Privacy Policy
Last updated: 2026-05-24
Data Controller
Masjida ApS ("Masjida", "we", "us", or "our") is the data controller responsible for the processing of personal data as described in this privacy policy. Masjida operates the platforms masjida.com, minmoske.dk, and mojdzemat.ba.
Registered address: Åbenråvej 10, 4200 Slagelse, Denmark
CVR: 44177099
Email: [email protected]
Controller vs. Processor
Masjida acts in two different roles depending on the data:
| Scenario | Data Controller | Data Processor |
|---|---|---|
| Mosque admin accounts, billing, platform usage | Masjida ApS | — |
| Mosque member data (profiles, memberships, payments) | The Mosque / Organisation | Masjida ApS |
Where a mosque uses Masjida to manage its members, a Data Processing Agreement (DPA) governs the relationship between the mosque (controller) and Masjida (processor). A copy is available on request at [email protected].
What Data We Collect
2.1 Mosque Administrator Accounts
- Full name, email address, phone number (optional)
- Password (stored as a bcrypt hash with 12 salt rounds — never plaintext)
- Role and permissions within the mosque
- Terms of Service acceptance timestamp, marketing consent preference
- Last login timestamp
2.2 Mosque Member Accounts
- Full name, email address, phone number (optional)
- Password (bcrypt-hashed)
- Address: street, city, postal code (optional, set by the mosque)
- Date of birth (optional)
- Membership plan, subscription status, and billing history
- Union-specific fields (e.g., union member number, if configured)
- Custom fields defined by the mosque — vary per mosque
- Terms of Service acceptance timestamp, marketing consent preference
- Email verification status, last login timestamp
2.3 Mosque & Organisation Data
- Mosque name, contact email, phone number, address
- Company registration number (e.g., CVR, Org.nr — optional)
- Logo and branding images
- Geographic coordinates (latitude/longitude — optional, for prayer time calculation)
- Website configuration and settings
2.4 Payment & Billing Data
- Billing account name and linked member
- Invoice history: amounts, dates, payment status
- Payment method type (e.g., Visa, MasterCard, MobilePay, bank transfer)
- For cards: last 4 digits, card brand, expiry month/year
- Tokenised payment reference (encrypted — not the actual card number)
- Recurring payment agreement identifiers (e.g., Vipps/MobilePay agreement ID)
We do not store credit card numbers or full payment credentials. Card payments are processed by Stripe, mobile payments by Vipps/MobilePay — in their own PCI DSS-compliant environments. We only store tokenised references.
2.5 Donation Data
- Donor name (optional — anonymous donations supported)
- Donor email, donation amount, message
- Tax deduction preference
- Tax identification number (e.g., CPR number in Denmark) — collected only when the donor explicitly opts in to tax deduction. Encrypted at rest using AES encryption. Never logged in plaintext. Shared only with the mosque for statutory tax reporting.
2.6 Event Registration Data
- For members: linked member profile, ticket type, registration status, check-in status
- For guest registrations: name, email, phone (optional), ticket type
- Confirmation codes (cryptographically generated)
2.7 Content & Uploads
- News articles, event descriptions, and announcements
- Uploaded images (JPEG, PNG, GIF, WebP — max 5 MB) and documents (PDF — max 10 MB)
- Files stored on EU-based S3-compatible storage, organised by mosque ID
2.8 Technical Data
- IP address, browser type, operating system (from server access logs)
- Error logs and performance data for platform stability
We do not use any third-party analytics, tracking pixels, advertising cookies, or behavioural tracking tools. No data is shared with Google Analytics, Facebook, or any advertising network.
How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and maintain the Masjida platform | Performance of contract (Art. 6(1)(b)) |
| Manage mosque memberships and subscriptions | Performance of contract (Art. 6(1)(b)) |
| Process payments and generate invoices | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (invoices, password resets) | Performance of contract (Art. 6(1)(b)) |
| Display prayer times, events, and news | Performance of contract (Art. 6(1)(b)) |
| Process tax-deductible donations (CPR number handling) | Legal obligation (Art. 6(1)(c)) + consent (Art. 6(1)(a)) |
| Send marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Send push notifications | Consent (Art. 6(1)(a)) |
| Improve the platform, fix bugs, ensure stability | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud and ensure platform security | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
Data Sharing & Third Parties
We share personal data only when necessary and with appropriate safeguards:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Card payment processing | Payment amount, card details (directly) | EU / US (SCCs) |
| Vipps/MobilePay | Mobile payment processing | Payment amount, agreement details | EU (Nordics) |
| Mollie | Payment processing | Customer email, payment amount | EU (Netherlands) |
| Email provider | Transactional email delivery | Recipient email, email content | EU |
| Cloud hosting | Infrastructure | All platform data (encrypted) | EU |
| S3 storage | File & image storage | Uploaded files | EU |
We do not sell, rent, or trade personal data to third parties for marketing or advertising purposes.
