Privacy Policy

nafs · Islamic Companion App

Effective March 24, 2026

Bismillah al-Rahman al-Raheem

1. Introduction

nafs ("we," "our," or "us") is an Islamic lifestyle application developed by NAFS TECHNOLOGIES LLC. nafs helps Muslims manage their daily religious practices including prayer tracking, Quran reading, cycle/period tracking, journaling, dhikr and tasbih, fasting records, and Islamic learning.

This Privacy Policy explains what information the app uses, how it is handled, how we protect it, and your rights regarding your data. We are committed to respecting your privacy and handling your personal information with care.

By using nafs, you agree to the handling and use of information as described in this Privacy Policy. If you do not agree, please do not use the app.

2. Information the App Uses

2a. Account Information

When you create an account, you provide the following:

  • Email address: used for authentication and account recovery
  • Display name: optional, used for personalization
  • Authentication provider: whether you signed in via email/password, Apple Sign-In, or Google Sign-In
  • User ID: a unique identifier generated by our authentication service

You may also use nafs in guest mode without creating an account. Guest mode limits certain features such as cloud sync.

2b. Religious Practice Data

The app stores the following data on your device as you use it:

  • Prayer completions: which prayers you mark as completed each day
  • Fasting records: days you mark as fasting (Ramadan and voluntary)
  • Missed fasts: count of missed obligatory fasts
  • Madhab (school of thought): used to determine prayer time calculation rules
  • Calculation method: your preferred astronomical method for prayer times (e.g., ISNA, MWL, Egyptian)
  • Prayer time offsets: manual minute adjustments to calculated prayer times
  • Adhan preferences: selected notification sounds for each prayer

2c. Health & Cycle Data

If you opt in to cycle tracking, the app records the following on your device:

  • Period start and end dates
  • Flow intensity (light, medium, heavy)
  • Symptoms: pain, mood, physical symptoms, and other indicators you select
  • Mood and pain levels
  • Sleep quality
  • Notes: free-text notes attached to cycle logs (encrypted at rest)
  • Health conditions: optional selections such as PCOS, perimenopause, or breastfeeding, used to improve prediction accuracy

This data is stored locally on your device by default and is never synced to the cloud unless you explicitly create an encrypted backup.

2d. Journal Entries

If you use the journaling feature, the app stores:

  • Free-text entries you write
  • Associated metadata: date, optional location, weather context, verse references

Journal entries that you choose to sync are stored in your cloud account. Local-only entries remain on your device.

2e. Quran & Learning Data

To enhance your Quran and learning experience, the app tracks the following on your device:

  • Last-read mushaf page (per surah, to resume where you left off)
  • Favorite surahs and reciters
  • Memorization progress: Names of Allah you mark as memorized
  • Tasbih sessions: dhikr count, duration, and target (auto-pruned after 30 days)
  • Earned badges: achievements in the dhikr system
  • Completed morning/evening adhkar dates
  • Guide completion status: which learning guides you have finished

2f. Location Data

The app requests location access for specific features:

  • Prayer time calculation: your GPS coordinates are used to calculate accurate prayer times for your location
  • Qibla direction: your location is used to determine the direction of the Kaaba

Location data is processed locally on your device. We do not store your GPS coordinates on our servers. You may provide manual coordinates instead of granting location permission.

2g. Device & Technical Data

The app uses limited technical information:

  • Device identifier: a SHA-256 hashed device ID used for backup identification (not personally identifiable or fingerprintable)
  • iOS version and app version: for compatibility and debugging
  • Crash logs: collected via standard iOS crash reporting to improve app stability

We do not use advertising identifiers (IDFA) or any third-party analytics or tracking SDKs.

2h. Subscription Data

If you subscribe to nafs+:

  • Subscription status: whether you have an active subscription and its tier
  • Purchase receipts: validated through Apple's StoreKit framework

We do not have access to your payment method, credit card details, or billing address. All payment processing is handled entirely by Apple.

