QUICK OVERVIEW

We respect your privacy. Here's what you need to know:

What we collect: Email, payment info, IP addresses, device fingerprints, API usage logs
Why: To run the service, prevent fraud, process payments, comply with laws
Who we share with: Payment processors (Stripe), hosting providers, fraud prevention services
How long: 90 days for most logs, 7 years for financial records
Your rights: Access, delete, export your data anytime
We DON'T: Sell your data, share with advertisers, or use for unrelated purposes

Questions? Email privacy@mumin.ink

Full details below ↓


TABLE OF CONTENTS

  1. Introduction and Scope
  2. Data Controller Information
  3. Personal Data We Collect
  4. How We Use Your Data
  5. Legal Bases for Processing (GDPR)
  6. Data Retention and Deletion
  7. Who We Share Data With
  8. International Data Transfers
  9. Your Privacy Rights
  10. Security Measures
  11. Cookies and Tracking Technologies
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Us

1. INTRODUCTION AND SCOPE

1.1 Purpose of This Policy

This Privacy Policy explains how Mumin Hadith API ("we", "us", "our") collects, uses, stores, shares, and protects personal information from users ("you", "your") of our API service.

This Policy applies to:

  • Our website (api.mumin.ink)
  • Our API service
  • User dashboard and account management interfaces
  • All communications with users

1.2 Agreement to This Policy

By creating an account, using our Service, or providing us with personal information, you agree to this Privacy Policy.

If you do not agree, please do not use our Service.

1.3 Applicable Laws

We comply with:

  • GDPR (General Data Protection Regulation) - EU Regulation 2016/679
  • UK GDPR - UK data protection laws
  • CCPA/CPRA (California Consumer Privacy Act)
  • Uzbekistan Law on Personal Data (2019)
  • Other applicable data protection laws

1.4 Relationship to Terms of Service

This Privacy Policy supplements our Terms of Service (ToS). In case of conflict regarding privacy matters, this Policy prevails.


2. DATA CONTROLLER INFORMATION

2.1 Who Controls Your Data

Data Controller:
Mumin Hadith API
Mumin Hadith API (MuminHadith.com)
Yunusabad District, 14, 2nd Flowery Street
Tashkent, 100000
Republic of Uzbekistan

Email: privacy@mumin.ink
Support: support@mumin.ink
Data Protection Contact: dpo@mumin.ink

2.2 EU Representative

For users in the European Union: we do not currently have an EU establishment or a designated EU representative for GDPR matters. Direct GDPR inquiries to privacy@mumin.ink or dpo@mumin.ink (see Section 14).

2.3 Supervisory Authority

EU residents may lodge complaints with their national data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en


3. PERSONAL DATA WE COLLECT

We collect several categories of personal data. Below is a comprehensive list.

3.1 Account Registration Data

What we collect:

  • Email address (required)
  • Password (stored only as a salted hash, never in plaintext; see Section 10.2)
  • Account creation timestamp
  • IP address at registration
  • Device information at registration

Source: Provided directly by you during registration

Why we collect: To create and manage your account, authenticate you, send service communications

3.2 Payment and Financial Data

What we collect:

  • Payment method type (credit card, cryptocurrency, etc.)
  • Payment processor transaction IDs
  • Purchase amounts and dates
  • Billing country
  • Currency used
  • IP address at time of payment
  • Device fingerprint at time of payment

What we DON'T collect:

  • ❌ Full credit card numbers
  • ❌ CVV/security codes
  • ❌ Bank account numbers
  • ❌ Cryptocurrency private keys

These are collected and stored solely by our payment processors (Stripe, cryptocurrency payment gateways), not by us.

Source: Provided during payment transactions

Why we collect: To process payments, issue receipts, prevent fraud, comply with tax laws

3.3 API Usage Data

What we collect:

  • API requests (endpoint accessed, timestamp, response status)
  • API Key used for each request
  • Request volume and frequency patterns
  • Error logs and debugging information
  • Credit consumption records
  • Rate limit violations

Source: Automatically generated when you use our API

Why we collect: To provide the Service, monitor performance, enforce rate limits, detect abuse

3.4 Device and Technical Data

What we collect:

  • IP addresses (IPv4 and IPv6)
  • User agent strings (browser type, version, operating system)
  • Device fingerprints - unique identifier created from:
    • Screen resolution and color depth
    • Timezone offset
    • System language and locale
    • Browser plugins and extensions
    • Canvas fingerprint (HTML5 rendering characteristics)
    • WebGL fingerprint (graphics processing unit info)
    • Hardware characteristics (CPU cores, device memory)
    • Font list
    • Audio context fingerprint
  • Geolocation (country, region, city derived from IP address)
  • Referrer URLs (where you came from)
  • Network information (ISP, ASN)

