Data Processing Agreement (DPA)

1. What Types of Personal Data Does Najda Collect?

Najda collects the following categories of personal data:

  • Identification Data:
    • Name (limited to first name, as stipulated in the Terms and Conditions of Use and Privacy Policy).
    • Email address.
    • Photograph (optional, submitted at the user’s discretion).
  • Mental Health Data: Information pertaining to the user’s mental health, directly provided by the user during registration or interactions with therapists (Privacy Policy, Article 1).
  • Conversation Logs: Data arising from communications between clients and therapists via the platform, noting that sessions themselves are not recorded (Teleconsultation Consent Notice).
  • Payment Data: Information required to process the mandatory "donations" constituting payment for services (Terms and Conditions of Use, Section 4).
  • Browsing Data: Information gathered through cookies or analogous technologies concerning activity on the website or application (Privacy Policy, Article 1.2).

These categories are expressly referenced in the Privacy Policy (Article 1), the Terms and Conditions of Use (Section 6), and are consistent with the platform’s operational framework.

2. For What Purposes Are These Data Processed?

Najda processes the aforementioned data for the following purposes:

  • Provision of Therapy Services: To facilitate tailored interactions between clients and therapists, incorporating Islamic values where applicable (Privacy Policy, Article 2; Terms and Conditions of Use, Section 2).
  • User Account Management: To establish, maintain, and customize accounts, thereby ensuring seamless access to services (Privacy Policy, Article 2.1).
  • Platform Improvement: To enhance website functionality and user experience through analytical tools (Privacy Policy, Article 2.1).
  • Legal Compliance: To fulfill regulatory requirements in jurisdictions where Najda operates, including data retention obligations in the event of disputes (Terms and Conditions of Use, Section 7; Privacy Policy, Article 5).
  • Technical Support: To identify users for the purpose of addressing assistance requests or resolving technical issues (Privacy Policy, Article 2.1).

These purposes are comprehensively outlined in the Privacy Policy (Article 2) and align with the services delineated in the Terms and Conditions of Use.

3. Does Najda Engage Subprocessors to Process the Data? If So, What Are Their Roles?

Najda does indeed engage subprocessors for specific data processing activities, with their roles delineated as follows:

  • NoCode Platform: Utilized for application development and secure data storage within a database (Terms and Conditions of Use, Section 6; Privacy Policy, Article 3).
  • Payment Processors: Tasked with managing financial transactions associated with the mandatory "donations" for services (Terms and Conditions of Use, Section 4).
  • Therapists: While independent contractors (Therapist Service Agreement, Section 1.1), they function as data processors by managing client information in the course of their professional responsibilities (Privacy Policy, Article 4; Therapist Service Agreement, Section 4).

No additional third parties are granted access to the data, save in instances of legal mandate or with the user’s explicit consent (Privacy Policy, Article 4.2).

4. In Which Countries Does Najda Operate, and Where Are the Data Stored or Processed?

  • Countries of Operation: Najda conducts its operations in:
    • The United Arab Emirates (UAE), its base of establishment (Terms and Conditions of Use, Section 13).
    • The United States, adhering to regulations such as COPPA and CCPA (Privacy Policy, Article 8; Therapist Service Agreement, Section 1).
    • The United Kingdom, in compliance with the UK GDPR (Privacy Policy, Article 8; Therapist Service Agreement, Section 3).
    • Other English-speaking jurisdictions, including Canada, Australia, and New Zealand, subject to laws such as PIPEDA and the Privacy Act (Therapist Non-Disclosure Agreement, Section 1.2; Privacy Policy, Article 8).
  • Data Storage: Data is securely stored in a NoCode database, presumed to be located in the UAE, as per the Privacy Policy (Article 7), which states that data is not transferred beyond the "national territory" (interpreted as the UAE). Nonetheless, cross-border transfers may occur due to Najda’s international operations.

5. What Security Measures Are in Place to Protect the Data?

Najda employs the following security measures to safeguard the data:

  • Encryption: Sensitive information, including communications and health data, is protected using industry-standard encryption protocols (Privacy Policy, Article 3.3; Teleconsultation Consent Notice, Section 3).
  • Strict Access Controls: Access is restricted to the founder (data controller) and the assigned therapist, with stringent oversight for any additional interventions (Privacy Policy, Article 3.2; Terms and Conditions of Use, Section 6).
  • Anonymization: Sensitive data is anonymized where necessary to prevent unauthorized identification (Privacy Policy, Article 3.3).
  • Prohibition of External Tools: Therapists are required to retain all data within the Najda platform, prohibiting the use of third-party tools (Therapist Service Agreement, Section 4.2).
  • Breach Notification: In the event of a data breach, Najda undertakes to notify affected users and relevant authorities without undue delay (Privacy Policy, Article 3.4; Teleconsultation Consent Notice, Section 3).

