1. Who We Are
QurbanApp is a proprietary SaaS platform developed and operated by FLEX InfoTech Limited ("we", "us", "our"). We provide Qurbani order management software to mosques, halal businesses, Islamic charities and Qurbani coordinators globally.
This Privacy Policy applies to all users of the QurbanApp platform, including administrators, store staff, and customers of organisations using our service. It also applies to visitors to our marketing website at qurbanapp.com.
Data Controller: FLEX InfoTech Limited, Australia
Contact: privacy@qurbanapp.com
2. Data We Collect
2.1 Account & Registration Data
- Full name, email address, phone number
- Organisation name, type and location
- Login credentials (passwords are hashed and never stored in plain text)
- Billing information (processed via our payment provider; we do not store card numbers)
2.2 Order & Operational Data
- Qurbani order details: animal type, share allocation, cutting instructions, recipient name
- Delivery addresses, zone allocations and pickup preferences
- Payment records: amounts, methods, status (not full card details)
- Generated Qurbani certificates and associated metadata
2.3 Usage & Technical Data
- IP addresses, browser type, device type
- Pages visited, features used, session duration
- Error logs and performance data for platform improvement
2.4 Communications
- Messages sent via our contact form or support channels
- Email correspondence with our team
We do not collect: biometric data, racial or ethnic origin data, religious belief data (beyond what is necessary to operate a Qurbani-specific service), or data from children under 16 without verified parental consent.
3. How We Use Your Data
| Purpose | Data Used | Basis |
| --- | --- | --- |
| Provide the QurbanApp platform and its features | Account, order, operational data | Contract performance |
| Process payments and manage subscriptions | Billing information, account data | Contract performance |
| Generate and deliver digital Qurbani certificates | Order data, customer email | Contract performance |
| Customer support and responding to enquiries | Account, communication data | Legitimate interests |
| Platform security and fraud prevention | Technical, usage data | Legitimate interests |
| Platform improvement and analytics | Anonymised usage data | Legitimate interests |
| Legal compliance and regulatory obligations | All relevant data | Legal obligation |
| Marketing communications (with consent) | Email address, name | Consent |
We do not sell, rent or trade your personal data to third parties for marketing purposes. Ever.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following lawful bases as defined by the General Data Protection Regulation (GDPR) and UK GDPR:
- Article 6(1)(b) — Contract: Processing necessary to perform the service you have subscribed to
- Article 6(1)(c) — Legal obligation: Processing required to comply with applicable laws
- Article 6(1)(f) — Legitimate interests: Platform security, fraud prevention, service improvement — where these do not override your rights
- Article 6(1)(a) — Consent: Marketing emails and optional analytics cookies — withdrawable at any time
5. Data Sharing & Third Parties
We share your data only where strictly necessary:
- Payment processors (e.g. Stripe) — for subscription billing. They are PCI-DSS compliant and we do not store card data ourselves.
- Email delivery providers — for transactional emails including certificates and notifications. Bound by data processing agreements.
- Cloud hosting providers — our platform is hosted on secure infrastructure. Providers are contractually bound to our data protection standards.
- Legal authorities — where required by law, court order or regulatory obligation.
All third-party processors are bound by Data Processing Agreements (DPAs) requiring them to protect your data to at least the standard of this policy. We do not share data with advertising networks, data brokers or any party for commercial marketing purposes.
6. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Active account data: Retained for the duration of your active subscription
- Post-cancellation: Account and operational data retained for 30 days, during which you may export your data. Permanently deleted thereafter unless retention is required by law.
- Financial records: Retained for 7 years as required by Australian tax law
- Support communications: Retained for 2 years
- Anonymous analytics: May be retained indefinitely as they cannot identify individuals
Your data is yours. You can request a full export of your operational data (orders, certificates, customer records) at any time from within the platform or by contacting us.
7. Your Rights
Depending on your location, you have the following rights regarding your personal data:
Under GDPR (EEA / UK users)
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
- Right to restriction — request we limit processing of your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
Under Australian Privacy Act
- Right to access personal information we hold about you
- Right to request correction of inaccurate or incomplete information
- Right to complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs
To exercise any of these rights, contact us at privacy@qurbanapp.com. We will respond within 30 days.
8. Security
We implement industry-standard technical and organisational security measures including:
- TLS/SSL encryption for all data in transit
- Encryption at rest for sensitive data including financial records; passwords are stored as bcrypt hashes
- Access controls — role-based permissions limiting staff access to data they need
- Regular security assessments and vulnerability testing
- Incident response procedures — we will notify affected users of material data breaches within 72 hours where required by GDPR
No system is impenetrable. We cannot guarantee absolute security but we commit to best-practice standards and prompt, transparent communication if a breach occurs.
9. Cookies & Tracking
We use cookies on our marketing website and platform for the following purposes:
- Essential cookies: Required for login sessions and platform functionality. Cannot be disabled without breaking the service.
- Analytics cookies: To understand how users interact with our platform (e.g. pages visited, features used). We use privacy-respecting analytics that do not share data with advertising networks.
- Preference cookies: To remember your settings and preferences.
You may manage non-essential cookies via your browser settings. Disabling analytics cookies will not affect your use of the platform.
10. International Data Transfers
QurbanApp operates globally. Your data may be processed in Australia and, depending on our infrastructure providers, in other countries. For transfers outside the EEA, we ensure appropriate safeguards are in place including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers only to countries deemed to provide adequate protection, or with appropriate safeguards
- Data processing agreements with all international processors
11. Children's Privacy (Under 13)
QurbanApp is a business platform not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@qurbanapp.com and we will delete it promptly.
12. Australian Privacy Act Compliance
FLEX InfoTech Limited is based in Australia and complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Specifically:
- APP 1 — We maintain this open and transparent Privacy Policy
- APP 3 — We collect only information reasonably necessary for our functions
- APP 5 — We notify individuals of the purpose of collection at the time of collection
- APP 6 — We use and disclose personal information only for the primary purpose of collection or a directly related purpose
- APP 11 — We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access
- APP 12 & 13 — We provide access to and correction of personal information upon request
Complaints may be directed to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
13. Bangladesh Data Protection
For users and data subjects in Bangladesh, we are committed to aligning our practices with Bangladesh's evolving data protection framework, including principles established under the Digital Security Act 2018 and emerging data protection legislation. We:
- Collect only the minimum personal data required for service provision
- Process data transparently and only for stated purposes
- Provide Bangladeshi users with access and correction rights equivalent to those described in Section 7
- Do not transfer Bangladeshi user data to countries lacking adequate protections unless appropriate safeguards are in place
For specific enquiries relating to Bangladeshi data subjects, contact privacy@qurbanapp.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will:
- Notify active subscribers by email at least 30 days before changes take effect
- Display a prominent notice on the platform dashboard
- Update the "Last updated" date at the top of this page
Continued use of QurbanApp after changes take effect constitutes acceptance of the updated policy.