Privacy Policy \u2014 Partner Program

Last updated: February 2026

1. Introduction

Islamic Open Finance™ (“IOF”, “we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect personal data submitted through the IOF Partner Program, including through partnership applications, the Partner Portal, and any related communications. It applies to prospective partners, enrolled partners, and their authorised representatives.

2. Data Controller

Islamic Open Finance™ is the data controller for personal data collected through the Partner Program. For privacy enquiries or to exercise your rights, contact our Data Protection team at: partnership@islamicopenfinance.com. We are registered as a data controller under applicable data protection law. Our Data Protection Officer (DPO) can be reached at the same address, marked “FAO: Data Protection Officer”.

3. Data We Collect

When you apply for or participate in the Partner Program, we collect: (a) Identity data — name, job title, company name, registration number; (b) Contact data — email address, telephone number, business address; (c) KYC/AML data — government-issued identification, beneficial ownership records, regulatory licence numbers; (d) Financial data — bank account details for revenue-sharing payments, tax identification numbers; (e) Technical data — API credentials, integration logs, access logs; (f) Usage data — how you interact with the Partner Portal and IOF APIs; (g) Communications data — records of correspondence, support tickets, meeting notes. We do not collect sensitive personal data (as defined under GDPR) unless strictly required by law or KYC obligations.

4. How We Collect Data

We collect data through: (a) Partnership application forms submitted at partnership.islamicopenfinance.com; (b) Direct communications via email, video calls, or in-person meetings; (c) Automated technical systems, including API logs and the Partner Portal; (d) Third-party due-diligence providers engaged for KYC and AML screening; (e) Publicly available sources such as company registries and regulatory databases.

5. Lawful Basis for Processing

We process your personal data on the following lawful bases under the UK GDPR and EU GDPR: (a) Contract performance — processing necessary to enter into and perform the Partner Agreement; (b) Legal obligation — KYC, AML, and regulatory compliance requirements; (c) Legitimate interests — fraud prevention, security monitoring, product improvement, and programme administration; (d) Consent — for optional marketing communications, which you may withdraw at any time by contacting partnership@islamicopenfinance.com.

6. How We Use Your Data

We use partner data to: (a) Process and evaluate partnership applications; (b) Conduct KYC, AML, and Shariah-conduct due diligence; (c) Administer the Partner Agreement and process revenue-sharing payments; (d) Provide access to the Partner Portal, APIs, and technical resources; (e) Send programme updates, training materials, and compliance notices; (f) Investigate and respond to complaints or disputes; (g) Comply with legal, regulatory, and audit obligations; (h) Improve the Partner Program and IOF’s products. We will not use your data for automated decision-making that produces significant legal effects without human review.

7. Data Sharing and Sub-Processors

We may share personal data with: (a) Sub-processors and service providers engaged to support programme operations (see our Sub-Processor List, available upon request); (b) KYC and AML screening providers, including sanctions screening databases; (c) Payment processors for revenue-sharing disbursements; (d) Legal and compliance advisers under confidentiality obligations; (e) Regulatory authorities when required by law. We require all third parties to maintain confidentiality and implement appropriate security measures. We do not sell partner personal data to any third party.

8. International Data Transfers

Your data may be transferred to, and processed in, countries outside the UK or European Economic Area (EEA), including the United States and other jurisdictions where IOF operates infrastructure. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK ICO and European Commission, or adequacy decisions where applicable.

9. Data Retention

We retain partner personal data for the duration of the Partner Agreement plus: (a) Seven (7) years for KYC, AML, and financial records to meet regulatory obligations; (b) Five (5) years for general contractual records and correspondence; (c) Three (3) years for technical logs and access records. Retention periods may be extended where required by law, legal proceedings, or regulatory investigations. Upon expiry of the applicable retention period, data is securely deleted or anonymised.

10. Your Rights Under GDPR

If you are located in the UK or EU, you have the following rights regarding your personal data: (a) Right of access — request a copy of data we hold about you; (b) Right to rectification — request correction of inaccurate data; (c) Right to erasure — request deletion of data where there is no lawful basis to retain it; (d) Right to restrict processing — request that we limit processing in certain circumstances; (e) Right to data portability — receive your data in a machine-readable format; (f) Right to object — object to processing based on legitimate interests; (g) Right to withdraw consent — where processing is based on consent. To exercise any right, contact partnership@islamicopenfinance.com. We will respond within thirty (30) days. If you are dissatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

11. Security Measures

We implement appropriate technical and organisational security measures to protect partner data, including: TLS 1.3 encryption in transit; AES-256 encryption at rest; role-based access controls with principle of least privilege; multi-factor authentication on all Partner Portal accounts; regular security assessments and penetration testing; incident response procedures aligned with ISO 27001. Despite these measures, no internet transmission is completely secure. We will notify you and relevant authorities of any data breach in accordance with applicable law.

12. Cookies and Tracking

The Partner Portal and partnership.islamicopenfinance.com use strictly necessary cookies to authenticate sessions and maintain security. We do not use advertising or third-party tracking cookies on partner-facing applications. A full cookie notice is available within the Partner Portal.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify enrolled partners of material changes via email to the registered contact address at least thirty (30) days before the updated policy takes effect. The date of the most recent update is shown below.

14. Contact Us

For any questions, concerns, or to exercise your data rights, please contact: partnership@islamicopenfinance.com. Postal address: Islamic Open Finance™ Privacy Team, as set out in your Partner Agreement. For urgent security or breach notifications, include “URGENT PRIVACY” in the subject line.

Back to Partner Program

© 2026 Islamic Open Finance™. All rights reserved.