Privacy Policy
At Kanz ul Ilm International, your privacy is a sacred trust. This Policy governs the collection, use, retention, and protection of personal data across our global academic platform, in full compliance with international privacy law including GDPR, UK GDPR, CCPA, PIPEDA, and POPIA.
1. Information We Collect
We apply the principle of data minimisation — collecting only what is strictly necessary. Categories of personal data we may collect:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, preferred name | Enrolment form |
| Contact Data | Email, WhatsApp number, country | Enrolment / contact form |
| Academic Data | Course, learning level, frequency | Admission application |
| Technical Data | IP, browser, device, session data | Automatic (cookies) |
| Usage Data | Pages visited, time on site | Analytics |
| Communications Data | Enquiry messages, WhatsApp chats | Forms / WhatsApp |
We do not collect Sensitive Special Category data (health, ethnicity, religion, biometrics) unless explicitly provided with separate consent.
2. Legal Basis for Processing (GDPR Art. 6)
Under EU/UK GDPR, every act of processing must rest on a documented lawful basis. We rely on the following:
ART. 6(1)(b) — CONTRACT
Processing enrolment details to fulfil or take steps to enter into a contract (admission & course delivery).
ART. 6(1)(a) — CONSENT
Where you opt in to receive newsletters or promotional communications. Consent is freely given, specific, and may be withdrawn at any time.
ART. 6(1)(f) — LEGITIMATE INTERESTS
Analytics and site security, where our interest in operating a safe, effective platform does not override your fundamental rights.
ART. 6(1)(c) — LEGAL OBLIGATION
Where applicable law requires retention or disclosure of certain records (e.g., financial or regulatory requirements).
3. How We Use Your Information
Your data is used solely for the following documented, legitimate purposes — never for any purpose incompatible with the original basis of collection:
- ✓ Processing and responding to enrolment enquiries and formal admission applications.
- ✓ Scheduling and coordinating free trial sessions and ongoing 1-on-1 academic classes.
- ✓ Sending transactional communications: class confirmations, scheduling updates, academic notices.
- ✓ Academic updates, new course announcements, and institutional news — only where prior consent has been given.
- ✓ Improving and maintaining website performance and security through anonymised analytics.
- ✓ Complying with legal obligations and responding to lawful requests from competent authorities.
- ✓ Processing referrals where a student nominates a friend, with both parties' knowledge.
We will never use your data for automated decision-making or profiling that produces legal or similarly significant effects without explicit consent.
4. Data Retention Schedule
We retain personal data only as long as necessary for its stated purpose or as required by law:
| Data Type | Retention Period | Basis |
|---|---|---|
| Active student records | Enrolment + 2 years | Contract |
| Enquiry data (non-enrolled) | 12 months from last contact | Legitimate interest |
| Financial / fee records | 7 years | Legal obligation |
| Analytics (anonymised) | 26 months rolling | Legitimate interest |
| Consent records | 3 years after withdrawal | Legal obligation |
| Complaint / data request records | 3 years | Legal obligation |
On expiry, data is securely and permanently deleted or irreversibly anonymised. You may request early deletion under the Right to Erasure (Section 9).
5. Cookies & Tracking Technologies
We use the following categories of cookies:
STRICTLY NECESSARY
Always ActiveSession management, security tokens, dark/light theme preference. Cannot be disabled without breaking core functionality.
ANALYTICAL / PERFORMANCE
Consent RequiredAnonymised usage statistics to understand visitor behaviour. Data is aggregated and never linked to individuals.
FUNCTIONALITY
Consent RequiredPWA install prompt, enhanced platform features. Disabling may reduce experience quality.
We do not use advertising, third-party tracking, or data-broker cookies. Manage preferences via your browser settings or by contacting us.
6. Third-Party Services & Processors
We engage only a minimal set of trusted processors. Where they handle personal data on our behalf, appropriate Data Processing Agreements (DPAs) are in place:
WhatsApp Business (Meta Platforms)
Student communication & scheduling. End-to-end encrypted. Subject to Meta's Privacy Policy. Jurisdiction: USA.
Google Fonts (Alphabet Inc.)
Typography rendering (Cormorant Garamond, DM Sans, Amiri). A connection is established with Google servers; no student personal data is transmitted. Jurisdiction: USA.
CDN Libraries (Tailwind CSS, Lucide, Unpkg)
Open-source libraries for interface rendering. No personal data shared beyond standard HTTP metadata.
We do not embed advertising networks, social media trackers, data brokers, or affiliate marketing scripts.
7. International Data Transfers
As a global academy serving students across UK, USA, Canada, Australia, Europe, and beyond, data may be processed across jurisdictions. All cross-border transfers are protected by:
- ✓ Standard Contractual Clauses (SCCs): EU-approved clauses for all transfers to third countries without an adequacy decision.
- ✓ Adequacy Decisions: Where the European Commission recognises adequate protection in the destination country.
- ✓ Processor DPAs: Binding agreements with all processors confirming GDPR-equivalent standards.
- ✓ TLS 1.2+ Encryption: All transmissions encrypted regardless of destination jurisdiction.
8. Data Security Measures
We implement technical and organisational security measures proportionate to the risk:
🔒 HTTPS / TLS
All traffic encrypted via TLS 1.2+ (HTTPS enforced site-wide).
