Last updated: April 4, 2026
1. PURPOSE AND SCOPE
This Privacy Policy explains how personal data is processed in connection with the digital service known as Ukhti (the Platform), including the website available in particular at https://ukhti.me, its authenticated areas, related APIs, localized public pages, and the hosted mobile wrapper when that wrapper loads the same online service.
This policy is intended to satisfy transparency requirements under the General Data Protection Regulation (GDPR), applicable French data-protection law, and related ePrivacy rules where they apply.
It reflects the Platform's current business organization, legal documentation, and main technical flows identifiable in the codebase reviewed on April 4, 2026. If the service changes materially, this policy may be updated accordingly.
This policy should be read together with our Legal Notices and our Cookie Policy.
2. CONTROLLER
The controller of the personal-data processing described in this policy is:
Business name: Louala
Trading name: Ihsan Labs
SIREN: 800 525 362
Business address: 36 Rue de la Commanderie, 54000 Nancy, France
General contact: General contact
Legal and data-protection contact: Legal contact
Abuse or unlawful-content reports: Abuse reports
In this policy, we, us, and our refer to Louala, trading as Ihsan Labs.
3. HOW WE COLLECT PERSONAL DATA
We may collect personal data:
- directly from you when you register, complete your profile, publish content, contact us, subscribe to communications, use community features, create listings, open support tickets, or make payments or donations;
- automatically from your browser, device, or app session when you use the Platform, including authentication, security, error, and technical usage data;
- from third-party services that you choose to use with the Platform, such as Google sign-in or payment-service providers; and
- from other users when they interact with you on the Platform, for example by sending you messages, invitations, notifications, event information, comments, reports, or marketplace interactions.
4. CATEGORIES OF PERSONAL DATA WE MAY PROCESS
4.1 Account, identity, and registration data
Depending on the flow used, we may process your username, first name, last name, email address, password hash, registration tokens, email-confirmation data, registration status, sponsorship/referral information, and pending-registration records.
If you choose Google sign-in or a Google-assisted registration flow, we may also process a Google subject identifier and basic Google account profile data such as given name, family name, and display name returned for that flow.
The current codebase also includes registration-related security and eligibility controls, including pending-user records and a voice-sample-based check used in certain registration flows.
4.2 Profile, settings, and community data
We may process profile and account-setting data such as biography, avatar, banner, country, region, city, address, phone number, nationality, languages, marital status, visibility preferences, search visibility, online-status preferences, notification preferences, and social-link fields such as YouTube, Instagram, or TikTok links.
We also process user-generated content and community activity data, including publications, comments, reactions, reposts or quotes, group participation, event participation, follows, friendships, blocks, reports, reviews, badges, and other community interactions made available by the Platform.
4.3 Messaging, diary, support, and moderation data
We may process private-messaging data, message attachments or related metadata, notification content, support and assistance ticket content, report content, moderation records, and user communications sent through inbox, support, or similar features.
The Platform also includes a diary feature that stores encrypted diary payloads and related key-management material.
4.4 Marketplace, events, teaching, and transaction-related data
When relevant features are used, we may process marketplace listings, product or service descriptions, photos, prices, delivery preferences, listing contact options, purchase or sale workflow data, review data, event details, event location information, attendee interactions, teaching-related participation data, subscription status, donation status, payment-provider references, and billing or accounting records.
When Mollie checkout or similar payment flows are used, we may receive and store transaction confirmations, customer IDs, payment IDs, subscription IDs, invoice-related metadata, and related status updates. Based on the current implementation, we do not store your full bank-card number or full payment credentials in our own systems when checkout is handled on a payment provider's controlled page.
4.5 Technical, device, location, and security data
We may process IP addresses, timestamps, device and browser information, operating-system information, request identifiers, authentication and security tokens, session data, language preferences, page URLs, API endpoints, application logs, error traces, severity levels, stack traces, and related debugging or anti-abuse information.
If you use localization features, we may also process location data that you provide manually or that is derived from device-permission flows, including country, region, city, address, and, where you authorize it, approximate or precise geographic coordinates used to determine a nearby location or personalize local discovery features.
4.6 Communications and marketing data
If you contact us or subscribe to updates, we may process contact-form content, inbound correspondence, newsletter-subscription records, unsubscribe status, and outbound communication preferences.