Source: Automatically collected from your device and browser

Why we collect: Security, fraud prevention, abuse detection, authentication, account protection

Important Note on Device Fingerprinting:

Device fingerprinting creates a unique identifier for your device without using cookies. This helps us:

  • Detect fraudulent account creation
  • Identify when multiple accounts are created from the same device (ban evasion)
  • Protect against automated bot attacks
  • Detect suspicious login patterns
  • Link related fraudulent activities

We use this for security and fraud prevention only, not for advertising or tracking across websites.

Legal Basis (GDPR): Legitimate interest (Article 6(1)(f)) - necessary for security and fraud prevention. Our legitimate interest in protecting our Service and users from fraud is not overridden by your privacy interests, as device fingerprinting is minimally intrusive and essential for security.

3.5 Communication Data

What we collect:

  • Emails sent between you and us
  • Support ticket contents
  • Chat transcripts (if live chat is available)
  • Survey responses
  • Feedback submissions

Source: Provided by you when you contact us

Why we collect: To provide customer support, respond to inquiries, improve our Service

3.6 Inferred and Derived Data

What we create:

  • Fraud risk scores (algorithmic assessment of account risk)
  • Account trust levels
  • Behavioral patterns
  • Usage predictions
  • Abuse likelihood scores

Source: Derived from analysis of the data described above

Why we create: To detect fraud, prevent abuse, improve security, optimize Service

3.7 Data We Do NOT Collect

We do not collect:

  • ❌ Precise geolocation (GPS coordinates)
  • ❌ Biometric data
  • ❌ Genetic data
  • ❌ Health information
  • ❌ Political opinions
  • ❌ Religious beliefs (beyond providing Islamic content)
  • ❌ Trade union membership
  • ❌ Sexual orientation
  • ❌ Criminal history (unless you provide it)

4. HOW WE USE YOUR DATA

4.1 Service Provision

Purpose: To provide the API service you signed up for

Activities:

  • Creating and managing your account
  • Authenticating your identity
  • Processing API requests
  • Managing your credit balance
  • Providing access to hadith data
  • Maintaining user dashboard
  • Delivering customer support

Data used: Account data, API usage data, payment data

4.2 Payment Processing

Purpose: To handle financial transactions

Activities:

  • Processing credit purchases
  • Generating receipts and invoices
  • Managing refunds (when applicable)
  • Preventing payment fraud
  • Complying with tax regulations
  • Maintaining financial records

Data used: Payment data, account data, IP addresses, device fingerprints

4.3 Security and Fraud Prevention

Purpose: To protect our Service, users, and business from fraud and abuse

Activities:

  • Detecting fraudulent accounts
  • Identifying suspicious patterns
  • Preventing automated abuse (bots, scrapers)
  • Protecting against DDoS attacks
  • Detecting account compromise
  • Preventing chargeback fraud
  • Identifying ban evasion
  • Monitoring for Prohibited Uses (as defined in our ToS)

Data used: All categories, especially device fingerprints, IP addresses, usage patterns

Legal basis: Legitimate interest in security and fraud prevention

4.4 Service Improvement and Analytics

Purpose: To understand how users interact with our Service and improve it

Activities:

  • Analyzing usage patterns
  • Identifying performance issues
  • Optimizing API endpoints
  • Understanding feature popularity
  • Testing new features
  • Conducting A/B tests

Data used: API usage data, anonymized behavioral data

Note: Analytics are typically performed on aggregated, anonymized data

4.5 Communications

Purpose: To send necessary and optional communications

Types of communications:

Transactional (required):

  • Account creation confirmations
  • Password reset emails
  • Payment receipts
  • Security alerts (suspicious login, API key compromise)
  • Inactivity warnings
  • Service disruption notifications
  • Terms or Policy updates

Marketing (optional):

  • Product updates and new features
  • Service tips and best practices
  • Educational content about hadith collections

You may opt out of marketing emails via the unsubscribe link in each email or by contacting us. You cannot opt out of transactional emails.

Data used: Email address, account data

4.6 Legal Compliance

Purpose: To comply with legal obligations

Activities:

  • Responding to lawful government requests
  • Complying with court orders or subpoenas
  • Cooperating with law enforcement
  • Meeting tax reporting requirements
  • Complying with financial regulations
  • Enforcing our Terms of Service
  • Defending against legal claims

Data used: Any data relevant to the legal matter

4.7 Business Transfers

In the event of a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have.


