19. Scope and Applicability

This Privacy Policy describes how Wali Marriage LLC, doing business as “Wali Marriage” (“Company,” “we,” “us,” or “our”), collects, uses, stores, shares, and protects information about you when you use the Wali: Halal Marriage App. This Privacy Policy applies to all users worldwide, including users in the United States, the European Economic Area, the United Kingdom, Canada, and all other jurisdictions where the App is available.

This Privacy Policy is incorporated by reference into our Terms of Service and forms part of the binding Agreement between you and the Company. By using the App, you consent to the data practices described in this Privacy Policy.

20. Information We Collect

20.1 Identity and Verification Data

• Full name or alias provided during registration

• Government-issued photo identification (passport, driver’s license, national ID)

• Facial biometric data collected through selfie and liveness verification (see Section 21)

• Phone number (primary identity key)

• Date of birth or age

20.2 Profile Data

• Profile photos (stored in blurred/hidden state by default until authorized reveal)

• City and approximate location

• Ethnicity (if voluntarily provided)

• Languages spoken

• Religious practice data: prayer frequency, masjid attendance, hijab or beard observance, self-assessed religiosity level

• Marriage intent data: timeline, relocation preferences, spouse preferences, values

• Bio and open-ended questionnaire responses

20.3 Communication Data

• All messages sent and received through the App’s chat system

• Match interest requests sent and received

• Photo unlock approvals and denials

• Wali approval and denial records

• Report submissions and moderation correspondence

• Messages sent and received in Wali Community Groups (see Section 23 and Terms Section 7.5)

20.4 Behavioral and Technical Data

• City (self-entered at registration; used for city-level distance bucketing visible to other users — see Section 23B)

• IP address and approximate IP-derived geographic location — used internally for fraud detection, waitlist eligibility, and abuse prevention only; NEVER shown to other users

• Device type, operating system version, and unique device identifiers

• App usage patterns: session duration, feature usage, navigation patterns

• Interaction timing: when messages are sent, when requests are reviewed

• Trust score inputs: behavioral signals used to calculate internal trust scoring

• Screenshot detection events

• **We do NOT collect: **live GPS location, continuous location tracking, foreground or background location permissions, or any location data at sub-city precision.

20.5 Wali Relationship Data

• Identity and verification documents of linked Walis

• Documentation establishing the guardianship relationship

• Verification media submitted for relationship confirmation

• Records of Wali actions taken within the platform

20.6 Financial and Transactional Data

• Subscription tier and billing history

• Transaction identifiers from payment processors

• Referral activity and reward redemption records

We do not directly store full payment card numbers, bank account details, or other sensitive financial data. Such data is handled exclusively by our payment processors.

20.7 Marriage Confirmation Data

• If you participate in the marriage confirmation flow described in Product Specification Section 14, we collect: your indication of a spouse, your spouse’s confirmation or denial, the approximate marriage month and year, and any success-story content you separately consent to share

• Success-story content is collected only with explicit two-sided consent and is retained only while both spouses maintain active consent

20.8 Data You Provide Indirectly

We also collect information you provide through interactions with our support team, moderation submissions, appeals, and any communications with the Company outside the App.

22. How We Use Your Information

We use the information we collect for the following purposes:

22.1 Platform Operation

• To create, maintain, and secure your account

• To verify your identity and prevent fraud and duplicate accounts

• To provide the core matchmaking functionality of the App

• To enforce the Wali system and all platform rules

• To process subscription payments and manage billing

22.2 Safety and Moderation

• To monitor communications for violations of our content policies

• To calculate and maintain Trust Scores for fraud and abuse detection

• To investigate reports of violations and take appropriate moderation actions

• To respond to legal requests and prevent harm

• To detect, investigate, and prevent fraudulent activity

22.3 Platform Improvement

• To analyze usage patterns and improve the App’s features and functionality

• To troubleshoot technical issues and improve performance

• To develop and test new features

22.4 Communication

• To send you notifications about your account, matches, and messages

• To send you important legal and policy updates, including updates to this Agreement that require re-acknowledgment (see Part IV)