4.7 Special-category or otherwise sensitive data
Some optional profile fields and some user-generated content may reveal information about religious beliefs or practice, such as creed-related fields, jurisprudence-school preferences, and religious-practice indicators. This kind of information may qualify as special-category personal data under Article 9 GDPR.
We ask that you provide this type of information only if you genuinely wish to use the corresponding feature. Visibility settings may affect whether such information remains private, is shared with selected audiences, or is made public on the Platform.
5. SOURCES OF DATA WE MAY RECEIVE FROM THIRD PARTIES
Depending on the feature used, we may receive personal data from third parties such as:
- Google Identity Services, when you choose a Google sign-in or Google-assisted registration flow;
- payment providers, especially Mollie, when you start, complete, cancel, or renew a subscription or other checkout flow;
- push-notification infrastructure, including Firebase Cloud Messaging or related mobile infrastructure, when mobile notifications are enabled;
- map or geocoding services, including OpenStreetMap or Nominatim-related resources, when you use localization or mapping features; and
- other users, when they message you, invite you, mention you, report content involving you, or otherwise interact with your account or content.
6. PURPOSES OF PROCESSING AND LEGAL BASES
| Purpose | Main legal basis | Main data concerned |
|---|---|---|
| Creating and managing accounts, authenticating users, and operating registration flows | Performance of a contract or steps taken at the user's request before entering into a contract; legitimate interests for account security and abuse prevention | Registration data, login data, pending-account data, Google sign-in data, security tokens |
| Providing core social and community features | Performance of a contract | Profile data, publications, comments, reactions, follows, friendships, groups, events, marketplace and related interactions |
| Operating private messaging, diary, notifications, and support tools | Performance of a contract; legitimate interests in service continuity, support, moderation, and incident handling | Messages, diary content, support tickets, notification data, related metadata |
| Processing payments, subscriptions, donations, accounting, and billing records | Performance of a contract; legal obligations for accounting and recordkeeping | Payment-provider references, subscription records, invoices, billing metadata, donation records |
| Securing the Platform, preventing fraud and abuse, handling moderation, investigating incidents, and maintaining logs | Legitimate interests; legal obligations where applicable | Security logs, error logs, reports, IP addresses, technical identifiers, moderation and compliance records |
| Sending operational emails, alerts, and service notifications | Performance of a contract; legitimate interests in operating the service and informing users about relevant events | Email address, notification preferences, event and account activity data |
| Managing newsletters or similar optional informational communications | Consent where required by law; legitimate interests where a lawful exemption applies | Email address, subscription status, subscription source, communication logs |
| Providing localization and map-based features | Performance of a contract for manually entered location data; consent where device-permission-based location access is used | Country, region, city, address, map preferences, coordinates when permission is granted |
| Processing optional religion-related profile data or content that reveals sensitive beliefs | Your explicit consent where required by Article 9 GDPR, and/or the fact that you chose to make such data public through the Platform, subject to applicable law | Optional creed, jurisprudence-school, religious-practice and similar profile or content fields |
| Complying with legal requests, enforcing our rights, defending claims, and retaining essential audit records | Legal obligations; legitimate interests in establishing, exercising, or defending legal claims | Account records, transaction records, deletion audits, moderation records, support records, logs |
Where we rely on legitimate interests, these interests generally include operating a secure community platform, preventing abuse and fraud, investigating incidents, defending our legal rights, assisting users, and improving service reliability. When required, we balance these interests against your rights and freedoms.
7. WHEN PROVIDING DATA IS NECESSARY OR OPTIONAL
Some data is necessary to create an account, authenticate you, secure the Platform, process a transaction, or provide a feature you request. If you do not provide that data, we may be unable to create the account, complete the transaction, deliver the requested feature, or keep the service secure.
Other data is optional, including many profile fields, social links, parts of your biography, precise device location, newsletter subscription, and optional religion-related profile fields. Choosing not to provide optional data should not prevent access to the core service, except where a specific feature intrinsically depends on that information.
8. VISIBILITY OF YOUR DATA ON THE PLATFORM
Ukhti is a community platform. Some profile information, user-generated content, marketplace listings, event information, reviews, and social interactions may be visible to other users or, depending on the feature and the visibility settings applied, to broader audiences.
