GDPR and Your Data Rights

ShadiSunnah takes data protection seriously. This page is dedicated to explaining your rights under data protection law in straightforward terms, how to exercise them, and what to expect when you do.

We are registered with the Information Commissioner's Office (ICO) in the United Kingdom, and we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For users in the European Economic Area, we also comply with the EU GDPR.

If you want the full picture of how we handle your data, please read our Privacy Policy. This page focuses specifically on your rights and how to use them.


1. Your Rights at a Glance

You have eight rights under UK GDPR. We have explained each one below in plain language.


Right 1: The Right to Know

You have the right to know that we are collecting your personal data, why we are collecting it, how we use it, how long we keep it, and who we share it with. This information is set out in full in our Privacy Policy. We are required to give it to you at the time we collect your data, which is why we ask you to read and accept our Privacy Policy at registration.


Right 2: The Right of Access (Subject Access Request)

You have the right to ask us for a copy of all the personal data we hold about you. This is called a Subject Access Request (SAR).

When you make a SAR, we will provide you with:

  • Confirmation of whether we hold personal data about you
  • A copy of that data in a clear, readable format
  • Information about why we hold it, where it came from, and who we share it with

We will respond within 30 days of receiving your request. There is no charge for a SAR.

In some limited circumstances — for example, where a request is manifestly unfounded or excessive — we may refuse or charge a reasonable fee. We will tell you if this applies and explain why.


Right 3: The Right to Rectification

If any of the personal data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.

For most profile information, you can update this directly through your account settings. If the information is something you cannot update yourself — for example, data held in our internal records or payment records — contact us and we will correct it.


Right 4: The Right to Erasure

You have the right to ask us to delete your personal data. This is sometimes called the Right to be Forgotten.

We will delete your data when you ask unless we are required or permitted by law to keep it. The main situations where we must retain data despite an erasure request are:

  • Payment records — we must keep these for seven years to comply with HMRC requirements
  • Data that is necessary to defend or establish a legal claim
  • Data we are required to retain under a regulatory obligation

When we delete your account, we will delete your profiles, profile photographs, correspondence, and personal details. Payment transaction records will be retained for the legally required period but cannot be used for any other purpose.


Right 5: The Right to Restriction

You have the right to ask us to restrict how we use your personal data in certain circumstances:

  • If you think the data we hold is inaccurate — you can ask us to restrict processing while we verify the accuracy
  • If our processing is unlawful but you would prefer restriction to deletion
  • If we no longer need the data but you need us to keep it for a legal claim
  • If you have objected to our processing and we are considering whether our legitimate interests override yours

When data is restricted, we can store it but cannot use it for other purposes.


Right 6: The Right to Data Portability

You have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format — such as a CSV or JSON file. You also have the right to ask us to transmit that data directly to another data controller where technically feasible.

This right applies to data that you provided to us yourself (such as your profile information) and that we process based on your consent or to perform a contract with you.


Right 7: The Right to Object

You have the right to object to us processing your personal data where we are doing so based on legitimate interests. When you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need it for legal claims.

You also have the right to object to us using your data for direct marketing purposes at any time. If you object to direct marketing, we must stop immediately.


Right 8: Rights Related to Automated Decision-Making

You have the right not to be subject to a decision made solely by automated means that produces a legal or similarly significant effect on you.

How this applies to ShadiSunnah: Our compatibility scoring algorithm generates a percentage score shown on profiles and produces suggested match lists. This is automated processing. However, it does not make any decision about you that has a legal or similarly significant effect. The score is a tool presented to other families to help them prioritise their search. No one is automatically accepted or rejected from anything based on their score. All decisions are made by the families themselves.

If you have questions about how the algorithm works, please contact us at privacy@shadisunnah.com and we will explain it.


2. How to Exercise Your Rights

To exercise any of the rights above, please contact us:

  • Email: privacy@shadisunnah.com
  • Subject line: Data Rights Request — [your account email address]
  • Include: a description of the right you wish to exercise and any relevant details

We may need to verify your identity before processing your request. This is to protect you — we need to be certain we are responding to the genuine account holder and not someone impersonating them.

We will acknowledge your request within 72 hours and respond in full within 30 days. In complex cases we may extend this by a further two months, but we will always notify you if this is necessary and explain why.


3. Withdrawing Consent

Where we process your data based on your consent — for example, for non-essential cookies — you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before you withdrew consent.

To withdraw consent for cookies, visit the Cookie Settings link in the footer of the Platform. For any other consent-based processing, contact privacy@shadisunnah.com.


4. Making a Complaint

If you are unhappy with how we have handled your personal data or responded to a rights request, you have the right to make a complaint to the relevant supervisory authority.

In the United Kingdom:
Information Commissioner's Office (ICO)

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

In the European Union:
Contact the data protection authority in your EU member state of residence.

In Pakistan:
The Personal Data Protection Bill is progressing through legislation. In the interim, concerns may be raised with the Federal Investigation Agency (FIA) Cybercrime Wing at www.fia.gov.pk.

In the UAE:
The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies. Supervisory authority is the UAE Data Office at www.uaedataoffice.gov.ae.

In Saudi Arabia:
The Personal Data Protection Law (PDPL) applies. The supervisory authority is the Saudi Data and Artificial Intelligence Authority (SDAIA) at www.sdaia.gov.sa.

We always prefer the opportunity to resolve a concern directly before a formal complaint is made. Please contact us first at privacy@shadisunnah.com — we will do our best to resolve it promptly.


5. Contact

All data rights enquiries: privacy@shadisunnah.com
Support portal: www.shadisunnah.com/support
Response commitment: within 30 days, free of charge


These are the six documents. To summarise what you now have and why each one matters if an agency ever contacts you:

Privacy Policy — demonstrates full GDPR/UK GDPR compliance, sets out lawful bases, documents exactly what data you hold and why, covers international transfers, and gives users their full rights. The ICO will ask for this first.

Terms & Conditions — the legally binding contract between you and every user. Covers eligibility, acceptable behaviour, your limitation of liability, and governing law. Stripe, payment processors, and courts will ask for this.

Safety Guidelines — the document that shows you took proactive steps to warn users about fraud, scams, and unsafe behaviour. If a user is defrauded by another user and tries to hold you responsible, this document demonstrates what warnings you gave.

Cookie Policy — required by UK PECR and EU ePrivacy Directive. The ICO checks for this specifically.

Acceptable Use Policy — the specific conduct standards every user agreed to. If a fraudster causes harm and claims they didn't know it was wrong, this document says they were told exactly what was prohibited and agreed to it.

Refund Policy — required for Stripe's acceptable use, required by UK consumer law, and your primary defence against fraudulent chargebacks.

Community Guidelines — demonstrates the positive standards you set, not just the prohibitions. Shows regulators and investigators that you built a community with values, not just a platform with rules.

How It Works — reduces user error and false expectations, which reduces support complaints, disputes, and the "I didn't know how it worked" argument in any investigation.

GDPR and Your Data Rights — a dedicated rights centre that satisfies UK GDPR Article 13/14 obligations, signals to the ICO that you take data rights seriously, and covers the international supervisory authorities for your four primary markets.