1. Who we are
Haya ("Haya", "we", "us", "our") is a halal-conscious matrimony and serious-relationships platform that helps Muslim adults find compatible partners for long-term relationships and marriage.
The controller of your personal data is:
- Legal entity: [COMPANY LEGAL NAME]
- Registered address: [REGISTERED ADDRESS]
- Jurisdiction of incorporation: [JURISDICTION]
- Trade licence / registration number: [NUMBER]
- Contact for privacy matters: [[email protected]]
- Data Protection Officer or representative (if appointed): [NAME / EMAIL]
If you are a resident of the United Arab Emirates, this policy is written to comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and the regulations issued by the UAE Data Office. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar data-protection rules, additional protections may apply and are described in section 13.
2. Scope
This policy describes the personal data we collect through the Haya mobile application, the Haya website, and any related services (together, the "Service"). It does not cover services operated by third parties to which we link or which integrate with the Service. Where third parties act as independent controllers of your data — for example Apple, Google, or your mobile network operator — their privacy notices apply in addition to this one.
3. Eligibility
The Service is intended only for adults aged 18 years or older who are legally permitted to use a matrimony and relationships service in the jurisdiction where they are located. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at the address in section 1 and we will delete it.
4. Categories of personal data we collect
We collect personal data only to operate the Service, keep our community safe, comply with the law, and improve the product. Categories are grouped below by purpose.
4.1 Account and authentication data
When you create an account we collect:
- Mobile phone number (used as your login identifier)
- First and last name
- One-time verification codes sent by SMS for phone sign-in (handled by Twilio — see section 7)
4.2 Profile data
When you complete your Haya profile we collect the information you choose to provide, including:
- Display name
- Date of birth (used to confirm you are 18+ and to compute your age for matching; your exact date of birth is not displayed on your profile)
- Gender
- A short bio (free-form text)
- Profile photographs
- Education level
- Nationalities and the country you grew up in
- Marital status (for example never married, separated, divorced)
- Whether you have children
- Halal eating preference
- Smoking status
- Interests and personality traits selected from preset options
- Preferred chat language
4.3 Sensitive personal data
The following data is treated as sensitive personal data under the UAE PDPL and as special-category data under GDPR-style frameworks. We only process it on the basis of your explicit consent, which you give by entering it into your profile:
- Religion and religious practice — including your sect (Sunni, Shia, other, or prefer-not-to-say), your level of religious practice, and the faith-related tags you select.
- Information that may relate to relationship preferences — including your stated dating intent and the gender field used to apply Haya's male-to-female and female-to-male matching rule.
- Biometric data — when you complete identity verification we collect, through our verification partner Veriff, an image of a government-issued identity document and a short selfie video used for liveness detection and face matching (see sections 4.7 and 7).
- Precise location — when you grant the relevant permission, we collect your device's latitude and longitude to power discovery and distance calculations (see section 4.6).
You can withdraw your consent for any of these categories at any time by editing your profile, turning off the relevant permission on your device, or deleting your account. Withdrawing consent will prevent us from offering features that depend on that data.
4.4 Preferences and matching data
To produce relevant suggestions we collect your matching preferences:
- Preferred age range
- Dating intent (for example marriage, get-to-know, serious, curious)
- Getting-to-know timeline and marriage timeline
- The gender field used to apply opposite-gender matching
- Preferred location and search radius (in kilometres)
- Whether you have enabled global discovery
4.5 Activity and behavioural data
The Service generates and records data about how you use it so we can rank, deliver, and improve recommendations:
- Which profiles we have shown you, which you actually viewed, skipped, liked, or super-liked, and which were resurfaced later
- The position of a profile in your feed, the algorithm version, and an internal compatibility score with a non-personal score breakdown
- Which of your photos was shown to a given viewer and how many times
- Match events, introductions sent or received, and the status of each
- Messages you send and receive within Haya chats, including their timestamps and read receipts
- Translations and AI-suggested message openers (see section 4.9)
- Reports you submit about other users, blocks you place, and any safety actions taken on your account
- App diagnostic information such as device model, operating-system version, app version, and crash data when you choose to share it
4.6 Location data
If you grant your device's location permission, we collect your approximate or precise location to:
- Show you people within your chosen search radius
- Estimate distance on profile cards
- Power the "global discovery" toggle when you turn it on
- Detect obvious location spoofing for safety
We store your most recent location and a coarse history needed to operate discovery; we do not continuously track you in the background. You can change or revoke location permission at any time in your device settings.
