Privacy Policy

01

Introduction

Halal Investment Hub (“we,” “us,” or “our”) is operated by Himo Tech (hereafter “the Company”), a technology company based in Ontario, Canada. This Privacy Policy applies to personal data collected through halalinvesthub.com(the “Platform”).

The Platform is currently in a market validation phase. We collect expressions of interest from prospective investors and Islamic centers to assess demand before launching a regulated investment product. No investment transactions occur through the Platform at this time.

This policy is designed to comply with the General Data Protection Regulation (GDPR) and UK GDPR, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Law 25 (Act 25), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other applicable data protection legislation.

02

Data We Collect

We collect only what is necessary for the purpose of market validation. We collect two categories of personal data, depending on which waitlist form you complete.

Investor Waitlist

When you register your interest as an investor, we collect:

• Full name — to personalize future communications
• Email address — primary point of contact
• Country of residence — to understand applicable regulations and investor eligibility
• Occupation (optional) — to understand our investor community
• Phone number (optional) — for follow-up if you choose to provide it
• Intended capital range (e.g., CAD $5K–$10K) — to assess soft-circled capital for validation purposes
• Investment philosophy (financial-first, spiritually-motivated, or balanced) — to tailor platform communications

Islamic Center & Mosque Waitlist

When you register your center’s interest, we collect:

• Organization name
• Your name and role within the organization
• City and country
• Email address and optional phone number
• Current property situation (renting, planning first purchase, etc.) — to understand your center’s needs
• Estimated property value range — to assess the scale of capital required

Technical and Server-Side Data

Our servers temporarily process your IP address for rate-limiting purposes (to prevent automated abuse of the waitlist forms). IP addresses are not stored in our database; they are held only in server memory for the duration of the rate-limit window (60 seconds) and discarded thereafter.

We do not use cookies, tracking pixels, session analytics scripts, or any third-party marketing trackers on this Platform.

03

How We Use Your Data

We use your personal data solely for the following purposes:

• Market validation — aggregating anonymized capital-interest data to assess whether there is sufficient demand to proceed to a regulated investment product launch.
• Waitlist management — keeping a record of interested parties to contact when the platform moves to a live product phase.
• Investor/center communications— sending periodic updates on the platform’s development status (infrequent; no marketing spam).
• Regulatory preparation — understanding the geographic spread of our prospective user base to determine which securities and fintech licences to obtain.

We will never sell, rent, or trade your personal data to third parties for marketing purposes.

04

Legal Basis for Processing

GDPR / UK GDPR (EU & UK Users)

Our legal basis is consent (Article 6(1)(a) GDPR). By submitting a waitlist form, you freely and unambiguously consent to us processing your data for the purposes described above. You may withdraw consent at any time by contacting us (see Section 9).

We rely on legitimate interests (Article 6(1)(f)) for server-side rate-limiting (temporary IP processing), as this is necessary to protect the integrity of our systems and proportionate to that goal.

PIPEDA & Quebec Law 25 (Canadian Users)

We collect, use, and disclose personal information with your knowledge and consent, which you provide by submitting the waitlist form. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

CCPA / CPRA (California Users)

We process your personal information as a businessfor the purposes disclosed above. We do not “sell” or “share” personal information as defined under CCPA/CPRA. Your rights under California law are described in Section 8.

05

Data Retention

We retain your personal data for whichever of the following periods is shorter:

• Until the Platform transitions to a live regulated product and you are onboarded or decline; or
• 24 months from the date of submission.

After this period, data is deleted from our database. You may also request deletion at any time (see Section 8). When we delete data, we remove all personally identifiable fields; aggregated, anonymized statistics (e.g., total number of registrations by country) may be retained indefinitely for business planning.

06

Data Sharing & Third-Party Processors

We share your personal data with a limited number of trusted third-party processors who act on our instructions and are contractually bound to protect your data:

We share data with no other third parties. We do not use Google Analytics, Meta Pixel, HubSpot, Mailchimp, or any other marketing or analytics platform that would receive your personal data.

If we are required to disclose data by law, court order, or government authority, we will notify you to the extent permitted by law before complying.

07

International Data Transfers

Your personal data may be transferred to and stored in the United States, where Supabase’s primary data infrastructure operates. This transfer is subject to appropriate safeguards:

• EU/EEA users: Transfer is governed by Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR).
• UK users: Transfer is governed by the UK International Data Transfer Agreement (IDTA) or equivalent UK SCCs.
• Canadian users: Transfer is covered by our contractual agreement with Supabase, which provides comparable protection to PIPEDA requirements.

08

Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any right, contact us at the address in Section 10.

All Users

• Right to Access — Request a copy of the personal data we hold about you.
• Right to Rectification / Correction — Request correction of inaccurate or incomplete data.
• Right to Erasure / Deletion — Request that we delete your personal data. We will comply within 30 days unless we have a legal obligation to retain it.
• Right to Withdraw Consent — Withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

EU / UK Users (GDPR / UK GDPR)

• Right to Restriction — Request restriction of processing while a dispute is resolved.
• Right to Data Portability — Receive your data in a machine-readable format and transfer it to another controller.
• Right to Object — Object to processing based on legitimate interests.
• Right to Lodge a Complaint — You may lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, your Member State’s DPA in the EU).

California Users (CCPA / CPRA)

• Right to Know — Know the categories and specific pieces of personal information we collect, use, and disclose.
• Right to Delete — Request deletion of personal information we have collected.
• Right to Opt-Out of Sale/Sharing — We do not sell or share personal information; this right is already protected by default.
• Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA right.
• Right to Correct — Request correction of inaccurate personal information.

Canadian Users (PIPEDA / Quebec Law 25)

• Right of Access — Request access to your personal information and information about how it is used and disclosed.
• Right to Correction — Request correction of inaccurate, incomplete, or out-of-date information.
• Right to Complaint — File a complaint with the Office of the Privacy Commissioner of Canada (OPC) or, for Quebec residents, with the Commission d’accès à l’information (CAI).

We will respond to all verified rights requests within 30 calendar days. For complex requests, we may extend this period by a further 30 days and will notify you.

09

Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• TLS encryption for all data in transit
• Row-Level Security (RLS) policies on our database — waitlist data is not publicly readable
• Restricted database access (service-role key stored server-side only; never exposed to browsers)
• No third-party tracking scripts that could exfiltrate form data

No method of transmission over the Internet or electronic storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR; 30 days under PIPEDA; without unreasonable delay under CCPA).

10

Children’s Privacy

The Platform is intended solely for individuals aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it without delay.

11

Changes to This Policy

We may update this Privacy Policy as the Platform evolves (e.g., when we onboard new data processors, obtain regulatory approvals, or expand to new jurisdictions). When we make material changes, we will notify registered waitlist members by email at least 14 days before the changes take effect. Continued use of the Platform after that date constitutes acceptance of the updated policy.

The “Last updated” date at the top of this page reflects the most recent revision. Prior versions are available on request.

12

Contact Us

For any privacy-related questions, requests to exercise your rights, or to report a concern, please contact our Privacy Officer:

EU/EEA residents may also contact our GDPR representative via the same email address. If your concern is not resolved to your satisfaction, you have the right to escalate to your local supervisory authority.