5. LEGAL BASES FOR PROCESSING (GDPR)

For users in the European Union, UK, and other jurisdictions requiring specification of legal bases, we process your data under the following legal grounds:

5.1 Contractual Necessity (GDPR Article 6(1)(b))

Processing necessary to perform our contract with you (the Terms of Service):

  • Account creation and management
  • API service provision
  • Payment processing
  • Credit balance management
  • Customer support

Data: Account data, payment data, API usage data

5.2 Legitimate Interests (GDPR Article 6(1)(f))

Processing necessary for our legitimate interests, which are not overridden by your rights:

Our legitimate interests:

  • Security and fraud prevention - protecting our Service and users from abuse
  • Service improvement - optimizing performance and features
  • Direct marketing - informing users about relevant features (subject to opt-out)
  • Business operations - maintaining records, analyzing trends
  • Legal defense - protecting against claims and enforcing our rights

Balancing test: We have assessed that these interests do not override your privacy rights because:

  • Processing is minimally intrusive
  • Data is necessary for the stated purposes
  • You have transparency through this Policy
  • You have rights to object and control your data

Data: Device fingerprints, IP addresses, usage patterns, analytics data

5.3 Legal Obligation (GDPR Article 6(1)(c))

Processing necessary to comply with legal requirements:

  • Tax reporting and financial record-keeping
  • Responding to lawful government requests
  • Anti-money laundering (AML) checks
  • Sanctions screening

Data: Transaction records, account data

5.4 Consent (GDPR Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications (you may withdraw consent anytime)
  • Optional cookies and tracking (where required)
  • Participation in surveys or research

Data: Email address, survey responses

You may withdraw consent at any time by emailing privacy@mumin.ink or using unsubscribe links.

5.5 Special Note on Device Fingerprinting

Device fingerprinting is processed under legitimate interest (Article 6(1)(f)) for security and fraud prevention purposes.

We have conducted a balancing test and determined:

  • ✅ Our interest in security is compelling
  • ✅ Device fingerprinting is necessary (less intrusive alternatives are insufficient)
  • ✅ Impact on your privacy is minimal (no cross-site tracking, security use only)
  • ✅ You have transparency through this disclosure
  • ✅ You can object (though this may prevent service use)

6. DATA RETENTION AND DELETION

6.1 Retention Principles

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law.

6.2 Retention Periods by Data Type

| Data Category | Retention Period | Reason |
|---------------|------------------|--------|
| API Request Logs | 90 days | Performance monitoring, debugging |
| Account Data (active) | While account active | Service provision |
| Account Data (closed) | 90 days after closure | Grace period for reactivation |
| Transaction Records | 7 years after transaction | Tax compliance, legal defense |
| Payment Processor Data | Per processor's policy | Not in our control |
| Support Communications | 2 years after last contact | Quality assurance, disputes |
| Fraud Evidence | Indefinitely | Legal defense, fraud prevention |
| Anonymized Analytics | Indefinitely | No longer personal data |
| Device Fingerprints | While account active + 90 days | Fraud detection, security |

6.3 Automatic Deletion

After retention periods expire, data is automatically:

  • Deleted permanently from production systems, OR
  • Anonymized (removal of all identifiers), OR
  • Archived in encrypted offline storage (for legal compliance only)

6.4 Exceptions to Deletion

We may retain data beyond standard periods if:

  • Required by law (tax audits, legal holds, investigations)
  • Necessary for legal defense (pending or threatened litigation)
  • Subject to regulatory investigation
  • Evidence of fraud or Terms violations

Even in these cases, data is stored securely and access is restricted.

6.5 User-Requested Deletion

You may request deletion of your account and data at any time (see Section 9.3). We will comply within 30 days, subject to legal retention requirements.


7. WHO WE SHARE DATA WITH

7.1 Third-Party Service Providers

We share data with trusted service providers who help us operate our business. They process data on our behalf under strict confidentiality agreements.

