Legal
Privacy Policy
Last updated: 24 March 2026
At Qurra we take your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it. Please read this policy carefully. By using the Service you acknowledge that you have read and understood it.
References to "Qurra", "we", "us", or "our" mean the operator of the Qurra platform. References to "you" mean any person who accesses or uses the Service.
1. Data We Collect
We collect information in the following categories:
Account & Authentication Data
- Email address
- Password (stored as a one-way hash — we never see your plain-text password)
- Google account ID and OAuth tokens (if you sign in via Google)
- Session token, IP address, and browser/device user-agent (to maintain and secure your session)
- Email verification status
Profile Data
- Full name and display nickname
- Gender
- Date of birth
- Height and weight
- Ethnicity
- City and country of residence
- Whether you are a revert to Islam
- Bio / personal description
- Preferred Islamic scholars or speakers
- Community profile image and cover image, where uploaded (stored in Cloudflare R2 object storage)
- Matching preferences (e.g. preferred age range, ethnicities)
Wali (Guardian) Data — Female Users Only
- Wali's full name
- Wali's phone number
- Preferred contact method for the wali
By providing your wali's details you confirm that you have obtained their consent to share this information with us and, where you initiate contact with a prospective match, with that user.
Interaction & Activity Data
- Match requests sent and received (including any accompanying message)
- Match status (pending, accepted, rejected)
- Profile views (tracked to power the notifications system)
- Last active timestamp
- Community memberships and follows
Billing & Payment Data
- Stripe customer ID
- Subscription status, plan, and billing period dates (cached from Stripe)
- Payment method summary (card brand and last 4 digits — provided by Stripe, not stored by us directly)
- Match Credits balance
- Promotional code redemptions
Full payment card details (card number, CVV) are handled exclusively by Stripe and are never transmitted to or stored on Qurra's infrastructure.
Technical & Usage Data
- IP address (retained in session records)
- Browser and device type (user-agent string)
- Page and feature interactions (inferred from server-side request logs)
We use PostHog for product analytics (page views, feature usage, session events). PostHog may set analytics cookies on your device. See Section 10 for details and your opt-out options. We do not use advertising pixels or fingerprinting scripts.
2. How We Use Your Data
We use the data we collect to:
- Provide and operate the Service — create and authenticate your account, display your profile to prospective matches, and facilitate match requests.
- Personalise your experience — filter profiles according to your stated preferences.
- Process payments — manage subscriptions and Match Credits via Stripe.
- Send transactional communications — email verification, match notifications, and billing receipts. We do not send marketing emails without your explicit consent.
- Ensure safety and security — detect and prevent fraud, abuse, and unauthorised access.
- Improve the Service — understand how features are used to prioritise improvements.
- Comply with legal obligations — respond to lawful requests from authorities where required.
3. Legal Bases for Processing (GDPR)
If you are located in the United Kingdom or European Economic Area, we rely on the following legal bases under UK GDPR / EU GDPR:
- Contract performance — processing necessary to provide you with the Service you have signed up for (e.g. account management, displaying your profile, processing payments).
- Legitimate interests — security, fraud prevention, and improving the Service, where those interests are not overridden by your rights.
- Legal obligation — where we are required to process data by law.
- Explicit consent — for the processing of special category data. Your religious affiliation and ethnicity are special categories under GDPR. By voluntarily including these in your profile you provide your explicit consent for us to process them for the purpose of matrimonial matchmaking. You may withdraw consent at any time by removing this information from your profile or deleting your account.
4. Third-Party Services
We share data with the following third parties, only to the extent necessary:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing & billing management | Email address, payment card details, billing events |
| Google | Optional social sign-in | Google account ID, email, display name (only if you choose Google sign-in) |
| Cloudflare | Infrastructure — compute, database, storage, and CDN | All data processed by the Service (as a data processor under a DPA with Cloudflare) |
| PostHog | Product analytics — page views, feature usage, session events | Anonymised usage events, IP address (anonymised), browser/device info, analytics cookies |
We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.
5. Data Storage & International Transfers
All data is stored and processed on Cloudflare's infrastructure. Cloudflare operates data centres globally, including within the UK, EEA, and the United States. Where data is transferred outside the UK or EEA, Cloudflare provides appropriate safeguards under standard contractual clauses or equivalent mechanisms.
Stripe and Google maintain their own international transfer mechanisms in compliance with applicable data protection law. We encourage you to review their privacy policies for details.
6. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, your profile and personal information are deleted from our active databases. Residual data may persist in automated backups for up to 90 days, after which it is permanently purged.
Billing records (transaction history, Stripe customer IDs) may be retained for up to 7 years to comply with financial record-keeping obligations.
Interaction records (match request history) are deleted along with your account. We do not retain a shadow profile after account deletion.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data (most profile data can be updated directly in the app).
- Erasure — request deletion of your data ("right to be forgotten"). You can delete your account at any time via the Settings page.
- Restriction — request that we limit processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office).
8. Security
We implement industry-standard technical and organisational measures to protect your data, including:
- Encryption of data in transit via HTTPS/TLS.
- Passwords hashed using a strong one-way algorithm (never stored in plain text).
- Session tokens that are cryptographically generated and validated server-side.
- Access to production data restricted to authorised personnel only.
- Community images served only via authenticated, authorised requests.
No system is perfectly secure. In the unlikely event of a data breach affecting your rights, we will notify you and the relevant authority as required by law.
9. Children
The Service is not directed to anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has created an account, please contact us immediately at [email protected] and we will delete the account promptly.
10. Cookies & Tracking
Strictly Necessary Cookies
We use a single, strictly necessary session cookie to keep you signed in. This cookie does not track you across other websites and does not contain advertising identifiers. No consent is required for strictly necessary cookies under applicable law.
Analytics Cookies (PostHog)
We use PostHog to understand how the Service is used so we can improve it. PostHog sets cookies (prefixed ph_) on your device to distinguish returning visits and track usage events. These cookies do not identify you personally and are not used for advertising.
Under UK PECR and EU ePrivacy law, analytics cookies require your consent. When you first visit the Service we will ask for your permission before any PostHog tracking begins. You may withdraw consent at any time by clicking "Cookie preferences" in the footer, or by enabling the Do Not Track setting in your browser (we honour DNT signals).
PostHog is configured to anonymise IP addresses before storage. Data collected by PostHog is processed in accordance with PostHog's privacy policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or via an in-app notice before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, requests, or concerns, please contact us:
Qurra — Data Enquiries [email protected]