Your data, your rights

Privacy Policy

We believe protecting your personal information is both a legal obligation and an Islamic one. This policy explains clearly what we collect, why we collect it, and the full rights you hold over your data.

Document information

Last updated March 17, 2026

Effective date March 17, 2026

Applies to All users

Privacy inquiries

Plain-language summary: the key points

We never sell your data

Your personal information is never sold, rented, or traded to third parties for commercial purposes under any circumstances.

Minimal collection

We only collect what is necessary to operate the platform and run community programs. Nothing more.

You are in control

You can access, correct, export, or delete your personal data at any time by contacting our admin team.

We protect it

Data is stored securely, access is role-restricted, and we apply technical and organizational safeguards.

No third-party tracking

We do not use advertising networks, tracking pixels, or behavioral analytics that follow you across the web.

We tell you of changes

If this policy changes in a way that affects your rights, we will notify all members before the change takes effect.

Contents

Section 1

Who we are

Haya Al Alfalah Community ("we", "us", "our") is a non-profit community organization based in Lahore, Pakistan. We operate the Haya Al Alfalah Community Platform (the "Platform") a digital platform providing community management tools, project collaboration, an educational resource library, and a forum to registered members.

We are the data controller for all personal information processed through this Platform. If you have any questions about how we handle your data, you may contact us at any time using the details in Section 14.

Data Controller

Haya Al Alfalah Community
Block 7, Gulberg III, Lahore, Pakistan
Email: privacy@hayaalfalah.com

Section 2

Data we collect

We collect only the data necessary to operate the Platform and deliver community services. Below is a complete breakdown of every category of data we may hold about you.

Account & identity data

Collected when you register or update your profile.

Full name (first and last)
Email address
Password (stored as a one-way hash (we cannot read it))
Display name
Profile photograph (optional)
Phone number (optional)
Location / city (optional)
Website or social media links (optional)
Short biography (optional)

Membership application data

Collected when you submit a membership application.

Reason for joining the community
Skills and areas of interest you wish to contribute
Application status and review notes (internal use only)

Platform activity data

Generated automatically when you use the Platform.

Login timestamps and session duration
Pages visited and features used
Projects joined and project role
Tasks created, assigned, or completed
Resources downloaded
Forum posts, replies, and votes
Notifications sent and read status

Technical data

Collected automatically by the server on every request.

IP address
Browser type and version
Operating system
Device type (desktop, mobile, tablet)
Session token (for authentication)
Referring URL

Communications data

Collected when you contact us directly.

Messages sent via the contact form
Subject and category of inquiry
Email correspondence with the admin team
Support ticket content and responses

What we do not collect: We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs (beyond your voluntary community participation), health data, biometric data, or financial/payment information. We have no advertising accounts and no tracking pixels from social networks.

Section 3

How we use your data

We use your personal information only for the purposes listed below. We do not use your data for any purpose other than those stated here without obtaining your explicit consent first.

Operating your account

Creating and maintaining your account, authenticating your login, and managing your session securely.

Platform personalisation

Showing you content and navigation options relevant to your role (member dashboard, admin panel, project coordinator tools) based on your assigned permissions.

Project participation

Enabling you to join, contribute to, and track community projects. This includes assigning tasks, sharing documents, and posting project updates.

Community communications

Sending you platform notifications (task assignments, project updates, membership approvals), announcements, and responses to your contact form messages.

Membership review

Reviewing your membership application, contacting you with the outcome, and maintaining a record of the review decision.

Security and fraud prevention

Detecting and preventing unauthorized access, account abuse, spam, and other malicious activity. Maintaining audit logs for security investigations.

Platform improvement

Analysing aggregated, anonymised usage patterns to improve features, fix bugs, and enhance the user experience. No individual is identified in this analysis.

Legal compliance

Complying with applicable laws of the Islamic Republic of Pakistan, responding to lawful requests from authorities, and enforcing our Terms of Use.

Moderation

Reviewing reported content and taking appropriate action to maintain a safe and respectful community environment.

Section 4

Legal basis for processing

Where applicable under data protection law, we process your personal data on one or more of the following legal bases:

Contractual necessity

Processing required to fulfil our obligations to you as a registered member: operating your account, enabling platform access, and delivering community services you have requested.

Consent

Where you have freely, specifically, and informedly given consent; for example, publishing your profile publicly or subscribing to optional email communications.

Legitimate interests

Where we have a legitimate organizational interest that does not override your rights; such as maintaining security logs, improving platform performance, and enforcing community rules.

Legal obligation

Where processing is required to comply with a legal obligation under the laws of the Islamic Republic of Pakistan.

Section 5

Data sharing and disclosure

We do not sell, rent, or trade your personal data. The only circumstances under which your data is shared are described below.

We never sell, rent, share for profit, or give your data to advertising networks.

Within the community

Certain profile information (name, display name, member role, project membership) is visible to other logged-in members according to your visibility settings. You control your profile visibility from your account preferences.

Project collaborators

When you join a project, your name, role, and contributions within that project are visible to other project members and the project coordinator.

Platform administrators

Admins and Super Admins have access to member accounts, activity logs, and audit trails for the purpose of platform management, security, and moderation. Access is logged.

phpBB forum integration

If you participate in the community forum, your account is linked to a phpBB forum account. Your display name and member status are shared with the forum system. Forum posts you make are publicly visible unless posted in a members-only category.

Hosting and infrastructure

Our Platform is hosted on servers in [your hosting provider/location]. The hosting provider processes data on our behalf under a data processing agreement and may not use your data for any other purpose.

Legal authorities

We may disclose your data to law enforcement or regulatory authorities in Pakistan where required by law, court order, or to protect the rights, safety, or property of the community or its members.

