← Back to Deenari

Privacy Policy

Last updated: March 2026

Privacy PolicyTerms & Conditions

1. Introduction

Welcome to Deenari ("we", "us","our"). Deenari is an AI-powered Islamic financial life planning platform that helps Muslims manage their zakat obligations, inheritance planning, halal mortgage comparisons, pension screening, and broader financial well-being in accordance with Shariah principles.

We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at https://deenari.app (the "Website") and use our services, applications, and tools (collectively, the "Services").

This policy applies to all visitors, registered users, and subscribers of Deenari. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with any part of this policy, please do not use our Services.

We take particular care with the nature of data processed through our platform. Financial data and religious preferences are sensitive by nature, and we have designed our systems, processes, and policies with this sensitivity at the forefront. Our commitment is to collect only the data necessary to deliver and improve our Services, to store it securely, and to never sell or share it for advertising or profiling purposes.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), the data controller is:

  • Name: Deenari (trading as a sole trader; registration as Deenari Ltd is pending when revenue thresholds are met)
  • Contact email: hello@deenari.app
  • Website: https://deenari.app
  • Jurisdiction: England and Wales, United Kingdom
  • ICO registration: Pending — we are in the process of registering with the Information Commissioner's Office (ICO) as a data controller. Our registration number will be published here upon completion.

We are subject to and comply with the UK GDPR (as retained under the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. Where applicable, we also have regard to the EU GDPR for any data subjects located in the European Economic Area.

3. What Data We Collect

We collect and process various categories of personal data depending on how you interact with our Services. We only collect data that is necessary for the purposes outlined in this policy.

3.1 Account Data

When you create a Deenari account, we collect information necessary to set up and maintain your account:

  • Email address
  • Full name (if provided)
  • Password (stored as a cryptographic hash using bcrypt — we never store your password in plain text)
  • Authentication provider details (if you sign in via Google OAuth, we receive your name and email from Google; we do not receive or store your Google password)
  • Account creation date and last login timestamp

3.2 Profile Data

To personalise your experience and provide accurate calculations according to your chosen school of Islamic jurisprudence, we collect:

  • Preferred madhab (school of thought): Hanafi, Shafi'i, Maliki, or Hanbali
  • Preferred currency (default: GBP)
  • Zakat anniversary date (the date you first became eligible for zakat, used to calculate your annual hawl)
  • Subscription tier (free, premium monthly, or premium annual)

3.3 Financial Data

To perform zakat calculations, inheritance planning, and other financial analyses, we collect data about your financial position. This data is provided voluntarily by you and may include:

  • Cash and savings: bank balances, savings account amounts, cash holdings
  • Precious metals: gold and silver holdings (weight and/or value)
  • Investments: stocks, shares, ISAs, and their current market values
  • Cryptocurrency: digital asset holdings and their values
  • Business assets: inventory, receivables, business cash
  • Property: rental income from investment properties
  • Retirement accounts: pensions, 401(k), ISA balances
  • Agricultural produce: value of harvested crops (where applicable)
  • Liabilities: debts, mortgages, loans, and immediate expenses
  • Zakat calculation results: total zakatable wealth, deductions, zakat due, breakdown by asset class
  • Inheritance data: estate value, heir relationships, wasiyyah (bequest) amounts

Important: All zakat and inheritance calculations are performed using deterministic, rules-based engines. These calculations are not generated by artificial intelligence. AI is used only for explanatory guidance and Q&A — never for issuing rulings or performing calculations.

3.4 AI Conversation Data

When you interact with our AI financial advisor feature, we collect:

  • Your messages and questions submitted to the AI advisor
  • AI-generated responses provided to you
  • Timestamps of each interaction
  • Session identifiers linking conversations to your account

AI conversation data is used to deliver the advisory feature and to improve the quality of our responses. It is not used to train third-party AI models (see Section 13 for details).

