All Privacy Policies

INTRODUCTION

This Privacy Policy ("Privacy Policy") applies to Wahed Limited NGA ("Wahed") website at www.wahed.com/nga (the "Website") or the mobile digital application through which the service is delivered (the “Mobile App”). This Privacy Policy covers the collection, processing and other use and disclosure of personal data under the Nigeria Data Protection Act 2023 ("NDPA") and the General Data Protection Regulation ("GDPR"). For the purpose of the NDPA and GDPR we are the data controller/user and any enquiry regarding the collection or processing of your data should be sent to our email: nigeriasupport@wahed.com. For the purpose of this Privacy Policy, the terms "we", "us" and "our" refer to Wahed. "You" refers to you as the user of the Website or the Mobile App. This Privacy Policy has been developed as an extension of our commitment to combine the highest-quality services with the highest level of integrity in dealing with all users of the Website or Mobile App. It is designed to assist you in understanding how we collect, use and safeguard personal information you provide to us and to assist you to make informed decisions. We will treat personal data that you provide through the Website according to this Privacy Policy, the NDPA and the GDPR. This statement will be continuously assessed and updated against new technologies, business practices and our customers' needs. 

PLEASE REVIEW THIS PRIVACY POLICY CAREFULLY.

By visiting and/or submitting information to or through this Website or the Mobile App, you agree to be bound by the terms and consent to the collection, use, disclosure, retention and processing of your information as described in this Privacy Policy, the NDPA and the GDPR.

Exclusion

You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

Amendments to the Privacy Policy

This Privacy Policy will come into effect on 22nd of September, 2025 (the "Effective Date"). Although most changes are likely to be minor, we may change our Privacy Policy from time to time, to reflect changes to the Website, customer feedback and applicable law and at our sole discretion. If we decide to change our Privacy Policy, we will post those changes on this page so that you are always aware of what information we collect, how we use it, and under what circumstances we disclose it. We will at all times notify you of any changes or updates. We will not make retroactive changes that reduce your privacy rights unless we are legally required to do so. Your continued use of the Website and/or the Wahed mobile application after any change in this Privacy Policy will constitute your acceptance of the amended Privacy Policy.

This policy is intended to establish prudent and effective guidelines on the ways in which Wahed Limited collects, uses and protects personal information of its users under the Nigeria Data Protection Act. 2023 (NDPA) and General Data Protection Regulation (GDPR). We are committed to protecting your personal information and right to privacy.

OVERVIEW

Wahed designed this Privacy Policy to treat your personal information as private and confidential. This policy describes how we collect, use, process, disclose and protect your personal data (Personal Data).

This privacy policy sets out how Wahed treats personal data we collect from you, provided to us, and it will be processed by us. Kindly review this Privacy Policy carefully to understand our approach and praxis concerning your personal data and how we treat it. By assessing or using our services, Mobile app or Website, you agree to this Privacy Policy and our Terms of Use.

CONSENT

Wahed requires your explicit consent to collect and process your Personal Data where consent is the lawful basis for processing under the Nigeria Data Protection Act, 2023 (NDPA) and, where applicable, the General Data Protection Regulation (GDPR). By consenting to this Privacy Policy, you acknowledge and agree to the collection, use, disclosure, retention, and processing of your Personal Data as described herein.

If we request Sensitive Personal Data (such as biometric information), you will be notified of the purpose and manner of use at the time of collection, and your explicit consent will be obtained before such processing takes place.

You may withdraw your consent at any time by contacting our Data Protection Officer at nigeriasupport@wahed.com. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal. For further details, please refer to the Withdrawal of Consent section of this Policy.

CONDITIONS FOR PROCESSING OR COLLECTING PERSONAL DATA

Wahed or any third party acting on its behalf shall only process your Personal Data if at least one of these conditions are met:

• Consent: this refers to any freely given, specific, informed, and unambiguous indication through a statement or a clear affirmative action that signifies your agreement to the processing of your Personal Data by Wahed. Wahed does not intend to seek consent that may engender direct or indirect propagation of atrocities, hate, criminal acts, and anti-social conducts.
• Contract: processing is necessary for the performance of a contract or entering into a contract at your request.
• Legal obligation: processing is necessary for compliance with a legal obligation to which Wahed is subject.
• Vital interest: processing is necessary to protect your vital interests or those of another natural person.
• Public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Wahed.

PERSONAL DATA WE COLLECT

We collect and process personal data that you provide directly to us, data generated by your use of our Mobile Application or Website visits, and information obtained from authorised third parties. This includes:

• Identification Data: full name(s), date of birth, government-issued identification numbers (including Bank Verification Number (BVN) and National identification number (NIN)), and copies of official documents such as a passport, government-issued identity card, driver’s licence, voter’s ID or national ID card.
• Biometric Data:
  
  • Device-native biometrics (fingerprint or face recognition): used solely for secure login. This data is stored only on your device within its secure hardware. Wahed does not collect, store, or transmit this data.
  • Facial orientation and expression data: captured during liveness checks, confirming that the user is a real person. This data is used exclusively for real-time analysis during the verification process. It is transmitted securely to our authorised identity verification provider to carry out these checks.
  • Selfie images for identity verification (KYC): transmitted securely to our authorised identity verification provider for compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations. The face image is securely stored by our authorised identity verification provider on their servers for a period of ninety (90) days. This period is set by default for audit purposes.
• Contact Data: residential and postal address, e-mail address, and mobile number.
• Financial Data: bank account details, debit or credit card numbers, transaction history, transaction time, account name, and payment information, value of the transaction in Naira, photos and other information you attach to your transaction.
• Demographic Data: gender, date of birth, zip code, and related attributes.
• Technical and Device Data: IP address, browser type, operating system, device identifiers, and geolocation derived from GPS or Wi-Fi.
• And we record your discussion with us if you contact us or we contact you.

Certain personal Information such as genetic and biometric, race or ethnic origin, religion or similar beliefs, health status, sex life, political opinions or affiliations, trade union memberships or other information prescribed by the commission is characterized as sensitive (“Sensitive Personal Data”) and subject to stricter regulation than other personal information. Before providing it to us, we urge you to carefully consider whether to disclose your Sensitive Personal Data to us. If you do provide Sensitive Personal Data to us, you consent to its use and disclosure for the purposes and in the manner described in this Privacy Policy.

Use of Facial Data

When you use our identity verification feature, the Wahed Mobile App captures your facial orientation and expression data (for liveness) and your facial image (or selfie) through your device’s camera systems via the SDKs provided by our authorised identity verification provider.

Liveness Data:

• What is collected: face 3D spatial orientation and facial expressions.
• Purpose of collection: this is exclusively used for real-time analysis during the verification process to confirm that the selfie being taken is of a live user, for the purposes of authentication and fraud reduction and it is not stored. Its usage is strictly limited to the liveness detection function.
• Storage and sharing: it is transmitted securely to our authorised identity verification provider to carry out these checks. The spatial orientation/facial expression data is not submitted by our authorised identity verification provider to any third or first parties.

Once liveness is verified, the user’s face image (or selfie) is captured.