🛡 Access Controls
Role-based access; only authorised personnel handle personal data.
🗃 Data Minimisation
Only strictly necessary data is collected for stated purposes.
🧹 Secure Deletion
Data beyond retention periods is permanently and securely deleted.
📋 Staff Training
Administrative staff trained on data handling and confidentiality obligations.
🔐 No Third-Party Sale
Your data is never sold, rented, or commercially traded.
In the unlikely event of a breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours (GDPR Art. 33–34).
9. Your Data Protection Rights (GDPR / UK GDPR)
We respond to all verified requests within 30 days (extendable to 3 months for complex cases, with notice):
Right of Access (Art. 15)
Request a copy of all personal data we hold about you (Subject Access Request).
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data without undue delay.
Right to Erasure — "Right to be Forgotten" (Art. 17)
Request deletion where processing is no longer necessary or lawful. Certain legal obligations may require retention of specific records.
Right to Restriction of Processing (Art. 18)
Restrict processing while a complaint or accuracy dispute is being resolved.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format (e.g., JSON, CSV) for transfer to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing (with immediate effect for the latter).
Rights re: Automated Decision-Making (Art. 22)
Right not to be subject to decisions based solely on automated processing producing legal or significant effects. We do not engage in such processing.
To exercise any right, email info@kanzulilm.com with subject "Data Rights Request". We may require proof of identity. All requests are free of charge unless manifestly unfounded or excessive.
10. California Residents — CCPA / CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by CPRA grants you additional rights:
- ✓ Right to Know: Categories and specific pieces of personal information collected and from which sources.
- ✓ Right to Delete: Request deletion of personal information, subject to limited legal exceptions.
- ✓ Right to Opt-Out of Sale / Sharing: We do not sell or share your personal information for cross-context behavioural advertising.
- ✓ Right to Correct: Request correction of inaccurate personal information we maintain.
- ✓ Right to Limit Sensitive Data Use: Restrict use of sensitive personal information to purposes strictly necessary for service delivery.
- ✓ Right to Non-Discrimination: You will not receive discriminatory service or pricing for exercising CCPA rights.
Submit verified CCPA requests to info@kanzulilm.com with subject "CCPA Privacy Request". We respond within 45 calendar days.
11. Children's Privacy & Parental Consent
Kanzulilm International welcomes students of all ages within a safe, supervised academic environment:
- ✓ For students under 13 (USA — COPPA) or under 16 (EU/UK — GDPR), verifiable parental or guardian consent is required before processing any personal data.
- ✓ All enrolment enquiries for minor students must be submitted by a parent or legal guardian.
- ✓ Children's data is handled with enhanced confidentiality and never used for marketing or profiling.
- ✓ Parents and guardians may access, correct, or request deletion of their child's data at any time via info@kanzulilm.com.
- ✓ If we discover data has been collected from a minor without appropriate consent, we will delete it promptly.
12. Data Breach Response Policy
In the unlikely event of a personal data breach, our response protocol:
Immediate containment — isolate the affected system to prevent further exposure.
Internal investigation — assess scope, nature, and impact; identify affected individuals.
Notification to the relevant Supervisory Authority (e.g., ICO, DPC) as required by GDPR Art. 33, where a risk to individual rights is identified.
Direct notification to affected individuals if breach poses a high risk to their rights and freedoms (GDPR Art. 34), including nature, likely consequences, and remedial measures taken.
13. Complaints & Supervisory Authority
We take all privacy concerns seriously. If dissatisfied with our handling of your data:
- 1. Contact us first at info@kanzulilm.com — we will investigate and respond within 30 days.
- 2. If unresolved, lodge a complaint with your national Data Protection Authority:
🇬🇧 United Kingdom
ICO — ico.org.uk
🇮🇪 Ireland / EU
DPC — dataprotection.ie
🇺🇸 USA (California)
CA AG — oag.ca.gov
🇨🇦 Canada
OPC — priv.gc.ca
🇦🇺 Australia
OAIC — oaic.gov.au
🇵🇰 Pakistan
NCERT / PTA — national authority
14. Policy Updates
This Policy is updated whenever material changes occur to our data practices, legal landscape, or third-party integrations. We notify you of significant changes by:
- ✓ Sending email notification to enrolled students and active enquirers where changes are material.
- ✓ Displaying a site-wide notice for 14 days following any substantive revision.
15. Contact Us & Data Protection Officer
For all privacy enquiries, Subject Access Requests, deletion requests, or concerns regarding this Policy, contact our designated privacy team:
Kanzulilm International — Privacy & Data Team
📧 info@kanzulilm.com | office@kanzulilm.com
📞 +92 324 4449333 (WhatsApp Business)
📍 Walled City, Lahore, Pakistan
Response time: within 30 calendar days of receipt of a verified request.
Kanzulilm International · Est. 2009 · Serving the global Muslim community with authentic Islamic education.
This Policy was prepared in accordance with GDPR (EU) 2016/679, UK GDPR, CCPA (California Civil Code § 1798.100 et seq.), PIPEDA, the Australian Privacy Act 1988, and Pakistan's PDPA framework.