TL;DR
- No data selling. Your data is never sold to anyone. Ever.
- AI never generates Islamic content. All Quran, hadith, and du'as come from our curated database.
- Your reflections are private. AI only sees heart-state metadata, never your personal reflections.
- Your du'a list is local-only. It never leaves your device and is never synced to our servers.
- Analytics are opt-in. Crash reporting requires your consent before activation.
- You can delete everything. Request full account and data deletion at any time.
Hudur is a Du'a and Muraqaba companion for Muslims. We take your privacy seriously — especially when it touches your spiritual practice. This policy explains what we collect, what we don't, and why.
1. What We Collect
| Data | Purpose | Storage |
|---|---|---|
| Email & display name | Account authentication | Supabase (encrypted) |
| Spiritual profile | Depth level (guided / steady / deep) | Supabase |
| Heart-state metadata | Session matching & AI guidance | Supabase |
| Session metadata | Duration, exchange count, depth level | Supabase |
| Preferences | Language, theme, notification settings | Device & Supabase |
| Push notification token | Reminders & notifications | Supabase & FCM |
2. What We Don't Collect
- Your du'a list — stored locally on your device only, never synced.
- Reflection content — AI receives heart-state metadata only, never your written reflections.
- Health or biometric data — we don't access HealthKit or biometric sensors.
- Precise location — we don't request or store your location.
- Contacts — we never access your address book.
3. How AI Works in Hudur
Hudur uses Google Gemini as a Muhasaba facilitator — not a therapist, scholar, imam, or mufti. Here's exactly how it works:
- All Islamic content is curated. Quran verses, hadith, and du'as come exclusively from our verified content database. AI never generates Islamic texts.
- Heart-state matching. Your selected heart state (e.g. shukr, sabr, qabd) is shared with the AI to match you with appropriate du'as and reflections.
- Edge Functions as proxy. All AI requests are routed through Supabase Edge Functions. No API keys live on your device.
- Session limits enforced. A maximum of 5 exchanges per session and 3 sessions per day, to protect the practice's integrity.
4. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication, database, Edge Functions | Account data, session metadata |
| Google Gemini | AI Muhasaba guidance (via Edge Functions) | Heart state, depth level (anonymized) |
| Firebase Crashlytics | Crash reporting (opt-in) | Device info, crash logs |
| Firebase Cloud Messaging | Push notifications | Device token |
| RevenueCat | Subscription management | Purchase data, anonymous user ID |
| Cloudflare R2 | Audio content delivery | None (read-only CDN) |
| Apple / Google Sign-In | Authentication | Email (via OAuth) |
5. Your Rights
You have the right to:
- Access — request a copy of all data we hold about you.
- Delete — request complete deletion of your account and associated data.
- Portability — receive your data in a machine-readable format.
- Opt out — disable analytics and crash reporting at any time.
- Withdraw consent — revoke any previously granted permissions.
To exercise any of these rights, email salam@hudur.app. We will respond within 30 days.
6. Data Retention
- Active account — data is retained while your account is active.
- Deleted account — all data is permanently deleted within 30 days of your request.
- Crash logs — automatically purged after 90 days.
- Session metadata — retained for practice history; deleted with the account.
7. Children's Privacy
Hudur is designed for Muslim adults aged 18 and above. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated in the app. Continued use of Hudur after changes constitutes acceptance of the updated policy.