Privacy Policy

Last updated: 29 April 2026 · Effective date: 29 April 2026

This Privacy Policy describes how Hidayah ("Hidayah", "we", "us", "our") collects, uses, shares, and protects personal data when you use our website at hidayah.me and our madrasa management software (together, the "Service").

We are committed to handling personal data — particularly that of children, parents, and madrasa staff — in accordance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR (where applicable), and the Data Protection Act 2018.

1. Who we are

Hidayah is operated by Hidayah Ltd, with its registered office in the United Kingdom. For the purposes of UK GDPR, Hidayah Ltd is:

  • A data controller for personal data we collect about visitors to our marketing website and the staff at customer organisations who sign up for the Service.
  • A data processor for personal data that customer organisations (madrasas, Islamic schools) upload into the Service about their students, guardians, teachers, and other staff. The customer organisation is the data controller for that data.

To contact us about data protection, email [email protected].

2. Personal data we collect

2.1 Data you provide directly

  • Account information: name, email address, telephone number, password (hashed), role within the organisation.
  • Organisation information: school name, address, billing details, bank account details for payment settlement (held by our payment processor, Stripe).
  • Communications: any messages you send us by email, contact form, or in-app support.

2.2 Data uploaded by customer organisations

When a madrasa uses Hidayah, it uploads personal data about its students, guardians, teachers, and other staff. This may include:

  • Student name, date of birth, gender, photograph, address, medical/dietary notes, emergency contacts.
  • Guardian (parent) name, relationship to student, contact details, login credentials.
  • Teacher name, contact details, employment details, attendance.
  • Attendance records, academic progress notes (Hifz, Qaida, Tajweed), behavioural notes.
  • Fee invoices, payment history, refund records.

For this category of data, the madrasa is the data controller. Hidayah processes this data only on the madrasa's instructions, in accordance with our Data Processing Addendum.

2.3 Data collected automatically

  • Log data: IP address, browser type, device type, operating system, pages visited, timestamps.
  • Cookies: session cookies needed for authentication, and limited analytics cookies. See section 9.

2.4 Data from payment processors

When a parent pays fees through Hidayah, we receive limited transaction metadata from Stripe (the payment processor) — for example, the last 4 digits of the card, payment status, and transaction ID. We never receive or store full card numbers or CVCs. All card data is handled directly by Stripe, which is PCI DSS Level 1 certified.

3. How we use personal data

We use personal data for the following purposes:

  • Provide the Service: create accounts, host data, deliver features such as attendance tracking, fee collection, and parent communication.
  • Process payments: facilitate the collection of fees from parents to madrasas via Stripe Connect.
  • Customer support: respond to enquiries, troubleshoot issues, send service notifications.
  • Improve the Service: analyse usage patterns to improve features and stability.
  • Security and fraud prevention: detect and prevent unauthorised access, abuse, and fraudulent payment activity.
  • Legal obligations: comply with applicable laws, regulations, court orders, and tax requirements.

4. Lawful bases for processing

Where Hidayah is the data controller, we rely on the following lawful bases under UK GDPR Article 6:

  • Contract performance — to provide the Service to a customer who has signed up for it.
  • Legitimate interests — to operate, secure, and improve the Service; to communicate service updates; to prevent fraud.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and similar requirements.
  • Consent — for non-essential cookies and any optional marketing communications, where required.

Where Hidayah is a data processor (for student, guardian, and teacher data uploaded by customer madrasas), the customer organisation is responsible for establishing the lawful basis under which it collects and processes that data, and for complying with parental consent requirements where applicable.

5. Children's data

Hidayah is designed for use by madrasas and Islamic schools that educate children. Personal data about children is uploaded by the madrasa as data controller. Hidayah does not market the Service to children directly and does not collect children's data through our marketing website.

Customer madrasas are responsible for obtaining any parental consent required under UK GDPR (and equivalent local laws) before uploading children's data into the Service. Parents have the right to access, correct, and request deletion of their children's data — these requests should be directed first to the madrasa, which can also raise the request with Hidayah.

6. Sharing personal data

We do not sell personal data. We share personal data only with:

  • Service sub-processors who help us operate the Service (e.g. cloud hosting providers, email delivery, error monitoring, analytics). All sub-processors are bound by data processing agreements that require them to handle data securely and only on our instructions.
  • Stripe Inc. and Stripe Payments UK Ltd, our payment processor, for the processing of card and direct-debit payments. See Stripe's Privacy Policy.
  • Customer organisations: staff and parents of a given madrasa can see relevant data within that madrasa, in line with the role-based permissions configured by the madrasa.
  • Law enforcement and regulators, where we are legally required to do so.
  • Successor entities in the event of a merger, acquisition, or sale of assets — subject to the continuation of this Privacy Policy.

6.1 Sub-processors we currently use

  • Hosting: infrastructure provider in the UK / EU.
  • Payments: Stripe.
  • Email delivery: a transactional email provider.
  • Error monitoring: Bugsnag (or equivalent).

An up-to-date list is available on request to [email protected].

7. International data transfers

We aim to host customer data within the United Kingdom or European Economic Area (EEA). Some sub-processors (notably Stripe) may transfer data internationally. Where this happens, we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or a UK adequacy decision.

8. Data retention

We retain personal data only as long as needed:

  • Customer account data: retained while the customer's subscription is active, plus up to 30 days after termination, after which it is deleted or anonymised (unless the customer requests earlier deletion or longer retention).
  • Student / guardian / teacher data uploaded by a customer: retained as instructed by the customer madrasa. On termination, this data is returned to the customer (where requested) and then deleted within 90 days.
  • Financial records (invoices, payment history): retained for at least 6 years to meet UK accounting and tax obligations.
  • Backups: backups are retained on a rolling basis and overwritten as part of normal backup rotation.

9. Cookies

We use only the cookies necessary to operate the Service — primarily session cookies that keep you signed in. We do not use third-party advertising cookies. We may use limited, privacy-respecting analytics. You can disable cookies in your browser, but the Service may not function fully without session cookies.

10. Security

We take security seriously. Our measures include:

  • TLS encryption of all data in transit.
  • Encryption of sensitive data at rest.
  • Strict logical isolation between customer organisations (multi-tenant scoping).
  • Role-based access control inside the Service and within our team.
  • Regular vulnerability scanning, code review, and dependency updates.
  • Regular backups, with documented disaster-recovery procedures.

No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify the affected customer without undue delay and, where required by law, the relevant supervisory authority within 72 hours.

11. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent (where processing is based on consent).
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

If you are a parent, student, or teacher whose data is held by a madrasa using Hidayah, please contact that madrasa first — they are the data controller. We will assist them in fulfilling your request.

If you are a Hidayah customer, contact [email protected]. We will respond within 30 days.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. For material changes, we will notify customers by email or in-app notice before the change takes effect.

13. Contact us

For privacy or data protection questions: