Privacy Policy

Istibqa Ltd
Registered in England and Wales · Company No. 17089113
27 West Park Terrace, Bradford, BD8 9SQ, United Kingdom
Tel: +44 7760 979458
Email: [email protected] · [email protected]

For data protection enquiries or to exercise your rights, contact us at the address above. We aim to respond within 30 days.

Business customers may request our Data Processing Agreement (DPA) at tadhkirapp.com/dpa.

Business account holders (you):

• Name and email address (for account creation and communication)
• Business name, type, and WhatsApp phone number
• Payment information (processed and stored by Stripe — we never store card details)
• IP address, browser type, and usage data (for security and analytics)

Your customers (end users whose data you upload):

• Name and WhatsApp phone number
• Last visit date, birthday, and anniversary (if collected via self-registration)
• Opt-in source and consent timestamp

Affiliate partners:

• Name, email, and WhatsApp number
• Referral activity and commission data
• Payment details for payout processing

You are the data controller for the personal data of your customers. Istibqa Ltd acts as your data processor. You are responsible for:

• Obtaining valid consent from your customers before uploading their data
• Ensuring your use of Tadhkir complies with applicable data protection laws in your jurisdiction
• Responding to data subject requests from your customers
• Ensuring your customers are aware that their data is processed by a third-party service

We process your customers' data solely on your instructions and will not use it for our own purposes.

We share data with the following third-party sub-processors:

• Supabase Inc — database hosting and authentication (EU/US data centres, Standard Contractual Clauses in place)
• Stripe Inc — payment processing (PCI-DSS Level 1 certified)
• WhatsApp / Meta Platforms — message delivery (subject to Meta's Privacy Policy and WhatsApp Business Terms of Service at business.whatsapp.com/policy)
• Netlify Inc — hosting and edge infrastructure (US, with global CDN)
• Anthropic PBC — AI copilot features (where enabled; no customer PII transmitted)

We do not sell personal data to third parties. We do not use personal data for advertising purposes.

Some of our sub-processors operate outside the UK and EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK ICO or the European Commission, or adequacy decisions where applicable.

We use the following cookies:

• Strictly necessary cookies — session management and authentication (no consent required)
• tadhkir_ref — affiliate referral attribution cookie (90-day lifetime, first-party)
• Analytics — we may use privacy-preserving analytics; no third-party advertising cookies are used

You can manage cookies via your browser settings. Blocking strictly necessary cookies may affect platform functionality.

We retain personal data for as long as necessary to fulfil the purposes described in this policy. Specifically:

• Account data: retained for the duration of your subscription and up to 6 years after closure (UK statutory requirement)
• Customer data you upload: deleted within 30 days of account closure upon request
• Payment records: retained for 7 years for legal and accounting purposes
• Access logs: retained for up to 12 months for security purposes

Under UK GDPR, you have the following rights in respect of your personal data:

• Right of access — to obtain a copy of your personal data
• Right to rectification — to have inaccurate data corrected
• Right to erasure — to have your data deleted ('right to be forgotten')
• Right to restriction — to restrict how we process your data
• Right to data portability — to receive your data in a machine-readable format
• Right to object — to object to processing based on legitimate interests
• Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects

To exercise any of these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

We implement industry-standard technical and organisational measures to protect personal data, including:

• Row-Level Security (RLS) on all database tables via Supabase — each business can only access its own data
• All data transmitted over HTTPS/TLS
• Service role API keys stored as environment secrets, never exposed client-side
• Access to production systems restricted to authorised personnel only

Tadhkir is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the service constitutes acceptance of the updated policy.

For privacy-related enquiries, data subject requests, or to report a concern:

Email: [email protected] · [email protected]
Tel: +44 7760 979458
Istibqa Ltd · 27 West Park Terrace, Bradford, BD8 9SQ, UK · Co. No. 17089113

If you are unsatisfied with our response, you may contact the UK ICO at ico.org.uk/make-a-complaint.