Selfie Data: 

• What is collected: a face image (selfie).
• Purpose of collection: the user’s face image is captured to authenticate the identity of the user.
• Storage and sharing: The face image is retained by our authorised identity verification provider, which is securely stored on their servers for a period of ninety (90) days. This period is set by default for audit purposes.

Use of True Depth API

Our authorised identity provider’s SDK utilizes the TrueDepth API to detect faces on the device for liveness detection, confirming that the user is a real person. The TrueDepth data is used exclusively for real-time analysis during the verification process and is not stored. Once liveness is verified, we proceed to capture the user’s facial image. Importantly, TrueDepth data is never persistently stored on the user’s device nor transmitted outside the device. Its usage is strictly limited to the liveness detection function.

NON-PERSONAL AND TECHNICAL INFORMATION

In addition to the Personal Data described above, we collect certain non-personal or technical information when you access or use our mobile application or website. This may include:

• Technical Data: browser type, internet service provider, IP address, operating system, and web pages visited.
• Usage Data: information about what you have searched for and viewed while using the Services.
• Marketing Preferences: records of your decision to subscribe to or withdraw from receiving marketing communications.
• Metadata: information related to items you upload or share, such as the date, time, or location where a photograph or video was taken.
• Location Data: derived from GPS, Wi-Fi, or other device signals, to support compliance requirements and tailor onboarding flows regionally.
• Other Derived Information: information made available by you or others that may indicate the current or prior location of a user.

This information is collected automatically through cookies, device identifiers, SDKs, and similar technologies, and is used to:

• Ensure secure onboarding and compliance with applicable KYC/AML obligations;
• Strengthen authentication and fraud-prevention measures;
• Improve the design, functionality, and performance of our Services; and
• Enhance the overall user experience.

HOW WE COLLECT INFORMATION

The types of information we collect and how we process it depend on how you use and access our Services. Information may be collected in the following ways:

1. Directly from You
   
   1. When you create an account to use our Services, complete onboarding, submit identity documentation, or contact us for help or information.
   2. When you voluntarily provide Personal Data through our mobile application or website.
2. Automatically through Use of Our Services
   
   1. Certain technical and usage data are automatically collected when you interact with our website or mobile application, including IP address, device type, operating system, browser type, geolocation, page views, clicks, and navigation history.
   2. This information may be gathered using cookies, server logs, SDKs, and similar data collection tools, as described further below.
3. From Social Media (Optional)
   
   1. If you choose to connect your Wahed account through a social media platform (such as Facebook Connect), we may receive information from that platform in line with your privacy settings.
4. From Business Partners and Service Providers
   
   1. Trusted third parties engaged to support our business operations — such as identity verification providers, KYC/AML service providers, cloud hosting partners, authentication providers, SMS gateways, and payment processors — may collect Personal Data about you through our Services and share it with us under strict confidentiality and security obligations, unless mentioned otherwise in this Policy.

We may combine the information collected from these sources and use the combined data as described in the How We Use Your Data section of this Policy.

Cookies And Data Collection Tools

Our Services use cookies and other similar tools to enable secure functionality, improve performance, and analyse usage.

Categories of Cookies:

1. Essential Cookies: Necessary for login, navigation, and core security. These cannot be disabled.
2. Analytics Cookies: Help us understand how users interact with our Services by collecting anonymous usage data.
3. Marketing Cookies: Track browsing behaviour to deliver tailored content and advertising. You may opt out of these.

User Consent and Management:
By using our Services, you consent to the use of cookies as described. You may:

• Accept All Cookies (enable all categories).
• Reject Non-Essential Cookies (allow only essential cookies).

Other Data Collection Tools:
In addition to cookies, we may use tools such as web beacons and server logs to help improve your experience. These tools may capture details about the device used to access the Services, including operating system type, browser type, domain, country, and time zone.

Such information does not ordinarily identify you personally and is primarily used for statistical analysis, fraud detection, security monitoring, and performance improvement.

HOW WE USE YOUR DATA

We may process the information we collect/you provide to us in accordance with the Nigeria Data Protection Act, 2023 (NDPA) and GeneralData Protection Regulation (GDPR). This information is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purpose(s): 

• Verifying your identity and carrying out Know-Your-Customer (KYC) and anti-money laundering checks;
• Providing, managing, and improving our Services;
• Securing accounts through authentication, liveness detection, fraud prevention measures and to detect illegal activities; or for archival and backup purposes in connection with the provision of services;
• Processing transactions and maintaining accurate records;
• Complying with legal, regulatory, and tax obligations;
• To operate, improve and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;
• To communicate with you and notify you about any changes to our website or Mobile Application, such as improvements or service/product changes, that may affect our services; 
• Communicating with you about your account and updates to our Services;
• To better understand how users access and use the Website and Mobile application, for the purposes of trying to improve our services and to respond to user preferences, including language and location customization, personalized help and instructions, or other responses to users’ usage of the Website or the App;
• To help us develop our new products and services and improve our existing products and services;
• To provide users with advertising and direct marketing that is more relevant to you;
• To enforce any other applicable policies; and
• To assess the effectiveness of and improve advertising and other marketing and promotional activities on or in connection with the Website or the App.

Without your personal data, we may not be able to provide or continue to provide the Services you require.

AUTOMATED DECISION-MAKING AND PROFILING

We may use your Personal Data as part of automated processing activities designed to provide, improve, and tailor our Services. These activities may include:

• Real-time onboarding and identity verification (KYC/AML);
• Risk and suitability analysis through questionnaires that take into account your financial objectives, and risk tolerance;
• Portfolio recommendations and product eligibility assessments; and
• Client segmentation and some fraud prevention checks.

These processes may result in decisions about you that affect the services we provide, including the type of portfolio or product we recommend, or the terms under which they are offered. However, these recommendations are not binding. You remain free to override the suitability profile and select a different investment option where permitted.

You have the right not to be subject solely to automated decision-making that significantly affects you. You may object to, or request human intervention in, such decisions at any time by contacting us using the details in the Contact Information section of this Policy. Please note that if you withdraw consent to certain automated processes, this may limit or prevent our ability to provide Services to you.

SHARING AND DISCLOSURE OF PERSONAL DATA

We may disclose or share your Personal Data with third parties which include our affiliates, employees, officers, service providers, agents, and partners, only as permitted by law and as may be reasonably necessary for the purposes set out in this policy. Wahed may disclose Personal Data to or share it  with the following parties:

• Wahed may disclose Personal Data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries in order to perform services requested or functions initiated by users. In addition, we may disclose Personal Data in order to identify a user in connection with communications sent through the Website. 
• With third-party service providers performing services on our behalf; these third party service providers may include: cloud service providers, technology providers, identity verification providers, broker dealer/custodians and other third parties that may be required for the provisions of our services as might be deemed necessary for our function. These services may include but are not limited to identity verification, liveness detection, authentication, SMS delivery, cloud hosting, and payment processing. These providers act strictly as data processors under Wahed’s instructions and are bound by confidentiality and security obligations.
• We share information, including Personal Data, with our service providers to perform the functions for which we engage them (such as hosting and data analyses). We may share information as needed to operate other related services.
• With professional advisers, auditors, or contractors under confidentiality obligations where required for legitimate business purposes.
• We also may share information that we collect from users, as needed, to enforce our rights, protect our property or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will disclose Personal Data as we deem necessary to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process. We may also share Personal Data as required to pursue available remedies or limit damages we may sustain.
• We may share Personal Data about you in an aggregated form, that is, in a statistical or summary form that does not include any personal identifiers, with third parties in order to discover and reveal trends about how users like you interact with our services.
• We may transfer information, including your Personal Data, in connection with a merger, sale, acquisition or other change of ownership or control by or of us or any affiliated company {in each case whether in whole or in part). When one of these events occurs, we will use reasonable efforts to notify users before your information is transferred or becomes subject to a different privacy policy.

