Zakatable
Privacy Terms Refund DPA Back to home

Privacy Policy

Effective date: June 15, 2026

This Privacy Policy explains what information Zakatable collects, how we use it, who we share it with, and the choices you have. It applies to the Zakatable platform — our marketing site, the community ("client") portal, the organization ("admin") portal, the Zakatable mobile app, and the APIs that connect them.

We have tried to write this in plain English. If anything here is unclear, email us at [email protected] and we will explain it.


Who we are

Zakatable is a B2B software-as-a-service platform built for small US-based mosques, Islamic charities, and 501(c)(3) nonprofits that distribute Zakat and other forms of community assistance. Zakatable is operated by Bright Thought Technologies, an Arizona-based company. The data controller for the platform's operational data is Bright Thoughts Technologies, LLC. When you submit an application for assistance to a specific nonprofit through Zakatable, that nonprofit is the data controller for your application data; Bright Thoughts Technologies, LLC acts as the data processor on the nonprofit's behalf for that application.


What we collect

Information you give us

  • Account information: your name, email, phone number, language preference.
  • Organization information (for organization administrators): your role, the name and EIN of the nonprofit you represent, address, service area, banking details for disbursements (handled by our payment processor — see "Sub-processors" below).
  • Application data (for applicants): everything you provide on an assistance request — address, household size, monthly income, employment, identification documents you upload, the description of your need, and any follow-up information you send through the platform's messaging.
  • Communications: messages you send through Zakatable's in-app messaging, email replies, AI phone-intake call transcripts (when an organization uses our optional AI phone assistant).
  • Optional: profile photo, demographic information you choose to provide.

Information we collect automatically

  • Device + usage data: IP address, browser type, device type, OS, the pages you visit on our site, the actions you take in the portal. We use this for security (rate-limiting, fraud detection), debugging, and to improve the product.
  • Session cookies: essential session cookies required to keep you signed in. We do NOT use tracking pixels, advertising cookies, or third-party analytics that build cross-site profiles. We do not load Facebook Pixel, Google Analytics, or similar.
  • Geolocation: when you submit an application, we capture the approximate location (city/postal-code level) so the platform can match you to organizations within range. We do not track your real-time location in the background.

Information from third parties

  • Identity verification: when an organization requires identity verification, our identity-verification provider may collect a government-issued ID, a selfie, and biometric template data for the limited purpose of confirming the document is genuine and matches you. We receive only the verification result (verified / failed / flagged), not the underlying document.
  • EIN verification: at organization signup, we look up the EIN you provide against a public IRS nonprofit registry to confirm 501(c)(3) status. This is a public-record lookup, not a credit check.

How we use it

We use the information we collect to:

  • Deliver the service: match applications to organizations within service range, route messages, process subscription payments, send transactional email and SMS, and generate AI-assisted assessments when an organization has opted into AI features.
  • Protect the platform: detect fraud, prevent abuse, enforce our Terms of Service, comply with anti-money-laundering and sanctions-screening obligations.
  • Comply with the law: respond to lawful requests from courts and regulators, retain donation records for the period the IRS requires nonprofits to retain them.
  • Communicate with you: send service-related notices, product updates (only if you opted in), and respond to your support requests.
  • Improve the product: aggregate, de-identified usage data informs feature priorities.

We do NOT sell your personal information. We do NOT use your data to train third-party AI models. The AI features that draft assessments use the model provider's enterprise API under terms that prohibit training on customer data.


Who can see your data

Zakatable is multi-tenant and strictly scoped per organization. By default:

  • Organization administrators see ONLY data for applications and members that belong to their own organization.
  • Applicants see only their own applications, messages, and uploaded documents.
  • Zakatable's internal super-administrators may access data for support and incident response, with all access logged in an immutable audit trail.

We never expose one organization's data to another. We never expose one applicant's data to other applicants.


Sub-processors

We use a small number of carefully vetted third-party service providers to deliver the platform. Each is bound by a data processing agreement (or equivalent contractual term), processes data only on our instructions, and receives only the minimum data needed for its function. By category, these providers support:

Category Purpose Data categories
Payment processing Subscription billing and disbursements Org admin name + email, bank routing data, payment amounts
Identity verification Confirming an applicant's identity when an organization requires it Government ID, selfie, biometric template (held by the provider; we receive only the result)
Communications delivery Sending transactional email and SMS (verification codes, invitations, notifications) Recipient email/phone, message body
AI processing AI-assisted application assessment and the optional AI phone-intake assistant Application text fields and, for phone intake, call audio/transcripts. NOT used to train the providers' models.
Infrastructure & security Cloud hosting, content delivery, and DDoS/WAF protection Request metadata (IP, URL), cached responses
Address & registry lookups Address autocomplete/geocoding and public nonprofit-registry (EIN) verification Address strings, IP location (when GPS unavailable), EIN (public record)

To protect commercially sensitive information, we do not publish the names of the individual vendors in each category. A current list of our sub-processors, their purposes, and their locations is available on request — email [email protected]. If we add or change a sub-processor in a way that materially affects how your data is processed, we will notify organization administrators at least 30 days in advance.