• To respond to your inquiries and provide customer support

• To send marketing and promotional communications, subject to your opt-out rights

22.5 Legal Compliance

• To comply with applicable laws, regulations, and legal process

• To exercise or defend our legal rights

• To enforce this Agreement and our Community Guidelines

23. The Wali Access System and Community Groups — Privacy Disclosures

23.1 No Privacy as Between User and Wali

When a Wali is linked to your account, the Wali is granted access to all communications within the App’s chat system that involve your account. This includes both real-time access and historical access as described in Terms Section 4.3. By linking a Wali to your account, you consent to the Wali’s access to your communications through the App. Any man who communicates with a woman who has a linked Wali is hereby notified that the Wali may access those communications.

23.2 Disclosure to All Parties

The presence of a Wali and the Wali’s potential access to conversations is disclosed to all parties in any chat through a visible banner. All users of the App are deemed to have received notice that any chat involving a woman with a linked Wali may be monitored by that Wali.

23.3 Company Not Responsible for Wali Actions

The Company is not responsible for the use that any Wali makes of information accessed through the platform. The Company does not control what a Wali does with information they view through the App outside of the App’s platform. Users who have concerns about Wali conduct should report it through the App’s reporting system.

23.4 Wali Community Groups and Profile Sharing

If a Wali is a member of a Wali Community Group (see Terms Section 7.5) and seeks to share a linked woman’s profile in that group, the woman receives a notification and must affirmatively approve the share. A shared profile card contains age, city, religiosity, and bio, but does not contain the woman’s name or photographs. By using the App, each user acknowledges that: (a) this per-share consent mechanism is the exclusive method by which a Wali may share the user’s profile in a Community Group; (b) approved shares are visible to other members of that Community Group; and (c) the Company is not responsible for further disclosure made by Community Group members outside the App.

23A. Administrative Access and Audit Logging

23A.1 Categories of Staff Access

The Company’s administrative system defines four staff role categories, with graduated data access:

• Level 1 Administrators: may access any user data as necessary to operate the platform, respond to legal process, investigate fraud, or protect user safety

• Lower-Level Administrators: may access operational data and user records, but have no access to financial withdrawal functions

• Moderators: may view profile content and flagged chat content only in the context of an active report, appeal, or verification review; may not browse user data outside that context

• Customer Support Agents: may view non-sensitive account data (profile, subscription status, support history); are structurally prohibited from viewing chat content, government ID data, or biometric data

23A.2 Conditions Under Which Staff Access Occurs

• In response to a user report or user-initiated support request

• In the course of verification review (identity, wali relationship, age)

• To investigate suspected abuse, fraud, or safety risks detected by automated systems or user reports

• To comply with applicable law, legal process, or governmental request

• To enforce the Terms of Service and Community Guidelines

• To respond to a privacy rights request or data breach

• As necessary to maintain, troubleshoot, or secure the platform

23A.3 Audit Logging of Staff Access

Every staff access to user data — including every view of chat content, government ID data, biometric data, and financial records — is logged to an append-only, tamper-evident audit log. The audit log records the identity of the staff member, the timestamp, the specific data accessed, the context (ticket, report, or justification), and the action taken. The audit log is retained for at least seven (7) years and is reviewed by Level 1 Administrators for anomalous patterns.

23A.4 User Right to an Access Report

Users may request a record of staff access to their account data by submitting a privacy rights request under Section 27. The Company will provide, within the response window applicable under GDPR or CCPA, a summary describing: the dates of staff access, the categories of staff roles involved, the categories of data accessed, and the purpose of access. For access that occurred in connection with an active investigation, the Company may withhold specifics until the investigation is closed, as permitted by applicable law.

23A.5 Financial Controls — Disclosure

Financial withdrawals from the platform’s revenue accounts are available only to Level 1 Administrators and are subject to multi-party approval gates, withdrawal destination pre-registration, and a daily threshold. These controls are intended to protect user funds associated with refunds, credits, and legal obligations, and to prevent insider compromise. The specific control values are published in the Company’s internal security policy and reviewed periodically.

