Data Protection
Privacy & GDPR Policy
This Privacy and Data Protection Policy ("Policy") is issued by Malik Systems Ltd (Company No. 17265815), registered in England and Wales, operating under the trading name Qaboolify.
Malik Systems Ltd is the registered Data Controller for all personal data collected and processed in connection with qaboolify.com. This Policy sets out how we collect, use, store, share, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable UK data protection legislation.
1. Data Controller Identity
The Data Controller for all personal data processed via qaboolify.com is Malik Systems Ltd, a private limited company incorporated in England and Wales (Company Registration No. 17265815). Registered address available at Companies House.
For all data protection enquiries, requests to exercise your rights, or complaints regarding our data processing activities, please contact our Data Protection contact at: privacy@qaboolify.com.
Malik Systems Ltd is registered with the Information Commissioner's Office (ICO) as a Data Controller.
2. Categories of Personal Data Collected
Identity and Registration Data: full name, date of birth, gender, email address, and password (stored as a one-way cryptographic hash — Malik Systems Ltd does not store or have access to plaintext passwords at any time).
Profile Data: profile photographs, biographical description, city and country of residence, ethnicity, religious sect, prayer practice, marital status, education level, occupation, height, and other optional fields a Member chooses to complete on their profile.
Matrimonial Preference Data: preferences in respect of a potential spouse, including age range, location, religious observance, and lifestyle criteria.
Communication Data: the content of messages exchanged between Members on the Platform, and data relating to the Wali/Guardian chaperoning feature including guardian identity and permission settings.
Transactional and Billing Data: subscription tier, billing cycle, purchase history, and payment status. Note: Malik Systems Ltd does not collect, store, or have access to full payment card numbers, CVV codes, or bank account details at any stage. All payment card data is processed exclusively and directly by our certified payment service provider in compliance with PCI-DSS standards.
Identity Verification Data: government-issued identity documents submitted for the ID Verified Badge feature are processed exclusively by our independent third-party identity verification partner. Such documents are not stored by Malik Systems Ltd at any point and are subject to the verification partner's own data retention and security policies.
Technical and Usage Data: IP address, browser type, operating system, device identifiers, pages accessed, features used, session duration, click-stream data, and error logs.
3. Lawful Basis for Processing
Malik Systems Ltd processes personal data on the following lawful bases under Article 6 of the UK GDPR:
(a) Contract Performance (Article 6(1)(b)): Processing necessary to fulfil our contractual obligations to Members, including operating the Platform, facilitating introductions, delivering subscription features, and processing payments.
(b) Legitimate Interests (Article 6(1)(f)): Processing necessary to pursue Malik Systems Ltd's legitimate interests, including fraud prevention, platform security, abuse detection, and service improvement, where such interests are not overridden by the data subject's rights.
(c) Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable UK law, including financial record-keeping obligations and responses to lawful authority requests.
(d) Consent (Article 6(1)(a)): Where we rely on consent, we will request it clearly and separately. Members may withdraw consent at any time by contacting privacy@qaboolify.com.
Special category data (religious beliefs) is processed under Article 9(2)(a) UK GDPR — explicit consent provided during registration — as it is inseparable from the core matrimonial service.
4. Purposes of Processing
To operate and deliver the matrimonial introduction service: creating and displaying Member profiles to compatible Members, facilitating the Wali Guardian framework, and enabling Platform communications.
To process payments and manage subscriptions: recording subscription status, billing history, and one-time purchase records.
To verify Member identity: coordinating identity verification with our third-party verification partner for the ID Verified Badge feature.
To ensure Platform safety and integrity: detecting and investigating fraudulent registrations, impersonation, harassment, and policy violations.
To communicate with Members: sending transactional and service emails including email address verification, password resets, subscription confirmations, cancellation confirmations, and service updates.
To improve the Platform: analysing aggregated, anonymised usage data to identify areas for product improvement.
Malik Systems Ltd does not sell, rent, or trade personal data to any third party for marketing or commercial purposes.
5. Data Sharing and Third-Party Processors
Malik Systems Ltd may share personal data with the following categories of third-party data processors, solely for the purposes described and under binding Data Processing Agreements (DPAs) that require those processors to maintain appropriate security and confidentiality:
Cloud Infrastructure: Cloudflare, Inc. (data hosting, content delivery, and DDoS protection).
Payment Processing: our certified payment service provider (subscription billing and one-time purchase processing). No card data is passed to or stored by Malik Systems Ltd.
Email Delivery: Resend (transactional and service email delivery).
Identity Verification: our third-party identity verification partner (processing ID documents for the ID Verified Badge — documents are not retained by Malik Systems Ltd).