Where your data is stored

Zakatable's primary database and application servers are operated on infrastructure in the United States. Some sub-processors operate in other jurisdictions (primarily the US and EU). We do not otherwise transfer personal data outside the United States.

For European users: where any transfer of personal data outside the EEA occurs through a sub-processor, that transfer is governed by the European Commission's Standard Contractual Clauses (SCCs).


How long we keep it

  • Active applications and donation records: at least 3 years after the calendar year of the donation or assistance, to satisfy IRS recordkeeping requirements for 501(c)(3) tax-deductible donations.
  • Audit logs (status changes, who-saw-what): 7 years, supporting potential audit or dispute resolution.
  • Account data (your login, profile): as long as your account is active. When you close your account, we delete or anonymize personal data within 30 days, except where law requires longer retention (donation records, see above). To protect the integrity of zakat distribution, we retain a non-reversible eligibility fingerprint (a salted cryptographic hash that contains no readable personal information) after account deletion. It is used solely to prevent duplicate assistance claims and cannot be used to reconstruct your identity or contact you.
  • AI phone-intake call recordings + transcripts: 90 days by default; individual organizations may configure a shorter window.
  • Webhook delivery logs: 90 days.
  • Backup snapshots: retained for 30 days on a rolling basis.

To request deletion of your personal data, see "Your rights" below.


Your rights

We respect the following rights for everyone using the platform, regardless of where you live:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to fix inaccurate information.
  • Deletion: ask us to delete your account and personal data (subject to legal retention obligations on donation records).
  • Portability: receive a copy of your data in a machine-readable format.
  • Objection: object to particular processing activities (for example, AI-assisted assessment).
  • Withdrawal of consent: withdraw consent you previously gave; this does not affect processing already performed.

EU/EEA/UK residents additionally have the rights described in Articles 15-22 of the GDPR. California residents have the rights described in the CCPA and CPRA — including the right to know what we collect, the right to delete, and the right to opt out of "sale" or "sharing" of personal information (Zakatable does NOT sell or share personal information for cross-context behavioral advertising).

To exercise any of these rights, email [email protected]. We will respond within 30 days. Self-service deletion in the portal is on our roadmap but not yet available.


Cookies

We use only essential session cookies required to keep you signed in. We do not use tracking pixels, third-party advertising cookies, or analytics cookies that profile you across sites. Because our cookie use is limited to essential session management, we do not currently display a cookie banner. If we add analytics or marketing cookies in the future we will update this policy and display a consent banner before activation.


Children

Zakatable is not directed at children under 13 and we do not knowingly collect personal information from them. Some applications submitted on the platform may include information about household members under 13 (for example, family-size questions for eligibility); that information is provided by a household adult and is handled under the protections in this policy. If you believe a child has provided us personal information directly, email [email protected] and we will delete it.


Security

We protect your data using current industry-standard controls:

  • Encryption in transit: all connections are encrypted using current industry-standard TLS.
  • Encryption at rest: stored data is encrypted at rest.
  • Access controls: role-based access scoped per organization; privileged access is logged in an immutable audit trail.
  • Secrets management: credentials are held in a dedicated secrets manager, never in source code.
  • Regular backups: encrypted backups with periodic restoration testing.

No system is perfectly secure. If we discover a breach affecting your data we will notify you within 72 hours (sooner if practical) and report to applicable regulators as required.


Changes to this policy

We may update this policy as the product changes. Material changes (expanding sub-processor list, broadening data use, shortening retention notice) will be announced by email to organization administrators at least 30 days in advance. The "Last updated" date at the top of this document always reflects the most recent change.


SMS / text messaging

If you provide your mobile phone number, Zakatable (operated by Bright Thoughts Technologies, LLC) may send you SMS text messages — including a one-time code to verify your number and updates about your account and your assistance application. You opt in by entering your number and checking the SMS consent box during sign-up; consenting to receive SMS is not a condition of using the service.

  • Message frequency varies based on your account and application activity.
  • Message and data rates may apply according to your mobile carrier's plan.
  • Reply STOP to any message to opt out at any time, or HELP for help. You can also reach support at 623-562-3870.

We do not sell, rent, or share your mobile phone number or your SMS opt-in consent with any third parties or affiliates for their own marketing purposes. Mobile opt-in information is used solely to deliver the messages described above.


Contact

The data controller for the platform's operational data is Bright Thoughts Technologies, LLC. For privacy questions, data requests, or to file a complaint, reach us by email or post:

Bright Thoughts Technologies, LLC
PO Box 904
Chandler, AZ 85225
Email: [email protected]

If you are not satisfied with our response, EU/EEA/UK residents may lodge a complaint with their local supervisory authority. California residents may contact the California Privacy Protection Agency.

Privacy· Terms· Refund· DPA

© 2026 Zakatable