Privacy Policy

Last updated: 28 February 2026

MasjidConnect Ltd is committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

MasjidConnect Ltd (“MasjidConnect”, “we”, “our”, “us”) is a company registered in England and Wales (Company No. [TBC]). We are the Data Controller in respect of personal data collected through our website and platform.

We are registered with the Information Commissioner's Office (ICO) under registration number [TBC].

For any privacy-related queries, please contact us at privacy@masjidconnect.co.uk.

2. Data We Collect

We collect the following categories of personal data when you use MasjidConnect:

Account Data

  • Full name of the account registrant;
  • Email address; and
  • Password (stored as an irreversible cryptographic hash — we never store your plaintext password).

Masjid Data

  • Masjid name and address;
  • Prayer times and Jamaat schedules;
  • Announcements and event information; and
  • Any images or files uploaded to the platform.

Display Screen Data

  • Screen identifiers (device IDs) generated during pairing;
  • Connection status and last-seen timestamps; and
  • Device metadata (e.g. browser user agent of the display device).

Payment Data

  • Billing name and email address (used to identify your subscription); and
  • Subscription plan and billing history (for your records and HMRC compliance).

We do not store payment card details. All card information is held exclusively by Paddle.com, Inc., our Merchant of Record, who process payments on our behalf.

Technical Data

  • IP address;
  • Browser type and version;
  • Session authentication tokens (via essential cookies only); and
  • Server access logs (retained for 30 days on a rolling basis).

3. How We Use Your Data

We use the personal data we collect to:

  • Create and manage your Account and provide you with access to the Service;
  • Process your subscription and communicate billing information through Paddle;
  • Send transactional emails — including account confirmation, password resets, subscription invoices, and important service updates;
  • Monitor and ensure the security of the platform, detect fraud, and prevent misuse;
  • Improve the platform using aggregated and anonymised usage data — we do not use individual user data for analytics; and
  • Comply with our legal obligations, including HMRC record-keeping requirements.

We do not use your personal data for advertising or marketing to third parties. We do not sell your data.

4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for each type of processing we carry out. Our lawful bases are:

  • Contract performance (Article 6(1)(b)): Processing your Account data, Masjid data, and screen data is necessary to provide the Service you have signed up for.
  • Legitimate interests (Article 6(1)(f)): We process technical data and server logs to maintain security and improve the platform. Our legitimate interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): We retain payment and invoicing records for 7 years as required by HMRC regulations.

We do not rely on consent as a lawful basis for routine processing. Where we do seek consent (for example, for optional marketing communications), we will make this clear at the time and you may withdraw consent at any time.

5. Data Sharing

We share personal data with the following third-party service providers who act as data processors on our behalf:

  • Paddle.com, Inc. — payment processing and Merchant of Record. Paddle receives billing name, email, and subscription information to process payments and issue invoices. Paddle's own privacy policy applies to data they hold.
  • Vercel, Inc. — hosting of the MasjidConnect website and admin portal on Vercel's edge network.
  • Neon, Inc. — PostgreSQL database hosting for all platform data.
  • Amazon Web Services (AWS) — cloud storage (S3) for files and images uploaded to the platform.

We do not sell personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

We may disclose data where required to do so by law, by a court order, or by a regulatory authority.

6. International Data Transfers

Vercel, Neon, and Amazon Web Services are US-based companies. Where your data is processed outside of the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46.

Specifically, data transfers to the US are governed by Standard Contractual Clauses (SCCs) approved for use under UK data protection law. Paddle maintains its own Data Processing Agreement and transfer mechanisms covering payments data.

You may request a copy of the applicable Standard Contractual Clauses by emailing privacy@masjidconnect.co.uk.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

  • Active accounts: Data is retained for the duration of your Account.
  • Cancelled accounts: Data is retained for 90 days following cancellation to allow you to export your data, after which it is permanently deleted (subject to the exceptions below).
  • Payment and invoice records: Retained for 7 years in compliance with HMRC legal obligations.
  • Server access logs: Retained on a rolling 30-day basis.
  • Community member data: Any data you have entered about your community members (as Data Controller) is deleted within 90 days of your Account closure.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure: You can ask us to delete your personal data where there is no compelling reason for us to continue holding it (“right to be forgotten”).
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request your data in a structured, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@masjidconnect.co.uk. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully. You can reach the ICO at ico.org.uk or on 0303 123 1113.

9. Cookies

MasjidConnect uses only strictly necessary cookies on the admin portal. We do not use analytics cookies, advertising cookies, or any other non-essential cookies.

Strictly necessary cookies are exempt from consent requirements under the Privacy and Electronic Communications Regulations (PECR), as they are essential for the service to function.

The cookies we use include:

  • Session authentication tokens: Used to keep you logged in to the admin portal. These expire when you close your browser or after a period of inactivity.
  • CSRF protection tokens: Used to protect against cross-site request forgery attacks.

The MasjidConnect marketing website (masjidconnect.co.uk) does not set any cookies.

10. Data Security

We take the security of your data seriously and implement industry-standard technical and organisational measures, including:

  • Encryption of all data in transit using TLS 1.2 or higher;
  • Encryption of data at rest;
  • Role-based access controls to ensure only authorised personnel can access sensitive data;
  • Regular security reviews of our infrastructure and codebase;
  • No storage of payment card details — all card credentials are held exclusively by Paddle; and
  • Confidentiality obligations for all staff and contractors with access to personal data.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

11. MasjidConnect as Data Processor

When you use MasjidConnect features that involve storing data about members of your community — such as names, email addresses, donation records, or event attendance — the following roles apply:

  • Your Masjid is the Data Controller. You determine the purposes and means of processing your community's data and are responsible for ensuring you have a lawful basis for collecting and using it.
  • MasjidConnect is the Data Processor. We process that community data solely on your instructions, for the purpose of providing the Service.

By using these features, you confirm that:

  • You have informed your community members about how their data will be used;
  • You have obtained any necessary consents or have another lawful basis for processing; and
  • You have a privacy notice in place for your Masjid's own data processing activities.

12. Children's Data

The MasjidConnect platform is designed for and directed at adult administrators of Islamic organisations. We do not knowingly collect personal data from individuals under the age of 16.

If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@masjidconnect.co.uk and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law.

Where changes are material, we will notify you via email and/or a banner notification in your admin dashboard, with at least 30 days' notice before the changes take effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

The date at the top of this page shows when the policy was last updated.

14. Contact & Complaints

For any questions about this Privacy Policy, to exercise your rights, or to raise a concern, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF