UK GDPR | v1.0 | 1 April 2026
UK GDPR Compliant

Privacy Policy

UmmahLeads is committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last updated: 1 April 2026

Tracking cookies: Zero
KYC provider: Sumsub EU
Credit scoring: ZK-Proof
Response time: 30 days

Article 1 — Data Controller

The data controller responsible for the processing of personal data collected on the UmmahLeads platform is:

Identity

QUANTUM AIAA LTD — Private limited by shares (Company No. 15495744), registered at Companies House, England & Wales. Registered office: 20 Wenlock Road, London N1 7GU, England.

Contact emails

Data requests: privacy@ummahleads.app. General enquiries: contact@quantumaiaa.com.

DPO contact

Data Protection Officer, QUANTUM AIAA LTD, 20 Wenlock Road, London N1 7GU, England. Email: privacy@ummahleads.app. You may contact the DPO for any question relating to the processing of your personal data.

Article 2 — Data Collected

UmmahLeads collects different categories of personal data depending on your use of the Platform:

Mandatory data

Crypto wallet address (public by nature on the blockchain). This data is essential to access Platform services.

KYC data (if >USD 1,000)

Full name, date of birth, nationality, identity document (passport, national ID card or driving licence), verification selfie. This data is collected and processed by our partner Sumsub under our legal obligations relating to anti-money laundering.

Optional data

Email address (for notifications and communications), phone number (required for the use of AI voice agents), country of residence (for service personalisation).

Transaction data

History of transactions carried out via the Platform. This data is recorded transparently and immutably on the Polygon blockchain and is public by nature.

Technical data

IP address (anonymised), browser type, operating system, language preference. This data is collected automatically during your browsing.

Article 3 — Purposes of Processing

Your personal data is processed for the following purposes:

Service provision

Performance of Platform services: lead generation, SmartMatch AI, services marketplace, Islamic financing, staking and DAO governance.

KYC/AML compliance

Identity verification and anti-money laundering in compliance with applicable UK, international and local regulations.

Service improvement

Anonymised analysis of Platform usage to improve user experience, optimise SmartMatch algorithms and develop new features.

AI voice agents

Processing of telephone calls via AI voice agents for lead qualification, viewing scheduling and user support.

Marketing (with consent)

Communication about new services, features and promotions. Direct marketing is subject to your prior consent and you may unsubscribe at any time.

Article 5 — Retention Periods

Your personal data is retained for the following periods, in compliance with legal obligations and data minimisation principles:

KYC data

5 years from account closure or the last transaction, in compliance with legal retention obligations relating to anti-money laundering.

Transaction data

7 years from the transaction date, in compliance with accounting and tax obligations. On-chain data is by nature immutable and permanent.

Inactive accounts

Data associated with an inactive account (no login, no transaction) is deleted after a period of 3 years of inactivity, following prior notification.

Voice recordings

12 months from the date of recording, in accordance with Article 17 of the UK GDPR (right to erasure). Recordings may be deleted earlier upon simple request.

Article 6 — Processors and Recipients

QUANTUM AIAA LTD engages the following processors for the processing of your personal data. Each processor is bound by a data processing agreement (DPA) compliant with the UK GDPR.

Supabase (database hosting)

Supabase Inc. — Database hosted in the European Union (eu-west region). Supabase is UK GDPR compliant and SOC 2 Type II certified.

Vercel (web hosting)

Vercel Inc. — 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Web application hosting and CDN. International transfer governed by the UK International Data Transfer Agreement (IDTA).

Bland.ai (voice agents)

Bland.ai — United States. Processing of telephone calls via AI voice agents. International transfer governed by the UK International Data Transfer Agreement (IDTA). Recordings are encrypted and deleted after 12 months.

Sumsub (KYC)

Sumsub — European Union. Identity verification and KYC/AML procedures. KYC data is encrypted and stored in the EU.

Polygon (blockchain)

Polygon / Matic Network — Decentralised blockchain network. On-chain transactions are public by nature and are not subject to centralised processing. The wallet address is the only data published on-chain.

Article 7 — International Data Transfers

Some of our processors are located outside the United Kingdom. Data transfers are governed by the following mechanisms:

UK International Data Transfer Agreement (IDTA)

Transfers to Vercel (USA) and Bland.ai (USA) are governed by the UK International Data Transfer Agreement (IDTA) approved by the Secretary of State, ensuring an adequate level of data protection.

