OpenAyah - Your Quran and Hadith Companion
Last Updated: January 31, 2026
Welcome to OpenAyah. We are committed to protecting your privacy and being transparent about how we handle your information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information.
Quick Summary: OpenAyah is designed with privacy in mind. We collect only the minimum data necessary to provide you with a personalized Quran reading experience. We do not sell your data, we do not show advertisements, and we do not track you across other apps or websites.
OpenAyah is a mobile application developed to help users read, study, and engage with the Quran and Hadith collections. Our mission is to provide a beautiful, distraction-free reading experience while respecting your privacy.
Data Controller:
Kitaby LTD
Email: privacy@kitaby.app
Website: https://kitaby.app
| Data Type | When Collected | Purpose |
|---|---|---|
| Email Address | When you create an account | Account authentication, password recovery, important service notifications |
| Name | When you sign in with Apple or Google | Personalization (display name in app) |
| Reading Progress | As you read the Quran | Track your position, display progress statistics, sync across devices |
| Bookmarks & Notes | When you save verses or add notes | Store your personal annotations for later reference |
| App Preferences | When you customize settings | Remember your theme, font size, translation preferences, and reading settings |
| Data Type | What We Collect | Purpose |
|---|---|---|
| Device Information | Device model, operating system version, app version | Ensure app compatibility, troubleshoot issues |
| Usage Analytics | Features used, reading sessions (stored locally) | Calculate your reading streaks and statistics |
| Crash Reports | Technical error logs (if app crashes) | Fix bugs and improve app stability |
OpenAyah is designed to respect your privacy. We explicitly do not collect:
We use your information only for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide app functionality - Display Quran text, track reading progress, save bookmarks | Contract Performance |
| Sync data across devices - Keep your progress consistent when you use multiple devices | Contract Performance |
| Process subscriptions - Manage premium features and payment processing | Contract Performance |
| Send service notifications - Password resets, account security alerts | Legitimate Interest |
| Improve the app - Analyze crash reports to fix bugs | Legitimate Interest |
| Respond to support requests - Help you when you contact us | Contract Performance |
We do NOT use your information for:
To provide OpenAyah's features, we work with the following trusted third-party service providers:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Supabase | Supabase Inc. | User authentication, secure cloud data storage | Email, encrypted password, reading progress, settings |
| Apple Sign-In | Apple Inc. | Optional secure login method | Name, email (with Apple's privacy relay option) |
| Google Sign-In | Google LLC | Optional secure login method | Name, email, profile picture |
Privacy Policies: Supabase | Apple | Google
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| RevenueCat | RevenueCat Inc. | Manage subscriptions and in-app purchases | Device ID (IDFV on iOS), anonymous user ID, purchase history, subscription status |
| Apple App Store | Apple Inc. | Process iOS payments | Handled directly by Apple - we do not receive payment details |
| Google Play | Google LLC | Process Android payments | Handled directly by Google - we do not receive payment details |
Important: We never receive, store, or have access to your credit card numbers, bank account details, or payment credentials. All payment processing is handled securely by Apple, Google, and RevenueCat.
Privacy Policy: RevenueCat
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Quran.com Audio CDN | Quran Foundation | Deliver Quran recitation audio files | IP address (standard web request), verses requested |
| Tarteel.ai | Tarteel AI | Word morphology and dictionary data | IP address, word lookup requests |
| Cloudflare CDN | Cloudflare Inc. | Deliver language packs and app assets | IP address (standard web request) |
Privacy Policies: Quran.com | Tarteel.ai | Cloudflare
OpenAyah does not include any advertising SDKs, tracking pixels, or behavioral analytics services. We do not use:
Most of your data is stored locally on your device using encrypted storage:
If you create an account, the following data is synced to our secure cloud servers (Supabase):
We implement industry-standard security measures to protect your data:
We retain your data only as long as necessary to provide our services:
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Reading progress & bookmarks | Until you delete your account |
| Local app data | Until you uninstall the app or clear data |
| Crash reports | 90 days |
| Support correspondence | 2 years after resolution |
When you delete your account, we delete or anonymize your personal data within 30 days, except where we are required by law to retain certain information.
You have the following rights regarding your personal data:
You can view your data within the app (Settings > Account) or request a complete export of your data by contacting us.
You can update your account information directly in the app or by contacting us.
