# ShiaNūr — Privacy Policy
**Effective date:** 2026-05-18

**Last updated:** 2026-05-18

This Privacy Policy explains what information the ShiaNūr mobile application
(the **"App"**) collects, how it is used, who it is shared with, and the
choices you have. ShiaNūr is operated by the ShiaNūr team (the
**"Developer," "we," "us," "our"**).

If you have any questions, contact us at:
**privacy@shianur.com**

---
## 1. Summary
- ShiaNūr is a free, Shia-focused Islamic devotional application: Qur'an
reader, prayer times, Qibla, Islamic calendar, missed-prayer (Qaḍāʾ)
tracker, duas, ziyarat and other worship content.
- We collect the **minimum** information needed to run the App.
- We **do not** sell or rent your data.
- We **do not** run analytics, ad networks, or third-party tracking.
- We **do not** profile you for advertising.
- Most of your personal devotional data (reading progress, qaḍāʾ counts,
favorites, worship history) stays **on your device** and is never sent to
our servers.
- You can sign in anonymously, with Apple, with Google, or with Email.
- You can delete your account and associated data from inside the App at any
time (**Me → Account → Delete account**).
---
## 2. Information we collect
### 2.1 Account information (only if you create an account)
| Information | Source | Purpose |
|---|---|---|
| Email address | You, via Email sign-up or your Apple/Google sign-in provider | Authentication, account recovery |
| Display name (optional) | You, or your Apple/Google profile | Greeting in the App ("Salam, …") |
| Unique account identifier (UID) | Generated by Firebase Authentication | Link your account to your own private data |

If you use **Sign in with Apple**, Apple may provide us with a private relay
email address (e.g. `xxx@privaterelay.appleid.com`). We treat this the same
as any other email address and never attempt to resolve it back to your real
address.

You may also use the App **without signing in** (anonymous mode). In that
case Firebase generates a temporary UID for you; we collect no email or name.
### 2.2 Approximate location (only if you grant permission)
The App uses your device location for:
- Computing **local prayer times** (Fajr, Dhuhr, ʿAṣr, Maghrib, ʿIshāʾ).
- Pointing the **Qibla compass** toward Mecca (your coordinates are required
to compute the bearing from your position to the Kaaba).

Location is read **on-device only** by the operating system and the
`geolocator`, `geocoding`, `flutter_qiblah` and `adhan` libraries. The
**raw GPS coordinates are not transmitted to our servers** and are not stored
in your account. You can revoke location permission at any time in your
device's Settings; prayer times will fall back to a manually selected city
and the Qibla compass will prompt you to enable location or enter your city
manually.
### 2.2a Device sensors (Qibla compass)
The Qibla compass also reads your device's **magnetometer, accelerometer
and gyroscope** to determine the direction your device is pointing and to
keep the compass needle stable when you tilt the device. This sensor data
is processed **on-device only**, in real time, and is never recorded,
stored, or transmitted to our servers. On iOS, access to motion sensors
requires the `NSMotionUsageDescription` permission (which the system will
prompt you to grant); on Android, motion sensors do not require a runtime
permission. You can stop using the compass at any time by leaving the
screen.
### 2.3 Worship-related data you create
When signed in, the following data is synced to a private area of our
Firestore database under `users/{your-uid}/`:
- App settings (language, theme, notification preferences)
- Profile preferences (display name, preferred reciters)
- Qaḍāʾ (missed-prayer) counts and history
- Reading-continuity state (last Qur'an page / surah / ayah)
- Favorites and favorite folders