Wahed may share Personal Data with third parties if you have given us your consent to do so or:

• in the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;
• if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
• if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation or in order to enforce or apply our Website Terms and other agreements, but we will endeavor to minimise such disclosure to only that reasonably necessary and, where possible, to provide you with notice of such disclosure; and/or
• to protect the rights, property, or safety of Wahed, the Website, our users and any third party we interact with to provide the Website.

Wahed does not sell personal data to any third party.

Transfer of Personal Data Abroad

Any transfer of personal data outside Nigeria shall be conducted in accordance with the NDPA and subject to adequate safeguards. Such transfers may occur where:

• The receiving country or organisation ensures an adequate level of data protection.
• You have explicitly consented to the transfer after being informed of potential risks.
• The transfer is necessary for performance of a contract with you, or to take steps at your request.
• The transfer is required for the conclusion or performance of a contract in your interest.
• The transfer is necessary for important public interest, legal claims, or vital interests.

In all cases, Wahed ensures that contractual and technical measures are in place to maintain the confidentiality and security of your data.

DATA RETENTION, STORAGE, AND SECURITY

We retain your data for a period of seven (7) years. We also retain Personal Data from closed accounts to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation and other actions permitted by law.

The security of your Personal Data is important to us. We shall take all appropriate security and organizational measures to prevent unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of personal data under our control.

However, the security of information transmitted through the internet can never be guaranteed. We are not responsible for any interception or interruption of any communications through the internet or for changes to or losses of data. Users of the Website are responsible for maintaining the security of any password, user ID or other form of authentication involved in obtaining access to password-protected or secure areas of any of our digital services. In order to protect you and your data, we may suspend your use of any of the services, without notice, pending an investigation, if any breach of security is suspected. Access to and use of password protected and/or secure areas of any of the services is restricted to authorized users only. Unauthorized access to such areas is prohibited and may lead to criminal prosecution.

YOUR RIGHTS

Under the NDPA, you have the following rights in relation to your Personal Data. You may exercise these rights at any time by contacting our Data Protection Officer using the details in the Contact Information section.

1. Right to be Informed
   You are entitled to clear, transparent information about how and why we process your Personal Data, the categories of data involved, our lawful bases, recipients or categories of recipients, retention periods, and any transfers to third countries together with the corresponding safeguards.
2. Right of Access
   You may obtain confirmation as to whether we process your Personal Data and receive a copy of such data, together with the information required by NDPA, without unreasonable delay. Requests may be made via email to nigeriasupport@wahed.com or by calling +17652123831.
3. Right to Rectification
   You may require us to correct inaccurate Personal Data and to complete incomplete data without undue delay.
4. Right to Erasure (“Right to be Forgotten”)
   You may request the deletion of your Personal Data where, for example, the data are no longer necessary for the purposes collected, you have withdrawn consent and there is no other lawful basis, or the data have been unlawfully processed. We may continue to retain certain data where retention is required for legal, regulatory, tax, or compliance purposes, or for the establishment, exercise, or defence of legal claims.
5. Right to Restrict Processing
   You may request that we restrict processing of your Personal Data in specific circumstances (for example, while we verify accuracy or where processing is unlawful and you request restriction rather than erasure). During restriction, we will store your data but not otherwise process it except for legal claims or with your consent.
6. Right to Object
   You may object at any time to processing based on legitimate interests, including profiling on that basis, and we will cease such processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is required for legal claims. You may object at any time to processing for direct marketing, and we will stop such processing immediately.
7. Right to Data Portability
   Where processing is based on consent or on a contract and carried out by automated means, you may request to receive your Personal Data in a commonly used, machine-readable format and/or request that we transmit those data to another data controller where technically feasible.
8. Right to Withdraw Consent
   Where we rely on your consent, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal, and we may continue processing where another lawful basis applies. Please refer to the Withdrawal of Consent section for more information.
9. Rights in Relation to Automated Decision-Making (including Profiling)
   You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where such processing is used, you may request human intervention, express your point of view, and contest the decision.
10. Right to Lodge a Complaint
    You may lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe our processing violates NDPA. We encourage you to contact us first so we can address your concerns promptly.

HOW TO EXERCISE YOUR RIGHTS

To exercise any of your rights, you may contact our Data Protection Officer using the details provided in the Contact Information section of this Policy. For security, we may ask you to verify your identity before fulfilling your request, for example by confirming the email address associated with your Wahed account or other reasonable means. When submitting a request, please provide:

1. Your full name; and
2. A clear description of the right you wish to exercise.

If we decline a request, we will provide a clear explanation of our reasons and inform you of your options to escalate the matter, including to NDPC.

Withdrawal Of Consent

You are not obliged to permit us to process your personal data. If you do not wish us to do so, you may withhold your consent by writing to us at nigeriasupport@wahed.com. If you have previously given your consent for us to process your data for a specific purpose, you may withdraw or amend that consent at any time by providing a written notice to us. Such withdrawal or variation will not affect the lawfulness of processing carried out prior to our receipt of your notice.

LINKS TO THIRD PARTY WEBSITES AND SERVICES

You may use the Website to link to third party websites. If you use any link, you leave the Website. Your use of any third party website will be subject to that third party's terms and conditions. We do not monitor the content of third party web sites and any links provided are for your convenience only.

A link to any other website does not mean that we guarantee, approve or endorse the information or products available or the quality or accuracy of information presented on it.

We do not operate or control and have no responsibility for the information, products and/or services found on any external websites, unless expressly stated on such external websites. Nor do such links represent or endorse the accuracy or reliability of any information, products and/or services provided on or through any external websites, including, without limitation, warranties of any kind, either express or implied, warranties of title or non-infringement or implied warranties of merchantability or fitness for a particular purpose. You assume complete responsibility and risk in your use of any external sites.

If you decide to visit a third party website, you are subject to its privacy policy and practices, not this privacy policy. We encourage you to carefully review the legal and privacy notices of all other digital services that you visit.

PRIVACY OF CHILDREN

Wahed respects the privacy of children. We do not knowingly collect names, email addresses or any other personally identifiable information from children. We do not knowingly market to children nor do we allow children under 18 to open online accounts. 

The Wahed app will only allow users that are aged 18 or above to register as mentioned on this document. If false information is entered by the client, this will be checked by our authorised identity verification provider as well as our internal KYC teams and the account will be blocked from signing up further.

Consequently, Wahed shall not be liable for any use or processing of Personal Data of persons under the age of 18.

If as a parent or guardian, you become aware that your child or ward child has provided us with any information without your consent, please contact us through the details provided in this Privacy Policy.