Payment Processors:

  • Stripe, Inc. (credit/debit card processing)
  • Cryptocurrency payment gateways (crypto transactions)
  • Purpose: Process payments, detect payment fraud
  • Data shared: Payment data, transaction amounts, email, IP address
  • Location: USA (Stripe), various (crypto gateways)
  • Their policies: https://stripe.com/privacy

Hosting and Infrastructure:

  • Hetzner Online GmbH
  • Purpose: Host our servers, databases, and application
  • Data shared: All data (they host our infrastructure)
  • Location: European Union (Germany and Finland)
  • Security: SOC 2 Type II certified, encryption at rest and in transit

Email Service Providers:

  • SendGrid (Twilio, Inc.)
  • Purpose: Send transactional and marketing emails
  • Data shared: Email addresses, email content
  • Location: European Union

Fraud Prevention Services:

  • MaxMind (IP geolocation and fraud scoring)
  • Purpose: Detect fraudulent activity, assess risk
  • Data shared: IP addresses, device fingerprints, transaction data
  • Location: USA
  • Their policies: https://www.maxmind.com/en/privacy-policy

Analytics and Monitoring:

  • Internal server logs (Self-hosted)
  • Purpose: Monitor service performance, understand usage
  • Data shared: Anonymized usage data
  • Note: We do NOT use Google Analytics or similar advertising-based tools

7.2 Legal and Regulatory Authorities

We may disclose data to:

  • Law enforcement agencies (in response to lawful requests)
  • Courts (in response to subpoenas or court orders)
  • Tax authorities (for tax compliance)
  • Regulatory bodies (data protection authorities, financial regulators)
  • Legal counsel (for legal advice and defense)

We disclose only the minimum data necessary and will notify you when legally permitted.

7.3 Business Transfers

If we are acquired, merge with another company, or sell assets, your data may be transferred to the successor entity. You will be notified via email and/or prominent notice on our website.

7.4 With Your Consent

We may share data with other parties when you explicitly consent to such sharing.

7.5 We Do NOT:

❌ Sell your personal data
❌ Share data with advertisers
❌ Rent or lease user lists
❌ Share data for others' marketing purposes
❌ Provide data to data brokers
❌ Use data for purposes unrelated to our Service


8. INTERNATIONAL DATA TRANSFERS

8.1 Where Your Data is Processed

Our infrastructure is located in the Republic of Uzbekistan.

If you are located outside this jurisdiction, your data will be transferred internationally.

8.2 Transfers from the EU/UK

For users in the European Union or United Kingdom, we ensure adequate protection for international transfers through:

Option 1 - Adequacy Decision: If we transfer to countries with EU adequacy decisions (e.g., UK, Switzerland, Israel, Japan), no additional safeguards are required.

Option 2 - Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions (e.g., USA), we use European Commission-approved Standard Contractual Clauses (2021 version).

Option 3 - Consent: We may obtain your explicit consent for specific transfers.

8.3 Additional Safeguards

We implement additional technical and organizational measures:

  • End-to-end encryption for data in transit
  • Encryption of sensitive data at rest
  • Access controls limiting who can access EU user data
  • Regular security audits
  • Contractual commitments from service providers

8.4 Your Rights Regarding Transfers

You have the right to:

  • Obtain information about transfer safeguards
  • Object to transfers in certain circumstances
  • Request a copy of Standard Contractual Clauses

Contact privacy@mumin.ink for more information.


9. YOUR PRIVACY RIGHTS

9.1 Rights Under GDPR (EU/UK Users)

If you are in the EU or UK, you have the following rights:

9.1.1 Right of Access

What: Obtain confirmation of whether we process your data and receive a copy
How: Email privacy@mumin.ink with "DATA ACCESS REQUEST"
Response time: 30 days
Format: JSON or CSV file with all your personal data

9.1.2 Right to Rectification

What: Correct inaccurate or incomplete data
How: Update directly in your dashboard OR email privacy@mumin.ink
Response time: 30 days

9.1.3 Right to Erasure ("Right to be Forgotten")

What: Request deletion of your data
How: Email privacy@mumin.ink with "DELETION REQUEST"
Response time: 30 days
Exceptions:

  • Transaction records (7-year legal retention)
  • Fraud evidence (legal defense purposes)
  • Data required by law

9.1.4 Right to Restriction of Processing

What: Limit how we process your data in certain circumstances
When:

  • You contest data accuracy (during verification)
  • Processing is unlawful but you don't want deletion
  • We no longer need data but you need it for legal claims
  • You object to processing (pending verification)

How: Email privacy@mumin.ink with "RESTRICTION REQUEST"

9.1.5 Right to Data Portability

What: Receive your data in machine-readable format and transmit to another controller
How: Email privacy@mumin.ink with "DATA PORTABILITY REQUEST"
Format: JSON or CSV
Scope: Data provided by you or generated from your use

9.1.6 Right to Object

What: Object to processing based on legitimate interests
How: Email privacy@mumin.ink with "OBJECTION"
Effect: We will cease processing unless we demonstrate compelling legitimate grounds that override your interests

Special case - Direct Marketing: You have an absolute right to object to marketing. We will stop immediately.

