Privacy Policy

1. Who We Are

MaktabMate Ltd ("we", "our", "us") provides a cloud-based school management platform ("MaktabMate" or "the Service") designed for Islamic supplementary schools (maktabs) in the United Kingdom.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

• Each maktab (organisation) using MaktabMate is the data controller for the personal data of their students, parents, and staff.
• MaktabMate Ltd acts as a data processor, processing personal data on behalf of each maktab in accordance with our Data Processing Agreement.
• MaktabMate Ltd acts as a data controller for data we collect directly, such as account registration information and billing data.

Contact: [email protected]
Website: maktabmate.co.uk
ICO Registration: C1889637

2. What Data We Collect

2.1 Data Processed on Behalf of Maktabs (Processor Role)

When a maktab uses our platform, we process the following categories of personal data on their behalf and under their instructions:

Student Data

• Full name, date of birth, gender
• Class and programme enrolment
• Attendance records
• Academic progress (Maktab reading progress, Hifdh/Qur'an memorisation progress, syllabus completion)
• House points and behavioural records
• Homework assignments and completion status
• Fee and payment records

Parent/Guardian Data

• Full name, email address, phone number
• Relationship to student
• Communication history within the platform

Staff Data (Teachers, Headteachers, Office Staff)

• Full name, email address, phone number
• Role and class assignments
• Clock-in/clock-out records (including geolocation data for verification purposes)
• Communication history within the platform

2.2 Data We Collect Directly (Controller Role)

• Account registration details (name, email, organisation name)
• Billing and subscription information (processed via Stripe)
• Technical data (IP addresses, browser type, device information) collected automatically when you use the Service
• Support correspondence

3. Special Category Data

By virtue of using a platform designed for Islamic schools, personal data processed through MaktabMate may reveal religious affiliation. This constitutes special category data under Article 9 of the UK GDPR.

Each maktab, as the data controller, is responsible for establishing a lawful basis for processing this data. The most appropriate conditions are typically:

• Article 9(2)(d): Processing carried out by a not-for-profit body with a religious aim, relating to members or persons in regular contact with it; or
• Article 9(2)(a): Explicit consent of the data subject (or parent/guardian for children).

4. Children's Data

MaktabMate processes personal data relating to children (persons under 18). We recognise that children's data requires enhanced protection under the UK GDPR and the ICO's Children's Code (Age Appropriate Design Code).

We are committed to:

• Processing only the minimum data necessary to provide the educational management service
• Not using children's data for marketing, profiling, or any purpose beyond the core service
• Setting privacy-protective defaults (student data is only accessible within their own maktab)
• Ensuring children's best interests are a primary consideration in our platform design

MaktabMate is not designed to be accessed directly by children. It is used by parents, teachers, and school administrators on behalf of students.

5. Lawful Basis for Processing

Our lawful bases for processing personal data are:

• Contract performance (Article 6(1)(b)): Processing necessary to provide the MaktabMate service under our agreement with each maktab.
• Legitimate interests (Article 6(1)(f)): Processing necessary for the operation, security, and improvement of the platform, where these interests are not overridden by the rights of data subjects.
• Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as financial record-keeping.
• Consent (Article 6(1)(a)): Where required, such as for optional communications.

6. How We Store and Protect Data

6.1 Data Storage

• Platform data is stored in Google Cloud Firestore, located in the United Kingdom (europe-west2, London).
• User authentication is managed by Firebase Authentication. Please note that Firebase Authentication data is stored on servers in the United States.
• Our website is hosted by IONOS on servers within the European Union (Germany).

6.2 Google's Role as Infrastructure Provider

MaktabMate uses Google Cloud Platform (Firebase) to host and store data. It is important that maktabs understand the following:

• Google acts as a sub-processor — they provide the infrastructure on which your data is stored and processed.
• Your data is stored on Google's servers. While it is encrypted at rest (AES-256) and in transit (TLS), Google holds the encryption keys as part of their standard infrastructure management.
• Google is contractually prohibited from accessing, using, or sharing your data for any purpose other than providing the cloud infrastructure service. This is governed by Google's Data Processing and Security Terms.
• Google employees may only access customer data when there is a documented business need related to infrastructure operation, and all access is logged and audited.
• Google cannot use your data for advertising, AI training, product improvement, or any purpose beyond infrastructure provision.
• Google holds ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3 certifications, and undergoes regular independent audits.