GOVERNING LAW

This Policy is made pursuant to the Nigeria Data Protection Act 2023 (NDPA), Global Data Protection Regulation (GDPR) and other relevant Nigeria laws and regulations. Where any provisions of this Policy is deemed inconsistent with a law or regulations, such provisions shall be subject to the overriding law or regulations.

AMENDMENTS TO THE PRIVACY POLICY

We may update our privacy policy from time to time, to reflect changes to the mobile Application or Website, customer feedback and applicable rules and regulations. We will at all times notify you of any changes or updates.

CONTACT INFORMATION

We welcome any queries, comments, or concerns about this Privacy Policy or our data protection practices. You may contact our Data Protection Officer at:

• Email: nigeriasupport@wahed.com
• Telephone: +17652123831

If you are dissatisfied with how we collect or process your Personal Data, you also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC), the competent supervisory authority for data protection in Nigeria:

• Email: info@ndpc.gov.ng or dpo@ndpc.gov.ng 

This Privacy Policy will be reviewed on an annual basis, or sooner where required to reflect changes in law, regulation, or our business practices.

Policy effective since August 2017

Last Revised Date - June 2023

Notification of Privacy Policy:

At Wahed Invest LLC, protecting your privacy is very important to us. As a financial services firm, we collect and use non-public personal information (NPI) in order to provide our clients (prospective, current, or former) with a broad range of financial services as effectively and conveniently as possible. We are providing this notification to inform you of the types of NPI we collect, our privacy safeguards and sharing practices. We handle all NPI in accordance with this policy.

What is NPI? What Types of NPI does Wahed Invest Collect and from Whom Do We Collect it?

Non-public personal information (NPI) is confidential personal information about you that we obtain in connection with providing financial services or products to you. We generally collect non-public personal information about you from the following sources:

• Information we receive from you on applications or other forms (e.g., name, address, income, etc);
• Information about your transactions with us, our service providers, or other parties to transactions; 
• Information we may receive about you from unaffiliated financial service providers (e.g., custodians, insurance agents, attorneys, and consumer reporting agencies);
• Your responses to surveys that we might ask you to complete for research purposes; and
• Details of transactions you carry out through our digital application and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our app.

Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

• Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
• Information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is only statistical data and does not include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to customize our Website according to your individual interests.
• Speed up your searches.
• Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
• Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

We do not collect personal information automatically, but we may tie this information to personal information about you that we collect from other sources or you provide to us.

How is your NPI Utilized?

We do not disclose any non-public personal information (NPI) about you without your express consent, except as permitted and required by law. We only share your non-public personal information to:

1. Employees of our firm,
2. Our subsidiaries and affiliates.
3. Unaffiliated service providers such as account custodians (i.e., broker-dealers, banks and mutual fund companies),
4. Account aggregation services chosen by mutual agreement, and
5. Others who need to know such information in order to provide products or services to you.

We will also receive non-public personal information from some or all of the entities listed above. Disclosure of non-public personal information to such parties is unrestricted and facilitated by your agreement and consent.

We may also disclose your personal information:

• To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
• To enforce or apply our terms of use and other agreements.
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Wahed Invest LLC, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

How do We Protect your Personal Information?

We maintain physical, electronic and procedural safeguards to protect your non-public personal information. Our safeguards include measures to protect your information prior to, during and upon termination of our financial services engagement (i.e., disposal of your data).

DISCLOSING PERSONAL INFORMATION TO NON-AFFILIATED THIRD PARTIES

We do not sell, share or disclose your personal information to persons or entities other than as described above. We will not share or disclose such information to non-affiliated third-party marketing companies.

YOUR STATE PRIVACY RIGHTS

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information. To learn more about California residents' privacy rights, visit here. California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our App that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to support@wahed.com.

Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:

• Confirm whether we process their personal information.
• Access and delete certain personal information.
• Data portability.
• Opt-out of personal data processing for targeted advertising and sales.

Colorado, Connecticut, and Virginia also provide their state residents with rights to:

• Correct inaccuracies in their personal information, taking into account the information's nature processing purpose.
• Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights please submit an appropriate notice to legal@wahedinvest.com. To appeal a decision regarding a consumer rights request, submit an appeal referencing the original request to legal@wahedinvest.com.

FUTURE POLICY REVISIONS

This policy may change to reflect updates in our practices, procedures or regulatory requirements concerning the collection and use of NPI. As our client, you will receive notifications at least annually and our revisions or changes to this policy will be highlighted in our annual notifications. If you have any questions regarding our privacy policy, please do not hesitate to contact your investment advisor representative or you may write to, email, or call us at:

27 East 28th Street
8th floor
New York, NY 10016

Website: www.wahedinvest.com
Phone: +1-855-976-4747
Email: uscompliance@wahedinvest.com

We are providing this notification to you in accordance with Federal and State regulations.

Introduction

This policy contains the Privacy statement. This policy applies to Wahed Invest Ltd (referred to as ‘Wahed’).

Privacy Statement (data collection and storage)

Wahed Invest understands that its use of your information requires your trust. Wahed Invest is committed to the highest standards of data privacy and will only use your information for clearly described purposes and in accordance with your data protection rights. This statement contains details of the data processing that will take place.

Data Controller and Data Processor

A Data Controller under GDPR is the entity that determines the purposes, conditions and means of the processing of personal data.
The Data Processor is the entity that processes data on behalf of the Data Controller. Wahed Invest and Maydan Capital Ltd as "WahedX" and "Wahed Ventures", is the data controller for your personal information. All other Third Parties act as data processors in respect of your personal information held by Wahed Invest Ltd. Wahed Invest Ltd is the controller and responsible for its website and app. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights (See ‘Rights to Erasure’ section), please contact us using the information set out in the contact details section (‘Contact us’ section).

What we collect

In order to create an account with Wahed Invest and Maydan Capital Ltd as "WahedX" and "Wahed Ventures", we need to collect some personal details , as well as other information.

How we collect your information:

We use different methods to collect data from and about you including through:
Your interactions with us: You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you :

• apply for our products or services;
• create an account on our website;
• subscribe to our service or publications;
• request marketing to be sent to you;
• enter a competition, promotion or survey; or
• give us feedback or contact us.

Automated technologies or interactions.
As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies [server logs] and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details. Third parties or publicly available sources. We will receive personal data about you from various third parties [and public sources] as set out below:
Technical Data is collected from the following parties:

• Amazon Web Services
• Onfido
• Google Analytics
• Companies House
• Wealthkernel
• Plaid Inc

Information you give to us:

• Name and address
• Date of birth, nationality and national identifier/ national insurance number
• Payment information
• Bank account information & debit card
• Risk questionnaire answers
• Investment experience and sources of wealth
• Gender
• Health questions

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyze general trends in how users are interacting with our website to help improve the website and our service offering.

