven years from the date of the transaction. This is the standard regulatory retention period in the United States for financial records.
- Audit logs: seven years from the date of the log entry.
- Member account data: while your account is active, plus one year after closure. After that we retain only what regulatory rules require us to keep.
- KYC records: five years from account closure, as anti-money-laundering law requires.
- Application and claim files: seven years from the decision date.
- Support correspondence: three years from the date of the message, unless tied to an ongoing dispute, in which case until the dispute is resolved plus seven years.
10. Your rights
Depending on where you live, you may have legal rights to:
- Access the data we hold about you. Email privacy@qardon.org with the request.
- Correct data that is inaccurate. You can correct most of this yourself in your dashboard; contact us for the rest.
- Delete data we hold about you. We honor deletion requests subject to legal retention obligations. We cannot delete records of committed waqf without breaching the agreement you signed; we can delete records that are not bound by that agreement.
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent for any processing that requires consent. Withdrawing consent for KYC, account linking, or trading authorization will result in our being unable to operate the platform for you.
- Lodge a complaint with your local data protection authority.
We respond to verified requests within thirty days. We may extend by another thirty days for complex requests and will tell you if we do.
11. Children
We do not knowingly collect data from anyone under eighteen years old. If you believe a child has provided us data, write to privacy@qardon.org and we will delete it.
12. International transfers
If you live outside the United States, your data is transferred to and processed in the United States. For users in jurisdictions that require it (the European Economic Area, the United Kingdom, and similar), the data transfer is governed by standard contractual clauses or an equivalent legal mechanism.
13. California residents
If you live in California, the California Consumer Privacy Act (CCPA) gives you the rights described in §10, plus: the right to know the categories of personal information we have collected; the right to non-discrimination for exercising your rights; the right to opt out of any sale or sharing of your personal information. We do not sell or share your personal information. No opt-out is needed.
14. European Economic Area, United Kingdom, and similar
If you live in the European Economic Area, the United Kingdom, or a jurisdiction with a similar regime, the General Data Protection Regulation (or its local equivalent) gives you the rights described in §10. Our legal bases for processing are: performance of the contract you entered into with us (Terms of Service and Giver Waqf Agreement); compliance with our legal obligations; and our legitimate interests in operating the platform safely. Our data protection contact: privacy@qardon.org.
15. Changes
We may update this Privacy Policy. We will give you thirty days' notice by email and by banner in your member dashboard before any material change takes effect. Continued use after the effective date is your acceptance of the changed Privacy Policy.
16. Contact
For privacy questions: privacy@qardon.org.