This data is private to your account. It is **not** shared with other users,
advertisers, or any third party.
### 2.4 Device permissions and what they're used for
| Permission | Why | Optional? |
|---|---|---|
| Location (when in use) | Prayer times + Qibla compass bearing | Yes |
| Motion & Fitness / Activity Recognition | Qibla compass tilt-compensation **and** Arbaʿīn walk step counter (on-device only) | Yes |
| Camera | AR Qibla view, profile photo capture, and ingredient-label scanning (on-device text recognition to help identify non-halal ingredients) | Yes |
| Photo Library (read) | Choose a profile picture / share-card image | Yes |
| Photo Library (add) | Save a profile picture or share-card image to your device | Yes |
| Notifications | Prayer-time and qaḍāʾ reminders (delivered locally by your device; no push servers are used) | Yes |
| Internet | Audio streaming, account sync, sign-in | Required |
### 2.4a Ingredient scanner (on-device text recognition)
The ingredient-label scanner uses **Google ML Kit Text Recognition** running
**entirely on your device**. The camera frames and the text extracted from
them are processed locally; they are **not uploaded to Google, to our
servers, or to any third party**, and they are not stored after the scan
ends. The matching of recognised text against a list of ingredients is
performed on-device against data bundled inside the App.
### 2.5 Information we **do not** collect
- We do **not** collect precise GPS history.
- We do **not** collect your contacts, calendar, or microphone.
- We do **not** integrate any advertising SDK.
- We do **not** integrate any third-party analytics SDK (no Firebase
Analytics, no Crashlytics, no Mixpanel, no Amplitude, no Sentry, etc.).
- We do **not** track you across other apps or websites.
- We do **not** use cookies (the App is not a web browser).
---
## 3. How your information is used
We use the information described above only to:
1. Authenticate your account.
2. Sync your personal devotional data between your devices.
3. Provide location-based features (prayer times, Qibla) — on-device only.
4. Send notifications you have opted in to.
5. Respond to your support requests.
6. Comply with our legal obligations.

We do **not** use your data to train AI models, sell to brokers, or build
advertising profiles.

---
## 4. Audio content
Recitations of the Qur'an, duas and ziyarat are streamed from servers we
operate at the `audio.shianur.com` domain. The underlying infrastructure is
hosted on **Amazon Web Services (AWS)**, acting as a sub-processor for
storage and content delivery.

When your device requests an audio file, the following technical information
is necessarily processed by AWS in order to deliver the file to you:
- Your **IP address** (used by the network to route the response back to
you).
- The **HTTP request line** (the audio file you asked for and the response
status).
- A **timestamp** and standard request headers (e.g. `User-Agent`).

This information is **not linked to your ShiaNūr account, email, or any
other identifier we hold about you**. We do **not** use it for advertising,
profiling, or analytics.
- We configure AWS access logs with a retention period of **at most 30
days**, after which they are automatically deleted.
- AWS itself is contractually bound to process this information only on
our instructions, in accordance with the AWS Data Processing Addendum
and (where applicable) the European Commission's Standard Contractual
Clauses.
- No third-party CDN, ad network or analytics provider receives your
request as part of audio playback.

If you would prefer not to share this information with AWS, you can avoid
streaming audio by simply not tapping the audio playback buttons; the rest
of the App (Qur'an text, duas/ziyarat text, prayer times, Qibla, calendar)
works without contacting our audio servers.

---
## 5. Sharing of information
We share information only with the following processors / sub-processors,
who are bound by contract to use it solely on our instructions:
| Processor | Purpose | Data shared |
|---|---|---|
| **Google Firebase Authentication** | Sign-in, account management | Email, UID, hashed credentials |
| **Google Cloud Firestore** | Storage of your synced devotional data | UID-scoped documents (see §2.3) |
| **Amazon Web Services (AWS)** | Audio file storage and delivery for `audio.shianur.com` | IP address, requested audio file, timestamp, standard HTTP headers (see §4) |
| **Apple** (Sign in with Apple) | Optional sign-in method | Apple-supplied email and name |
| **Google** (Sign in with Google) | Optional sign-in method | Google-supplied email and name |

We do **not** sell personal information. We do **not** share it with
advertisers or data brokers.

We may disclose information **without your consent** only when required by
law (e.g. a valid court order) or to protect the safety of users or the
public.