Why we need to collect this information

Wahed Invest are required under General Data Protection Regulation 2016/679 to explain the lawful basis of processing of your information.
We collect this information primarily to satisfy legal requirements and to enable us to provide the services required under your contract with us.
GDPR Article 6 (1) Lawfulness of processing requires:

Processing shall be lawful only if and to the extent that at least one of the following applies:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The types of lawful basis we rely upon are:

Legal, for example verifying your identity or complying with regulatory obligations, such as MiFID II.
Contract and legitimate interest, for example your email address and telephone number to contact you.
Consent, for example implicit consent would be the collection of your payment information for an optional service and explicit consent is for marketing or health information (special category data). Vital interest, for example if the account holder passes away, we’re required to liaise and allow access to the next of kin. Where explicit consent is required we will seek this from you, for example Marketing preferences and Pension. In order for Wahed Invest to provide you with a Personal Pension, we’re required to gather some health information, this is a special category under GDPR and therefore requires explicit consent. However, in the vast majority of cases explicit consent is not required, and implicit consent is inferred to perform our responsibilities under the contract. Where explicit consent is required and not provided it may result in non-benefit of service, or the inability to open an account with Wahed Invest, Maydan Capital Ltd as "WahedX" and "Wahed Ventures" and iWaqf CT.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reason;

• Performance of the contract
• Verify your identity
• To ensure the product and service is suitable
• Internal record keeping and record retention for legal requirements
• We may use the information to improve our products and services, by internal analysis of company data.
• We will only use your information for the purpose it was collected.
• Where explicit consent is given we will also use this information for marketing purposes
• Correspondence regarding your account via email, telephone
• Notify you of any changes to our service
• Tracking of your activity on our website

Who We Share Your Information With

Personal data is processed by Wahed Invest and may also be shared with its subsidiaries and affiliates, including Maydan Capital Ltd as "WahedX", "Wahed Ventures" and iWaqf Charitable Trust ( “iWaqf CT”) based in the UK. Wahed Invest Ltd and iWaqf CT have a Data Sharing agreement in place which sets out the purpose of sharing specific data, covers what happens to the data at each stage and sets standards that help all the parties involved in sharing data to be clear about their roles and responsibilities. For the purposes of the contract we are required to share your information with third parties, the situations in which we share this information are detailed below.

• Regulatory bodies or the police to comply with our legal obligations.
• Fraud prevention agencies, and other organisations in order to detect and prevent financial and other crime.
• Data, service and software providers to help improve and maintain our website
• Suppliers, business partners and affiliates where necessary for the performance of the contract, including sub-contractors.
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.
• If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

If data is processed in countries outside the EU, Wahed Invest uses EU standard agreements, including suitable technical and organizational measures, to ensure that your personal data is processed in accordance with the European level of data privacy. If you want to access the actual protections for data transfer to other countries, please request a copy of this information by emailing uksupport@wahed.com

International Data Transfers

Your personal data will only be stored or transferred within the UK, EU or US using standard contractual clauses, or other safeguards that have been approved by the relevant regulatory body.

Your rights Subject Access Requests

You’re entitled under the GDPR Article 15 ‘right of access’ to request the personal data that Wahed Invest holds on you. You can request a copy of this information by emailing uksupport@wahed.com If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

The Right to Erasure

You’re entitled under the GDPR Article 17 ‘right to erasure’ to request the deletion of personal data that Wahed Invest and our third parties hold on you. You can request this by emailing uksupport@wahed.com Please note, this does not affect any information required to be stored under record retention laws, more information on the retention period is set out below.

Retention Period

We will retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. Once Wahed has obtained your personal data, it will be maintained securely in Wahed's system for the period necessary to fulfill the purposes for which the data was collected (see above). Once a Registered User, you may terminate your membership of the App by contacting Wahed (uksupport@wahed.com).
Wahed may retain your personal data even after you have closed your account if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, resolve disputes between users, prevent fraud and abuse, or enforce this Privacy Policy and other relevant terms. Once your personal data is no longer required, we will securely delete or anonymize it.

How to change your privacy preferences

You can change your preferences, or withdraw your consent in relation to how Wahed Invest uses your personal information in one of the following ways:
You are also able to request information about your data stored at Wahed Invest as well as request the correction, deletion or restriction of your personal data for analytics and/or marketing use.

• By sending an email to uksupport@wahed.com
• Or by writing to us at:
  87-89 Baker Street,
  London,
  W1U 6RJ,
  United Kingdom

Under certain conditions you have the right to require us to:

• Provide you with further detail on the use we make of your information
• Provide you with a copy of your information
• Update any inaccuracies in the information we hold about you
• Delete any information about you that we no longer have a lawful ground to use
• Remove you from any direct marketing lists when you object or withdraw your consent
• Provide you with your personal information in a usable electronic format and transmit it to a third party (right to data portability)
• Restrict our use of your personal information
• Cease carrying out certain processing activities based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.

Your exercise of these rights is subject to certain exemptions to safeguard the public interest e.g. the prevention or detection of crime (GDPR Article 6 (1) (e)). If you are dissatisfied with our use of your information or our response to any exercise of these rights you have the right to complain to your data protection authority, this in the UK is the Information Commissioner's Office https://ico.org.uk We would, however, appreciate the chance
to deal with your concerns before you approach the ICO so please contact us in the first instance.

Security

We are committed to ensuring that your information is safe and secure. In order to prevent unauthorized access or disclosure, we utilize physical, electronic and managerial procedures to safeguard and secure the information we collect. There is also a lot that you can do to help us keep your account safe. We recommend that you
take the following actions:
Do not disclose your login and password details with anyone and don't store them on your device(s). If you feel someone may know your login details or if you lose your device then contact us immediately to prevent unauthorized access to your account.
Access your account using the best security offered by your browser to maintain the security of your account, this for example would be incognito for Google Chrome and Private browser for Safari.
If possible, keep your device’s operating system updated with the latest security patches and upgrades. Older software may have security vulnerabilities that could expose you to additional risks. You may also want to consider using a reputable brand of anti-virus software.

If We Contact You

When Wahed Invest contacts you we will never ask you to disclose your full security credentials. Be cautious about opening links contained in SMS messages or emails and beware of phishing scams. Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers. If you think your security details have been compromised then contact us immediately to prevent unauthorized access to your account.

Changes to Our Privacy Policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy. We keep our privacy policy under regular review. This version was last updated on 21st February 2024. Historic versions can be obtained by contacting us. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Third Party Links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Contact Details

If you would like to contact us regarding our Privacy Policy, please contact us via:

‍Email: uksupport@wahed.com

‍Telephone: +44 808 169 6662 (freephone customer service number)

Or visit us at:
87-89 Baker Street,London,W1U 6RJ,United Kingdom

INTRODUCTION

1. Privacy Policy

This Privacy Policy ("Privacy Policy") applies to Wahed Technologies Sdn. Bhd ("Wahed") and Wahed X Sdn Bhd s("Wahed Ventures") website at www.wahed.com/my (the "Website"). This Privacy Policy covers the collection, processing and other use and disclosure of personal data under the Personal Data Protection Act 2010 ("PDPA") and the General Data Protection Regulation ("GDPR"). For the purpose of the PDPA and GDPR we are the data controller/user and any enquiry regarding the collection or processing of your data should be sent to our email: malaysiasupport@wahedinvest.com For the purpose of this Privacy Policy, the terms "we", "us" and "our" refer to Wahed. "You" refers to you as the user of the Website. This Privacy Policy has been developed as an extension of our commitment to combine the highest-quality services with the highest level of integrity in dealing with all users of the Website. It is designed to assist you in understanding how we collect, use and safeguard personal information you provide to us and to assist you to make informed decisions. We will treat personal data that you provide through the Website according to this Privacy Policy, the PDPA and the GDPR. This statement will be continuously assessed and updated against new technologies, business practices and our customers' needs.