Blockchain data

Data recorded on the Polygon blockchain is public and decentralised by nature. This data (wallet address, transactions) does not constitute a transfer to a third country within the meaning of the UK GDPR, as it is globally accessible without centralised control.

Supplementary measures

In addition to the IDTA, supplementary measures are implemented: encryption of data in transit (TLS 1.3) and at rest (AES-256), pseudonymisation of data where possible, and regular impact assessments.

Article 8 — Your Rights

Under the UK GDPR, you have the following rights over your personal data. You may exercise these rights by contacting privacy@ummahleads.app. Response time: 30 days maximum.

Right of access (Article 15 UK GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed, as well as access to such data and information relating to its processing.

Right to rectification (Article 16 UK GDPR)

You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.

Right to erasure (Article 17 UK GDPR)

You have the right to obtain the erasure of your personal data where: the data is no longer necessary, you withdraw your consent, or the processing is unlawful. This right is limited by legal retention obligations (KYC, accounting).

Right to restriction (Article 18 UK GDPR)

You have the right to obtain the restriction of processing where you contest the accuracy of the data, the processing is unlawful, or QUANTUM AIAA LTD no longer needs the data.

Right to data portability (Article 20 UK GDPR)

You have the right to receive your personal data in a structured, commonly used and machine-readable format (JSON), and to transmit it to another controller.

Right to object (Article 21 UK GDPR)

You have the right to object to the processing of your personal data based on legitimate interest, including profiling. You may also object to direct marketing at any time.

Article 9 — Zero-Knowledge Technology

UmmahLeads uses zero-knowledge proof technologies to protect the financial data of its Users.

ZK credit scoring

The credit scoring used by the Platform relies on zero-knowledge proofs (zk-SNARKs). This means that the User's financial data is NOT stored or transmitted by, or accessible to, QUANTUM AIAA LTD.

On-chain verification

Only a cryptographic hash (mathematical proof) is verified on-chain, attesting to the User's creditworthiness without revealing any personal financial data. This mechanism guarantees maximum privacy.

Minimisation principle

Zero-Knowledge technology is the most advanced application of the UK GDPR data minimisation principle: data that does not need to be collected simply is not.

Article 10 — Cookies and Local Storage

QUANTUM AIAA LTD is committed to respecting your privacy regarding cookies and trackers.

No tracking cookies

The website ummahleads.app does not use any tracking, behavioural analysis or targeted advertising cookies. No tools such as Google Analytics, Facebook Pixel or equivalent are deployed.

LocalStorage

The website exclusively uses the browser's localStorage to store the User's language preference. This data is strictly technical and is not transmitted to third parties.

Article 11 — AI Voice Agents and Call Recording

UmmahLeads deploys AI-powered voice conversational agents for lead qualification and customer support.

Call recording

Calls with AI voice agents may be recorded for service improvement and as evidence in the event of a dispute. Recording is subject to the prior consent of the caller.

Consent at start of call

Consent to recording is explicitly requested at the beginning of each call. The User or prospect may refuse recording without affecting the quality of service.

Right of refusal and deletion

You may refuse recording at any time. You may also request the deletion of an existing recording by contacting privacy@ummahleads.app. Recordings are automatically deleted after 12 months.

Voice processor

Calls are processed by Bland.ai (USA). Voice data is encrypted in transit and at rest. International transfer is governed by the UK International Data Transfer Agreement (IDTA).

Article 12 — Amendments to this Policy

QUANTUM AIAA LTD reserves the right to amend this Privacy Policy at any time.

30-day notice

Any material amendment to this policy will be notified to Users with a minimum notice period of 30 days, by email (if provided) and/or by notification on the Platform.

On-chain notification

Major amendments to the privacy policy may also be notified on-chain via an event emitted by the governance smart contract, ensuring immutable transparency.

Article 13 — Complaint to the ICO

If you believe that the processing of your personal data constitutes a violation of the UK GDPR, you have the right to lodge a complaint with the competent supervisory authority.

ICO — Information Commissioner's Office

The UK supervisory authority for data protection. Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: https://ico.org.uk. Telephone: 0303 123 1113.

Other authority

If you reside in another jurisdiction, you may also lodge a complaint with the data protection authority of your country of residence.

Prior contact

Before lodging any complaint, we invite you to contact us at privacy@ummahleads.app so that we can respond to your request and, where appropriate, remedy any non-compliant situation as promptly as possible.