9.1.7 Right to Withdraw Consent

What: Withdraw consent for processing based on consent
How: Click "unsubscribe" in emails OR email privacy@mumin.ink
Effect: We stop processing based on that consent (doesn't affect lawfulness of past processing)

9.1.8 Right to Lodge Complaint

What: Complain to a data protection authority
Where: Your country's supervisory authority
Find yours: https://edpb.europa.eu/about-edpb/board/members_en

We encourage you to contact us first so we can address your concerns.

9.2 Rights Under CCPA (California Users)

If you are a California resident, you have:

9.2.1 Right to Know

Request disclosure of:

  • Categories of personal information collected
  • Sources of information
  • Purposes of collection
  • Categories of third parties we share with
  • Specific pieces of information we hold

9.2.2 Right to Delete

Request deletion of your personal information (subject to the exceptions described in Sections 6.4 and 9.1.3).

9.2.3 Right to Opt-Out of Sale

We do NOT sell personal information, so this right is not applicable.

9.2.4 Right to Non-Discrimination

We will not discriminate against you for exercising CCPA rights (e.g., by denying service or charging different prices).

9.2.5 How to Exercise CCPA Rights

Email privacy@mumin.ink with "CCPA REQUEST" and specify which right you're exercising.

Verification: We must verify your identity before fulfilling requests. We may request additional information.

Response time: 45 days (may extend by 45 days with notice)

Authorized agents: Agents must provide proof of authorization

9.3 General Rights (All Users)

Regardless of location, you may:

Close your account:

  • Dashboard → Settings → Delete Account
  • OR email support@mumin.ink

Export your data:

  • Dashboard → Settings → Export Data
  • OR email privacy@mumin.ink

Opt out of marketing:

  • Click "unsubscribe" in any marketing email
  • OR email privacy@mumin.ink

Update your information:

  • Dashboard → Settings → Edit Profile

9.4 Limitations on Rights

Your rights are not absolute. We may refuse requests that are:

  • Manifestly unfounded or excessive
  • Repetitive (if you have made the same request recently)
  • Impossible to fulfill (e.g., delete legally required records)
  • Would harm others' rights or legal interests

We will explain any refusal.

9.5 No Fee (Usually)

We do not charge fees for exercising rights, except:

  • If requests are clearly excessive or repetitive, we may charge a reasonable fee
  • We will notify you of any fee before processing

10. SECURITY MEASURES

10.1 Our Commitment to Security

We implement industry-standard technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, and destruction.

10.2 Technical Security Measures

Encryption:

  • Data in transit: TLS 1.2+ encryption for all connections
  • Data at rest: AES-256 encryption for sensitive data in databases
  • Password storage: bcrypt hashing with salt (we never store plaintext passwords)
  • API Keys: Generated with high entropy and stored only as hashed values (the plaintext key is shown once at creation and is not recoverable from our records)

Access Controls:

  • ✅ Role-based access control (RBAC) limiting employee data access
  • ✅ Multi-factor authentication (MFA) for employee accounts
  • ✅ Principle of least privilege (employees access only necessary data)
  • ✅ Regular access reviews and revocation of unnecessary permissions

Network Security:

  • ✅ Firewall protection
  • ✅ Network segmentation (separation of production and development)
  • ✅ DDoS protection
  • ✅ Intrusion detection and prevention systems (IDS/IPS)
  • ✅ Regular vulnerability scanning

Application Security:

  • ✅ Secure coding practices
  • ✅ Input validation and sanitization
  • ✅ Protection against common attacks (SQL injection, XSS, CSRF)
  • ✅ Regular security updates and patching
  • ✅ Dependency vulnerability scanning

10.3 Organizational Security Measures

Personnel:

  • ✅ Background checks for employees with data access
  • ✅ Confidentiality agreements for all staff
  • ✅ Regular security awareness training
  • ✅ Clear data handling policies and procedures

Incident Response:

  • ✅ Incident response plan
  • ✅ Breach notification procedures
  • ✅ Designated security team
  • ✅ 24/7 monitoring for security events

Vendor Management:

  • ✅ Due diligence on third-party providers
  • ✅ Data processing agreements with strict security requirements
  • ✅ Regular vendor security assessments

10.4 Regular Security Assessments

We conduct:

  • Annual penetration testing by third-party security firms
  • Quarterly vulnerability assessments
  • Ongoing security monitoring and logging
  • Regular review and update of security policies

10.5 Data Breach Notification

In the event of a data breach affecting your personal information:

We will:

  1. Investigate and contain the breach immediately
  2. Assess the risk to your data
  3. Notify affected users within 72 hours (as required by GDPR)
  4. Notify relevant supervisory authorities if required
  5. Provide information on:
    • Nature of the breach
    • Data affected
    • Steps we've taken
    • Steps you should take
  6. Offer assistance (e.g., credit monitoring if financial data exposed)

You will receive notification via:

  • Email to your registered address
  • Prominent notice on our website/dashboard

10.6 Limitations of Security

No system is 100% secure. While we implement strong security measures, we cannot guarantee absolute security.

Your responsibilities:

  • Choose strong, unique passwords
  • Never share your password or API keys
  • Keep your devices secure
  • Report suspicious activity immediately

We are not liable for breaches resulting from:

  • Your failure to protect credentials
  • Your violation of security requirements
  • Unauthorized access by third parties beyond our control

See our Terms of Service Article 12 (Disclaimer of Warranties) and Article 13 (Limitation of Liability) for complete limitations.


11. COOKIES AND TRACKING TECHNOLOGIES

11.1 What Are Cookies

Cookies are small text files stored on your device by websites you visit. They help websites remember information about your visit.

11.2 Cookies We Use

Strictly Necessary Cookies:

  • Session cookies: Keep you logged in while using our Service
  • Security cookies: Detect authentication abuse, prevent fraud
  • Load balancing cookies: Distribute traffic across servers

These cookies are essential for the Service to function. You cannot opt out of strictly necessary cookies without disabling Service functionality.

Functional Cookies:

  • Preference cookies: Remember your settings (language, timezone)
  • Dashboard state: Remember your last viewed page, filters

These cookies improve your experience. You may opt out via browser settings, but this may limit functionality.

Analytics Cookies (if used):

  • Usage analytics: Understand how users interact with our Service
  • Performance monitoring: Identify errors and slow pages

You may opt out via browser settings or our cookie preference center (if implemented).

We Do NOT Use:

  • ❌ Advertising cookies
  • ❌ Third-party advertising networks
  • ❌ Cross-site tracking cookies
  • ❌ Social media tracking pixels (Facebook Pixel, Google Ads, etc.)

11.3 Local Storage and Similar Technologies

We may use:

  • localStorage/sessionStorage: Store temporary data in your browser
  • IndexedDB: Store larger amounts of structured data locally
  • Service Workers: Enable offline functionality (if implemented)

These technologies function similarly to cookies and are governed by this Policy.

11.4 Device Fingerprinting

As described in Section 3.4, we use device fingerprinting for security and fraud prevention.

This is NOT a cookie but achieves similar identification purposes through analyzing device characteristics.

Legal basis: Legitimate interest in security (GDPR Article 6(1)(f))

11.5 Managing Cookies

Browser Controls: Most browsers allow you to:

  • View cookies stored on your device
  • Delete cookies
  • Block future cookies
  • Set preferences for specific websites

Instructions:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy → Cookies

Note: Blocking strictly necessary cookies will prevent you from using our Service.

11.6 Do Not Track

Some browsers offer "Do Not Track" (DNT) signals. We do not respond to DNT signals because there is no industry standard for how to interpret them.

However, we do not track you across other websites regardless of DNT settings.


12. CHILDREN'S PRIVACY

12.1 Age Restrictions

Our Service is NOT intended for children under:

  • 13 years old (general)
  • 16 years old (EU residents)

We do not knowingly collect personal data from children below these ages.

12.2 Parental Consent

Users aged 13-17 (or 16-17 in EU) may use the Service only with verifiable parental or guardian consent.

12.3 If We Discover Underage Users

If we learn we have collected data from a child under the applicable age without parental consent:

  1. We will delete the account immediately
  2. We will delete all associated personal data
  3. We will not use or disclose the data

12.4 Parents' Rights

Parents or guardians may:

  • Request access to their child's data
  • Request deletion of their child's data
  • Refuse further collection of their child's data

Contact privacy@mumin.ink with proof of guardianship.


13. CHANGES TO THIS POLICY

13.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Changes in applicable laws
  • New features or services
  • User feedback

13.2 Notification of Changes

Material Changes: We will notify you of material changes via:

  • Email to your registered address (30 days before effective date)
  • Prominent notice on our website
  • In-dashboard notification

Material changes include those that:

  • Expand the types of data collected
  • Change how we use data in significant ways
  • Reduce your rights or protections
  • Change data retention periods significantly

Non-Material Changes: Minor clarifications, formatting changes, or updates to contact information may be made without notice.