23B. Location Data — Privacy Model

23B.1 What Location Data We Collect

• Your city — self-entered at account registration and editable at any time in Settings

• Your IP address and IP-derived approximate region — used internally for fraud detection, waitlist eligibility, abuse pattern detection, and compliance with applicable law

23B.2 What Location Data We Do Not Collect

• Live device GPS coordinates

• Continuous or periodic location tracking

• Foreground or background location permissions (the App does not request either)

• Neighborhood-level, street-level, or sub-city-level location

• Location data from third-party data brokers

23B.3 How Location Is Displayed to Other Users

When another user sees your profile, they see your city and a bucketed distance label (e.g., ‘In your city,’ ‘5–15 miles,’ ‘Outside [state]’) computed server-side from the cities each of you entered. They never see your exact coordinates, street address, neighborhood, or a numeric distance below 5 miles. Bucket granularity is capped at 5 miles by platform design and cannot be overridden by any admin, moderator, or user-configurable setting.

23B.4 Internal Use of IP-Derived Location

Your IP-derived approximate location is used internally for: (a) detecting fraudulent account creation from suspicious regions, (b) enforcing regional waitlist eligibility, (c) correlating referral activity for abuse detection (Section 13.5 of the Product Specification), and (d) complying with legal obligations including sanctions and export controls (Terms Section 14.6). IP-derived location is never made visible to other users, never sold, and never used for advertising.

23B.5 Your Rights Over Location Data

• You may change your entered city at any time in Settings; the change takes effect immediately for all future discovery and distance displays

• Deleting your account removes your city data per the retention schedule in Section 26

• Requesting a data export (Section 27) includes your entered city and your IP history at a day-level granularity

• California and EEA users retain all rights described in Section 27 with respect to location data

24. Chat Permanence — No-Deletion System

24.1 Permanent Message Storage

All messages sent through the App’s matching-system chat are permanently stored and cannot be deleted, edited, or retracted by any user after sending. This is a fundamental and disclosed feature of the platform designed to support accountability, safety, and Wali oversight. By using the App’s chat features, you expressly consent to this permanent storage policy.

24.2 Scope of Permanence

Message permanence applies to all matching-system chat content, including: text messages, system messages, and any notifications within chat threads. It applies regardless of whether the other party in the conversation has terminated their account, been banned, or is otherwise no longer using the App.

24.3 Exception for Wali Community Group Messages

Messages within Wali Community Groups are governed by a different deletion policy, as described in Terms Section 7.5.4: the sender may delete a message within 24 hours of posting, and a Group Admin may delete a message at any time. This is a deliberate design difference from matching-system chats.

24.4 Account Deletion and Chat Data

The permanent storage policy for matching-system messages is subject to the following limitations imposed by applicable law: (a) upon valid account deletion request, the content of messages will be deleted from user-facing systems within thirty (30) days; (b) metadata — including sender identifiers, recipient identifiers, timestamps, and moderation flags — may be retained for safety and legal compliance purposes for up to two (2) years; (c) content that is subject to a legal hold, ongoing investigation, or law enforcement request may be retained indefinitely until such hold is lifted.

SMS / Text Messaging Program

When you provide your mobile phone number, you consent to receive SMS text messages from Wali Marriage. The categories of messages we send are: (a) one-time passcodes for phone verification during registration and login; (b) transactional account notifications such as profile approval and match requests; and (c) customer support replies.

Message frequency varies based on your activity. Message and data rates may apply. You can opt out at any time by replying STOP to any message, and reply HELP for help.

No mobile information, including your phone number and SMS opt-in consent, will be shared with or sold to third parties or affiliates for marketing or promotional purposes. We share your mobile number only with our SMS delivery provider strictly to send the messages described above, and that provider is contractually prohibited from using it for any other purpose.

25. Data Sharing and Third-Party Disclosure

25.1 We Do Not Sell Your Data

We do not sell, rent, or lease your personal information to third parties for their own marketing or commercial purposes.

