1. Who we are
iTafakkur (the "App") is published by Syed Altaf Hussain, an individual developer operating under the brand eDrop, based in the Kingdom of Saudi Arabia. We are the data controller for the information described in this policy.
For any privacy question, contact us at support@itafakkur.com. We aim to respond within 7 days.
2. Summary (the short version)
- We collect the minimum data needed to run the App: your account info, your in-app activity (chats, journal, habits, bookmarks), and — only if you grant permission — your device location for prayer times and Qibla direction.
- We do not sell your data, ever.
- We use trusted third-party services (Supabase, OpenAI, Apple, Google, Microsoft, Aladhan, Quran.com) to provide core features. Each is named and described below.
- You can delete your account and all your data from inside the App at any time.
- We comply with GDPR (EU/UK), CCPA (California), and the Saudi Personal Data Protection Law (PDPL).
3. Data we collect
3.1 Information you provide
- Account: email address, name, optional username, optional country and phone number.
- Authentication: if you sign in with Apple, Google, or Microsoft, we receive your name and verified email from that provider — we never see your password.
- In-app content: messages you send to the AI assistant, journal entries, habit tracking, dhikr counts, bookmarks, prayer/Qibla settings, language preference.
- Feedback: messages you send via the in-app "Send Feedback" form.
3.2 Information collected automatically
- Device location (only with your permission): used to calculate prayer times and Qibla direction. Location is sent to our backend and to the Aladhan API (no other sharing). We do not store historical location.
- Authentication tokens: issued by Supabase on sign-in, stored locally on your device, refreshed automatically.
- Crash + diagnostic data (App Store / Play Store level): if you opt in to share diagnostics with Apple or Google, they may share those reports with us. We use them only to fix bugs.
- No advertising identifiers, no cross-site trackers, no analytics SDKs.
4. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the core app features (chat, journal, habits, prayer times, Qibla, dhikr, study paths) | Contract |
| Authenticate you and keep your session alive | Contract |
| Calculate prayer times and Qibla based on your location | Consent (location) |
| Send you prayer-time reminders if you enable notifications | Consent |
| Generate AI responses for your chat questions and journal prompts | Contract |
| Respond to your support requests | Legitimate interest |
| Detect and prevent abuse (rate-limiting daily chat quota) | Legitimate interest |
5. Third-party services we use
iTafakkur relies on a small number of trusted services to deliver core features. Each receives the minimum data needed for its function. We have reviewed the privacy practices of each service and do not share data beyond what they require to operate.
| Service | Purpose | Data sent |
|---|---|---|
| Supabase | Database, authentication, storage | Account info, in-app content, auth tokens |
| OpenAI | AI chat responses, journal prompts, content translations | Your chat messages and prompt content (no personal identifiers attached) |
| Aladhan | Prayer times, Hijri date conversion | Your latitude / longitude coordinates |
| Quran.com API | Verse translations in your language | Verse reference (e.g. "2:286"), language code |
| IslamCan.com | Streaming Azaan recordings | Your IP address (standard for any web request) |
| Apple Sign In | Optional sign-in method | Email + name (only when you choose to sign in with Apple) |
| Google OAuth | Optional sign-in method | Email + name (only when you choose to sign in with Google) |
| Microsoft OAuth | Optional sign-in method | Email + name (only when you choose to sign in with Microsoft) |
| Railway | Backend hosting (US) | API request data in transit (encrypted via HTTPS) |
6. Where your data is stored
Your account and in-app content are stored on Supabase's servers (currently in the United States). Your data is encrypted in transit (TLS) and at rest (Supabase manages disk encryption). Backups are retained by Supabase per their standard policy.
AI processing (OpenAI) happens in the United States and Europe, depending on routing. Per the enterprise terms that our backend uses, OpenAI does not use API content to train its models.
7. How long we keep your data
- Account + in-app content: kept as long as your account is active. Deleted within 30 days of account deletion.
- Daily chat quota counter: automatically purged after 30 days.
- Prayer time + Hijri date cache: non-personal, refreshed daily.
- Verse translation cache: non-personal scriptural content, kept indefinitely.
- Crash logs (if Apple/Google share with us): kept up to 90 days.
8. Your rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data (you can edit your profile in the App)
- Delete your account and all associated data (Profile → Delete Account inside the App)
- Withdraw consent for location and notifications at any time (in iOS/Android system settings)
- Export a copy of your data (email us and we'll provide a JSON export within 30 days)
- Object to processing or lodge a complaint with your local data protection authority
To exercise any of these rights, email support@itafakkur.com.
9. Children's privacy
iTafakkur is rated 4+ on the App Store / Everyone on Google Play. We do not knowingly collect data from children under 13 (or under 16 in the EU) without verifiable parental consent. If you believe a child has provided us with personal data without parental consent, contact support@itafakkur.com and we will delete it promptly.
10. Security
We use industry-standard security measures including TLS 1.3 for all data in transit, asymmetric (ES256) JWT authentication, row-level security on the database, and credential rotation on a regular schedule. No system is perfectly secure, but we apply best-in-class practices and will notify affected users within 72 hours of any confirmed breach affecting their personal data.
11. Changes to this policy
We may update this policy as the App evolves (new features, new third-party services, regulatory changes). When we make material changes, we will update the "Last updated" date above and, where significant, notify you in-app on next launch. Continued use of the App after a change constitutes acceptance.
12. Contact
13. Governing law
This policy is governed by the laws of the Kingdom of Saudi Arabia, without prejudice to mandatory consumer protection rights you may have under your local law (e.g. GDPR if you are in the EU/UK, CCPA if you are in California).