13.3 Effective Date

The "Last Updated" date at the top shows when the Policy was last modified.

Changes become effective:

  • 30 days after notification (for material changes)
  • Immediately (for non-material changes)

13.4 Your Options

If you disagree with changes:

  1. Stop using the Service before the effective date
  2. Request deletion of your account and data
  3. Export your data before deletion

Continued use of the Service after the effective date constitutes acceptance of the changes.

13.5 Version History

You may request previous versions of this Policy by emailing privacy@mumin.ink.


14. CONTACT US

14.1 General Inquiries

Email: privacy@mumin.ink
Subject line: Please include "PRIVACY INQUIRY" for faster response

Response time: We aim to respond within 5 business days

14.2 Data Subject Requests (GDPR/CCPA)

For exercising your privacy rights:

Email: privacy@mumin.ink
Subject line formats:

  • "DATA ACCESS REQUEST" (to receive your data)
  • "DELETION REQUEST" (to delete your data)
  • "CCPA REQUEST" (California residents)
  • "GDPR REQUEST" (EU/UK residents)
  • "OBJECTION" (object to processing)

What to include:

  1. Your full name
  2. Account email address
  3. Specific request
  4. Proof of identity (if requested)

Response time: 30 days (may extend to 60 days for complex requests)

14.3 Data Protection Officer

Email: dpo@mumin.ink

For matters related to:

  • GDPR compliance
  • Data protection concerns
  • Complaints about data handling
  • DPA inquiries

14.4 Security Issues

Email: security@mumin.ink
Subject line: "SECURITY CONCERN" or "DATA BREACH REPORT"

For reporting:

  • Suspected data breaches
  • Security vulnerabilities
  • Unauthorized access to your account
  • Compromised API keys

14.5 Mailing Address

Mumin Hadith API
[Legal Entity Name]
Yunusabad District, 14, 2nd Flowery Street
Tashkent, 100000
Republic of Uzbekistan

14.6 EU Representative

We do not currently maintain an EU establishment.


APPENDIX A: GLOSSARY

Personal Data / Personal Information: Any information relating to an identified or identifiable person.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Data Controller: The entity that determines the purposes and means of processing personal data (us).

Data Processor: An entity that processes data on behalf of the controller (our service providers).

Data Subject: The person whose personal data is being processed (you).

GDPR: General Data Protection Regulation (EU Regulation 2016/679)

CCPA: California Consumer Privacy Act

Legitimate Interest: A legal basis for processing under GDPR where processing is necessary for legitimate purposes that are not overridden by individual rights.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Right to Erasure: Also known as "right to be forgotten" - the right to have personal data deleted.

Data Portability: The right to receive personal data in a structured, machine-readable format.

Anonymization: The irreversible process of removing all identifiers from data so it can no longer identify individuals.

Pseudonymization: Replacing identifiers with pseudonyms, making data less identifiable but potentially reversible.

Data Breach: Unauthorized access, disclosure, alteration, or destruction of personal data.


APPENDIX B: LEGAL BASES SUMMARY TABLE

Quick reference for EU/UK users on legal bases for each processing activity:

| Processing Activity | Legal Basis | GDPR Article |
|---------------------|-------------|--------------|
| Account creation | Contract | 6(1)(b) |
| API service provision | Contract | 6(1)(b) |
| Payment processing | Contract | 6(1)(b) |
| Fraud prevention | Legitimate Interest | 6(1)(f) |
| Device fingerprinting | Legitimate Interest | 6(1)(f) |
| Security monitoring | Legitimate Interest | 6(1)(f) |
| Service improvement | Legitimate Interest | 6(1)(f) |
| Marketing emails | Consent | 6(1)(a) |
| Tax compliance | Legal Obligation | 6(1)(c) |
| Legal requests | Legal Obligation | 6(1)(c) |
| Customer support | Contract + Legitimate Interest | 6(1)(b) + 6(1)(f) |