PLEASE REVIEW THIS PRIVACY POLICY CAREFULLY.‍

By visiting and/or submitting information to or through this Website, you agree to be bound by the terms and consent to the collection, use, disclosure, retention and processing of your information as described in this Privacy Policy, the PDPA and the GDPR.

2. Exclusion

You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

3. Amendments to the Privacy Policy

This Privacy Policy will come into effect on 15th April 2024 (the "Effective Date"). Although most changes are likely to be minor, we may change our Privacy Policy from time to time, to reflect changes to the Website, customer feedback and applicable law and in our sole discretion. If we decide to change our Privacy Policy, we will post those changes on this page so that you are always aware of what information we collect, how we use it, and under what circumstances we disclose it.  We encourage you to frequently check this page for any changes to the Privacy Policy. We will not make retroactive changes that reduce your privacy rights unless we are legally required to do so. Your continued use of the Website after any change in this Privacy Policy will constitute your acceptance of the amended Privacy Policy.

INFORMATION WE COLLECT

4. Types of Information

We collect various kinds of information that you provide to us as well as information we obtain from your use of the Website. Some of the types of information that we collect include:

Personal Data

Information associated with or used to identify or contact a specific person. Personal Data includes: (1) contact data (such as name, address, postal address, e-mail address, telephone number and employer); (2) financial information (such as credit card number); (3) demographic data (such as gender, date of birth and zip code); and (4) certain Usage Data (defined below), such as IP address.

Certain personal information, such as information about personal health or racial or ethnic origins, is characterized as sensitive ("Sensitive Personal Data") and subject to stricter regulation than other personal information. Before providing it to use, we urge you to carefully consider whether to disclose your Sensitive Personal Data to us. If you do provide Sensitive Personal Data to us, you consent to its use and disclosure for the purposes and in the manner described in this Privacy Policy.

Usage Data

Information about an individual's online activity that, by itself, does not identify the individual, such as:

technical information, including your browser type, service provider, IP address, operating system and webpages visited;

information about what you've searched for and looked at while using the Website; or

metadata, which means information related to items you made available through the Website, such as the date, time or location that a shared photograph or video was taken or posted.

Generally, we do not consider Usage Data as Personal Data because Usage Data by itself usually does not identify an individual. Personal Data and Usage Data may be linked together. Different types of information also may be linked together and, once linked, may identify an individual person. Some Usage Data may be Personal Data under applicable law.

Location Data

A category of Personal Data collected about the location of a mobile device or computer, including:

the location of the mobile device or computer used to access the Website derived from GPS or WiFi use;

the IP address of the mobile device or computer or internet service used to access the Website; and; and

other information made available by a user or others that indicates the current or prior location of the user.

5. How We Collect Information

Whether we collect certain types of information and how we process it depends on how you use and access the Website. Some information is collected automatically through use of cookies and similar data collection tools. We collect information about you in the following ways:

From You We collect information from you when you:

Use our services. We collect Personal Data from you when you create an account to use one of our services, contact us for help or information or otherwise voluntarily provide your Personal Data.

Connect with social media though the Website. The Website may offer you the ability to use Facebook Connect or other social media services (collectively, "Social Media") in conjunction with certain services. When you access the Website through your Facebook or other Social Media account, the Website may, depending on your privacy settings, have access to information that you have provided to the Social Media platform. We may use this information for the purposes described in section 6.

From Our Business Partners and Service Providers

Third parties that assist us with our business operations also collect information (including Personal Data and Usage Data) about you through the Website and share it with us. We may combine the information we collect from you with information from other sources and use the combined information as described in this Privacy Policy.

Usage Data

We also automatically collect Usage Data when you interact with the Website.

From cookies and other data collection tools

Our Website uses cookies. We use cookies to gather information about your computer for our services and to provide statistical information regarding the use of our Website. Such information will not identify you personally - it is statistical data about our visitors and their use of our Website. This statistical data does not identify any personal details whatsoever. We may also gather information about your general internet use by using a cookie file. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer, as cookies contain information that is transferred to your computer's hard drive. They help us to improve our Website and the service that we provide to you by tracking users' navigation habits and storing users' password, customizing users' experience with the Website; enabling us to analyze technical and navigational information; and helping to detect and prevent fraud.

We also use other cookies and other data collection tools (such as web beacons and server logs), which we collectively refer to as "data collection tools," to help improve your experience with the Website. For example, data collection tools help us remember users and make the services more relevant to them.

The Website also may use data collection tools to collect information from the device used to access the Website, such as operating system type, browser type, domain and other system settings, as well as the operating system used and the country and time zone in which the computer or device is located.

Web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to manage and delete cookies, visit www.allaboutcookies.org Some web browsers (including some mobile web browsers) provide settings that allow a user to reject cookies or to alert a user when a cookie is placed on the user's computer, tablet or mobile device. Most mobile devices also offer settings to reject mobile device identifiers.

All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular parts of our Website.

6. How We Use Your Information

We may process the information we collect/you provide to us in accordance with the PDPA and GDPR. This information is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:

to operate, improve and personalize the products and services we offer, and to give each user a more consistent and personalized experience when interacting with us;

for customer service, security, to detect fraud or illegal activities, or for archival and backup purposes in connection with the provision of services;

to communicate with users and to notify them about any changes to our Website, such as improvements or service/product changes, that may affect our services;

to better understand how users access and use the Website, for the purposes of trying to improve our services and to respond to user preferences, including language and location customization, personalized help and instructions, or other responses to users' usage of the Website;

to help us develop our new products and services and improve our existing products and services;

to provide users with advertising and direct marketing that is more relevant to you;

to enforce any other applicable policies; and

to assess the effectiveness of and improve advertising and other marketing and promotional activities on or in connection with the Website.

In order to provide you with a better experience and to improve the services, information collected through the Website may be used in an aggregated or individualized manner.

For example, personal information collected during use of one of the services may be used to suggest particular content that can be made available to the user on another service or be used to try to present more relevant advertising in another service.

7. How We Share and Disclose Your Information

We may share and disclose information as described at the time information is collected or as follows:

When you consent

We may share Personal Data with third parties if you have given us your consent to do so or:

in the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;

if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;

if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation or in order to enforce or apply our Website Terms and other agreements, but we will endeavor to minimise such disclosure to only that reasonably necessary and, where possible, to provide you with notice of such disclosure; and/or

to protect the rights, property, or safety of Wahed, the Website, our users and any third party we interact with to provide the Website.

If you do not want us to use your data, you will have the opportunity to withhold your consent to this when you provide your details to us on the form on which we collect your data, or you can do so by writing to malaysiasupport@wahedinvest.com

In the same manner, if you have given us consent to use your data for a particular purpose you can revoke or vary that consent at any time.

To perform services

We may disclose Personal Data to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries in order to perform services requested or functions initiated by users. In addition, we may disclose Personal Data in order to identify a user in connection with communications sent through the Website. With third party service providers performing services on our behalf We share information, including Personal Data, with our service providers to perform the functions for which we engage them (such as hosting and data analyses). We may share information as needed to operate other related services.

