SirajSiraj

Privacy Policy

Effective: · Last updated:

1. Introduction

This Privacy Policy describes how Almanar AI (“we,” “our,” or “us”) collects, uses, stores, and protects your information when you use Siraj (the “App”), an Islamic companion mobile application that provides Quran reading, prayer times, adhkar with custom-category support, hadith collections, downloadable PDF books, a fasting tracker (Ramadan log, qaḍāʾ balance, kaffāra and fidya calculator), a zakat calculator with ḥawl reminder, and an AI assistant.

By creating an account or using the App, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information — your email address and display name when you register.
  • Password — stored only as a one-way hash (bcrypt). We never store, view, or transmit your plain password.
  • OAuth sign-in data — if you sign in with Apple or Google, we receive your email address, name (when provided by the provider), and a unique provider identifier. We do not receive your password.
  • User-generated content — custom adhkar (with categories and titles you assign), bookmarks, ayah notes, khatma labels, reading progress, fasting logs, qaḍāʾ balance, kaffāra completion records, zakat calculations and line items, and PDF reading positions.
  • AI chat messages — text messages you send to the in-app AI assistant.

2.2 Information Collected Automatically

  • Device information — device model, operating system, app version, and a randomly generated session identifier used to manage your active logins.
  • Location — Location access is required to calculate accurate prayer times and qibla direction. If you deny location permission, these features will not be available. Location data is processed on your device and is not transmitted to or stored on our servers.
  • Usage data — Quran reading position, dhikr counts, prayer logs, fasting logs, zakat calculations, and bookmarks. These are stored locally on your device and uploaded to our servers only when you manually trigger a backup using the Backup button. Backups are incremental: only rows changed since the previous backup are sent.
  • Reminder schedules — when you opt in to local notifications (prayer times, daily werd, fasting sunan such as Monday/Thursday or Ayyām al-Bīḍ, ḥawl date), the schedule is stored only on your device via the operating system’s notification scheduler. We do not see when or whether a notification fired.

2.3 What We Do Not Collect

  • We do not access your contacts, photos, calendar, microphone, or messages.
  • We do not collect biometric data.
  • We do not use advertising identifiers, ad networks, or cross-app trackers.
  • We do not use third-party analytics SDKs.
3. How We Use Your Information

We use the collected information to:

  • Operate the App's features (Quran reader, adhkar, prayer times, qibla, AI assistant, hadith reader, PDF book reader, fasting tracker, zakat calculator);
  • Authenticate your identity and keep your account secure;
  • Calculate prayer times and qibla direction from your location;
  • Synchronize your data across your devices when you manually trigger a backup;
  • Deliver the local notifications you have opted into (prayer alerts, daily werd reminders, fasting sunan reminders such as Monday/Thursday, Ayyām al-Bīḍ, ʿArafah, ʿĀshūrāʾ, Six of Shawwāl, and the first nine of Dhū al-Ḥijjah; zakat ḥawl-date reminder);
  • Send transactional emails (verification codes, password resets);
  • Respond to your support requests;
  • Diagnose technical issues and improve App reliability.

We do not use your data for advertising, profiling, or sale to third parties.

4. Third-Party Services

The App relies on the following service providers, each with their own privacy practices:

ServicePurposeData Shared
Google Cloud Platform (Cloud Run)Backend hostingAll data sent to our backend
Prisma PostgresEncrypted database storageAll synced user data
FirebaseAuthentication helpersAuth identifiers
Sign in with AppleApple authenticationApple-issued identity token
Google Sign-InGoogle authenticationGoogle-issued identity token
Google Gemini APIPowers the in-app AI assistantChat messages you submit to the AI
Internet Archive (archive.org)Hosts the public-domain PDF book catalogueNone — PDFs are downloaded directly from archive.org to your device. We do not proxy the download.
SMTP email providerSends verification & reset emailsEmail address

Messages you send to the AI assistant are forwarded to the Google Gemini API for processing and response generation. Do not include sensitive personal information in AI conversations. PDF book downloads contact archive.org directly from your device so we never see which books you download.

5. Data Storage and Security
  • All communication between the App and our backend is encrypted in transit using HTTPS (TLS 1.2 or higher).
  • Passwords are hashed with bcrypt before storage.
  • Authentication uses short-lived JSON Web Tokens (JWT) with rotating refresh tokens. On your device, refresh tokens and access tokens are stored in the operating system’s secure keystore (iOS Keychain on Apple devices, Android EncryptedSharedPreferences backed by the Android Keystore). On our servers, refresh tokens and password-reset codes are stored only as SHA-256 hashes; the raw values exist only briefly in the request that issues them.
  • Sign-in with Apple and Google are accepted only when the provider attests that the email address has been verified, preventing account takeover via unverified provider identities.
  • Server data is stored in encrypted-at-rest databases hosted in European Union data centers.
  • Backup and authentication endpoints are protected by per-user rate limits and strict input validation (length caps, type checking, and per-row ownership enforcement so a backup payload can never overwrite another user's data).
  • On-device data is held in a sandboxed SQLite database accessible only to the Siraj app on your device.

Despite these safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

6. Sharing of Information

We do not sell your personal information. We disclose data only:

  • To service providers listed in Section 4, strictly to operate the App;
  • For legal compliance when required by law, court order, or governmental request;
  • To protect rights and safety of our users, the public, or our service.
7. Your Rights

You have the right to:

  • Access — view your account information and synced data inside the App.
  • Correct — edit your display name and email at any time in Settings → Edit Profile.
  • Delete — permanently delete your account and all associated server-side data via Settings → Edit Profile → Delete Account. This action is irreversible.
  • Withdraw consent — disable location, notifications, or cloud sync at any time in App or device settings.
  • Object / restrict — for users in the EU, EEA, or UK, you may exercise additional rights under the GDPR, including filing a complaint with your supervisory authority.

To exercise any of these rights, contact us at team@almanar.ai. We will respond within 30 days.

8. Account Deletion

You can permanently delete your account from within the App:

  1. Open Settings.
  2. Tap Edit Profile.
  3. Scroll to the bottom and tap Delete Account.
  4. Confirm.

Upon deletion:

  • All your server-side personal data (profile, bookmarks, reading progress, custom adhkar, AI chat history, prayer logs, fasting logs, zakat calculations) is permanently removed.
  • All your active sessions are revoked.
  • Your locally stored data is cleared from your device on next launch.
  • If you signed in with Apple, you may additionally revoke Siraj's access from your Apple ID at appleid.apple.com.
9. Data Retention
  • Active accounts — data is retained for as long as your account exists.
  • Deleted accounts — personal data is permanently removed immediately upon deletion.
  • Server backups — operational backups are retained for up to 30 days for disaster recovery and then permanently deleted.
  • Email logs — transactional email metadata may be retained by our SMTP provider per their own retention policy.
10. Children's Privacy

Siraj is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at team@almanar.ai and we will delete it promptly.

11. International Data Transfers

Your data is processed and stored in European Union data centers. If you access Siraj from outside the EU, your information will be transferred to and processed in the EU. By using the App, you consent to this transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the App or by email. The “Last Updated” date at the top of this policy reflects the most recent revision. Continued use of the App after changes are posted constitutes your acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or your personal data, contact us at:

Almanar AI
Email: team@almanar.ai

We aim to respond within 7 business days.