25.2 Sharing Within the App

Profile information is shared with other users in accordance with the visibility rules described in the App. Your anonymized profile data (age, city, religiosity, bio) is visible to men browsing the platform. Your full profile is visible to women and to linked Walis in accordance with the App’s rules. Chat content is accessible to chat participants and linked Walis as described herein.

25.3 Service Providers

We share data with third-party service providers who perform functions on our behalf, including:

• Identity verification providers — receive identity documents and biometric data for verification processing

• Cloud hosting and infrastructure providers — host and process data on our behalf

• Payment processors — process subscription and purchase payments

• Analytics providers — provide aggregated, anonymized usage analytics

• Email and push notification providers — deliver notifications to users

All service providers are contractually required to: (a) use personal data only for the purposes for which it was disclosed; (b) implement reasonable security measures; (c) not sell or further disclose personal data; and (d) comply with applicable privacy law.

25.3.1 Sightengine (Image Content Moderation)

We share user-uploaded photographs with Sightengine, an automated image moderation service operated by Kozelo SAS, 16 bis rue d'Odessa, 75014 Paris, France ("Sightengine"). Sightengine processes these photographs to automatically detect content that violates our Community Guidelines and content standards, including but not limited to sexual content, nudity, violence, weapons, illegal substances, and self-harm imagery. This processing is performed before the photograph is made visible on the platform.

Categories of data shared: user-uploaded image files and a unique per-request identifier. We do not share user names, contact information, profile data, or biometric identifiers with Sightengine.

Sightengine acts as a data processor under our instruction; Wali Marriage LLC remains the data controller. Sightengine has no direct relationship with our users and processes your photographs only at our direction. Our relationship with Sightengine is governed by a Data Processing Agreement between Wali Marriage LLC and Kozelo SAS. Sightengine retains submitted images for the time needed to provide the moderation service and for a reasonable period thereafter to support audits, legal compliance, and dispute resolution, in accordance with their privacy policy. Sightengine may use sub-processors to assist with its services and maintains contractual restrictions on their access, use, and disclosure of your data.

Sightengine is located in the European Union. By using the platform, you acknowledge that your photographs will be transferred internationally from the United States to France for moderation processing, subject to the protections of the Data Processing Agreement referenced above and applicable contractual safeguards.

You may exercise your data rights regarding Sightengine's processing of your photographs by contacting us at izharbid@walimarriage.com. We will coordinate with Sightengine to fulfill your request. Sightengine's privacy policy is available at https://sightengine.com/policies/privacy.

25.4 Legal Disclosures

We may disclose your information, including communication content, without prior notice to you when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce this Agreement; (c) protect the rights, property, or safety of the Company, its users, or the public; (d) prevent or investigate possible wrongdoing; or (e) respond to an emergency involving risk to life.

25.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. You will be notified of such transfer and the privacy protections applicable to your data, and you will have the opportunity to delete your account if you do not wish your information to be transferred.

26. Data Retention Schedule

27. User Rights — GDPR, CCPA, and Applicable Law

27.1 Rights Available to All Users

Regardless of your jurisdiction, you have the following rights with respect to your personal data:

• Right to Access: you may request a copy of the personal data we hold about you

• Right to Correction: you may request correction of inaccurate or incomplete data

• Right to Deletion: you may request deletion of your personal data, subject to the limitations in Section 24 and our legal obligations

• Right to Portability: you may request a machine-readable copy of your personal data

• Right to Opt Out of Marketing: you may opt out of marketing communications at any time

27.2 Additional GDPR Rights (EEA and UK Users)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and applicable UK data protection law:

• Right to Restrict Processing: you may request restriction of processing of your data in certain circumstances

• Right to Object: you may object to processing based on legitimate interests

• Right to Withdraw Consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing

• Right to Lodge a Complaint: you have the right to lodge a complaint with your local data protection supervisory authority

Legal bases for processing under GDPR include: (a) contract performance (operating your account); (b) legitimate interests (fraud prevention, safety, platform improvement); (c) legal obligation (compliance with law); and (d) explicit consent (biometric data, sensitive religious data, marketing).

