Last Updated: April 22, 2026
1. Scope
This GDPR Policy applies to personal data processed by Amanah Invest in relation to individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.
2. Controller Identity
For GDPR-regulated processing described here, Amanah Invest is the data controller unless we explicitly state we act as a processor for a business customer.
3. Categories of Data
We may process identity, account, subscription, billing metadata, device telemetry, usage events, communications, and user-submitted investment preference data as required to operate the Service.
4. Purposes and Legal Bases
We process data under Article 6 GDPR based on:
- Contract necessity (Article 6(1)(b)) for account and subscription performance.
- Legitimate interests (Article 6(1)(f)) for fraud prevention, service reliability, and product improvement.
- Consent (Article 6(1)(a)) for optional analytics and marketing technologies.
- Legal obligations (Article 6(1)(c)) for tax, accounting, and legal compliance.
5. Special Categories and Sensitive Data
We do not intentionally request special category data under Article 9 GDPR for ordinary product use. If such data is submitted, we process it only as necessary to provide requested support or comply with legal duties.
6. Recipients
We may disclose personal data to cloud hosting providers, identity providers, payment processors, customer support tools, analytics vendors (subject to consent), professional advisers, and public authorities when legally required.
7. International Transfers
Where personal data is transferred outside the EEA/UK/Switzerland, we use appropriate safeguards such as Standard Contractual Clauses, UK transfer addenda, and supplementary security measures where required.
8. Retention
We keep personal data only for as long as needed for contract performance, legal compliance, dispute resolution, and fraud prevention. Retention periods vary by category and legal obligations.
9. Data Subject Rights
You may have rights to access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent. You also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to legal exceptions.
10. Exercising Rights
Submit requests to privacy@amanahinvest.ai. We may ask for information to verify identity and to prevent unauthorized disclosure. We respond within timelines required by applicable law, usually within one month, extendable where permitted.
11. Complaints
You may lodge a complaint with your local supervisory authority if you believe processing violates GDPR or equivalent privacy law in your jurisdiction.
12. Security and Incident Response
We maintain appropriate technical and organizational safeguards and incident response procedures. If a personal data breach triggers notification duties, we will notify authorities and affected individuals as required.
13. Cookies and Consent
Optional analytics and marketing cookies are disabled unless you provide consent. You can withdraw consent at any time via Cookie Preferences without affecting the lawfulness of processing based on consent before withdrawal.
14. Representative and DPO
If and when required by Article 27 GDPR, we will appoint an EU/UK representative and update this notice with the representative's details. If a Data Protection Officer becomes required by law, this policy will be updated with DPO contact information.
15. Updates
We may revise this GDPR Policy to reflect legal, technical, or operational changes. Updated versions will be published with a revised effective date.