Privacy Policy

Effective Date: November 1, 2025

Last Updated: November 1, 2025


1. Preamble

Al Sirat ("we," "our," "ours") is a mobile application that provides an Islamic AI assistant (MySheikh), prayer times tracking with notifications, access to the Qur'an, Hadith, and Du'a, and personal spiritual practice tracking. We regard privacy protection as a sacred trust (amānah). This document explains what data we collect, why, how we protect it, and your rights.

2. Data Collected

• Account: Email (optional), first name, madhab, language → Stored on device + encrypted Firestore → Never shared
• Location: GPS coordinates once per request → Device only (cached 30 days) → Never shared
• Spiritual Journey: Prayers, Qur'an pages, dhikr, charity, fasting → Encrypted Hive + optional Firestore sync → Never shared
• MySheikh History: Questions + answers → Encrypted Hive + optional Firestore sync → OpenAI receives only the question + Islamic excerpts (no PII)
• Analytics: Crash reports, performance → Firebase Crashlytics → Google (anonymized)
• Payment: Managed exclusively by Apple/Google

We NEVER collect: continuous location tracking, contacts, photos, microphone, browsing history, biometric data, or financial information.

3. Processing Purposes

• Prayer times calculation: Legitimate interest (core service)
• MySheikh responses: Contract execution
• Multi-device sync: Consent (toggle switch)
• Stability improvement: Legitimate interest (anonymized)

4. Data Security

• In transit: TLS 1.3, certificate pinning
• At rest (device): Hive AES-256
• At rest (cloud): Firestore AES-256 + security rules (UID-only access)
• API Keys: Server-side, rotated every 90 days
• Backups: Encrypted, retained 180 days

5. Third-Party Sharing

• OpenAI: Receives question + Islamic excerpts for response generation (openai.com/policies)
• Google Firebase: Anonymized crash & metrics for stability (firebase.google.com/support/privacy)
• Apple / Google: Purchase receipt (no card details) for subscriptions

We never sell or rent any personal data.

6. Minors (COPPA / GDPR)

• Minimum age: 13 years
• Parental consent required for under 13 (email verification)
• No behavioral advertising

7. Your Rights

• Access: Settings → Data Management → Export JSON
• Rectification: Edit profile anytime
• Erasure: Settings → Delete Account (cloud data deleted within 30 days)
• Objection / Restriction: Disable sync or analytics
• Portability: Export JSON
• Withdraw Consent: Disable sync

8. Data Retention

• Local (device): Until uninstall or deletion
• Cloud (active account): As long as account exists
• Cloud (inactive): Deleted after 24 months
• OpenAI Logs: 30 days (OpenAI policy)

9. International Transfers

• Firebase: us-central1 (United States)
• Standard Contractual Clauses (GDPR) in place

10. Changes

Major changes → in-app notification + email (if provided). Continued use = acceptance.

11. Contact

Data Protection Officer Email: privacy@sirat.io

© 2026 Al Sirat. All rights reserved.