CE
ComplyEngine
Open Platform

Privacy Policy

Last updated: 1 April 2026

1. Data Controller

Islamic Open Finance™ (“we”, “us”) is the data controller for personal data processed through ComplyEngine. Our Data Protection Officer can be contacted at dpo@islamicopenfinance.com.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account information (name, email, organisation, role)
  • AI system metadata (system names, descriptions, risk classifications)
  • Assessment and incident records
  • Usage data (access logs, feature usage, session data)
  • Technical data (IP address, browser type, device information)

3. Lawful Basis

We process personal data on the following legal bases under Article 6 GDPR: (a) performance of our contract with you; (b) compliance with legal obligations under the EU AI Act; (c) our legitimate interests in providing and improving the Service; (d) your consent where applicable.

4. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations. AI system registration data and assessment records are retained for the duration required by the EU AI Act (minimum 10 years for high-risk systems). You may request deletion of your account data at any time.

5. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)

To exercise these rights, contact dpo@islamicopenfinance.com.

6. International Transfers

Data is processed within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption at rest and in transit, access controls, and regular security assessments.

8. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.