For legal purposes

For legal purposes We also may share information that we collect from users, as needed, to enforce our rights, protect our property or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will disclose Personal Data as we deem necessary to respond to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process. We may also share Personal Data as required to pursue available remedies or limit damages we may sustain.

In aggregated form

We may share Personal Data about you in an aggregated form that is, in a statistical or summary form that does not include any personal identifiers, with third parties in order to discover and reveal trends about how users like you interact with our services.

During corporate changes

We may transfer information, including your Personal Data, in connection with a merger, sale, acquisition or other change of ownership or control by or of us or any affiliated company (in each case whether in whole or in part). When one of these events occurs, we will use reasonable efforts to notify users before your information is transferred or becomes subject to a different Privacy Policy.

8. Information Storage and Security

We retain information for a period of seven (7) years. We also retain Personal Data from closed accounts to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation and other actions permitted by law. After this period, we dispose of it according to our data retention and deletion policies.

The security of your Personal Data is important to us. We shall take all appropriate security and organizational measures to prevent unauthorized access to, alteration of, disclosure of, accidental loss, and destruction of personal information under our control. When you register on Wahed website, we use a secure server. The secure server software (SSL) encrypts all information you input before it is sent to us. Furthermore, all of the sensitive data we collect is protected by several layers of encryption and several layers of security to prevent unauthorized access.

However, the security of information transmitted through the internet can never be guaranteed. We are not responsible for any interception or interruption of any communications through the internet or for changes to or losses of data. Users of the Website are responsible for maintaining the security of any password, user ID or other form of authentication involved in obtaining access to password protected or secure areas of any of our digital services. In order to protect you and your data, we may suspend your use of any of the services, without notice, pending an investigation, if any breach of security is suspected. Access to and use of password protected and/or secure areas of any of the services are restricted to authorized users only. Unauthorized access to such areas is prohibited and may lead to criminal prosecution.

9. Your Rights

The PDPA and GDPR give you the right and it is also important to us that you are able to access, review and request copy of the Personal information held about you by us. You are also entitled to have incorrect Personal Data about you corrected and you may in some cases ask us to restrict our processing in certain circumstances or delete your Personal Data. Please write to us or contact us by email if you wish to request confirmation of what personal information we hold relating to you. You can write to us by email to malaysiasupport@wahedinvest.com There is no charge for requesting that we provide you with details of the personal data that we hold. We will provide this information within 30 days of your requesting the data.

You also have the right to change the permissions that you have given us in relation to how we may use your data. You also have the right to request that we cease using your data or that we delete all personal data records that we hold relating to you. You can exercise these rights at any time by writing to us at the addresses detailed above.

The GDPR and PDPA also give you right to lodge a complaint with a supervisory authority, in particular in the state where you work, normally live or where any alleged infringement of data protection laws occurred if you consider that the processing of your Personal Data infringes these regulations.

10. Links to Third Party Websites and Services

The Services may contain links to third-party websites and services with which we have no affiliation. A link to any other website does not mean that we guarantee, approve or endorse the information or products available or the quality or accuracy of information presented on it.

We do not operate or control and have no responsibility for the information, products and/or services found on any external websites, unless expressly stated on such external website. Nor do such links represent or endorse the accuracy or reliability of any information, products and/or services provided on or through any external websites, including, without limitation, warranties of any kind, either express or implied, warranties of title or non-infringement or implied warranties of merchantability or fitness for a particular purpose. You assume complete responsibility and risk in your use of any external sites.

If you decide to visit a third party website, you are subject to its Privacy Policy and practices and not this Privacy Policy. We encourage you to carefully review the legal and privacy notices of all other digital services that you visit.

We welcome any queries, comments or requests you may have regarding this Privacy Policy. Please do not hesitate to contact us at malaysiasupport@wahedinvest.com

Version: May 3, 2019

Introduction

This Privacy Statement explains in a simple and transparent way how Wahed Invest Limited (in this Privacy Statement, the “Firm”, “us”, “we” and “our”) collects, uses and discloses your personal data, and your rights in relation to the personal data it holds. Our approach can be summarized as: the right people use the right data for the right purpose.

We are the data controller of your personal data and are subject to the ADGM Data Protection Regulation 2021 (hereafter referred to as the “Data Protection Regulations”).

This Privacy Statement supersedes any previous Privacy Statement or equivalent which you may have been provided with or seen prior to the effective date stated above.

1. Scope of this Privacy Statement

This Privacy Statement applies to the following individuals (“you”):

• Our past, present and prospective customers;
• Anyone involved in any transaction or interaction with us, whether it is in your personal capacity or as a representative of a legal entity (for example, director, a company manager, agent, legal representative, operational staff, other authorized representative, etc.); and
• Our employees, advisors, consultants or secondees.

2. How do we obtain your personal data?

We obtain your personal data as follows:

• From the information you provide to us when you meet or interact with us;
• From information about you provided to us by your company or an authorized intermediary;
• When you communicate with us by telephone, fax, email or other forms of electronic communication. In this respect, we may monitor, record and store any such communication;
• When you complete (or we complete on your behalf) client on-boarding or application or other forms;
• From your agents, advisers, intermediaries, and custodians of your assets; or
• From publicly available sources or from third parties, most commonly where we need to conduct background checks about you.

3. What types of personal data do we process?

We collect the following categories of personal data about you:

• Your name and contact information such as your home or business address, email address, telephone number and social media contact details;
• Biographical information which may confirm your identity including your date and place of birth, tax identification number, national insurance number, your passport number or national identity card and visa details, country of domicile and/or your nationality;
• Information relating to your financial situation such as income, expenditure, assets and liabilities, sources of wealth, as well as your bank account details;
• Information about your knowledge and experience in the investment field;
• An understanding of your goals and objectives in procuring our services;
• Information about your employment, education, family or personal circumstances, and interests, where relevant;
• Know our customer data as part of customer due diligence and to prevent fraudulent conduct or behavior that contravenes sanctions and to comply with regulations against money laundering, terrorist financing and tax fraud; and
• Where applicable and legally permissible audio-visual data such as surveillance videos, recording of phone or video calls or chats with our employees or offices. We can use these recordings to verify telephone orders, for fraud prevention or staff training purposes.
• Special categories of personal data is data relating to your health, ethnicity, religious and political beliefs, genetic or biometric data, or criminal data.
• We may process your special categories of personal data if:
• We have your explicit consent to do so; or
• We are required or allowed to do so by applicable local law (for instance to comply with money laundering and terrorism financing monitoring: we monitor your activity and may report it to the competent regulatory authorities).

4. What do we do with your personal data?

Processing means every activity that can be carried out in connection with personal data such as collecting, recording, storing, adjusting, organizing, using, disclosing, transferring or deleting it in accordance with applicable laws.

We only use your personal data under one of the following legal grounds:

• To conclude and carry out a contract with you;
• To comply with our legal obligations;
• For our legitimate business interests. This data processing may be necessary to maintain good commercial relations with all our customers and other concerned parties. We may also process your data to prevent and combat fraud and to maintain the security of your transactions and of the operations made by us;
• When we have your consent. In this case, you may withdraw your consent at any time.

We may process your data for the following purposes:

Administration

For example, when you wish to become our customer we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you as a customer. We also need to know your postal, e-mail address or phone number to contact you.