---
## 6. Where your data is stored
- Firebase Authentication and Firestore data are stored in Google Cloud
data centers (region: **`us-central1`** or as configured in our Firebase
project, which may be changed for performance/regulatory reasons).
- Audio files and their access logs are stored on **Amazon Web Services
(AWS)** infrastructure operated by the ShiaNūr team. The current primary
AWS region is **`eu-west-1` (Ireland)**; this may be changed for
performance or regulatory reasons.
- Most devotional content (Qur'an text, duas, ziyarat, calendar) is **bundled
inside the App** and never leaves your device.

If you are in the **European Economic Area, the United Kingdom or
Switzerland**, your data may be transferred to and processed in the United
States or other countries that may not provide the same level of data
protection. Where applicable, transfers rely on the European Commission's
Standard Contractual Clauses and the GDPR's appropriate-safeguards
mechanism.

---
## 7. Data retention
- **Bundled content** stays on your device until you uninstall the App.
- **Device-only data** (reading progress, qaḍāʾ history, favorites) stays on
your device until you uninstall the App or clear its storage.
- **Account data** in Firestore is retained until you delete your account.
- After account deletion, your data is removed from Firestore within **24
hours** and from operational backups within **30 days**.
- Server access logs are retained for a maximum of **30 days**.
---
## 8. Your rights and choices
Regardless of where you live, you can:
- **Access** the personal information we hold about you.
- **Correct** inaccurate information (via the App's profile screen or by
emailing us).
- **Delete** your account and the data associated with it
(**Me → Account → Delete account**, or by emailing
privacy@shianur.com).
- **Export** a copy of your synced data (email us and we will provide a JSON
export).
- **Withdraw consent** for optional permissions at any time through your
device Settings.
- **Object to processing** or **restrict processing** where the law allows.

If you are in the **EEA, UK or Switzerland**, you have rights under the GDPR.
If you are in **California**, you have rights under the CCPA / CPRA. We do
not "sell" or "share" personal information for cross-context behavioral
advertising as those terms are defined under California law.

To exercise any right, email **privacy@shianur.com** from the address
associated with your account. We will respond within **30 days**.

If you believe we have not addressed your concern, you may complain to your
local data-protection authority. In the EEA, you can find your authority at
<https://edpb.europa.eu/about-edpb/about-edpb/members_en>.

---
## 9. Children's privacy
ShiaNūr is rated for ages 4+ on the App Store and Everyone on Google Play.
We do not knowingly collect personal information from children under the
age of **13** (or under **16** where required by local law) without verified
parental consent. If you believe a child has provided us with personal
information, please email **privacy@shianur.com** and we will delete it.

---
## 10. Security
We follow industry-standard practices to protect your information:
- All network traffic between the App and our servers is encrypted with
HTTPS / TLS.
- Firebase Authentication credentials are managed by Google and never stored
in plain text by us.
- Firestore access is enforced by per-user security rules (`users/{uid}/*`
is readable and writable only by the matching UID).
- We do not store payment information (the App is free and does not contain
in-app purchases).

No security measure is perfect. If you discover a vulnerability, please
contact **security@shianur.com** before publicly disclosing it.

---
## 11. Third-party services
The App may include links to external websites or content (e.g. references
to scholarly works). Those external sites have their own privacy policies
and are not governed by this policy. We are not responsible for the practices
of those third parties.

---
## 12. Changes to this Policy
We may update this Privacy Policy from time to time. If we make a material
change, we will:
- Update the "Last updated" date at the top of this page.
- Show an in-App notice the next time you open the App, where required.

Continued use of the App after a change means you accept the updated policy.

---
## 13. Contact
**ShiaNūr — Privacy Team**

Email: **privacy@shianur.com**

Account-deletion requests: **delete@shianur.com** (or use **Me → Account →
Delete account** inside the App)

Security disclosures: **security@shianur.com**

General support: **support@shianur.com**

---
*ShiaNūr is an independent project. The scholarly works, marājiʿ and
reciters referenced in the App are credited for attribution only; their
mention does not imply endorsement or affiliation.*