3. How Your Information Is Used

Your data is used on your device to:

  • Provide core features: calculate prayer times, display Quran content, track cycle data, maintain journal entries, run dhikr counters
  • Generate cycle predictions: using algorithmic models based on your logged cycle history to estimate future period dates, fertile windows, and ovulation
  • Sync data across devices: if you are signed in, eligible data syncs via encrypted cloud storage
  • Personalize content: display gender-appropriate Islamic guides, filter by madhab, show relevant duas
  • Send notifications: prayer time reminders, cycle predictions, fasting reminders, and dua of the day (all optional and configurable)
  • Improve the app: diagnose crashes, fix bugs, and improve performance using anonymized technical data
  • Process subscriptions: verify subscription status to unlock premium features

We may also:

  • Use shared content for marketing: content you generate through the App's sharing and reflection features (e.g., reflection cards, shareable quotes) may be used in our marketing and promotional materials, as described in our Terms of Service. This applies only to content produced through sharing features, not to your private data.

We do not:

  • Sell your personal information to anyone
  • Use your private data (journals, cycle logs, health records) for advertising
  • Build advertising profiles
  • Share your data with data brokers
  • Perform automated decision-making that produces legal effects

4. Data Storage & Security

Local-First Architecture

nafs is designed with a local-first architecture. Your most sensitive data, including cycle logs, health conditions, and HealthKit data, is stored on your device and never leaves it unless you explicitly choose to create a backup.

Encryption

We employ multiple layers of encryption to protect your data:

  • Cycle notes: encrypted using AES-256-GCM before storage on device
  • Backup files: encrypted using PBKDF2 key derivation (600,000 iterations) combined with AES-GCM authenticated encryption
  • Sensitive settings: stored in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection, meaning they are not included in unencrypted device backups
  • Encryption keys: managed via the device's Secure Enclave (hardware-backed) with biometric authentication gates where applicable

Network Security

All data transmitted between your device and our cloud services is encrypted using HTTPS/TLS.

5. Cloud Sync & Backups

What Syncs to the Cloud (if signed in)

  • Prayer completions
  • Fasting records
  • Journal entries
  • Missed fasts count
  • App settings and preferences

What Stays on Your Device Only

  • Cycle/period logs and health data
  • HealthKit data
  • Location coordinates
  • Health condition selections
  • Tasbih session history
  • Encryption keys

Encrypted Backups

You may create encrypted backups of your cycle data:

  • Local backups: exported as .nafs files, encrypted with a password you choose
  • Cloud backups: optionally stored in your cloud account, fully encrypted before upload

Important: If you lose your backup password, we cannot recover your encrypted backup data. There is no password reset for backup files.

6. Third-Party Services

These services are required for specific features. Your private data (journals, cycle logs, health records) is never shared with any of them.

nafs uses the following third-party services:

Service | Purpose | Data Shared | Privacy Policy
Cloud Authentication (Google) | User sign-in and account management | Email address and auth tokens (sent during sign-in only) | Google Privacy
Encrypted Cloud Storage (Google) | Cloud data sync and encrypted backup storage | Prayer, fasting, and journal data you opt to sync (encrypted) | Google Cloud Privacy
Apple Sign-In | Authentication option | Apple-provided user token | Apple Privacy
Apple StoreKit | Subscription management | Purchase receipts | Apple Privacy
Apple HealthKit | Optional health data import/export | None. Data is exchanged locally between your device and Apple Health only. | Apple Privacy
Google Sign-In | Authentication option | Google-provided user token | Google Privacy
Third-Party Quran Audio Providers | Quran audio streaming | No personally identifiable information. Only audio file requests using surah and reciter identifiers. | See respective provider policies

No personally identifiable information is shared with any audio content providers. Only audio file requests are made using surah and reciter identifiers. We do not share your identity, location, or any personal data with these providers.

