Privacy Policy
Effective Date: April 14, 2026
Last Updated: April 14, 2026
1. Introduction
This Privacy Policy ("Policy") governs the collection, use, processing, storage, sharing, and protection of personal information by Qaswa Connect ("we," "us," "our," or "Company"), a mobile application platform that connects Muslims with their local masjid communities.
Developer: Qaswa Connect (Eterna Labs LLC)
Location: United States
Contact: support@qaswaconnect.com
By accessing or using the Qaswa Connect mobile application ("App"), you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree, you must not use the App.
2. Legal Basis and Compliance
This Privacy Policy complies with applicable privacy laws and regulations, including but not limited to:
- Federal Trade Commission Act (FTC Act) and FTC Privacy Rules (United States)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- General Data Protection Regulation (GDPR) (European Union)
- Children's Online Privacy Protection Act (COPPA) (United States)
- Apple App Store Guidelines and Google Play Store Developer Policies
These protections and rights apply to all users regardless of geographic location, unless otherwise specified by applicable law.
3. Information We Collect
3.1 Personal Information You Provide
We collect personal information that you voluntarily provide when creating an account, using features, or communicating with us:
- Account Information: Full name, email address, phone number (optional), password (encrypted)
- Profile Data: Age or age range, gender (male/female), interests and preferences, profile photo (optional)
- Payment Information: Donation amounts, payment method details (processed and stored securely by Stripe; we do not store complete credit card numbers)
- Donation Records: Donation history, recurring donation preferences, designated masjids, donor name (if not anonymous), optional messages
- Communications: Messages sent through in-app chat, comments on posts, event RSVPs, volunteer sign-ups, support inquiries
- User-Generated Content: Posts, comments, photos, videos, and other content you create or share
3.2 Information Collected Automatically
- Device Information: Device model, operating system and version, unique device identifiers (IDFA, Android Advertising ID), device settings
- Usage Data: Features accessed, screens viewed, time spent in app, actions taken, app crashes and errors, performance metrics
- Location Data: Precise geolocation (GPS coordinates) when you grant permission, used to show nearby masjids; approximate location derived from IP address
- Network Information: IP address, connection type (WiFi, cellular)
- Push Notification Tokens: Device tokens to send notifications about prayer times, events, and announcements
3.3 Information from Third-Party Services
If you authenticate using third-party services, we may receive:
- Google Sign-In: Name, email address, profile photo
- Apple Sign-In: Name (optional), email address (real or private relay), user identifier
4. How We Use Your Information
4.1 Service Provision
- Create, maintain, and authenticate your account
- Provide core app features (prayer times, events, donations, messaging)
- Process and fulfill donation transactions
- Send transactional notifications (donation receipts, event confirmations)
- Respond to your inquiries and provide customer support
4.2 Personalization
- Show nearby masjids based on your location
- Filter content by gender preferences
- Recommend relevant events and content based on your interests
- Remember your preferences and settings
4.3 Safety, Security, and Legal Compliance
- Detect, prevent, and investigate fraud, abuse, and security threats
- Enforce our Terms of Service and community guidelines
- Comply with legal obligations, court orders, and law enforcement requests
- Protect the rights, property, and safety of Qaswa Connect, our users, and the public
4.4 Analytics and Improvement
- Analyze usage patterns and trends to improve app functionality
- Monitor app performance, crashes, and errors
- Generate aggregated, anonymized statistics
5. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
5.1 Service Providers
We share information with the following third-party service providers. Each receives only the data necessary to perform its specific function:
- Stripe, Inc. — We use Stripe to process donations. When you make a donation, your name, email address, and payment information are shared with Stripe. Stripe is PCI DSS Level 1 certified. View Stripe's Privacy Policy.
- Supabase, Inc. — We use Supabase for database hosting and backend infrastructure. Donor records (name, email, donation amount, masjid) are stored in Supabase-hosted PostgreSQL databases with encryption at rest (AES-256). Data is hosted in the United States. View Supabase's Privacy Policy.
- Netlify, Inc. — We use Netlify for website hosting. Netlify receives your IP address and browser information (User-Agent) in standard access logs when you visit our website. Netlify does not use cookies for tracking. View Netlify's Privacy Policy.
- Expo (for mobile app) — Push notification delivery and over-the-air updates for the mobile application.
- Google Maps (for mobile app) — Location services and mapping for finding nearby masjids.
- Resend — Transactional email delivery for donation receipts and account notifications.
These service providers are contractually obligated to use your information only as necessary to provide services to us and are prohibited from using it for their own purposes.
