DRAFT · PENDING LEGAL REVIEW
This document has not yet been reviewed by a qualified lawyer. It is not final and should not be relied upon. A reviewed version will replace this page before public launch.
Privacy Policy
Draft · Last updated 30 March 2026
Who We Are
Shafaq is operated by Shafaq Pty Ltd, an Australian Proprietary Limited company registered under the Corporations Act 2001 (Cth) and regulated by ASIC. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Information We Collect
We collect the following categories of personal information when you use Shafaq:
- Account information: email address, display name
- Profile preferences: madhab, region, timezone
- Spiritual activity: prayer logs, Quran reading sessions, dhikr records, fasting records, journal entries, du'a entries (entered by you voluntarily)
- Financial calculations: zakat asset values and calculation results, if you choose to save them
- Estate planning data: estate values and heir configurations entered into the Miraath planner, if you choose to save them
- Waitlist submissions: email address and optional name and region
Location Data
Shafaq requests access to your device's location solely to calculate prayer times and Qibla direction for your area. Location data is processed on your device using an astronomical calculation library; it is not transmitted to or stored on our servers. We do not retain, log, or share your location. You may deny location access at any time via your browser or device settings; prayer times will then require you to enter your city manually.
How We Use Your Information
We use your personal information only to provide and improve the Shafaq service, including: creating and managing your account, storing your spiritual activity data so it persists across sessions and devices, generating your weekly Muhasabah insight (processed by the Anthropic API using only your aggregated activity counts, not your journal content), and communicating service updates if you are on our waitlist.
We do not use your information for advertising, profiling for commercial purposes, or any purpose other than operating the service.
We Do Not Sell Your Data
Shafaq does not sell, rent, or trade your personal information to any third party, for any purpose, under any circumstances.
Data Processors
We use the following third-party services to operate Shafaq:
- Supabase (Supabase Inc.): our database, authentication, and backend infrastructure provider. Your data is stored in Supabase's hosted PostgreSQL database. Supabase hosts our data on Amazon Web Services in the Asia Pacific (Sydney) ap-southeast-2 region. Supabase processes data on our behalf under its Data Processing Agreement.
- Anthropic (Anthropic PBC): used to generate weekly Muhasabah insights. Only aggregated, non-identifiable activity counts are sent to the Anthropic API; no personal data and no journal content are sent. Anthropic's API terms apply.
- Vercel Inc.: our web hosting provider. Vercel serves the Shafaq web application. Analytics are not enabled. Vercel may process standard web server logs (IP address, request path) in the ordinary course of hosting.
Data Retention
We retain your personal information for as long as your account is active. If you delete your account, your personal data will be deleted from our systems within 30 days, except where we are required by law to retain it for longer.
Your Rights
Under the Australian Privacy Principles, you have the right to: access the personal information we hold about you; request correction of inaccurate information; and make a complaint if you believe we have breached the Privacy Act. To exercise any of these rights, contact us via the link in the footer.
If you are located in the United Kingdom or European Economic Area, additional rights under UK GDPR / GDPR may apply. [Legal review required for this section before serving EU/UK users.]
Security
All data is transmitted over HTTPS. Authentication is managed by Supabase, and Row Level Security (RLS) policies ensure each user can only access their own data. We do not store passwords; email/password authentication, including password hashing, is handled entirely by Supabase Auth.
Changes to This Policy
We will notify users of material changes to this policy by updating the effective date and, where appropriate, by email.
Contact
For privacy enquiries or to exercise your rights, contact Shafaq Pty Ltd via the contact link in the footer.