
Data Protection & Security

How we protect your personal data and sensitive documents with military-grade encryption standards, and why you can trust us with your most important documents

Last updated: March 28, 2026

1. Our Commitment to Your Data

At Hi Umrah, we treat your personal data with the same reverence as your spiritual journey. Protecting your information is not just a legal obligation; it is a fundamental part of the trust you place in us as a platform serving pilgrims.

We implement multi-layered security standards built on global best practices in data protection. Every technical decision we make puts your privacy first.

2. Protection in Transit

All communications between your device and our platform are secured via TLS 1.3, the latest version of the TLS protocol that secures HTTPS connections. This means every character you type and every page you browse is fully encrypted while traveling across the internet.

We use Cloudflare's global network as an additional protection layer in front of our servers. Cloudflare blocks cyber attacks and suspicious traffic before it reaches our systems, while accelerating site loading through over 300 points of presence worldwide.

3. Encryption at Rest

Your data doesn't just stay safe in transit; it is also encrypted when stored in our database. We use the AES-256-GCM encryption algorithm, the same algorithm approved by the U.S. National Security Agency (NSA) for protecting classified information.

  • Travelers' real names are encrypted in the database and never appear in plain text, even to our technical team.
  • Passwords are hashed using the one-way bcrypt algorithm. Even if the entire database were breached, the stored hashes cannot be reversed to recover the original password.
  • Encryption keys are managed separately from the encrypted data, meaning access to the data alone is not enough to decrypt it.

4. Sensitive Document Protection

We know that uploading a passport or ID scan requires significant trust. That's why we designed a dedicated protection system for sensitive documents that goes beyond standard encryption practices.

  • Each document is encrypted with its own unique key (Per-Document Encryption). Even if one document's encryption key is compromised, all other documents remain safe.
  • Documents are encrypted before leaving the application. Storage servers never see the original document content.
  • Documents can only be accessed via short-lived presigned URLs that expire within minutes.
  • Documents are not stored on public servers. They are kept in private containers separate from the rest of the site's files.
  • Once a booking is confirmed, documents are locked and cannot be modified or replaced without an authorized support request.

5. Data Retention & Automatic Deletion

We believe in the principle of data minimization. We do not retain your sensitive information longer than necessary to complete the service.

  • Your basic account data (name, email, phone) remains as long as your account is active.
  • Sensitive documents (passport and ID scans) are automatically and permanently deleted after the trip ends, within a period defined by platform administration.
  • Deletion is irreversible. After the retention period expires, no one can recover the deleted documents.
  • You can request complete deletion of your data at any time by contacting our support team.

6. Authentication & Account Protection

Your account is the gateway to your data. That's why we provide multiple layers of protection to prevent unauthorized access.

  • Two-Factor Authentication (2FA): You can enable 2FA via a TOTP app (such as Google Authenticator) to add an extra layer of protection when logging in.
  • Recovery Codes: When enabling 2FA, you receive encrypted recovery codes to regain access if you lose your device.
  • Brute Force Protection: Failed login attempts are automatically rate-limited to prevent guessing attacks.
  • Cloudflare Turnstile Protection: We use Cloudflare's verification system instead of traditional CAPTCHA to protect you from bots without inconvenience.
  • Session Expiry: Login sessions automatically expire after a period of inactivity.

7. Access Control

Not everyone who works on the platform can see everything. We apply the Principle of Least Privilege to ensure each person only accesses what they need.

  • Each entity on the platform is completely isolated from others and cannot access other entities' data.
  • Permissions are divided across multiple levels, and each user can only access what their role requires.
  • Sensitive operations are subject to strict permission controls and can only be executed by authorized personnel.
  • All actions are automatically recorded in a detailed audit log including the actor's identity, IP address, and timestamp.

8. Infrastructure & Hosting

We carefully select our infrastructure to ensure maximum security and reliability.

  • The site is protected by an advanced firewall that automatically blocks common cyber attacks before they reach our systems.
  • The database is secured in an isolated private network not directly accessible from the internet.
  • Uploaded files are stored in encrypted containers completely separate from application servers.
  • Backups are encrypted and stored in geographically separate locations to ensure service continuity.
  • Access to admin panels is restricted with additional protection layers in the production environment.

9. Security Incident Response

Despite all precautions, no system is 100% secure. That's why we have a clear response plan in case of any security breach.

  • If any security breach is discovered, we will notify affected users via email as soon as possible.
  • We will post a prominent announcement on the site explaining the nature of the incident and actions taken.
  • We will fully cooperate with relevant authorities if required.
  • We will take all necessary measures to contain the breach and prevent recurrence.

10. What We Don't Do with Your Data

Transparency also means telling you what we don't do. These are firm commitments we never compromise on.

  • We never sell your personal data to any third party.
  • We do not use your data for targeted advertising or behavioral tracking.
  • We do not share your sensitive documents with any entity outside the scope of the relevant booking.
  • We do not store payment data (card numbers). All payments are processed through secure, certified payment gateways.
  • We do not use AI algorithms to analyze your personal documents.
  • We do not grant our employees unrestricted access to your data. All access is limited and logged.

11. Your Rights

Your data belongs to you. We hold it as custodians, and you have the right to full control over it.

  • Right to Access: You can request a complete copy of all your data stored with us.
  • Right to Rectification: You can modify or update any inaccurate information through your account settings.
  • Right to Deletion: You can request permanent deletion of your account and all your data.
  • Right to Data Portability: You can obtain a copy of your data in a portable format (JSON/CSV).
  • Right to Object: You can object to processing of your data for specific purposes.
  • Right to Withdraw Consent: You can withdraw your consent for cookies and third-party services at any time.

12. Contact & Reporting

If you have any concerns about your data security, discover a security vulnerability, or wish to exercise any of your rights listed above, please contact our Data Protection Officer via email: [email protected]

We commit to responding to all data protection inquiries within a maximum of 72 business hours.
