GDPR Compliance
HajjPath is designed for organizations that need disciplined handling of personal data, clear controller and processor responsibilities, and dependable support for GDPR obligations.
GDPR
European Union
The General Data Protection Regulation sets the standard for lawful processing, transparency, data subject rights, and cross-border transfer safeguards. HajjPath supports organizations that process personal data connected to EU residents and need operational controls that align with those requirements.
Built for Accountability
Platform Controls
Our platform combines role-based access, audit trails, export tooling, deletion workflows, and secure infrastructure practices so teams can operate with a clear, documented approach to GDPR-aligned data protection.
Our Commitments
These principles guide how we design, build, and operate the HajjPath platform. Every feature is evaluated against these commitments before it reaches production.
Privacy by Design
Product decisions start with necessity, access boundaries, and retention expectations. We collect and expose only the data needed to run Hajj operations responsibly.
Lawful Basis & Records
Data processing activities are mapped to a valid legal basis, with records that help customers understand why data is collected and how it is used.
Data Subject Rights
Access, correction, export, restriction, and deletion requests should be actionable. HajjPath is built to support prompt response workflows for those rights.
Secure Data Handling
Encryption, least-privilege access, monitoring, and auditable changes help reduce exposure while keeping sensitive pilgrim and operational data protected.
Retention & Deletion
Retention periods should be explicit, proportionate, and reviewable. Customers can export structured data and manage deletion requests without vendor lock-in.
Breach Notification
Incident response is designed around rapid assessment, customer communication, and escalation within the timelines expected under GDPR where notification is required.
Data Processing Activities
The following table summarizes our primary data processing activities, their legal basis, the categories of data involved, and how long we retain that data.
| Activity | Legal Basis | Data Categories | Retention Period |
|---|---|---|---|
| Account registration | Contractual necessity | Name, email, organization, role | Duration of account + 90 days |
| Pilgrim record management | Contractual necessity / Legal obligation | Pilgrim PII, passport data, medical records | As required by national Hajj authority regulations |
| Payment processing | Contractual necessity | Billing name, payment method (tokenized) | 7 years (financial record-keeping) |
| Platform analytics | Legitimate interest | Usage data, feature interactions (anonymized) | 24 months |
| Customer support | Contractual necessity | Communication records, ticket details | 3 years after resolution |
| Regulatory reporting | Legal obligation | Aggregated pilgrim statistics, quota data | As required by applicable law |
| Marketing communications | Consent | Email address, name, preferences | Until consent is withdrawn |
| Security monitoring | Legitimate interest | Access logs, IP addresses, session data | 12 months |
Data Protection Contact
Our legal team oversees privacy matters and supports questions about how we handle personal data, cross-border transfers, and data subject rights requests related to GDPR-regulated processing.
Email: [email protected]
Response time: We aim to respond to all data protection enquiries within 5 business days.
Questions about data protection?
Whether you are evaluating HajjPath for your organization or need clarification on our GDPR posture, our team can help with data processing terms, security documentation, and implementation questions.