6.3 Security Measures

• All data is encrypted in transit using HTTPS/TLS.
• All data is encrypted at rest using AES-256 encryption (provided by Google Cloud).
• Access to data is controlled through role-based permissions enforced by Firestore Security Rules.
• Complete data isolation between organisations — one maktab cannot access another's data.
• Only authorised MaktabMate personnel (currently the sole developer/director) have access to the Firebase console and production data.

7. International Data Transfers

The majority of personal data is stored in the United Kingdom (Google Cloud, London region). However, Firebase Authentication data is processed and stored in the United States.

These transfers are protected by:

• Google's compliance with the EU-U.S. and UK-U.S. Data Privacy Framework
• Google's Data Processing and Security Terms, which include Standard Contractual Clauses (SCCs)
• Google's ISO 27001 and SOC 2 certifications

8. Data Sharing and Sub-processors

We do not sell personal data to any third party. We share data only with the following sub-processors, who are necessary to provide the Service:

• Google Firebase (Firestore, Authentication): Database storage and user authentication. Data stored in the UK (Firestore) and US (Authentication).
• Stripe: Payment processing for subscription billing. Processes billing data only.
• IONOS: Website hosting. Serves static files only; no personal data is stored.
• EmailJS: Transactional email delivery. Processes email addresses and names for notifications.

Some data processing occurs entirely within the user's browser (e.g., PDF generation via jsPDF, Excel export via SheetJS). No personal data is transmitted to external servers for these operations.

9. Data Retention

Personal data is retained for as long as a maktab's account remains active and for a reasonable period thereafter to allow for data export.

• Active accounts: Data is retained for the duration of the service agreement.
• Closed accounts: Data is deleted within 90 days of account closure, unless retention is required by law (e.g., financial records for up to 6 years under HMRC requirements).
• Individual records: Maktabs can delete individual student/staff records at any time through the platform.

10. Your Rights

Under the UK GDPR, data subjects have the following rights. For data processed on behalf of a maktab, requests should be directed to the relevant maktab in the first instance, as they are the data controller:

• Right of access: You can request a copy of your personal data.
• Right to rectification: You can request correction of inaccurate data.
• Right to erasure: You can request deletion of your data in certain circumstances.
• Right to restrict processing: You can request restriction of processing in certain circumstances.
• Right to data portability: You can request your data in a machine-readable format.
• Right to object: You can object to processing based on legitimate interests.

How to Request Data Deletion

To request deletion of your personal data:

• Parents, teachers, and staff: Contact your maktab headteacher directly, or email us at [email protected] with the subject line "Data Deletion Request".
• Headteachers (account holders): Email [email protected] with the subject line "Account Deletion Request". We will delete your organisation's data, including all student, staff, and parent records, within 30 days.
• Maktabs can delete individual student and staff records at any time directly through the platform without needing to contact us.

We will acknowledge all deletion requests within 7 days and complete them within 30 days. If we cannot fulfil a request (e.g., due to legal retention requirements), we will explain why.

11. Data Breaches

In the event of a personal data breach, we will:

• Notify the affected maktab(s) without undue delay
• Report the breach to the Information Commissioner's Office (ICO) within 72 hours where required
• Notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms
• Document the breach and our response, regardless of severity

12. Cookies

MaktabMate uses the following types of cookies:

• Essential cookies: Required for the platform to function, including authentication session tokens and Firebase service cookies. These cannot be disabled.
• Preference cookies: Store your choices such as theme preference (light/dark mode) and organisation selection. These are stored in your browser's local storage.

We do not use cookies for tracking, advertising, or third-party analytics. When you first visit our website, a cookie consent banner will ask for your preference. You can change your cookie preferences at any time by clearing your browser's local storage.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify maktabs of any material changes via email or through the platform. The "Last updated" date at the top of this policy indicates when it was las