Section 6

Data retention

We retain your personal data for as long as necessary to provide the services you have requested and to comply with our legal obligations. The specific retention periods for each data category are as follows:

Data category	Retention period	Reason
Active member account	Duration of membership	Required to operate the platform
Inactive member account	2 years after last login, then deleted	Standard inactivity period
Membership applications (rejected)	6 months	Administrative record and potential appeals
Membership applications (approved)	Duration of membership	Underpins the active account
Audit and activity logs	3 years	Security, governance, and dispute resolution
Project contributions	Duration of project + 2 years after project closure	Community record and reporting
Forum posts	Indefinite (unless you request removal)	Public community record
Contact form messages	2 years	Follow-up and reference
Technical/server logs (IP)	90 days	Security monitoring only
Password reset tokens	60 minutes (auto-expired)	Security by design
Session tokens	7 days or on logout	Authentication lifecycle

When data reaches the end of its retention period it is securely deleted or anonymised so it can no longer be linked to you. You may request earlier deletion of your data; see Section 7.

Section 7

Your rights

You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@hayaalfalah.com and we will respond within 30 days.

Right to access

Request a copy of all personal data we hold about you. We will provide it in a readable format within 30 days.

Right to correction

Request correction of inaccurate or incomplete personal data. You can update most information directly from your profile settings.

Right to deletion

Request deletion of your account and associated personal data. We will action this within 10 business days, subject to legal retention requirements.

Right to portability

Request your personal data in a structured, machine-readable format (JSON or CSV) so you can transfer it to another service.

Right to object

Object to processing of your data where we rely on legitimate interests as the legal basis. We will cease processing unless we have compelling grounds.

Right to restriction

Request that we restrict processing of your data; for example, while we investigate a correction request or objection.

Right to withdraw consent

Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to complain

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the relevant data protection authority in Pakistan.

How to exercise your rights: Email privacy@hayaalfalah.com with the subject line "Data Rights Request" and specify which right you wish to exercise. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights.

Section 8

Cookies and local storage

We use a small number of cookies strictly necessary to operate the Platform. We do not use advertising cookies, tracking cookies, or any cookies from third-party marketing networks.

Cookie name	Purpose	Type	Expires
PHPSESSID	Maintains your login session	Strictly necessary	Session (clears on browser close) or 7 days if "remember me"
csrf_token	Prevents cross-site request forgery attacks	Strictly necessary	Session
phpbb3_*	Forum authentication (phpBB integration)	Strictly necessary	1 year (phpBB default)

Because we only use strictly necessary cookies, we do not display a cookie consent banner. You may disable cookies in your browser settings, but this will prevent you from logging in to the Platform.

Section 9

Security

We implement technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:

Passwords hashed with bcrypt (cost factor 10): we cannot read your password

HTTPS/TLS encryption for all data in transit

CSRF tokens on all state-changing forms

Role-based access control: admins only access what their role permits

Full audit logging of administrative actions

Session tokens with configurable expiry and per-device revocation

Regular database backups with off-site storage

Access to production data limited to the minimum number of authorized personnel

No method of electronic storage or transmission is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@hayaalfalah.com. In the event of a data breach that poses a risk to your rights, we will notify affected members without undue delay.

Section 10

Children and minors

The Platform is designed for adults (18 years and over). We do not knowingly collect personal data from individuals under the age of 18 without verified parental or guardian consent.

Our community does run educational programs for children (such as the Quran Literacy Program), but participation data for minors is managed through the parent's or guardian's registered adult account. Minors do not have independent accounts on the Platform.

If you believe we have inadvertently collected personal data from a minor without appropriate consent, please contact us immediately and we will delete it without delay.

Section 11

Third-party links and services

The Platform may contain links to external websites, social media profiles, or third-party resources. These links are provided for your convenience and do not constitute an endorsement.

Once you leave our Platform, this Privacy Policy no longer applies. We have no control over and accept no responsibility for the privacy practices of third-party websites. We encourage you to review the privacy policy of any external site you visit.

Our Platform uses the following external services for display purposes only. None of these services receive your personal data from us:

Bootstrap CDN (jsDelivr): CSS and JavaScript libraries served from CDN. No user data transmitted.
Bootstrap Icons (jsDelivr): Icon font served from CDN. No user data transmitted.
Google Fonts: Typography served from Google's servers. Google may log the request IP. You may self-host these fonts to avoid this.

Section 12

Forum and public content

Content you post in public forum categories, public project updates, or any publicly visible section of the Platform is visible to anyone on the internet and may be indexed by search engines.

Think before you post publicly. Do not share personal information (your own or others') in public forum posts or project updates. We cannot recover information once it has been crawled by search engines.

Content posted in members-only forum categories is visible only to registered and approved members. You may request removal of your forum posts by contacting an admin or moderator. We will honor reasonable removal requests but cannot guarantee removal from search engine caches.

Section 13

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the features of the Platform. The "Last updated" date at the top of this page will always reflect the most recent revision.

If we make changes that materially affect your rights or how we use your personal data, we will:

Post a prominent notice on the Platform homepage for at least 14 days before the change takes effect
Send a notification to all registered members via the platform notification system
Email active members at the email address associated with their account

Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes. If you do not accept the revised policy, you may request deletion of your account.

Section 14

Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Privacy Lead using any of the following methods:

Email (preferred)

privacy@hayaalfalah.com

General contact

info@hayaalfalah.com

Contact form

hayaalfalah.com/contact

Postal address

Block 7, Gulberg III, Lahore, Pakistan

We aim to respond to all privacy-related requests within 30 calendar days. For urgent security concerns such as suspected data breaches or compromised accounts, please use the email subject line "URGENT: Security" and we will prioritize your request.

Questions about your privacy?

Our team is here to help. Contact us with any privacy question or rights request and we'll respond within 30 days.