27.3 California Privacy Rights — CCPA

California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: you may request disclosure of the categories and specific pieces of personal information collected about you

• Right to Delete: you may request deletion of your personal information, subject to certain exceptions

• Right to Correct: you may request correction of inaccurate personal information

• Right to Opt Out of Sale: we do not sell personal information, but you may submit a request to confirm this

• Right to Non-Discrimination: we will not discriminate against you for exercising your California privacy rights

In the preceding twelve months, we have collected the following categories of personal information as defined by CCPA: identifiers; biometric information; internet and network activity; geolocation data; and inferences drawn from the above. We have not sold or shared personal information for cross-context behavioral advertising.

27.4 How to Exercise Your Rights

To exercise any of the above rights, contact us at izharbid@walimarriage.com with your request. We will respond within: (a) 45 days for CCPA requests (extendable by an additional 45 days with notice); (b) 30 days for GDPR requests (extendable by up to two additional months with notice). We may require verification of your identity before processing your request.

28. Children’s Privacy and COPPA Compliance

28.1 Prohibition on Minors

The App is strictly prohibited for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take immediate steps to terminate the account and delete the associated data.

28.2 COPPA Compliance

While the App is not directed at children under 13 within the meaning of the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., we comply with COPPA by prohibiting use of the App by anyone under 18, and by promptly deleting any data collected from such individuals upon discovery.

28.3 Reporting Suspected Underage Users

If you have reason to believe that a user of the App is under 18 years of age, please report this immediately through the App’s reporting system or by contacting us at izharbid@walimarriage.com. We will investigate and take appropriate action, which may include account termination and referral to appropriate authorities.

28.4 Parental or Guardian Actions

If you believe your child under 18 has created an account using your information or otherwise, contact us immediately at izharbid@walimarriage.com. We will promptly terminate the account and delete all associated data upon verification of the report.

29. Security Practices and Disclaimer

29.1 Security Measures

We implement reasonable and appropriate technical and organizational security measures designed to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include: encryption of data in transit using TLS; encryption of data at rest for sensitive data categories including government ID data and biometric data; access controls restricting data access to authorized personnel; audit logging of access to sensitive data; and regular security assessments.

29.2 Security Disclaimer

NO SECURITY SYSTEM IS IMPENETRABLE. WE CANNOT GUARANTEE THE SECURITY OF OUR SYSTEMS OR YOUR DATA. BY USING THE APP, YOU ACKNOWLEDGE THAT YOU PROVIDE YOUR PERSONAL INFORMATION AT YOUR OWN RISK. IN THE EVENT OF A DATA BREACH, WE WILL NOTIFY AFFECTED USERS AS REQUIRED BY APPLICABLE LAW. SEE SECTION 34 FOR OUR BREACH NOTIFICATION POLICY.

30. International Data Transfers

Your information may be stored and processed in the United States or in any other country where we or our service providers maintain facilities. By using the App, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws than your home country.

For transfers of personal data from the European Economic Area or United Kingdom to countries not recognized as providing adequate data protection (including the United States), we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms as required by applicable law.

31. Automated Decision-Making and AI Systems

We use automated systems — including artificial intelligence and machine learning — to make or assist in making certain decisions that affect your use of the App. These automated systems are used to:

• Block messages that contain prohibited content in real time

• Calculate and update your Trust Score based on behavioral signals

• Determine your visibility and priority in the discovery system

• Flag accounts for human moderation review based on behavioral patterns

Some of these decisions may significantly affect your access to the App’s features, including reducing your visibility in discovery or restricting your ability to send requests. These automated decisions are not solely determinative — human reviewers are involved in consequential decisions such as account restrictions and bans.

If you are located in the EEA or UK, you have the right under GDPR Article 22 to not be subject to a decision based solely on automated processing that produces significant legal or similarly significant effects. Where automated decision-making does significantly affect you, you may request human review of the decision through our appeals process as described in the App.