7. HealthKit

nafs integrates with Apple HealthKit only if you explicitly grant permission:

  • Read: menstrual flow data, to import period history into the cycle tracker
  • Write: cycle log entries, to export your tracked data to Apple Health

Our HealthKit practices comply with Apple's HealthKit guidelines:

  • HealthKit data is never synced to our cloud servers
  • HealthKit data is never shared with third parties
  • HealthKit data is never used for advertising or marketing
  • HealthKit data is stored only on your device
  • HealthKit access can be revoked at any time in iOS Settings > Privacy & Security > Health

8. Notifications

nafs may send local notifications for:

  • Prayer time reminders: configurable per prayer, with custom adhan sounds
  • Cycle predictions: upcoming period and fertile window estimates
  • Fasting reminders: suhoor and iftar times during Ramadan
  • Dua reminders: daily Islamic supplications
  • Wudu reminders: optional ablution reminders

Privacy Protections for Notifications

  • Notification content uses generic text and does not display sensitive health information on the lock screen
  • All notification categories are individually configurable. You can enable or disable each type
  • Notifications are entirely optional and the app functions fully without them

9. Children's Privacy

nafs is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently received data from a child under 13, we will promptly delete it.

For users in the European Union and European Economic Area, parental or guardian consent is required for users under the age of 16, in accordance with the General Data Protection Regulation (GDPR).

If you are a parent or guardian and believe your child has provided personal information to us, please contact us at support@nafs.fyi so we can take appropriate action.

10. Your Rights

You have the following rights regarding your personal data:

Access

You can view all data stored by the app at any time. You can export your cycle data via encrypted backup files.

Deletion

  • Individual records: delete any prayer log, cycle entry, journal entry, or other record from within the app
  • Full account deletion: delete your entire account from Settings, which permanently removes all cloud-stored data (this action is irreversible)
  • Local data: uninstalling the app removes all local data from your device

Correction

You can edit any logged entry (cycle logs, journal entries, prayer records, missed fasts, and symptoms) at any time.

Portability

Export your cycle data in the encrypted .nafs backup format for transfer to another device or for personal records.

Opt-Out

You may opt out of the following at any time:

  • Cloud sync: use the app entirely offline with a local-only account
  • Notifications: disable all or individual notification categories
  • HealthKit: revoke access in iOS Settings
  • Location: deny permission or provide manual coordinates
  • Cycle tracking: skip cycle features entirely during onboarding

PIPEDA (Canada)

Canadian residents have the right to access, correct, and withdraw consent for their personal information.

UK GDPR

UK residents have the same rights as EEA residents under the UK General Data Protection Regulation.

Australian Privacy Act

Australian residents may access and correct their personal information and lodge complaints with the Office of the Australian Information Commissioner.

You also have the right to lodge a complaint with your local data protection supervisory authority.

11. Data Retention

Data Type | Retention Period
Local app data | Until you delete it or uninstall the app
Cloud-synced data | Until you delete your account
Tasbih sessions | Automatically pruned after 30 days
Encrypted cloud backups | Until you delete them or delete your account
Crash logs | Retained per Apple's standard crash reporting retention

We do not engage in:

  • Automated profiling or scoring
  • Targeted advertising
  • Data sales to third parties
  • Behavioral tracking across apps or websites

12. International Users & Compliance

GDPR (European Union / European Economic Area)

If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation:

  • Lawful basis for processing: We process your data based on (a) your consent (e.g., opting in to cycle tracking, enabling notifications) and (b) legitimate interest (e.g., providing core app functionality, improving stability)
  • Right of access: request a copy of your personal data
  • Right to rectification: correct inaccurate data
  • Right to erasure: request deletion of your data ("right to be forgotten")
  • Right to data portability: receive your data in a structured format
  • Right to restriction of processing: limit how we use your data
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: withdraw consent at any time without affecting prior processing

To exercise these rights, contact us at support@nafs.fyi. We will respond within 30 days. You also have the right to lodge a complaint with your local Data Protection Authority.

