Privacy Policy
Effective: · Last updated:
This Privacy Policy describes how Almanar AI (“we,” “our,” or “us”) collects, uses, stores, and protects your information when you use Siraj (the “App”), an Islamic companion mobile application that provides Quran reading, prayer times, adhkar with custom-category support, hadith collections, downloadable PDF books, a fasting tracker (Ramadan log, qaḍāʾ balance, kaffāra and fidya calculator), a zakat calculator with ḥawl reminder, and an AI assistant.
By creating an account or using the App, you consent to the practices described in this policy.
2.1 Information You Provide Directly
- Account information — your email address and display name when you register.
- Password — stored only as a one-way hash (bcrypt). We never store, view, or transmit your plain password.
- OAuth sign-in data — if you sign in with Apple or Google, we receive your email address, name (when provided by the provider), and a unique provider identifier. We do not receive your password.
- User-generated content — custom adhkar (with categories and titles you assign), bookmarks, ayah notes, khatma labels, reading progress, fasting logs, qaḍāʾ balance, kaffāra completion records, zakat calculations and line items, and PDF reading positions.
- AI chat messages — text messages you send to the in-app AI assistant.
2.2 Information Collected Automatically
- Device information — device model, operating system, app version, and a randomly generated session identifier used to manage your active logins.
- Location — Location access is required to calculate accurate prayer times and qibla direction. If you deny location permission, these features will not be available. Location data is processed on your device and is not transmitted to or stored on our servers.
- Usage data — Quran reading position, dhikr counts, prayer logs, fasting logs, zakat calculations, and bookmarks. These are stored locally on your device and uploaded to our servers only when you manually trigger a backup using the Backup button. Backups are incremental: only rows changed since the previous backup are sent.
- Reminder schedules — when you opt in to local notifications (prayer times, daily werd, fasting sunan such as Monday/Thursday or Ayyām al-Bīḍ, ḥawl date), the schedule is stored only on your device via the operating system’s notification scheduler. We do not see when or whether a notification fired.
2.3 What We Do Not Collect
- We do not access your contacts, photos, calendar, microphone, or messages.
- We do not collect biometric data.
- We do not use advertising identifiers, ad networks, or cross-app trackers.
- We do not use third-party analytics SDKs.
We use the collected information to:
- Operate the App's features (Quran reader, adhkar, prayer times, qibla, AI assistant, hadith reader, PDF book reader, fasting tracker, zakat calculator);
- Authenticate your identity and keep your account secure;
- Calculate prayer times and qibla direction from your location;
- Synchronize your data across your devices when you manually trigger a backup;
- Deliver the local notifications you have opted into (prayer alerts, daily werd reminders, fasting sunan reminders such as Monday/Thursday, Ayyām al-Bīḍ, ʿArafah, ʿĀshūrāʾ, Six of Shawwāl, and the first nine of Dhū al-Ḥijjah; zakat ḥawl-date reminder);
- Send transactional emails (verification codes, password resets);
- Respond to your support requests;
- Diagnose technical issues and improve App reliability.
We do not use your data for advertising, profiling, or sale to third parties.
The App relies on the following service providers, each with their own privacy practices:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform (Cloud Run) | Backend hosting | All data sent to our backend |
| Prisma Postgres | Encrypted database storage | All synced user data |
| Firebase | Authentication helpers | Auth identifiers |
| Sign in with Apple | Apple authentication | Apple-issued identity token |
| Google Sign-In | Google authentication | Google-issued identity token |
| Google Gemini API | Powers the in-app AI assistant | Chat messages you submit to the AI |
| Internet Archive (archive.org) | Hosts the public-domain PDF book catalogue | None — PDFs are downloaded directly from archive.org to your device. We do not proxy the download. |
| SMTP email provider | Sends verification & reset emails | Email address |
Messages you send to the AI assistant are forwarded to the Google Gemini API for processing and response generation. Do not include sensitive personal information in AI conversations. PDF book downloads contact archive.org directly from your device so we never see which books you download.
- All communication between the App and our backend is encrypted in transit using HTTPS (TLS 1.2 or higher).
- Passwords are hashed with bcrypt before storage.
- Authentication uses short-lived JSON Web Tokens (JWT) with rotating refresh tokens. On your device, refresh tokens and access tokens are stored in the operating system’s secure keystore (iOS Keychain on Apple devices, Android EncryptedSharedPreferences backed by the Android Keystore). On our servers, refresh tokens and password-reset codes are stored only as SHA-256 hashes; the raw values exist only briefly in the request that issues them.
- Sign-in with Apple and Google are accepted only when the provider attests that the email address has been verified, preventing account takeover via unverified provider identities.
- Server data is stored in encrypted-at-rest databases hosted in European Union data centers.
- Backup and authentication endpoints are protected by per-user rate limits and strict input validation (length caps, type checking, and per-row ownership enforcement so a backup payload can never overwrite another user's data).
- On-device data is held in a sandboxed SQLite database accessible only to the Siraj app on your device.
Despite these safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
We do not sell your personal information. We disclose data only:
- To service providers listed in Section 4, strictly to operate the App;
- For legal compliance when required by law, court order, or governmental request;
- To protect rights and safety of our users, the public, or our service.
You have the right to:
- Access — view your account information and synced data inside the App.
- Correct — edit your display name and email at any time in Settings → Edit Profile.
- Delete — permanently delete your account and all associated server-side data via Settings → Edit Profile → Delete Account. This action is irreversible.
- Withdraw consent — disable location, notifications, or cloud sync at any time in App or device settings.
- Object / restrict — for users in the EU, EEA, or UK, you may exercise additional rights under the GDPR, including filing a complaint with your supervisory authority.
To exercise any of these rights, contact us at team@almanar.ai. We will respond within 30 days.
You can permanently delete your account from within the App:
- Open Settings.
- Tap Edit Profile.
- Scroll to the bottom and tap Delete Account.
- Confirm.
Upon deletion:
- All your server-side personal data (profile, bookmarks, reading progress, custom adhkar, AI chat history, prayer logs, fasting logs, zakat calculations) is permanently removed.
- All your active sessions are revoked.
- Your locally stored data is cleared from your device on next launch.
- If you signed in with Apple, you may additionally revoke Siraj's access from your Apple ID at appleid.apple.com.
- Active accounts — data is retained for as long as your account exists.
- Deleted accounts — personal data is permanently removed immediately upon deletion.
- Server backups — operational backups are retained for up to 30 days for disaster recovery and then permanently deleted.
- Email logs — transactional email metadata may be retained by our SMTP provider per their own retention policy.
Siraj is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at team@almanar.ai and we will delete it promptly.
Your data is processed and stored in European Union data centers. If you access Siraj from outside the EU, your information will be transferred to and processed in the EU. By using the App, you consent to this transfer.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the App or by email. The “Last Updated” date at the top of this policy reflects the most recent revision. Continued use of the App after changes are posted constitutes your acceptance of the revised policy.
If you have questions, concerns, or requests about this Privacy Policy or your personal data, contact us at:
Almanar AIEmail: team@almanar.ai
We aim to respond within 7 business days.