You are responsible for the information you decide to publish, disclose in messages, include in listings, or make visible through profile settings. This is especially important for optional data capable of revealing religion, beliefs, daily habits, contact details, or location.
Where the Platform offers field-level or audience-level visibility settings, we use those settings to determine the intended display scope of relevant information, but no internet-connected service can guarantee zero redistribution by recipients once information has been shared with them.
9. RECIPIENTS OF PERSONAL DATA
9.1 Internal recipients
Your data may be accessed internally only by persons who need it for their duties, such as technical administration, support, moderation, security, payments administration, legal handling, or customer communications.
9.2 Service providers acting for us or supporting the service
Depending on the relevant feature and deployment state, your data may be processed by service providers or infrastructure partners involved in hosting, content delivery, email transmission, security, storage, logging, payment integration, notification delivery, or similar technical operations. Based on the current legal notices and deployment information, this includes hosting infrastructure currently identified with Scaleway for the main web service.
Such providers are used only where necessary for the service and are expected to process data under appropriate contractual, security, and confidentiality terms.
9.3 Third-party services you choose to use or trigger
Some features involve third-party services that may process data under their own responsibility, according to their own legal documents. Based on the current implementation, this may include in particular:
- Google Identity Services for optional sign-in flows;
- Google / Firebase Cloud Messaging for mobile push notifications where enabled;
- Mollie for subscriptions, checkout, and related payment flows;
- Ko-fi for the donation widget embedded on the donation page;
- YouTube when user content is rendered as an embedded video; and
- OpenStreetMap, Nominatim, and similar map resources when map or geolocation-related features are used.
These third parties may receive technical connection data such as IP address, browser information, and page context when the relevant feature is loaded or used. Their own privacy and cookie documentation applies in addition to this policy.
9.4 Authorities, claimants, and legal recipients
We may disclose personal data to courts, regulators, law-enforcement bodies, hosting providers, legal advisers, insurers, or other authorized recipients when necessary to comply with the law, answer valid legal requests, protect the rights or safety of users or third parties, investigate abuse, or establish, exercise, or defend legal claims.
10. INTERNATIONAL TRANSFERS
The Platform is operated from France, but some services, providers, embedded resources, or technical tools used in connection with the Platform may involve access to or transfer of personal data outside France or outside the European Economic Area (EEA).
This may happen in particular when you use third-party authentication, third-party payment services, mobile push-notification infrastructure, embedded video, donation widgets, mapping resources, or external technical providers whose infrastructure or support operations extend beyond the EEA.
Where a transfer outside the EEA is subject to GDPR transfer rules, we aim to rely on an appropriate legal mechanism, such as:
- an adequacy decision adopted by the European Commission;
- the European Commission's current standard contractual clauses, together with supplementary measures where required; or
- another transfer mechanism permitted by Chapter V GDPR.
Because some third-party integrations are activated only when you choose to use them, the exact transfer paths may depend on the features you load.
11. RETENTION
We keep personal data for no longer than necessary for the purposes for which it is processed, subject to legal-retention obligations, dispute handling, backup cycles, security needs, and claim-preservation requirements.
| Category | Main retention logic |
|---|---|
| Account and profile data | Generally kept while your account remains active, then deleted, anonymized, or archived on a limited basis when the account is closed, subject to backups and legal exceptions. |
| Pending registration and pre-check data | Kept for the time necessary to complete, secure, expire, clean up, or administratively review the registration flow. |
| Publications, comments, listings, reviews, groups, event records, and similar user content | Generally kept until deleted by the user, removed by moderation, or deleted as part of account closure or retention cleanup, subject to technical backups and evidentiary needs. |
| Private messages, diary data, support tickets, and related metadata | Generally kept while needed to provide the service, maintain account continuity, support moderation, respond to incidents, or handle legal or support needs, unless deleted sooner where the feature allows it. |
| Payment, subscription, invoice, and accounting records | Kept for the period required by applicable accounting, tax, and evidentiary rules, which may extend up to 10 years where French law requires it. |
| Security logs, error logs, moderation records, and anti-abuse data | Kept for the period reasonably necessary for security, fraud prevention, service reliability, incident analysis, moderation, and defense of rights. |
| Push-notification tokens and notification routing data | Kept while the token is active and associated with your device or until it is invalidated, replaced, deregistered, or becomes obsolete. |
| Newsletter subscription data | Kept until you unsubscribe, object where applicable, or the list is cleaned up for inactivity or compliance reasons. |
| Deleted-account audit records | A limited audit trail may be retained after account deletion, including identifiers such as username, email, deletion reason, and deletion timestamp, where necessary for compliance, security, fraud prevention, or defense of legal claims. |
| Cookies and browser-side storage | Retention varies by tool and is described in the Cookie Policy. |
Backup copies and technical replicas may survive for a limited time after deletion before being overwritten in the ordinary course of disaster-recovery or backup rotation.