You can delete your account and all associated data at any time:
You can request a copy of all your data in a machine-readable format (JSON) by contacting us.
Where we process data based on your consent, you can withdraw consent at any time by adjusting your settings or contacting us.
You can request that we restrict processing of your data or object to certain processing activities.
To exercise any of these rights, contact us at privacy@kitaby.app. We will respond within 30 days.
OpenAyah is designed to be family-friendly and suitable for users of all ages. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA) without parental consent.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@kitaby.app, and we will take steps to delete such information.
For children using the app, we recommend:
Your data may be processed in countries outside your country of residence. Our service providers operate data centers in:
When we transfer data internationally, we ensure appropriate safeguards are in place:
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
You have the right to request that we disclose:
You have the right to request deletion of your personal information, subject to certain exceptions.
We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
We will not discriminate against you for exercising your privacy rights.
| Category (per CCPA) | Collected? | Sold? | Shared for Ads? |
|---|---|---|---|
| Identifiers (email, name) | Yes | No | No |
| Commercial information (purchases) | Yes | No | No |
| Internet activity (app usage) | Yes | No | No |
| Geolocation data | No | No | No |
| Biometric information | No | No | No |
| Sensitive personal information | No | No | No |
To exercise your California privacy rights, contact us at privacy@kitaby.app or use the in-app account deletion feature.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws:
We process your data under the following legal bases:
In addition to the rights listed in Section 7, you have the right to:
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority:
In accordance with Apple's App Store requirements (effective May 2024), here is how our data collection aligns with Apple's privacy nutrition labels. This section uses Apple's exact terminology for App Store Connect.
The following data types are collected and linked to your identity:
| Apple Category | Data Type | Purpose | Tracking? |
|---|---|---|---|
| Contact Info | Email Address | App Functionality (authentication) | No |
| Contact Info | Name | App Functionality (personalization) | No |
| Identifiers | User ID | App Functionality (account management) | No |
| Identifiers | Device ID (IDFV) | App Functionality (subscription verification via RevenueCat) | No |
| Purchases | Purchase History | App Functionality (subscription management) | No |
| User Content | Other User Content (bookmarks, notes) | App Functionality (save and sync user annotations) | No |
| Usage Data | Product Interaction (reading progress) | App Functionality, Product Personalization | No |
The following data is collected but not linked to your identity:
| Apple Category | Data Type | Purpose |
|---|---|---|
| Diagnostics | Crash Data | App Functionality (bug fixes) |
| Diagnostics | Performance Data | App Functionality (stability) |
We do not collect the following data types:
OpenAyah does NOT track users.
Per Apple's definition, "tracking" means linking data with Third-Party Data for advertising or sharing with data brokers. We confirm:
Per Apple's requirements, we disclose data collection by third-party SDKs:
| SDK | Data Collected | Purpose |
|---|---|---|
| RevenueCat | Device ID (IDFV), Purchase History | Subscription management, fraud prevention |
| Supabase | Email, User ID, User Content | Authentication, cloud sync |
| Google Sign-In SDK | Email, Name (via OAuth) | Authentication only |
| Apple Sign-In | Email, Name (first sign-in only) | Authentication only |
Note: We do not include any advertising SDKs (Facebook, Google Ads, etc.) or analytics SDKs (Firebase Analytics, Amplitude, etc.).
Per Apple's May 2024 requirements, our app includes a Privacy Manifest declaring the following Required Reason APIs:
| API Category | Reason Codes | Why We Use It |
|---|---|---|
| File Timestamp | C617.1, 0A2A.1, 3B52.1 | Check file modification dates for cache management |
| User Defaults | CA92.1, C56D.1 | Store app preferences and settings |
| System Boot Time | 35F9.1 | Calculate elapsed time for animations/timers |
| Disk Space | E174.1, 85F4.1 | Check available space before downloading language packs |
Our Privacy Manifest declares NSPrivacyTracking: false and NSPrivacyCollectedDataTypes: empty (no tracking-related data collection).
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
When we make material changes, we will:
We encourage you to review this policy periodically to stay informed about how we protect your information.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@kitaby.app
General Support: support@kitaby.app
Website: https://kitaby.app
We aim to respond to all privacy-related inquiries within 30 days.
To submit a formal data subject access request (DSAR), please email privacy@kitaby.app with the subject line "Data Subject Access Request" and include:
We may need to verify your identity before processing your request to protect your privacy.