Privacy Policy

Taqyid attaches great importance to the protection of your personal data. Taqyid is a brand of DIGIQUEST CONSULTING, a French SAS registered under SIREN 929 281 780, and provides a SaaS halal compliance platform to customers in the European Union and Malaysia. Our core infrastructure is hosted in the Asia-Pacific (Singapore) region to be close to our Malaysian users, with appropriate safeguards for international data transfers. This policy explains how we collect, use and protect your information in accordance with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi n°78-17 du 6 janvier 1978, as amended), and the Malaysian Personal Data Protection Act 2010 (PDPA), as amended in 2024–2025.

1. Data controller

The data controller is DIGIQUEST CONSULTING (operating under the brand Taqyid), registered in France (SIREN 929 281 780, 22 Rue du Docteur Bertrand, 70200 Lure) and contactable at contact@taqyid.com. A Data Protection Officer (DPO) is appointed to oversee compliance with GDPR and PDPA, including data subject requests and incident handling.

2. Data we collect

We collect only the data necessary when you register for early access and use the platform:

• Full name
• Professional email address
• Company name
• Your role in the company
• Technical logs and usage data (analytics and diagnostics)

We do not intentionally collect sensitive personal data (such as racial or ethnic origin, religious beliefs, biometric data, health data, or political opinions) and we ask you not to submit such data via the platform unless explicitly requested for a clearly identified legal purpose.

Business documents uploaded by you may contain personal data of third parties (for example, names on halal certificates, personnel training records, supplier contact information, or auditor identification details). You remain responsible for ensuring that you have a lawful basis under GDPR Article 6 and PDPA Section 6 to upload such data. Taqyid processes this data solely for the purpose of providing the compliance management service and does not use it for any independent purpose.

3. Purposes of processing

Your data is used to:

• Manage your registration for early access
• Provide and administer access to the platform
• Communicate with you about the service and its evolution
• Improve our services, features and user experience
• Produce anonymised or aggregated usage and performance statistics
• Monitor and diagnose technical errors and service performance (Sentry)
• Analyse product usage patterns and user behaviour within the application to improve features and user experience (PostHog)
• Manage user session caching and rate-limiting for security and performance (Upstash Redis)
• Automate internal operational workflows including lead management, onboarding, and administrative tasks (n8n)
• Send transactional notifications (Resend) and, with your consent, marketing communications about product updates and relevant content (Brevo). You may unsubscribe from marketing emails at any time using the link provided in each email.

4. Legal basis

The processing of your data is based on:

• Your consent when registering for early access and, where applicable, for analytics cookies
• Taqyid's legitimate interest in operating, securing and improving the service
• Performance of a contract for the provision and administration of the service
• Compliance with legal obligations under GDPR and PDPA where applicable

5. Data retention period

Your data is retained for the following periods:

• Early access registrations: 3 years after the last interaction
• Active customers: contract duration + 5 years (for legal and accounting obligations)
• Analytics cookies: maximum 13 months
• Halal compliance documentation (audit records, certificates, traceability logs, non-conformity reports): minimum 3 years from the date of creation, in accordance with JAKIM MHMS 2020 record-keeping requirements. This retention period may exceed the contract duration where required by applicable halal certification standards.
• Audit trail entries: retained in an immutable format (soft-delete) to maintain the integrity and traceability required by halal certification bodies and industry regulations. While your account and personal data can be fully deleted upon request, audit trail entries that form part of a regulatory compliance record may be retained in an anonymised or pseudonymised form to preserve the chain of evidence required for audit purposes.

Upon termination of your account, you may request a complete export of your data in a structured format (CSV or JSON) within 30 days. After this period, your data will be permanently deleted unless retention is required by law. For full details, please refer to our Data Processing Agreement and Terms of Service.