APPENDIX C: DATA RETENTION SCHEDULE

Detailed retention schedule for transparency:

| Data Type | Retention Period | Disposal Method | Legal Basis for Retention |
|-----------|------------------|-----------------|---------------------------|
| Account email & password | Active account + 90 days | Secure deletion | Service provision |
| API request logs | 90 days | Automatic deletion | Service provision |
| IP addresses (logs) | 90 days | Automatic deletion | Security |
| Device fingerprints | Active account + 90 days | Secure deletion | Fraud prevention |
| Payment transactions | 7 years | Encrypted archival | Tax law compliance |
| Support tickets | 2 years | Secure deletion | Quality assurance |
| Fraud evidence | Indefinite | Secure encrypted storage | Legal defense |
| Marketing consents | Until withdrawn + 90 days | Deletion | Consent compliance |
| Anonymized analytics | Indefinite | N/A (not personal data) | No longer personal data |
| Account deletion requests | 90 days | Proof of compliance | Legal compliance |

Disposal methods:

  • Secure deletion: Overwriting data using industry-standard methods
  • Automatic deletion: Scheduled database purge
  • Encrypted archival: Long-term storage in encrypted, offline backups (no regular access)

APPENDIX D: THIRD-PARTY PROCESSORS

Complete list of third-party processors and their purposes:

| Provider | Purpose | Data Shared | Location | Privacy Policy |
|----------|---------|-------------|----------|----------------|
| Stripe, Inc. | Payment processing | Payment data, email, IP | USA | stripe.com/privacy |
| NowPayments.io | Crypto payments | Transaction data | Various | /legal/privacy |
| Hetzner Online GmbH | Infrastructure | All data | Germany/Finland | /legal/privacy |
| SendGrid (Twilio, Inc.) | Email delivery | Email addresses, content | USA/EU | /legal/privacy |
| MaxMind | IP geolocation | IP addresses | USA | maxmind.com/privacy |
| N/A | N/A | N/A | European Union | /legal/privacy |

All processors are bound by:

  • Data Processing Agreements (DPAs)
  • Confidentiality obligations
  • Security requirements
  • GDPR compliance (for EU data)
  • Standard Contractual Clauses (where applicable)

APPENDIX E: YOUR RIGHTS QUICK REFERENCE

EU/UK (GDPR) Rights:

| Right | What It Means | How to Exercise |
|-------|---------------|-----------------|
| Access | Get a copy of your data | Email privacy@mumin.ink with subject "DATA ACCESS REQUEST" |
| Rectification | Correct inaccurate data | Dashboard, or email privacy@mumin.ink |
| Erasure | Delete your data | Email with subject "DELETION REQUEST" |
| Restriction | Limit processing | Email with subject "RESTRICTION REQUEST" |
| Portability | Get data in portable format | Email with subject "DATA PORTABILITY REQUEST" |
| Object | Object to processing | Email with subject "OBJECTION" |
| Withdraw consent | Stop consent-based processing | Click unsubscribe, or email |
| Complain | Lodge complaint with authority | Contact your national DPA |

California (CCPA) Rights:

| Right | What It Means | How to Exercise |
|-------|---------------|-----------------|
| Know | Learn what data we have | Email privacy@mumin.ink with subject "CCPA REQUEST - RIGHT TO KNOW" |
| Delete | Delete your data | Email with subject "CCPA REQUEST - RIGHT TO DELETE" |
| Opt-out of sale | Stop sale of data | N/A (we do not sell data) |
| Non-discrimination | No penalties for exercising rights | Automatic |

Response Time: 30 days (GDPR), 45 days (CCPA)
Cost: Free (unless excessive/repetitive)
Verification: We may request proof of identity


CERTIFICATION

This Privacy Policy complies with:

GDPR (General Data Protection Regulation - EU)
UK GDPR (UK Data Protection Act 2018)
CCPA/CPRA (California Consumer Privacy Act)
Uzbekistan Law on Personal Data (2019)
ePrivacy Directive (Cookie Law)
COPPA (Children's Online Privacy Protection Act - USA)
PIPEDA (Personal Information Protection - Canada)

Frameworks referenced:

  • GDPR Articles 6 (Lawfulness), 13-14 (Information), 15-22 (Rights)
  • CCPA Sections 1798.100-1798.199
  • Standard Contractual Clauses (2021)
  • UNCITRAL Data Protection Principles

ACKNOWLEDGMENT

By using our Service, you acknowledge that:

✓ You have read this Privacy Policy in full
✓ You understand how we collect, use, and protect your data
✓ You understand your privacy rights and how to exercise them
✓ You agree to our data practices as described herein
✓ You understand this Policy may be updated with notice


Questions? Contact privacy@mumin.ink

Companion Document: Terms of Service v3.0
Related Policies: Cookie Policy (if separate), Data Processing Agreement (for enterprise)