These measures are designed to uphold the confidentiality and integrity of the data, notwithstanding Najda’s lack of HIPAA certification (Terms and Conditions of Use, Section 6).

6. How Does Najda Handle User Requests Regarding Their Rights (Access, Rectification, Deletion)?

Najda addresses user rights in the following manner:

  • Process: Users may request access, rectification, or deletion of their data by submitting an email to inquiry@najda.io (Privacy Policy, Article 5.2; Terms and Conditions of Use, Section 7).
  • Timelines: Such requests are processed expeditiously, except where retention is mandated by law (e.g., for dispute resolution) (Privacy Policy, Article 5.2; Terms and Conditions of Use, Section 7).
  • Covered Rights: Pursuant to applicable laws (GDPR, CCPA, PDPL 2021), users are entitled to rights of access, rectification, deletion, portability, restriction, or objection to processing (Privacy Policy, Article 6).

The Privacy Policy (Article 6) elaborates on these rights, ensuring a clear and accessible procedure via email.

7. Are There Cross-Border Data Transfers? If So, to Which Countries?

  • Existence of Transfers: Cross-border data transfers are indeed possible, owing to:
    • Therapists potentially being located in jurisdictions distinct from those of the clients (Therapist Service Agreement, Section 4; Privacy Policy, Article 7).
    • Najda’s global operational scope (UAE, United States, United Kingdom, etc.), necessitating data exchanges across jurisdictions.
  • Countries Involved: Data may be transferred to jurisdictions where therapists are based, potentially encompassing the UAE, United States, United Kingdom, Canada, Australia, or other English-speaking countries (Therapist Service Agreement, Section 3; Privacy Policy, Article 8).
  • Safeguards: While the Privacy Policy (Article 7) asserts that no transfers occur outside the "national territory" (UAE), it stipulates that, if required, standard contractual clauses (SCC) or other approved mechanisms will be employed in compliance with GDPR and other applicable laws (Privacy Policy, Article 7).

8. Where Are the Therapists Located? Are They in the Same Country as the Clients, or Can They Be in Different Countries?

  • Location: Therapists operate on a global basis and may reside in different countries from the clients (Therapist Service Agreement, Section 4; Privacy Policy, Article 8).
  • Geographic Flexibility: Therapists are not required to be located in the same jurisdiction as their clients. For instance:
    • In the United States, they must hold a license valid in the client’s state (Therapist Service Agreement, Section 3.1).
    • In the United Kingdom, registration with the HCPC or an equivalent body is mandatory (Therapist Service Agreement, Section 3.1).
    • In other jurisdictions, equivalent local licensure is required.
  • Implication: This geographic dispersion underscores Najda’s international framework and may entail cross-border data transfers (Therapist Service Agreement, Section 4).

9. Who Are the Data Subjects?

The data subjects include:

  • Clients: Individuals utilizing therapy services via the Najda platform (Privacy Policy, Article 1; Terms and Conditions of Use, Section 2).
  • Therapists: Professionals delivering consultation services, whose data (e.g., licenses, qualifications) are collected for account management and verification purposes (Therapist Service Agreement, Section 3; Privacy Policy, Article 4).

Conclusion

The foregoing responses are grounded in the provided documentation (Therapist Service Agreement, Therapist Non-Disclosure Agreement, Privacy Policy, Teleconsultation Consent Notice, Terms and Conditions of Use). Should additional details be required for the preparation of a Data Processing Agreement (DPA) or other purposes, kindly advise. Otherwise, this submission fully addresses the inquiries posed.

Legal
Privacy Policy
Terms of Service
Teleconsultation Consent Notice
Financial Responsibility Agreement
Therapist Service Agreement
Medical Disclaimer
Data Processing Agreement (DPA)
Contact
Najda offers emotional and spiritual support rooted in faith, not clinical therapy. For medical or psychological conditions, consult a licensed professional.
Najda © 2025