3.5 Payment Data

When you subscribe to Deenari Premium, we collect and store:

  • Subscription tier and plan details (monthly or annual)
  • Stripe customer ID (a unique identifier assigned by our payment processor)
  • Subscription status, start date, and renewal date
  • Payment history (amounts, dates, and transaction status)

We do not collect, store, or have access to your full credit or debit card number, CVV, or bank account details. All payment processing is handled entirely by Stripe, Inc., which is certified to PCI DSS Level 1 — the highest level of payment security certification. Your card details are entered directly into Stripe's secure payment form and are never transmitted to or stored on our servers.

3.6 Technical Data

When you access our Website, we automatically collect certain technical information:

  • IP address (anonymised for analytics purposes)
  • Browser type and version
  • Device type, operating system, and screen resolution
  • Pages visited, time spent on pages, and navigation paths
  • Referring URL (the page that directed you to our Website)
  • Timezone and language preferences

3.7 Communication Data

We collect data from your communications with us, including:

  • Waitlist registrations (email address and sign-up date)
  • Support emails and enquiries sent to hello@deenari.app
  • Transactional emails we send to you (welcome emails, password resets, zakat reminders, subscription confirmations)
  • Marketing email preferences and opt-in/opt-out status

4. Special Category Data

Under Article 9 of the UK GDPR, certain categories of personal data are considered "special category data" and are subject to additional protections. These include data revealing religious or philosophical beliefs.

When you select your preferred madhab (school of Islamic jurisprudence — Hanafi, Shafi'i, Maliki, or Hanbali), this constitutes data that reveals your religious beliefs. The use of Deenari itself, as an Islamic financial planning platform, may also imply religious affiliation.

We process this special category data under the following lawful basis:

  • Explicit consent (Article 9(2)(a) UK GDPR): When you create an account and select your madhab preference, you are providing explicit consent for us to process this data in order to deliver calculations and guidance tailored to your chosen school of thought.

Your provision of madhab preference is entirely voluntary. You may use our free zakat calculator without creating an account, and the default madhab (Hanafi) will be applied unless you change it. You may withdraw your consent to the processing of this data at any time by:

  • Changing your madhab preference in your account settings
  • Deleting your account entirely
  • Contacting us at hello@deenari.app to request deletion

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Use Your Data

We use your personal data only for specific, explicit, and legitimate purposes. Below we set out each purpose alongside the corresponding lawful basis under the UK GDPR.

5.1 Contractual Necessity (Article 6(1)(b))

We process your data where it is necessary for the performance of our contract with you (i.e., providing the Services you have registered for):

  • Creating and managing your Deenari account
  • Performing zakat calculations based on the asset and liability data you provide
  • Generating inheritance (faraid) plans based on estate data and heir information
  • Delivering AI-powered financial guidance and Q&A responses
  • Processing subscription payments through Stripe
  • Generating PDF reports (zakat summaries, inheritance breakdowns, will documents)
  • Providing halal mortgage comparisons and pension screening results
  • Sending transactional communications (account verification, password resets, payment receipts, zakat reminders)

5.2 Legitimate Interest (Article 6(1)(f))

We process certain data where it is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms:

  • Service improvement: Analysing anonymised usage patterns to understand how users interact with our platform, which features are most valuable, and where we can improve
  • Security: Detecting and preventing fraud, abuse, and unauthorised access to our systems
  • Technical maintenance: Monitoring server performance, diagnosing errors, and ensuring platform stability
  • Business operations: Managing our waitlist, understanding our user base demographics (in aggregate), and planning product development

5.3 Consent (Article 6(1)(a))

We process your data based on your consent for the following purposes:

  • Sending marketing emails, newsletters, and product updates (you may opt out at any time via the unsubscribe link in each email or by contacting us)
  • Processing special category data, specifically your madhab preference (see Section 4)

5.4 Legal Obligation (Article 6(1)(c))

We process your data where it is necessary for compliance with a legal obligation:

  • Retaining financial transaction records as required by HMRC and UK tax legislation
  • Responding to lawful requests from law enforcement or regulatory authorities
  • Complying with the UK GDPR, DPA 2018, and related data protection laws

6. How We Store and Protect Your Data

We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. The security of your data — particularly financial and religious data — is of paramount importance to us.