32. California Privacy Rights — Supplemental Disclosures

In addition to the rights described in Section 27.3, California residents are entitled to the following information under the Shine the Light Law (Cal. Civ. Code § 1798.83) and the California Online Privacy Protection Act (CalOPPA):

• We do not disclose personal information to third parties for their own direct marketing purposes without your consent

• California residents may request information about categories of personal information shared with third parties for direct marketing purposes by contacting izharbid@walimarriage.com

• Under the California Consumer Privacy Act, you may designate an authorized agent to make requests on your behalf. We require authorized agents to provide written proof of authorization

• Do Not Track: our App does not currently respond to Do Not Track browser signals because no uniform industry standard for such signals has been adopted for mobile applications. If such a standard is adopted, we will update this policy.

33. Texas and Illinois Biometric Data — Supplemental Disclosures

33.1 Illinois (BIPA)

If you are an Illinois resident, the following disclosures apply pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14/):

• We have a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric data — this Section constitutes that policy

• We will not sell, lease, trade, or profit from your biometric data

• We will not disclose your biometric data without your consent except as described in Section 21.5

• You have the right to bring a private action under BIPA for violations of this Section

33.2 Texas (CUBI)

If you are a Texas resident, the following disclosures apply pursuant to the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001 et seq.):

• We capture biometric identifiers for the purpose of identity verification

• We do not sell, lease, or disclose biometric identifiers to third parties except as described in Section 21.5

• We store biometric identifiers using reasonable security measures

• We destroy biometric identifiers within the retention period specified in Section 21.4

34. Data Breach Notification Policy

In the event of a data breach that compromises the security of your personal information, we will:

• Investigate the breach and take appropriate steps to contain and remediate it

• Notify affected users without unreasonable delay, and within the time frames required by applicable law (e.g., within 72 hours under GDPR; within 30 days under applicable U.S. state laws)

• Notify applicable regulatory authorities as required by law

• Provide affected users with information about: the nature of the breach; the categories of data affected; the likely consequences of the breach; the measures we have taken; and steps you can take to protect yourself

• For breaches involving biometric data, comply with any additional notification requirements under applicable state biometric privacy laws

35. Changes to This Privacy Policy

We may update this Privacy Policy at any time. We will provide notice of material changes by posting the revised policy in the App with an updated effective date, and by notifying you through in-app notification or email. If you continue to use the App after the effective date of the revised policy, you are deemed to have accepted the changes. If you do not agree to the revised policy, you must discontinue use and delete your account.

See Part IV of this document for the in-app implementation specification describing how material changes to this Privacy Policy are presented to the user for re-acknowledgment, including scrolling, the acknowledgment checkbox, and the acceptance receipt.

36. Contact and Data Protection Officer

For all privacy-related inquiries, rights requests, data breach reports, or questions about this Privacy Policy, contact us at:

• Privacy / Legal Email: izharbid@walimarriage.com

• Mailing Address: Wali Marriage LLC, 9155 Beloit Avenue, Bridgeview, Illinois 60455

36.1 Data Protection Officer

Wali Marriage LLC has not designated a formal Data Protection Officer at this time. Until a DPO is appointed, all GDPR-related inquiries, access requests, correction requests, deletion requests, and complaints should be directed to izharbid@walimarriage.com. The Company commits to appointing a qualified Data Protection Officer before the App is made available to users located in the European Economic Area or the United Kingdom.

36.2 EU / UK Representative

Wali Marriage LLC will appoint a Representative in the European Union and a Representative in the United Kingdom, each pursuant to Article 27 of the applicable GDPR, before the App is made available to users located in those regions. Until such Representatives are appointed, EEA and UK users should direct their inquiries to izharbid@walimarriage.com. The names and contact details of the appointed Representatives will be published in this Section when available.

36.3 Complaints to Supervisory Authorities

If you are an EEA or UK user, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection law. For EU users, the lead supervisory authority will be determined based on our establishment and the nature of the complaint.