UK GDPR (United Kingdom)

Users in the United Kingdom have the same rights as outlined under the EU GDPR above. The supervisory authority for UK users is the Information Commissioner's Office (ICO) at ico.org.uk.

CCPA (California, United States)

If you are a California resident, the California Consumer Privacy Act provides you with the following rights:

  • Right to know: what personal information we handle, use, and disclose
  • Right to delete: request deletion of your personal information
  • Right to opt-out of sale: we do not sell your personal information to anyone
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at support@nafs.fyi.

Australian Privacy Act

If you are located in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Your data may be held on infrastructure located in the United States (Google Cloud). You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

PIPEDA (Canada)

If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). We handle information based on your consent, and you have the right to access and correct your personal information. Complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

International Data Transfers

Our cloud infrastructure is provided by Google Cloud, with servers located in the United States. For users in the EU/EEA and UK, data transfers to the US are conducted under Standard Contractual Clauses (SCCs) as adopted by the European Commission, ensuring adequate data protection.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this document
  • Notify you via an in-app notice or through an app update
  • Provide at least 30 days' notice before material changes take effect

Your continued use of nafs after the updated Privacy Policy becomes effective constitutes your acceptance of the changes.

14. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

  • Consent: cycle tracking, HealthKit integration, cloud sync, push notifications
  • Contract: providing the app's core features when you create an account
  • Legitimate interest: crash reporting, anonymized analytics for app improvement

You can withdraw consent at any time through the app's settings. Withdrawing consent does not affect the lawfulness of prior processing.

15. International Data Transfers

Our cloud infrastructure is hosted in the United States (Google Cloud). If you are located outside the United States, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses and our service provider's compliance certifications to ensure adequate protection of your data during transfer.

16. Automated Decision-Making

The app uses an on-device machine learning model to predict future cycle dates, fertile windows, and ovulation timing. These predictions are algorithmic estimates processed entirely on your device. They do not produce legal effects or similarly significant decisions affecting you. You can disable cycle predictions at any time in the app's settings.

17. Biometric Data

If you enable biometric app lock, nafs uses Face ID or Touch ID via Apple's LocalAuthentication framework. Biometric data is processed entirely by Apple's Secure Enclave on your device. We never access, store, or transmit your biometric data.

18. Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours via email (if an account email is on file) and through an in-app notice. We will also notify relevant supervisory authorities as required by applicable law.

19. Push Notifications

Prayer time reminders, cycle prediction alerts, fasting reminders, and daily dua notifications are all optional and configurable in the app's notification settings. Notification scheduling uses locally stored data on your device. We do not send push notification content through remote servers.

20. Data Minimization

We follow the principle of data minimization in all aspects of the App:

  • We collect only the minimum amount of data necessary to provide each feature
  • Cycle tracking data is stored locally by default and never synced without your explicit consent
  • Location data is processed on-device and never stored on our servers
  • Analytics data is anonymized and aggregated before any processing
  • We do not collect device advertising identifiers (IDFA/GAID)
  • Tasbih session data is automatically pruned after 30 days to minimize stored data
  • Guest mode allows full use of core features without providing any personal information
  • We regularly review our data collection practices to ensure we are not collecting more than necessary

We will not ask you for information that is not directly relevant to the feature you are using. If we need additional data for a new feature, we will clearly explain why and obtain your consent before collecting it.

21. Purpose Limitation

Your data is used only for the purposes stated in this Privacy Policy. We will not:

  • Repurpose your prayer data for any use other than tracking your worship
  • Use your cycle data for any purpose other than cycle tracking and prediction
  • Apply your journal entries for any use other than providing the journaling feature
  • Share your Quran reading history with third parties for any reason
  • Use your dhikr and tasbih data for any purpose other than progress tracking
  • Cross-reference your data across different features without your knowledge
  • Use your data to build behavioral profiles for advertising or marketing purposes
  • Sell, license, or otherwise commercialize your personal data in any form

If we ever need to use your data for a new purpose not described in this Privacy Policy, we will notify you in advance and obtain your consent before proceeding.