6.1 Database and Infrastructure Security

  • Database hosting: Your data is stored in Supabase, which uses PostgreSQL databases hosted in London, UK (eu-west-2). Data residency in the UK ensures compliance with UK data sovereignty expectations.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints.
  • Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption, an industry-standard encryption algorithm.
  • Password hashing: User passwords are hashed using bcrypt with an appropriate cost factor. We never store passwords in plain text and cannot retrieve your original password.
  • Row Level Security (RLS): Our database employs Supabase Row Level Security policies, ensuring that authenticated users can only access their own data. Even in the event of an application-level vulnerability, RLS provides a database-level safeguard preventing cross-user data access.

6.2 Payment Security

All payment processing is handled by Stripe, Inc., which is certified to PCI DSS Level 1 — the most stringent level of security certification in the payments industry. Your payment card details are processed entirely within Stripe's secure infrastructure and are never transmitted to, processed by, or stored on Deenari's servers.

6.3 AI Processing Security

AI-powered features use the Anthropic Claude API via commercial API endpoints. Queries sent to the Claude API are processed under Anthropic's commercial terms of service, which stipulate that commercial API data is not used to train Anthropic's models. See Section 13 for full details on AI-specific privacy provisions.

6.4 Access Controls

Access to production databases, infrastructure, and personal data is strictly limited to the founder and any authorised personnel operating under binding confidentiality obligations. We follow the principle of least privilege and review access controls regularly.

7. Third-Party Data Processors

We engage a limited number of third-party service providers who process personal data on our behalf. Each processor has been selected for its security standards and compliance posture. Where required, we have entered into Data Processing Agreements (DPAs) that comply with Article 28 of the UK GDPR.

ProviderPurposeData ProcessedLocation
SupabaseDatabase hosting, authentication, row-level securityAccount data, profile data, financial data, calculation resultsLondon, UK (eu-west-2)
VercelWebsite and application hosting, serverless functionsTechnical data (IP addresses, request metadata); no persistent user data storedUnited States (with global edge network)
StripePayment processing, subscription managementPayment card details (directly), Stripe customer ID, transaction historyUnited States (PCI DSS Level 1 certified)
AnthropicAI-powered financial advisor (Claude API)AI conversation messages and responsesUnited States
ResendTransactional and marketing email deliveryEmail addresses, email content, delivery metadataUnited States
CloudflareDNS resolution, CDN, DDoS protection, email routingTechnical data (IP addresses, request headers); email routing metadataGlobal (edge network)
GoldAPI.ioLive gold and silver price data for nisab calculationsNo user data is transmitted — API calls are server-side with no user identifiersN/A (no user data shared)
Google (OAuth)Optional social sign-inEmail address and display name (received from Google upon user consent)United States

We do not share, sell, rent, or trade your personal data with any third parties for their own marketing or advertising purposes. Our processors are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.

8. International Data Transfers

Your primary data is stored in the United Kingdom (Supabase, London eu-west-2). However, certain third-party processors listed in Section 7 are based in the United States, which means your data may be transferred outside the UK.

Where we transfer personal data to countries that have not been deemed to provide an adequate level of data protection by the UK Secretary of State, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (as adopted for UK use) as the transfer mechanism for data sent to US-based processors.
  • UK International Data Transfer Agreement (IDTA): Where applicable, we use the UK's own International Data Transfer Agreement or the UK Addendum to the EU SCCs, as approved by the ICO.
  • Adequacy decisions: Where the UK has issued an adequacy decision for a recipient country, we rely on that decision as the lawful basis for the transfer.
  • Supplementary measures: We assess each transfer on a case-by-case basis and implement supplementary technical or organisational measures where necessary to ensure that the level of protection afforded to your data is not undermined.

