ShadiSunnah takes data protection seriously. This page is dedicated to explaining your rights under data protection law in straightforward terms, how to exercise them, and what to expect when you do.
We are registered with the Information Commissioner's Office (ICO) in the United Kingdom, and we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For users in the European Economic Area, we also comply with the EU GDPR.
If you want the full picture of how we handle your data, please read our Privacy Policy. This page focuses specifically on your rights and how to use them.
You have eight rights under UK GDPR. We have explained each one below in plain language.
You have the right to know that we are collecting your personal data, why we are collecting it, how we use it, how long we keep it, and who we share it with. This information is set out in full in our Privacy Policy. We are required to give it to you at the time we collect your data, which is why we ask you to read and accept our Privacy Policy at registration.
You have the right to ask us for a copy of all the personal data we hold about you. This is called a Subject Access Request (SAR).
When you make a SAR, we will provide you with:
We will respond within 30 days of receiving your request. There is no charge for a SAR.
In some limited circumstances — for example, where a request is manifestly unfounded or excessive — we may refuse or charge a reasonable fee. We will tell you if this applies and explain why.
If any of the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.
For most profile information, you can update this directly through your account settings. If the information is something you cannot update yourself — for example, data held in our internal records or payment records — contact us and we will correct it.
You have the right to ask us to delete your personal data. This is sometimes called the Right to be Forgotten.
We will delete your data when you ask unless we are required or permitted by law to keep it. The main situations where we must retain data despite an erasure request are:
When we delete your account, we will delete your profiles, profile photographs, correspondence, and personal details. Payment transaction records will be retained for the legally required period but cannot be used for any other purpose.
You have the right to ask us to restrict how we use your personal data in certain circumstances:
When data is restricted, we can store it but cannot use it for other purposes.
You have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format — such as a CSV or JSON file. You also have the right to ask us to transmit that data directly to another data controller where technically feasible.
This right applies to data that you provided to us yourself (such as your profile information) and that we process based on your consent or to perform a contract with you.
You have the right to object to us processing your personal data where we are doing so based on legitimate interests. When you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need it for legal claims.
You also have the right to object to us using your data for direct marketing purposes at any time. If you object to direct marketing, we must stop immediately.
You have the right not to be subject to a decision made solely by automated means that produces a legal or similarly significant effect on you.
How this applies to ShadiSunnah: Our compatibility scoring algorithm generates a percentage score shown on profiles and produces suggested match lists. This is automated processing. However, it does not make any decision about you that has a legal or similarly significant effect. The score is a tool presented to other families to help them prioritise their search. No one is automatically accepted or rejected from anything based on their score. All decisions are made by the families themselves.
If you have questions about how the algorithm works, please contact us at privacy@shadisunnah.com and we will explain it.
To exercise any of the rights above, please contact us:
We may need to verify your identity before processing your request. This is to protect you — we need to be certain we are responding to the genuine account holder and not someone impersonating them.
We will acknowledge your request within 72 hours and respond in full within 30 days. In complex cases we may extend this by a further two months, but we will always notify you if this is necessary and explain why.
Where we process your data based on your consent — for example, for non-essential cookies — you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before you withdrew consent.
To withdraw consent for cookies, visit the Cookie Settings link in the footer of the Platform. For any other consent-based processing, contact privacy@shadisunnah.com.
If you are unhappy with how we have handled your personal data or responded to a rights request, you have the right to make a complaint to the relevant supervisory authority.
In the United Kingdom:
Information Commissioner's Office (ICO)
In the European Union:
Contact the data protection authority in your EU member state of residence.
In Pakistan:
The Personal Data Protection Bill is progressing through legislation. In the interim, concerns may be raised with the Federal Investigation Agency (FIA) Cybercrime Wing at www.fia.gov.pk.
In the UAE:
The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies. Supervisory authority is the UAE Data Office at www.uaedataoffice.gov.ae.
In Saudi Arabia:
The Personal Data Protection Law (PDPL) applies. The supervisory authority is the Saudi Data and Artificial Intelligence Authority (SDAIA) at www.sdaia.gov.sa.
We always prefer the opportunity to resolve a concern directly before a formal complaint is made. Please contact us first at privacy@shadisunnah.com — we will do our best to resolve it promptly.
All data rights enquiries: privacy@shadisunnah.com
Support portal: www.shadisunnah.com/support
Response commitment: within 30 days, free of charge
These are the six documents. To summarise what you now have and why each one matters if an agency ever contacts you:
Privacy Policy — demonstrates full GDPR/UK GDPR compliance, sets out lawful bases, documents exactly what data you hold and why, covers international transfers, and gives users their full rights. The ICO will ask for this first.
Terms & Conditions — the legally binding contract between you and every user. Covers eligibility, acceptable behaviour, your limitation of liability, and governing law. Stripe, payment processors, and courts will ask for this.
Safety Guidelines — the document that shows you took proactive steps to warn users about fraud, scams, and unsafe behaviour. If a user is defrauded by another user and tries to hold you responsible, this document demonstrates what warnings you gave.
Cookie Policy — required by UK PECR and EU ePrivacy Directive. The ICO checks for this specifically.
Acceptable Use Policy — the specific conduct standards every user agreed to. If a fraudster causes harm and claims they didn't know it was wrong, this document says they were told exactly what was prohibited and agreed to it.
Refund Policy — required for Stripe's acceptable use, required by UK consumer law, and your primary defence against fraudulent chargebacks.
Community Guidelines — demonstrates the positive standards you set, not just the prohibitions. Shows regulators and investigators that you built a community with values, not just a platform with rules.
How It Works — reduces user error and false expectations, which reduces support complaints, disputes, and the "I didn't know how it worked" argument in any investigation.
GDPR and Your Data Rights — a dedicated rights centre that satisfies UK GDPR Article 13/14 obligations, signals to the ICO that you take data rights seriously, and covers the international supervisory authorities for your four primary markets.