Artificial Intelligence Features: OpenAI, L.L.C. (USA) — Premium Members who use AI-powered features (compatibility scores, icebreaker suggestions, profile coaching) have certain profile information processed by OpenAI via its API. This includes general profile data such as name, city, occupation, bio, and personality prompts. Where you have provided it, your own religious practice information (sect, prayer frequency, hijab or beard observance) may also be included, as this constitutes special category data under UK GDPR Article 9 that you have explicitly consented to share for the purpose of religiously-aligned matching. Only your own religious information is included in AI requests — a potential match's religious data is never sent to OpenAI without their own explicit consent. OpenAI processes this data under a Data Processing Agreement with Malik Systems Ltd and does not use API data to train its models. Malik Systems Ltd has executed a Modified Data Retention Amendment with OpenAI, activating Zero Data Retention (ZDR) on our organisation. Under ZDR, prompt data (including any religious practice information) is not stored by OpenAI after the API response is returned — no inputs or outputs are retained or logged for abuse monitoring. AI features are optional and only triggered on your demand (for example, when you open a compatibility score or request an icebreaker). You may choose not to use these features.
Beyond the above, Malik Systems Ltd will only disclose personal data to third parties where required to do so by applicable law, court order, or lawful request from a competent regulatory authority.
6. International Data Transfers
Some of our third-party processors may process personal data outside the United Kingdom. Where such transfers occur, Malik Systems Ltd ensures that appropriate safeguards are in place in accordance with UK GDPR transfer requirements, including UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or adequacy decisions issued by the UK Secretary of State.
In particular, OpenAI (USA) processes data under OpenAI's Data Processing Addendum, which incorporates Standard Contractual Clauses for international transfers. Resend (USA) and Cloudflare, Inc. (USA) process data under their respective DPAs with equivalent transfer safeguards. Our database is hosted by Neon on AWS EU-West-2 (Ireland), which benefits from the UK's adequacy decision for EEA transfers.
7. Data Retention
Malik Systems Ltd retains personal data only for as long as is necessary for the purposes set out in this Policy and in compliance with applicable legal obligations.
Active Member accounts: personal data is retained for the duration of the Member's active account.
Account deletion: upon a Member requesting deletion of their account (Settings → Account → Delete Account), Malik Systems Ltd will initiate a permanent deletion process within 30 days, after which all personally identifiable data will be irreversibly removed from live systems. Anonymised and aggregated data may be retained for statistical purposes.
Financial records: transactional and payment records are retained for a minimum of six (6) years in accordance with the Companies Act 2006 and HMRC requirements.
Identity verification documents: processed in real-time by our verification partner and not retained by Malik Systems Ltd.
8. Data Security
Malik Systems Ltd implements appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:
Encryption in transit: all data transmitted between Members and the Platform is encrypted using TLS 1.3 or higher.
Encryption at rest: sensitive personal data fields are stored in encrypted form within our database infrastructure.
Password security: Member passwords are stored using a one-way PBKDF2 cryptographic hash function with a minimum of 100,000 iterations. Plaintext passwords are never stored or accessible by Malik Systems Ltd staff.
Access controls: access to personal data within Malik Systems Ltd is restricted to authorised personnel on a strict need-to-know basis.
No system can guarantee absolute security. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, Malik Systems Ltd will notify the ICO within 72 hours in accordance with Article 33 UK GDPR and, where required, will notify affected individuals without undue delay.
9. Your Rights Under UK GDPR
Under UK GDPR, Members have the following rights in relation to their personal data:
(a) Right of Access (Article 15): You may request a copy of the personal data Malik Systems Ltd holds about you.
(b) Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
(c) Right to Erasure (Article 17): You may request deletion of your personal data ("right to be forgotten"), subject to applicable legal retention obligations.
(d) Right to Restriction of Processing (Article 18): You may request that we restrict processing of your data in certain circumstances.
(e) Right to Data Portability (Article 20): You may request a machine-readable copy of the personal data you have provided to us.
(f) Right to Object (Article 21): You may object to processing based on legitimate interests.
(g) Rights relating to automated decision-making: The Platform does not make solely automated decisions that produce legal or similarly significant effects.
To exercise any of the above rights, please submit a written request to privacy@qaboolify.com. Malik Systems Ltd will respond within 30 days of receipt of a valid request, in accordance with UK GDPR Article 12.
You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Cookies and Tracking Technologies
Qaboolify uses strictly necessary session cookies for the purposes of Member authentication and maintaining logged-in sessions. These cookies are essential to the operation of the Platform and cannot be disabled without impairing core functionality.
Qaboolify does not use advertising cookies, behavioural tracking cookies, or third-party retargeting technologies.
Members may clear all cookies via their browser settings at any time. Clearing session cookies will terminate the active login session.
11. Changes to This Policy
Malik Systems Ltd reserves the right to update or amend this Policy periodically to reflect changes in our data processing practices, legal obligations, or regulatory guidance.
Where amendments are material, Malik Systems Ltd will notify Members via email to their registered address not less than 14 days prior to the changes taking effect.
Continued use of the Platform following the effective date of any revised Policy constitutes acceptance of those revisions.