Privacy Policy

Effective 2026-05-13. Last updated 2026-05-13.

Qardon.org ("we", "us", "qardon.org") is an independent 501(c)(3) nonprofit organization operating a member-funded, interest-free lending pool. This Privacy Policy explains what data we collect, how we use it, and your rights regarding it.

1. What we collect

• Identity data: legal name, email address, residence country, phone number (where required for loan applications and KYC).
• Membership data: monthly commitment amount, contribution history, agreement timestamps, commitment changes.
• Financial data (loan applicants only): annual income, employer, employment tenure, monthly debt payments, self-reported credit score range, and the official credit report we pull with your FCRA consent.
• Recovery claim data (claimants only): calamity type, date, asset affected, estimated loss, factual description, and documentation you upload.
• Technical data: IP address, user-agent, referrer URL, source_masjid_id when applicable, session cookies, and standard server logs.

2. What we do NOT collect

We do not collect, store, or share data about your religion, ethnicity, race, national origin (beyond residence country for jurisdiction routing), or sexual orientation. No demographic factors enter any lending or Recovery decision (per the federal Equal Credit Opportunity Act and equivalent regulations).

3. How we use your data

• Identity verification (KYC) — to confirm you are who you say you are.
• Lending decisions — to assess creditworthiness using standard underwriting criteria (income, employment, credit history). Never demographic factors.
• Recovery claim review — to verify the calamity event happened and process payouts.
• Tax receipts — to issue annual donation receipts referencing our EIN (once issued).
• Service operations — to send transactional emails (confirmations, reminders, status updates).
• Aggregate impact reporting — to publish anonymized, country-level rollups of pool activity.

4. Who we share data with

• KYC vendor (Persona or Stripe Identity, to be finalized) — for identity verification.
• Credit bureau (TransUnion / Equifax / Experian via an aggregator) — for FCRA-authorized credit reports.
• Payment processors (Stripe Connect for fiat; smart contracts for USDC) — to process contributions and disbursements.
• Cloud infrastructure (Cloudflare) — for hosting, databases, and file storage.
• Auditor & legal counsel — for annual audit and legal compliance.
• Third-party verification (insurance, police, hospital) — for Recovery claim verification, only with your explicit consent on the claim form.

We do not sell your data. Ever. To anyone.

5. Data retention

We retain data as long as needed to operate the platform, comply with law, and document our charitable mission. Loan and donation records are retained per IRS and FCRA requirements. You may request deletion of non-mandated personal data at any time via contact@qardon.org; we will honor it to the extent permitted by law.

6. Your rights

Depending on your jurisdiction, you may have rights including: access to your data, correction of inaccurate data, deletion, data portability, and objection to processing.

• US (CCPA): California residents may exercise CCPA rights via contact@qardon.org.
• EU/UK (GDPR): EU and UK residents may exercise GDPR rights, including the right to lodge a complaint with a supervisory authority.
• FCRA (loan applicants): you have the right to request a copy of your credit report and dispute inaccurate information.

7. Security

We use TLS 1.3 for data in transit, encryption at rest for sensitive fields, role-based access controls, and audit logging. Payment data is handled by Stripe Checkout (PCI scope at zero on our side). Recovery claim documents are stored in encrypted Cloudflare R2 buckets with presigned-URL access only.

8. Children

The platform is not directed at children under 13. We do not knowingly collect data from anyone under 18 without parental authorization where required.

9. Changes to this policy

We will post material changes here with an updated effective date and notify active members by email.

10. Contact

Privacy questions: contact@qardon.org. EU/UK GDPR: contact@qardon.org (a designated DPO will be named when applicable).

This policy is subordinate to our Terms of Service and the Donor Waqf Agreement. Conflicts are resolved in that order.