2.1 Who We Are and How to Contact Us

• Data Controller: The owner and operator company of the Raqmanah platform.
• The final version will include address details, phone number, email, and the contact method for privacy requests or the Data Protection Officer (DPO) – if applicable or if required by internal policies.

2.2 Types of Data We Collect Directly

• Account Creation Data: Name, ID/Residency number, Email, Mobile number, Encrypted password, Preferred language.
• Profile and Suitability Data: Nationality, City, Address, Profession, Employment status, Investment experience, Areas of interest, Investment preferences.
• Identity Verification Data: ID photos, Personal photo, Expiry dates, and any additional supporting documents required for verification or compliance.
• Bank Account and Payment Method Data: IBAN, Bank name, Account holder name, payment method references, or masked/encrypted data held by the service provider.
• Support and Communication Requests Data: Messages, attachments, complaint and inquiry logs, and any information provided by the user when contacting us.

2.3 Data That May Be Collected Indirectly

• Technical Data: IP address, device type, operating system, application version, browser type, access times, and technical logs
• Usage Data: Pages or screens accessed, opportunities viewed, in-app interactions, read notifications, and usage durations.
• Financial and Operational Transaction Data: Dates and values of deposits, withdrawals, reservations, allocations, returns, and transaction logs related to the wallet and subscriptions.
• Identity Verification and Compliance Data: Identity validation results, eligibility status, screening results related to watchlists or risks – according to the approved verification mechanisms.

2.4 Purposes of Data Collection

• Account creation and operation, user identity authentication, eligibility verification, and enabling access to platform services.
• Executing subscription and allocation processes, managing ownership, returns, voting, and account-related services.
• Compliance with legal and regulatory obligations, including anti-money laundering (AML) and counter-terrorism financing (CTF) requirements, as well as supervisory and auditing requirements.
• Protecting platform security, detecting fraud or misuse, and improving performance, user experience, and service quality
• Managing user communication, handling complaints and requests, service documentation, and continuous improvement.

2.5 Legal/Contractual Basis for Processing

• User consent where legally or contractually required
• Performance of a contract or pre-contractual steps, such as account creation, identity verification, executing subscriptions, and managing entitlements
• Compliance with relevant legal, regulatory, and supervisory obligations
• Achieving the platform’s legitimate interest in protecting its systems, improving its services, and preventing fraud, provided it does not conflict with the rights of data subjects.

2.6 Data Disclosure

• Disclosure may be made – to the extent necessary – to regulatory and supervisory authorities, competent government agencies, payment providers, banks, cloud infrastructure providers, identity verification providers, legal or professional advisors, or any party to whom disclosure is necessary for service execution or compliance.
• Data is only disclosed to the extent necessary and under appropriate contractual or legal controls to protect confidentiality and privacy.
• Specific data may be disclosed in the context of documenting contracts or transactions, or if requested under regulations or orders from competent authorities.

2.7 Data Storage and Retention

• Data is stored in secure environments that adopt appropriate technical and organizational protection controls, implementing encryption, backups, and mechanisms to limit unauthorized access.
• The platform retains data for as long as necessary to achieve the processing purpose or to fulfill contractual, legal, regulatory, accounting, or judicial obligations.
• Upon expiration of the applicable retention periods, data is destroyed or anonymized using secure means in accordance with the approved disposal policy.

2.8 Rights of Data Subjects

• The right to be informed about how data is collected and processed and the basis for it.
• The right to access data and request a copy of it whenever legally and technically possible.
• The right to rectify inaccurate or incomplete data
• The right to request data destruction or withdraw consent in cases permitted by law, taking into account any other legal bases for processing that may persist
• The right to lodge complaints or objections through the specified communication channels

2.9 Cookies and Technical Data

• The platform may use cookies or similar technologies to improve performance, save preferences usage analysis and personalizing the experience
• Users can control some of these technologies through device, application, or browser settings, depending on the available capabilities noting that disabling some of them may affect the quality of service

2.10 Information Security

• The platform adopts appropriate technical and organizational measures including – as needed – permissions management, encryption, logs, and monitoring, backups and security testing.
• Nevertheless, no method of transmission or electronic storage can be 100% guaranteed, and the user acknowledges the nature of the technical risks inherent in digital services.

2.11 Policy Update

• The platform may update this policy from time to time in accordance with operational, regulatory, or technical changes, and the updated version shall be effective from the date of its publication or when the user is notified.