4.7 Identity-verification data
When you choose to complete identity verification, you are redirected to our verification partner Veriff. Veriff captures:
- A photograph or scan of a government-issued identity document
- A short selfie or video used for liveness detection and face matching
- The name, date of birth, and document number extracted from your ID
Haya itself does not retain the ID document or selfie. We receive from Veriff only:
- A verification session identifier and decision (approved, declined, resubmission requested, expired)
- The reason and reason code if your check is declined
- Whether the name and date of birth on your ID matched the values on your Haya profile
- The timestamp of the decision and when it expires
Veriff is an independent controller of the biometric and identity-document data it captures. Their processing is governed by the Veriff privacy notice.
4.8 Subscription and payment data
If you purchase Haya Plus or any other paid feature, the in-app purchase is processed by Apple (App Store) or Google (Google Play). Haya does not receive or store your full payment card number, bank details, or government tax identifiers.
Through our subscriptions partner RevenueCat, we receive and store:
- A subscription identifier and the product purchased (for example "Plus monthly")
- The current period start and end dates, renewal state, cancellation, and refund events
- A store transaction identifier from Apple or Google
- Webhook events from RevenueCat that record the lifecycle of your subscription
4.9 Communications and AI assistance
Haya uses AI models hosted by Google (the Gemini family) to provide three optional features:
- Profile builder — a conversational helper that turns short answers into a polished profile draft. We send the AI service the inputs you provide during the session and store the resulting draft and a summary.
- Message translation — when you translate a chat message, we send the message body and a small amount of context (such as your preferred chat language) to the AI service and store the translation and a confidence score.
- Suggested openers — when you start a chat, we may generate suggested opening messages from your match's profile context (such as their interests, traits, and bio).
These features are optional. We do not use your private chat messages, your photos, or your contacts to train any third-party AI model. AI processing occurs as described in section 7.
4.10 Push and device data
To deliver push notifications we collect:
- Your device push token (from Apple Push Notification service for iOS, Firebase Cloud Messaging for Android)
- Your platform (iOS or Android), an Expo app-instance identifier, and an optional device identifier
- Notification delivery and read events tied to your account
4.11 Contact-list matching (optional)
If you grant permission to access your device contacts, we compute a one-way HMAC-SHA-256 hash of each phone number on the device and store only the hashes. We use these hashes to hide Haya profiles that match your contacts (for example to keep your relatives from appearing in your feed). We do not store the original phone numbers from your address book, we do not upload your contacts' names, and we never use this data for marketing or to invite people who are not already on Haya. You can revoke this permission at any time, after which we delete the stored hashes for your account.
4.12 Safety, reporting, and moderation data
When you report another user, block another user, or are the subject of a report, we record:
- Who took the action, who the subject is, when it happened, and the stated reason
- Free-text details you choose to provide in a report
- The decision a moderator reaches and the action taken on the account
We may also record limited details about content that has been removed for safety reasons even after the content itself is deleted, so that we can enforce our rules consistently.
4.13 Waitlist data (pre-launch)
If you signed up to be notified before Haya was generally available, we collected your email, optional phone number, optional name, and the source you came from. This data is used only to send you launch updates and to seed your account if you choose to create one.
5. How we use your data and our lawful basis
We process personal data for the purposes set out below. For each purpose, we identify the lawful basis under the UAE PDPL (and, where relevant, GDPR Article 6 / Article 9 equivalents):
| Purpose | Examples | UAE PDPL lawful basis |
|---|---|---|
| Operating your account and providing the Service | Account creation, sign-in, profile delivery, messaging, matching | Performance of a contract with you (Art. 4(2)) |
| Showing you compatible profiles | Discovery feed, intros, scoring, resurfacing rotation | Performance of a contract; legitimate interests in offering the core product (Art. 4(7)) |
| Identity verification and trust | Veriff check, name and date-of-birth match, badge display | Performance of a contract; legitimate interests in safety; compliance with applicable law |
| Processing payments and subscriptions | Recording purchases and renewals received from Apple, Google, and RevenueCat | Performance of a contract |
| Sending operational messages | Match notifications, message notifications, security alerts | Performance of a contract; legitimate interests |
| Safety, fraud, and abuse prevention | Reports, blocks, moderation, contact-list filtering, spoof detection | Legitimate interests in protecting our community; compliance with applicable law |
| Processing sensitive data (religion, gender-based matching, biometrics, precise location) | Faith fields, opposite-gender matching, Veriff KYC, location-based discovery | Your explicit consent (Art. 5) — withdrawable at any time |
| Service improvement and analytics | Crash reports, aggregated usage analytics, ranking-model evaluation | Legitimate interests, balanced against your rights |
| Marketing or product updates that we send to you directly | Launch announcements, optional newsletter | Consent — we will ask before sending and you can unsubscribe at any time |
| Complying with legal obligations | Tax records, lawful access requests, regulator inquiries | Compliance with a legal obligation |
We do not use your data to make solely automated decisions that produce legal or similarly significant effects on you. Our matching algorithm assists with discovery but does not, on its own, decide whether you can use the Service.
