⚠️ DRAFT FOR LEGAL REVIEW — NOT LEGAL ADVICE
This document has been drafted to accelerate review by qualified counsel. It has NOT been reviewed by an attorney licensed in your jurisdiction. Do not present this to end users, sign it, or rely on it for any legal decision until a qualified lawyer has reviewed, edited, and approved it. Fikra LLC and the drafter assume no liability for use of this template.
Masjid Fikra Privacy Policy
Last updated: [TO BE FILLED]
This Privacy Policy describes how Fikra LLC ("Fikra", "we", "us") collects, uses, and shares personal information in connection with the Masjid Fikra platform and giving pages (the "Services"). Each masjid using our platform ("Masjid") is an independent organization and is the primary custodian of data about its own donors, members, and staff. Fikra LLC processes that data on the Masjid's behalf.
1. What We Collect
From Masjid staff and administrators
- Identity information from our authentication provider (Clerk): email, name, organization membership.
- Role and permission assignments within a Masjid.
- Technical logs: IP address, user-agent, device metadata, request timestamps.
From donors (on giving pages)
- Name.
- Email address (optional, used for receipts).
- Donation amount and designated fund.
- Payment method metadata returned by Stripe (e.g., last four digits of card, brand). We never see, store, or transmit full card numbers or bank account numbers; those are handled by Stripe.
From members and member applicants (future feature)
- Name, contact information, mailing address.
- Date of birth.
- Shahada date (if applicable, self-reported).
- Photo identification (for membership verification).
- Family members listed on a household application (optional).
From Masjids (organizational data)
- Legal name, doing-business-as name, mailing address.
- EIN (Employer Identification Number).
- IRS 501(c)(3) determination letter (if applicable).
- Bank routing details — collected by Stripe during Connect onboarding; Fikra LLC does not store these.
2. Why We Collect It
- Operate and deliver the Services to Masjids and their donors.
- Generate donation receipts and support donor and Masjid tax compliance.
- Authenticate users and enforce access controls.
- Prevent fraud, abuse, and security incidents.
- Respond to support requests.
- Comply with applicable law.
3. Legal Bases
Even where not strictly required by US law, we use these bases as a framework:
- Contract — processing necessary to deliver the Services the Masjid subscribed to.
- Legitimate interest — security, fraud prevention, product improvement, aggregate analytics.
- Consent — where applicable, e.g., optional email fields on a donor form.
- Legal obligation — retaining donation records to support tax substantiation.
4. Who We Share With
We share personal information only with the service providers required to operate the Services:
| Provider | Purpose |
| --- | --- |
| Stripe, Inc. | Payment processing and Connect onboarding for each Masjid. |
| Clerk | Authentication, session management, and identity. |
| Resend | Transactional email (receipts, password resets, notifications). |
| Tigris | S3-compatible object storage for documents (e.g., uploaded IRS letters, member photo IDs). |
| Railway | Application and database hosting. |
Each provider is bound by its own privacy and security commitments.
We never sell personal data. We never share personal data with advertisers. We never use donor or member information for ad targeting.
We may disclose information if required by law, valid legal process, or to protect the rights, safety, or property of Fikra LLC, our users, or the public.
5. Where Data Is Stored
Primary application data is stored in the United States (Railway, Tigris). Stripe may process and store payment data globally per Stripe's own policies. Clerk and Resend may operate infrastructure in the US and other regions per their policies.
6. How Long We Keep It
- Active data — while the Masjid's subscription is active and the user account is in use.
- After termination — up to 60 days of soft-deletion for operational recovery, then hard-deletion, except where law requires longer retention.
- Donation receipts and supporting records — retained for up to 7 years to support IRS-recognized donor substantiation and the Masjid's own records.
- Security logs — typically up to 12 months.
7. Your Rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion (subject to legal retention obligations);
- request a portable export of your data;
- object to or restrict certain processing.
To exercise these rights, email [email protected] (or [email protected] until that mailbox is live). If your data is held on behalf of a specific Masjid, we may direct your request to that Masjid as the data controller.
8. Security
- TLS encryption in transit.
- Encryption at rest for database and object storage.
- Postgres row-level security (RLS) enforces tenant isolation between Masjids.
- Least-privilege database roles — application runtime does not run as a superuser.
- Secret scanning and branch protection on source repositories.
- Zero-trust posture is a stated day-one commitment.
We are working toward formal attestations (e.g., SOC 2) but do not currently hold any such certification.
No online system can be guaranteed secure; we will notify affected users and Masjids promptly in the event of a breach of personal data as required by law.
9. Children
The Services are not directed at children under 13. We do not knowingly collect personal information directly from children. If a membership application lists a minor family member, that information is submitted by a consenting adult applicant on the child's behalf and is handled under the adult applicant's consent. If you believe we have collected information from a child contrary to this policy, contact us and we will delete it.
10. International Users
The Services are operated from the United States and are intended for use by US masjids. If you access the Services from outside the US, you consent to the transfer and processing of your information in the United States.
11. Cookies
We use Clerk session cookies strictly to keep you signed in and secure. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics that profile individuals.
12. California Residents (CCPA)
California residents have rights under the California Consumer Privacy Act, including the right to know, the right to delete, the right to correct, and the right to non-discrimination for exercising their rights. We do not sell or share personal information as those terms are defined under the CCPA. Californian users may exercise their rights using the contact details below.
13. Changes and Contact
We may update this Privacy Policy from time to time. For material changes we will provide at least 30 days' notice on our site and, where reasonably practical, by email.
Questions: [email protected] (or [email protected]).