Privacy Policy

The categories of data Safa may store about you:

• Account info — if you sign in, your email or a passphrase-derived identifier, and an authentication token.
• Mosque & location — the mosque you select and its coordinates so Safa can fetch your local prayer times. You can choose to use a generic location instead.
• Daily activity — which tasks you mark complete (prayers, adhkar, Qur’an reading, water, etc.), per-day counts, and any custom tasks you add.
• Reflections — mood check-ins, journal entries, and notes you write inside the app.
• Cycle data (optional) — if you use the Daurah tracker. This stays on your device and in your encrypted account only; it’s not used for anything else.
• Quran.com integration (optional) — if you connect a Quran.com account, an OAuth token is stored so Safa can read and write your Quran.com bookmarks and notes on your behalf. We never see your Quran.com password.
• Device basics — operating system, app version, and timezone, used to render the right calendar and UI.

Safa has no advertising SDKs, no third-party analytics that profile you across apps, and no social-graph tracking. We don’t buy data from data brokers. The app contains no behavioral trackers in third-party libraries beyond what you grant explicitly (e.g. the Quran.com OAuth scopes).

• Render your daily Salah times against your chosen mosque.
• Sync your task completions, journal, and Qur’an reading progress across your devices when you sign in.
• Send local notifications for prayer reminders and check-ins (you can turn each one off in Settings).
• When connected, exchange and refresh Quran.com OAuth tokens so your bookmarks and notes stay in sync.
• Diagnose crashes and bugs (anonymized — never tied back to who you are).

Most of your data lives on your device, in AsyncStorage. When you sign in, an encrypted copy syncs to our backend (Supabase, hosted in the EU). We use industry-standard encryption in transit (HTTPS) and at rest. The Quran.com OAuth token is stored securely and never exposed in app logs or shared with third parties.

• Aladhan API — for prayer times and Hijri date conversion. We send the mosque coordinates and the date you ask about; Aladhan returns the times.
• Al Qur’an Cloud — for the Qur’an reader pages (Uthmani Arabic + Sahih International English). We send the requested page number; the response is cached locally.
• Quran.com Foundation (optional) — when you connect a Quran.com account. Their privacy practices apply to data you store with them; ours apply to the OAuth token we hold on your behalf.
• Supabase — our authentication and account-sync backend.
• Apple & Google — to deliver the app through the App Store / Play Store.

We don’t share your account data with these third parties beyond what’s strictly needed to provide the feature you requested.

You can, at any time:

• Access a copy of your data — email us and we’ll send it.
• Correct or update anything wrong via the app or by emailing us.
• Delete your account and all server-side data from inside the app (Settings → Delete account) or by emailing us. Local on-device data is wiped when you sign out and clear the app.
• Disconnect Quran.com — revokes the OAuth token we hold and forgets it.
• Object to specific processing or withdraw consent for optional features.

Safa is intended for users 13+ (or 16+ in regions where that is the local minimum). We do not knowingly collect data from younger children. If you believe a minor has used Safa, contact us and we’ll delete the account.

We keep your data for as long as your account is active. If you delete your account, server-side data is removed within 30 days. Crash diagnostics (if any) are retained for up to 90 days for debugging.

When we make material changes we’ll update the “Last updated” date above and, for significant changes, notify you inside the app or by email. Continued use of Safa after a change means you accept the updated policy.

Questions, requests, or concerns: muslimah.app.acc@gmail.com. We’ll get back to you in a few working days, in shaa Allah.