Our key US-based processors (Stripe, Anthropic, Vercel, Resend, and Google) each maintain robust security programmes, and we have reviewed their data processing terms to confirm the presence of adequate safeguards for international transfers.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The table below summarises our retention periods:

Data CategoryRetention Period
Account data (email, name, auth)Until you delete your account, plus 30 days for backup purging
Financial data (assets, liabilities, calculations)Until you delete your account or request deletion of specific records
AI conversation data12 months from the date of the conversation, then automatically deleted
Payment and transaction records7 years (as required by HMRC for financial record-keeping obligations)
Transactional emails (receipts, confirmations)12 months
Waitlist registrations24 months from sign-up, or until you unsubscribe, whichever is sooner
Analytics dataAnonymised and retained for up to 26 months
Server and access logs90 days

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised. If you request deletion of your account, we will delete or anonymise your personal data within 30 days, except where we are legally required to retain certain records (e.g., payment records for HMRC compliance).

10. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions under applicable law.

10.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. This is commonly known as a "Subject Access Request" (SAR). We will provide the data in a commonly used, machine-readable format (e.g., JSON or CSV).

10.2 Right to Rectification (Article 16)

You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data. You can update most of your information directly through your account settings.

10.3 Right to Erasure (Article 17)

You have the right to request that we delete your personal data, commonly known as the "right to be forgotten." We will comply with your request unless we have a lawful reason to retain the data (e.g., legal obligations to retain payment records). Account deletion can be initiated through your account settings or by contacting us.

10.4 Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example if you contest the accuracy of the data or object to our processing.

10.5 Right to Data Portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. This applies to data processed by automated means on the basis of consent or contract.

10.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data where we are relying on legitimate interest as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

10.7 Right to Withdraw Consent

Where we process your data based on consent (e.g., marketing emails, madhab preference), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

10.8 Right to Lodge a Complaint

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK's supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10.9 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at hello@deenari.app. We will respond to your request within 30 days of receipt. If your request is particularly complex or you have made multiple requests, we may extend this period by a further two months, in which case we will notify you of the extension and the reasons for it within the initial 30-day period.

We may ask you to verify your identity before processing your request to ensure the security of your data. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

11. Cookies and Tracking

We take a privacy-first approach to cookies and tracking technologies. Our use of cookies is minimal and limited to those strictly necessary for the functioning of our Website.

11.1 Essential Cookies Only

We use only essential (strictly necessary) cookies that are required for the operation of our Website. These include:

  • Authentication cookies: To keep you signed in to your account and manage your session securely
  • Security cookies: To detect and prevent cross-site request forgery (CSRF) and other security threats
  • Preference cookies: To remember your selected settings (e.g., madhab preference, currency) during your session

11.2 What We Do Not Use

  • No advertising cookies: We do not serve advertisements on our platform and do not use any advertising tracking cookies or pixels.
  • No third-party tracking: We do not embed third-party trackers (such as Facebook Pixel, Google Ads tags, or similar marketing pixels) on our Website.
  • No data sales: We do not sell, trade, or share your personal data or browsing behaviour with advertisers, data brokers, or any other third parties for commercial purposes.

Because we use only strictly necessary cookies, consent under the Privacy and Electronic Communications Regulations (PECR) is not required for these cookies. However, should we introduce any non-essential cookies in the future, we will implement a cookie consent mechanism and update this policy accordingly.

12. Children's Privacy

Deenari is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. The financial planning tools we provide are designed for use by adults who are managing their own financial affairs.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data from our systems. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@deenari.app and we will promptly investigate and delete the data.

The age threshold of 16 aligns with the UK GDPR's provisions under Article 8 as implemented by Section 9 of the DPA 2018, which sets 13 as the minimum age for consent to information society services in the UK. We have chosen the higher threshold of 16 given the financial nature of our Services.