If we are legally required to disclose data (e.g., by court order or regulatory request), we will do so only to the extent required by law, and we will notify affected users where legally permitted.
International Data Transfers
All primary data storage is within the European Union (EU) or European Economic Area (EEA). Where a sub-processor operates outside the EU/EEA (e.g., Stripe in the US), transfers are protected by EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.
As mosques in different European countries use Masjida, member data is accessible to mosque administrators in their respective country. This intra-EEA access does not constitute a restricted international transfer under GDPR.
Data Storage & Security
6.1 Technical Measures
- Encryption in transit (TLS 1.2+/HTTPS on all connections)
- Sensitive data encrypted at rest (tax IDs, payment credentials)
- Passwords hashed with bcrypt (12 salt rounds)
- JWT-based authentication with short-lived access tokens (15 min) and refresh tokens (7 days)
- Role-based access control per mosque
- Multi-tenant isolation — all database queries scoped by tenant ID
- Files stored in tenant-isolated S3 folders
- Content Security Policy, X-Frame-Options, and other security headers
6.2 Organisational Measures
- Principle of least privilege for internal access
- Regular dependency updates and security reviews
- No plaintext logging of passwords, tokens, or tax identification numbers
6.3 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days | Contract |
| Inactive accounts | Deleted after 24 months of inactivity | Legitimate interest |
| Payment & invoice records | 5 years from transaction date | Danish Bookkeeping Act (Bogføringsloven) |
| Tax deduction data (CPR) | 5 years from the relevant tax year | Danish tax legislation |
| Server/error logs | Up to 12 months | Legitimate interest |
| Push notification tokens | Until unsubscribed or expired | Consent |
| Deleted mosque tenant data | Permanently deleted after 30 days | Contract |
Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15) — Request a copy of your personal data
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
- Right to restrict processing (Art. 18) — Limit how we use your data
- Right to data portability (Art. 20) — Receive your data in a machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time
Mosque Members
Contact your mosque first, as they are the data controller. If the mosque is unresponsive, contact Masjida and we will assist.
Mosque Administrators
Contact us directly at [email protected].
We will respond within 30 days as required by GDPR. In complex cases, we may extend this by an additional 60 days with notice.
You have the right to lodge a complaint with your local data protection authority. In Denmark, this is the Danish Data Protection Agency (Datatilsynet): www.datatilsynet.dk.
Cookies & Local Storage
Masjida uses only strictly necessary storage mechanisms. We do not use third-party advertising or tracking cookies.
| Storage | Type | Purpose | Duration |
|---|---|---|---|
| Auth token | localStorage | Maintain login session | Until logout (15 min / 7 day refresh) |
| User profile cache | localStorage | Display user info | Until logout |
No cookie consent banner is required because we do not use any cookies for tracking, analytics, or advertising purposes. The storage used is strictly necessary for the service to function.
Children's Data
Masjida does not directly target children. However, mosque memberships may include minors (e.g., family memberships where parents register their children).
- Members under 16 cannot create their own accounts — a parent or guardian must register them.
- The mosque (as data controller) is responsible for obtaining appropriate parental or guardian consent in compliance with GDPR Article 8 and applicable national law.
- Parents or guardians may exercise GDPR rights (access, erasure, etc.) on behalf of their children.
Religious Data & Special Categories
Mosque membership inherently implies religious affiliation, which is classified as special-category data under GDPR Article 9. Processing is permitted under the following bases:
- Art. 9(2)(d) — processing by a not-for-profit body with a religious aim, where processing relates solely to members or former members and data is not disclosed outside the organisation without consent.
- Art. 9(2)(a) — explicit consent of the data subject, obtained at registration.
Each mosque is responsible for ensuring it has a valid legal basis for processing special-category data about its members, and for conducting a Data Protection Impact Assessment (DPIA) where required.
Multi-Tenant Data Isolation
Masjida is a multi-tenant platform. Each mosque's data is logically isolated at both the application and database levels:
Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify users via the platform and/or by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact Us
If you have any questions about this privacy policy, your personal data, or wish to exercise your GDPR rights, please contact us:
Masjida ApS
Åbenråvej 10, 4200 Slagelse, Denmark
CVR: 44177099
Email: [email protected]