6. Data recipients

Your data may be shared with:

• Taqyid internal team: authorised staff only, on a need-to-know basis
• Technical providers: hosting, authentication, database, email delivery and analytics service providers acting as data processors on our behalf
• Cloud infrastructure: reputable cloud providers located mainly in the Asia-Pacific (Singapore) region, which host our application, databases and backups

Sub-processors:

All processors are contractually required to comply with confidentiality, security, and data protection obligations aligned with GDPR and PDPA. Your data is not sold to third parties and is not used for behavioural advertising. We will notify customers of any changes to our sub-processor list at least 30 days in advance.

7. Your rights (GDPR & PDPA)

Under GDPR and, where applicable, PDPA, you have the following rights:

• Right of access: obtain confirmation and a copy of your personal data
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure: request deletion of your data where legally permitted
• Right to restriction: request limitation of processing in certain cases
• Right to data portability: receive your data in a structured, commonly used and machine-readable format and have it transmitted to another controller where technically feasible, in line with GDPR and PDPA requirements
• Right to object: object to certain types of processing based on legitimate interest
• Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. This right applies under both GDPR (Art. 7) and PDPA 2010 as amended in 2025 (Section 38A).

To exercise these rights, please contact our DPO at: dpo@taqyid.com.

We aim to respond to requests as soon as reasonably possible and, where required, within the time limits set by applicable data protection laws.

You also have the right to lodge a complaint with the competent supervisory authority:

• For users in the European Union: Commission Nationale de l'Informatique et des Libertes (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Website: www.cnil.fr
• For users in Malaysia: Jabatan Perlindungan Data Peribadi (JPDP / Department of Personal Data Protection), Ministry of Digital Malaysia. Website: www.pdp.gov.my

8. Data security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure, including:

• TLS/SSL encryption for data in transit
• Hosting on reputable cloud infrastructure in the Asia-Pacific (Singapore) region with strong physical and logical security controls
• Strict internal access control with a role-based access control (RBAC) system featuring 7 distinct roles and creator/validator segregation, ensuring that no single user can both create and approve compliance records
• Regular encrypted backups
• Periodic security reviews and monitoring of access logs

9. Cookies

We use cookies to operate the platform and improve your experience. You can disable non-essential cookies in your browser settings or via the consent banner. Types of cookies used:

• Essential cookies: necessary for the website and platform to function properly
• Analytics cookies: usage statistics which are anonymised or pseudonymised where possible and activated only with your consent
• Product analytics (PostHog): PostHog is configured to run on our EU Cloud instance. It uses first-party cookies for session identification within the application (app.taqyid.cloud). No cross-site tracking is performed. PostHog analytics are activated only with your consent.
• Email tracking: our marketing emails sent via Brevo may contain tracking pixels that record whether an email has been opened and which links have been clicked. This data is used to improve our communications. You can disable image loading in your email client to prevent this tracking, or unsubscribe from marketing emails at any time using the link provided in each email.

Cookies used on this site:

10. International transfers

Our core infrastructure (databases and application hosting) is located in the Asia-Pacific (Singapore) region. For EU-based users, this involves a transfer of personal data outside the European Economic Area.

Where your data is transferred to a country that is not subject to an adequacy decision, we implement appropriate safeguards (such as the European Commission's Standard Contractual Clauses and equivalent contractual protections, combined with technical and organisational measures) to ensure a level of protection consistent with GDPR and PDPA requirements. Some of our additional service providers (such as email and analytics tools) may also process data outside your country of residence under similar safeguards.

11. Data breach notification

In the event of a personal data breach that is likely to result in a significant risk to your rights and freedoms, Taqyid will notify the competent data protection authority as soon as practicable and, where required, within a maximum of 72 hours of becoming aware of the breach. Where the breach is likely to cause significant harm, affected individuals will also be informed without unnecessary delay — and in any event within seven (7) days of the initial notification to the relevant authority, in accordance with the Malaysian PDPA 2025 (Section 12B).

12. Changes to this policy

This policy may be updated from time to time. The date of the last update is shown at the top of this page. We will inform you in advance of any material changes that impact the way your data is processed.