6. Halal and respectful-conduct framing
Haya is designed for serious, long-term, halal-conscious connections. We do not require any user to identify as Muslim, and we welcome anyone of any background who is here for serious, respectful relationships. We do, however, prohibit sexually explicit content, nudity, harassment, scams, and other behaviour that conflicts with our community guidelines and with the laws of the United Arab Emirates, including but not limited to:
- UAE Federal Decree-Law No. 34 of 2021 on combatting rumours and cybercrime
- UAE Federal Decree-Law No. 31 of 2021 (the UAE Penal Code) as it relates to public decency
If you upload or send content that violates these standards we may remove the content, suspend or terminate your account, and where required disclose information to competent authorities — see section 11.
7. Third parties that process data on our behalf
We use the following sub-processors and partners. Each operates under a written agreement requiring them to protect your data and to use it only for the purposes we instruct.
| Provider | What they do | Categories of data | Location of processing |
|---|---|---|---|
| Google Cloud Platform | Hosts our API, AI agent service, database, and file storage | All account, profile, activity, and media data | me-central1 (Doha, Qatar) — Gulf region |
| Google Cloud Storage | Stores profile photos and chat media | Photos and media you upload | Same region as above |
| Google (Gemini API) | Powers profile-builder, message translation, and suggested openers | The inputs you submit to those features and limited profile context | Google AI infrastructure |
| Twilio | Sends SMS one-time passwords for phone sign-in | Phone number, country code, verification status | Twilio global infrastructure (US/EU) |
| Veriff | Identity verification (KYC) | Government ID image, selfie, name, date of birth, document number | Veriff EEA-based infrastructure (Estonia) |
| RevenueCat | Subscription management and webhook delivery for in-app purchases | Subscription identifiers, transaction IDs, entitlement state | RevenueCat US infrastructure |
| Apple (App Store) | iOS app distribution and in-app purchase processing | Apple ID purchase data | Apple global infrastructure |
| Google (Google Play) | Android app distribution and in-app purchase processing | Google account purchase data | Google global infrastructure |
| APNs / FCM | Push notification delivery | Device push token and notification payload | Apple / Google infrastructure |
| Expo | Mobile app build, OTA updates, push relay | App instance identifier, push token, crash data | Expo infrastructure (US) |
We do not sell your personal data and we do not share it with advertising networks for behavioural advertising.
8. International transfers
Haya processes your personal data inside the Gulf region. Our primary database, application servers, and file storage run in Google Cloud's me-central1 region (Doha, Qatar).
Some of our partners are based outside the UAE — notably Veriff (European Union), RevenueCat (United States), Twilio (United States and European Union), and Google's Gemini AI service. When personal data is transferred outside the UAE, we rely on one or more of the following safeguards permitted by the UAE PDPL:
- A transfer to a country that the UAE Data Office considers to provide an adequate level of protection
- Standard contractual clauses or equivalent contractual safeguards with the recipient
- Your explicit consent to the transfer (for example when you opt into Veriff identity verification)
- The transfer being necessary to perform a contract we have with you (for example to deliver a subscription you purchased through Apple or Google)
You can request a copy of the safeguards we rely on by contacting us at the address in section 1.
9. Data retention
We keep personal data only for as long as we need it. The table below summarises our default retention; specific records may be kept longer if required by law, by a regulator, or to handle a dispute.