12. SECURITY AND CONFIDENTIALITY
We implement measures designed to protect personal data against unauthorized access, unlawful disclosure, accidental loss, destruction, or alteration. Depending on the system and feature, these measures may include HTTPS/TLS in transit, password hashing, token-based access control, permission management, logging, rate-limiting, backups, operational access restriction, and security review or incident handling procedures.
Some Platform features use application-level encryption or encrypted payload formats, including certain diary and private-messaging components. However, the current implementation also includes administrative recovery or decryption capabilities for some encrypted features. As a result, such features must not be understood as zero-knowledge or operator-inaccessible storage in the strict sense.
Where access to message, diary, support, moderation, or security data is necessary for lawful moderation, security operations, incident response, support handling, fraud prevention, legal compliance, or defense of rights, authorized personnel or administrators may access relevant data within the limits of their responsibilities and applicable law.
No system can guarantee absolute security. You should also protect your credentials, choose a strong password, and avoid voluntarily publishing sensitive information unless necessary.
13. AUTOMATED PROCESSING AND ACCOUNT-ACCESS CONTROLS
The current Platform includes automated checks and rules used for registration integrity, abuse prevention, fraud reduction, security monitoring, content or request handling, and service operations. This includes, in certain registration flows, a voice-sample-based check used as part of the platform's access-control or eligibility logic.
Where a decision based solely on automated processing would significantly affect you, you may request human review, express your point of view, and contest the result by contacting Legal contact.
14. YOUR RIGHTS
Subject to the conditions and limits set by applicable law, you may have the following rights:
- Right of access: obtain confirmation that we process your data and access relevant information about that processing.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of personal data in the cases provided by law.
- Right to restriction: request temporary restriction of certain processing in the cases provided by law.
- Right to object: object to certain processing based on our legitimate interests, including direct marketing where applicable.
- Right to data portability: receive certain data you provided to us in a structured, commonly used, and machine-readable format where the legal conditions are met.
- Right to withdraw consent: where processing relies on consent, withdraw that consent at any time for the future.
- Rights relating to automated decision-making: request human intervention, express your view, and challenge a qualifying automated decision where applicable.
You can exercise rights by contacting Legal contact or General contact. We may ask for information reasonably necessary to verify your identity and protect the data against unauthorized disclosure.
We generally aim to respond within one month, subject to lawful extensions where the request is complex or numerous.
15. COOKIES, LOCAL STORAGE, AND SIMILAR TECHNOLOGIES
The Platform uses cookies and similar browser-side technologies for authentication, security, language preferences, session continuity, payment-return flows, localization state, interface preferences, and optional third-party features.
Details about the cookies and browser storage currently identifiable in the Platform, including strictly necessary cookies and optional third-party integrations, are set out in our Cookie Policy.
16. CHILDREN AND MINORS
The Platform is not intended to be used in breach of the age rules that apply to the user under applicable law.
When French law applies and a processing activity relies on consent in connection with the direct offer of information-society services to a child, a minor under the age of 15 cannot validly consent alone; parental-authority involvement is required under the applicable legal framework.
If you believe that a child's personal data has been provided to us unlawfully, please contact us promptly at Legal contact.
17. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes to the Platform, our business organization, integrated services, legal requirements, or transparency commitments. The version in force is the version published on the Platform with the update date shown at the top of this document.
18. COMPLAINTS AND CONTACT
For questions, requests, or complaints relating to personal data, you may contact:
Louala / Ihsan Labs
36 Rue de la Commanderie
54000 Nancy
France
General contact: General contact
Legal and privacy contact: Legal contact
If you believe that the processing of your personal data infringes applicable law, you also have the right to lodge a complaint with the competent supervisory authority. In France, this is the CNIL (https://www.cnil.fr/fr/plaintes).