22. Your Choices and Controls

You have control over your data and how the App works. Available settings include:

Account and Data

  • Create or delete your account at any time
  • Enable or disable cloud sync
  • Create and manage encrypted backups
  • Export your cycle data as encrypted .nafs files
  • Choose between guest mode and account mode

Privacy Controls

  • Grant or revoke location permission
  • Grant or revoke HealthKit access
  • Enable or disable biometric app lock (Face ID / Touch ID)
  • Control which data syncs to the cloud
  • Choose your preferred authentication method

Notifications

  • Enable or disable prayer time reminders (per prayer)
  • Enable or disable cycle prediction alerts
  • Enable or disable fasting reminders
  • Enable or disable daily dua notifications
  • Configure notification sounds and preferences

Content and Personalization

  • Select your madhab (school of thought) for prayer calculation
  • Choose your preferred prayer time calculation method
  • Adjust prayer time offsets manually
  • Select your preferred Quran reciters
  • Enable or disable the "For Her" features (cycle tracking)

All of these settings can be changed at any time within the App. Disabling a feature does not delete your existing data for that feature. To delete specific data, use the relevant deletion option within each feature or delete your entire account.

23. California "Do Not Sell or Share"

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • We do NOT sell your personal information as defined by the CCPA/CPRA
  • We do NOT share your personal information for cross-context behavioral advertising
  • We do NOT use sensitive personal information for purposes other than providing the App's features
  • We do NOT process personal information for profiling in furtherance of decisions that produce legal or similarly significant effects
  • You have the right to opt out of any future sale or sharing of personal information by contacting us at support@nafs.fyi
  • We will not discriminate against you for exercising any of your CCPA/CPRA rights
  • We will respond to verified consumer requests within 45 days

Because we do not sell or share personal information, there is no need to submit a "Do Not Sell or Share" request. However, if you have any concerns about how your data is handled, please contact us at support@nafs.fyi.

24. Data Portability and Access Requests

You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format:

  • Cycle data: exportable as encrypted .nafs backup files through Settings > Backup and Transfer
  • Prayer and fasting records: included in cloud sync data and accessible through the App
  • Journal entries: stored locally on your device and accessible directly through the App
  • Account information: available in Settings > Account

For formal data access requests under GDPR, CCPA, or other applicable law, contact us at support@nafs.fyi. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). There is no fee for the first request in any 12-month period.

25. Accountability and Governance

NAFS TECHNOLOGIES LLC is committed to data protection accountability:

  • We maintain internal records of our data processing activities as required by GDPR Article 30
  • We conduct periodic reviews of our privacy practices and data security measures
  • We assess the privacy impact of new features before they are released
  • We ensure that all third-party service providers we use maintain appropriate data protection standards
  • We train our team on data protection principles and best practices
  • We promptly investigate and address any reported privacy concerns
  • We maintain clear data processing documentation

If you believe we have failed to comply with this Privacy Policy or applicable data protection law, please contact us at support@nafs.fyi. We take all complaints seriously and will investigate promptly.

26. Cookie and Tracking Policy

For our website (nafs.fyi):

  • We use Vercel Analytics for anonymized, privacy-friendly website analytics
  • We use Vercel Speed Insights for performance monitoring
  • We do not use advertising cookies or tracking pixels
  • We do not use third-party analytics that track you across websites
  • We do not use social media tracking pixels or widgets
  • No personal information is collected through our website analytics
  • Our analytics do not use cookies to identify individual users

For the iOS App:

  • The App does not use cookies
  • The App does not use web tracking technologies
  • The App does not use advertising SDKs
  • NSPrivacyTracking is set to false in our App Store privacy declaration

27. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us:

Email: support@nafs.fyi

Entity: NAFS TECHNOLOGIES LLC

For GDPR-related inquiries, you may also contact our data protection point of contact at the same email address.

This Privacy Policy applies to the nafs iOS application distributed through the Apple App Store.