| Data | Retention |
|---|---|
| Account, profile, preferences, and matching data | While your account is active. After deletion, permanently deleted or irreversibly anonymised within 30 days, except where law requires longer retention. |
| Chat messages | While both participants have active accounts. When either account is deleted, messages from the deleted user are removed from the remaining user's view within 30 days. |
| Profile photographs and uploaded media | Deleted with the related profile or chat record. Backups are overwritten on our standard backup rotation (typically 30 days). |
| Discovery candidates and events | Up to 24 months for safety reviews and aggregated ranking improvements. |
| Identity-verification decisions (Haya side) | While your account is active, plus up to 24 months afterwards for fraud prevention. Veriff retains the underlying biometric data under its own policy. |
| Subscription and payment records | At least 7 years where required by tax or financial-reporting law. |
| Safety reports, blocks, and moderation records | Up to 5 years, even if the reported account is deleted. |
| Refresh tokens and session identifiers | Until they expire or you sign out. |
| Push tokens | Until you log out, uninstall the app, or revoke the permission. |
| Contact-list hashes | Until you revoke contact permission or delete your account. |
| Waitlist email and details | Until you create an account or unsubscribe, after which deleted within 30 days. |
10. Your rights
Subject to the UAE PDPL and any other privacy laws that apply to you, you have the right to:
- Be informed about how we use your data (this notice)
- Access a copy of the personal data we hold about you
- Rectify inaccurate or incomplete data
- Delete your data, subject to the retention rules in section 9 and to legal obligations that require us to keep certain records
- Restrict or object to certain processing, including direct marketing
- Withdraw consent at any time where we rely on consent (including for sensitive personal data)
- Data portability — receive your data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you
- Lodge a complaint with the UAE Data Office or, if you are located elsewhere, the supervisory authority in your country
To exercise any of these rights, write to us at the address in section 1. We will respond within the timeframe required by applicable law (under the UAE PDPL we will respond within 30 days, extendable once by a further 30 days where the request is complex). We may need to verify your identity before acting on your request.
You can also:
- Edit most profile information directly in the Haya app
- Turn off location, contacts, notifications, and other permissions in your device settings at any time
- Delete your account directly from the app's settings
11. Disclosure to authorities and legal process
We may disclose personal data to a court, regulator, law-enforcement authority, or other competent body when we believe in good faith that doing so is necessary to:
- Comply with a valid legal request under the laws of the UAE or another jurisdiction where we operate
- Enforce our Terms of Service or investigate suspected breaches
- Protect the rights, property, or safety of Haya, our users, or the public
Where the law permits, we will notify you before disclosing your data so that you can seek to challenge the request.
12. Security
We use a combination of technical and organisational measures to protect your data, including:
- Encryption of data in transit using TLS
- Encryption of data at rest in Google Cloud
- HMAC-SHA-256 hashing of contact-list phone numbers, with the original numbers discarded
- Cookie-based sessions and refresh tokens with explicit expiry
- Role-based access controls on production data, with access limited to authorised staff
- Logging and monitoring of administrative activity
- A vulnerability management programme and a process for handling reports from security researchers
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the UAE Data Office and, where required, the affected users in accordance with the timelines set out in the UAE PDPL.
13. Region-specific notices
13.1 United Arab Emirates
We process your data in accordance with the UAE PDPL and the regulations of the UAE Data Office. References in this policy to "personal data", "sensitive personal data", "controller", "processor", and "data subject" have the meanings given in the UAE PDPL.
13.2 European Economic Area and the United Kingdom
If you are located in the EEA or the UK, the General Data Protection Regulation (or the UK GDPR) applies to our processing of your personal data. The legal bases set out in section 5 map to Article 6 and Article 9 of the GDPR. Our representative in the EEA or the UK is: [APPOINT IF REQUIRED]. You have the right to lodge a complaint with your local data-protection authority.
13.3 Other Gulf states
If you are located in Saudi Arabia, Bahrain, Qatar, Kuwait, or Oman, the local data-protection regime in your country will apply alongside (or instead of) the UAE PDPL. Where local law gives you stronger rights, those rights take precedence.
13.4 California
If you are a California resident, you have rights under the California Consumer Privacy Act, including the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.
14. Cookies and similar technologies
The Haya mobile application does not rely on browser cookies for its core functionality. The Haya website uses a small number of strictly necessary cookies and storage entries to remember your session and your cookie-banner choice. If we add analytics or advertising cookies in future, we will update this policy and ask for consent where required.
15. Changes to this policy
We may update this policy from time to time. When changes are material we will notify you in-app, by SMS, or by another reasonable means before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised. If you continue to use Haya after a change takes effect, you accept the updated policy; if you do not agree, you can stop using the Service and delete your account.
16. How to contact us
If you have any questions about this policy or about how we handle your data, please contact:
- Email: [[email protected]]
- Postal address: [REGISTERED ADDRESS]
- Data Protection Officer / representative (if appointed): [NAME / EMAIL]
If we have not satisfactorily addressed your concern, you may contact the UAE Data Office or the data-protection authority in your country.