13. AI-Specific Privacy Provisions

Deenari integrates artificial intelligence through the Anthropic Claude API to provide our AI financial advisor feature. Given the emerging regulatory landscape around AI and data protection, we provide the following specific disclosures:

13.1 How AI Processes Your Data

When you use the AI financial advisor, your messages are sent to Anthropic's Claude API via a secure, encrypted API connection. Anthropic processes your query and returns a response. The following data may be included in API requests:

  • Your message or question
  • Relevant context from your financial profile (to provide personalised guidance)
  • Your madhab preference (to tailor responses to your school of thought)
  • System instructions that define the advisor's behaviour and constraints

13.2 AI Training and Data Use

We use Anthropic's commercial API, which operates under Anthropic's commercial terms of service. Under these terms, data submitted through the commercial API is not used by Anthropic to train or improve their AI models. Your conversations with our AI advisor are not fed back into Anthropic's training pipeline.

13.3 No Advertising or Profiling from AI Data

Your AI conversation data is not used for advertising, behavioural profiling, or targeted marketing — by us or by Anthropic. The data is used solely to generate responses to your queries and, on our side, to maintain your conversation history as part of the Service.

13.4 AI Data Deletion

You may request deletion of your AI conversation history at any time by contacting us at hello@deenari.app. Upon receiving your request, we will delete your stored conversation data from our systems within 30 days. Data that has been transmitted to Anthropic via the API is subject to Anthropic's data retention policies, which provide for automatic deletion of API logs within 30 days.

13.5 AI Limitations Disclaimer

AI-generated responses are provided for educational and informational purposes only. Every AI response includes a disclaimer that it does not constitute a fatwa, financial advice, or a binding Islamic ruling. Users should consult qualified scholars for personal religious rulings and regulated financial advisors for investment decisions.

14. Data Breach Procedures

We take data security extremely seriously. Despite our robust security measures, we acknowledge that no system is entirely immune to security incidents. We have established procedures to deal with any suspected personal data breach promptly and effectively.

14.1 Detection and Assessment

We maintain monitoring systems to detect potential data breaches. Upon discovering or being notified of a suspected breach, we will immediately assess the nature, scope, and severity of the incident, including the categories and approximate number of individuals and records affected.

14.2 Notification to the ICO

In accordance with Article 33 of the UK GDPR, if a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and the measures taken or proposed to address the breach.

14.3 Notification to Affected Individuals

In accordance with Article 34 of the UK GDPR, if a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay. Notification will be made via email to your registered email address and will include a clear description of the breach, the likely consequences, and the steps we have taken to mitigate the impact.

14.4 Record-Keeping

We maintain a record of all personal data breaches, regardless of whether they are reportable to the ICO, including the facts of the breach, its effects, and the remedial actions taken. This record enables us to demonstrate compliance with our obligations under the UK GDPR.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the latest revision at the top of this page by updating the "Last updated" date.

For material changes — such as changes to the categories of data we collect, the purposes for which we use your data, or the third parties with whom we share your data — we will notify you by email to the address associated with your account at least 14 days before the changes take effect. We will also display a prominent notice on our Website.

For non-material changes (e.g., clarifications, formatting, or typographical corrections), we may update this page without individual notification. We encourage you to review this policy periodically to stay informed about how we protect your data.

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the revised policy. If you do not agree with the updated policy, you should discontinue your use of the Services and delete your account.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please do not hesitate to contact us:

Response Times

  • General enquiries: We aim to respond within 5 business days.
  • Formal data protection requests (Subject Access Requests, erasure requests, and other rights-related requests): We will respond within 30 days of receipt, as required by the UK GDPR. If the request is complex, we may extend this by a further two months, notifying you of the extension within the initial 30-day period.

Supervisory Authority

If you are unsatisfied with our response or believe we are processing your personal data in a manner that is not compliant with applicable data protection law, you have the right to lodge a complaint with the UK's supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Deenari provides educational information to help you understand Islamic financial principles. This is not financial advice, tax advice, or a fatwa. Always consult a qualified scholar for personal rulings and a regulated financial advisor for investment decisions.