Performance of agreement to which you are a party or taking steps prior to entering into agreements

We use information about you when you enter into an agreement with us or when we have to contact you. We analyze information about you to assess whether you are eligible for our products and services.

Relationship management and marketing

We may ask you for feedback about our products and services, or record your conversations with us online, by telephone or in our office. We may share this with certain members of our staff to improve our offering or to customize products and services for you. If you don’t wish to receive these offers you have the right to object or to withdraw your consent by sending an email or telephoning us (see section “Our Contact Details” below).

Safety and security

We have a duty to protect your personal data and to prevent, detect and contain any breaches of your data. This includes personal data we are obliged to collect about you, for example to verify your identity when you become a customer. Furthermore, we not only want to protect you against fraud and cybercrime, we have also a duty to ensure the security and integrity of ourselves and the financial system as a whole by combatting crimes like money laundering, terrorism financing and tax fraud.

Compliance with legal obligations to which we are subject

We process your data to comply with a range of legal obligations and statutory requirements.

5. With whom do we share your personal data and for which reasons?

To provide you with our services, we share certain data within our corporate group or externally with third parties.

Whenever we share your personal data externally with third parties in countries without a deemed adequate level of protection for personal data, we ensure the necessary safeguards are in place to protect it. We rely hereby upon, amongst others:

• The conclusion or the execution of an agreement, a transaction or a third-party transaction in your favor;
• Requirements based on applicable local laws and regulations;
• When applicable, we use standardized contractual clauses in agreement with service providers to ensure personal data transferred to countries without an adequate level of protection for personal data comply with the ADGM Data Protection Regulations or GDPR, as applicable.
• Data transfer that are necessary for reasons of public interest;
• Your explicit consent;
• International treaties that protects personal data transferred to certain service providers abroad.

To comply with our regulatory obligations, we may disclose personal data to the relevant government, supervisory and judicial authorities such as:

• Public authorities, regulators and supervisory bodies such as the financial sector supervisors in the countries in which we operate.
• Tax authorities may require us to report customer assets or other personal data such as your name and contact details and other information about your organization. For this purpose, we may process your identification data such as your tax identification number or any other national identifier in accordance with applicable local law.
• Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legitimate request.

To process certain financial services, we may have to share information about you and your organization with a bank or specialized financial company. We also share information with financial sector specialists, who assist us with financial services, for instance, in the following cases:

• Exchanging secure financial transaction messages;
• Payments and credit transactions worldwide;
• Processing electronic transactions worldwide;
• Settling domestic and cross-border security transactions and payment transactions; or
• Other financial services organization including stockbrokers, custodians, fund managers, fund administrators and portfolio service providers.

When we use other service providers or third parties to carry out certain activities in the normal course of business, we may have to share personal data required for a particular task. The service providers include:

• IT service providers who may provide application or infrastructure (such as cloud) services;
• Marketing activities or events and managing customer communications;
• Preparing reports and statistics, printing materials and designing products;
• Placing advertisements on apps, websites and social media;
• Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
• Identifying, investigating or preventing fraud or other misconduct by specialized companies.

6. What are your rights and how do we respect them?

We respect your individual rights to determine how your personal data is used. These rights include:

Right to access information

You have the right to ask us for an overview of your personal data that we process.

Right of rectification

If your personal data is incorrect, you have the right to request us to rectify it. If we shared data about you with a third party and that data is later corrected, we will also notify that party accordingly.

Right to object processing

You can object us using your personal data for our own legitimate interests (for example, marketing). We will consider your objection and stop processing your data unless we assess that we have legitimate and imperious reasons that justify processing your data.

You can also object to receiving commercial messages from us (by e-mail, mail and phone) or for statistical purposes. When you become our customer, we may ask you whether you want to receive personalized offers. Should you later change your mind, you can choose to opt out of receiving these messages by sending an email to us (see section “Our contact details” below).

Right to restrict processing

You have the right to ask us to restrict using your personal data for the period necessary to us for our verifications if:

• You believe the information is inaccurate;
• we are processing your personal data unlawfully;
• you have objected to us processing your personal data for our own legitimate interests;
• you have the same right if we no longer need your personal data, but you want us to keep it for use in a legal claim.

Right to data portability

You have the right to ask us to transfer some of your personal data directly to you or to another company. This applies to personal data we process by electronic means and with your consent or because of a contract with you. Where technically feasible, we will transfer your personal data.

Right to erasure (also known as right to be forgotten)

Unless required by law, you may ask us to erase your personal data if:

• We no longer need it for its original purpose;
• You withdraw your consent for processing it;
• You object to us processing your data for our own legitimate interests (except for legitimate and compelling interests) or for commercial messages; or
• We unlawfully process your personal data.

Right to complain

Should you not be satisfied with the way we have responded to your concerns you have the right to submit a complaint to us. If you are still unhappy with our reaction to your complaint, you can escalate it to our Compliance Department. You can also contact the ADGM Office of Data Protection  https://www.adgm.com/operating-in-adgm/office-of-data-protection/for-individuals

Exercising your rights

You can also exercise your rights by contacting us (see section “Our contact details” below).

We aim to respond to your request as quickly as possible. In some instances, this could take up to one month. Should we require more time to complete your request, we will let you know how much longer we need and provide reasons for the delay. In certain legal cases, we may deny your request. If it’s legally permitted, we will let you know in due course why we denied it.

7. Are you obliged to provide us with your personal data?

In some cases, we are legally required to collect personal data, or your personal data may be needed before we may perform certain services and provide certain products. We undertake to request only the personal data that is strictly necessary for the relevant purpose. Failure to provide the necessary personal data may cause delays or lead to refusal of certain products and services.

8. How do we protect your personal data?

We take appropriate technical and organizational measures (policies, procedures, IT security, etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed. We apply an internal framework of policies and minimum standards across our business to keep your personal data safe. These policies and standards are periodically updated to keep them up to date with regulations and market developments.

In addition, our employees are subject to confidentiality obligations and may not disclose your personal data unlawfully or unnecessarily. To help us continue to protect your personal data, you should always contact us if you suspect that your personal data may have been compromised.

9. How long do we keep your personal data?

We will only retain your personal data for as long as we have a lawful reason to do so. In particular:

• Where we have collected your personal data as required by anti-money laundering legislation, including for identification, screening and reporting, we will retain that personal data for six years after the termination of our relationship, unless we are required to retain this information by another law or for the purposes of court proceedings; or
  ‍
• Otherwise, we will in most cases retain your personal data for a period of ten years after the termination of our contractual or other relationship with you in case any claims arise out of the provision of our services to you.

When your personal data is no longer necessary for a process or activity for which it was originally collected, we delete it, or bundle data at a certain abstraction level, render it anonymous and dispose it in accordance with the applicable laws and regulations.

10. Changes to this Privacy Statement

We may amend this Privacy Statement to remain compliant with any changes in law or to reflect how our business processes personal data. This version was created and published at the end of December 31, 2022 and enters into force on December 31, 2022. The most recent version is available on our website.

11. Our contact details

You can address your queries regarding this Privacy Statement to:

Compliance Officer, Wahed

Cloud Suite 213, 15th floor, Al Sarab Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates

uaecompliance@wahed.com