Fonts: We use Inter and Playfair Display fonts. These are self-hosted on our servers via Next.js — no requests are made to Google servers when you visit our website.
5.2 With Masjids
When you make a donation, the recipient masjid receives your name (unless anonymous), email, donation amount, and optional message. When you RSVP to events or join groups, relevant information is shared with masjid administrators.
5.3 For Legal Reasons
We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to comply with legal obligations, enforce our Terms, protect against fraud, or protect the rights and safety of our users and the public.
6. Data Security
We implement commercially reasonable security measures to protect your personal information:
- Encryption of data in transit using HTTPS/TLS protocols
- Encryption of sensitive data at rest in our databases
- Secure password hashing using industry-standard algorithms (bcrypt)
- Multi-factor authentication for administrative access
- Regular security audits and vulnerability assessments
- Limited employee access to personal data on a need-to-know basis
- Secure payment processing through PCI-DSS compliant providers (Stripe)
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Your Privacy Rights
7.1 Rights Under GDPR (EU Residents)
- Right to Access: Request a copy of the personal information we hold about you
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information
- Right to Restrict Processing: Limit how we use your information
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent for processing at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
7.2 Rights Under CCPA/CPRA (California Residents)
- Right to Know: Request disclosure of personal information collected, used, and shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
- Right to Correct: Request correction of inaccurate information
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
7.3 Exercising Your Rights
You have the right to:
- Access your personal data (request a copy of your donation history)
- Correct inaccurate personal data
- Delete your personal data (right to be forgotten)
- Object to processing of your data
- Receive your data in a machine-readable format (data portability)
To exercise any of these rights, email privacy@qaswaconnect.com with your request. We will respond within 30 days. To verify your identity, we may ask you to confirm the email address associated with your donations.
Note: We may retain anonymized donation amounts and dates for tax and legal compliance even after personal data is deleted.
8. Cookies and Tracking Technologies
The App uses the following tracking technologies:
- Local Storage: To store user preferences, authentication tokens, and app state
- Analytics SDKs: To collect usage data and app performance metrics
- Crash Reporting: To identify and fix app crashes
- Advertising Identifiers: Device advertising IDs for analytics purposes only (we do not serve ads)
You can opt out of analytics tracking by disabling "Allow Analytics" in App Settings, or through your device settings by enabling "Limit Ad Tracking" on iOS or opting out of personalized ads on Android.
9. COPPA / Children's Privacy
The App is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent.
Minimum age: Users must be at least 13 years old to create an account and use the App. Users between 13 and 17 years of age must have parental or legal guardian consent to use the App, and their parent or guardian agrees to be bound by our Terms of Service on their behalf.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information as soon as possible. If you believe we have collected information from a child under 13, please contact us immediately at support@qaswaconnect.com.
10. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Policy:
- Account Data: Retained while your account is active
- Donation Records: Retained for 7 years for tax and legal compliance purposes
- Communications: Retained for 2 years or as needed for support purposes
- Usage Data: Aggregated and anonymized after 18 months
10.1 Data Deletion Process
When you request deletion of your personal data (via privacy@qaswaconnect.com), we follow this process:
- Identity verification: We confirm the email address matches records in our system.
- Anonymization of donation records: Your name is replaced with "Deleted Donor" and your email is replaced with a cryptographic hash (so that it cannot be reversed but can still be used to verify future requests).
- Third-party deletion: If a Stripe Customer object was created, we request its deletion via the Stripe API.
- Confirmation: We send a deletion confirmation to your email before removing it from our records.
- Logging: We record the deletion request date and completion date for compliance purposes.
IRS compliance exception: Under IRS regulations for 501(c)(3) organizations, we are required to retain financial transaction records for 7 years. When you request deletion, we anonymize your personal information (name and email) but retain the donation amount and date for legal compliance. After 7 years, all records are permanently deleted.
Contact form messages are deleted after 90 days. Usage data is aggregated and anonymized after 18 months.
11. International Data Transfers
Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses approved by the European Commission.
12. Religious Data (GDPR Article 9)
Qaswa Connect is a platform designed to serve Muslim communities. By using the App, you may provide or we may infer information about your religious beliefs and practices, which is considered "special category data" under GDPR Article 9.
We process this data based on your explicit consent (provided when you create an account and agree to this Policy) and for the legitimate purpose of providing the Services. This data includes:
- Masjid connections and preferences
- Prayer time notifications and preferences
- Participation in Islamic events and community features
- Donation history to religious institutions
You may withdraw your consent and request deletion of this data at any time by deleting your account or contacting us at support@qaswaconnect.com.
13. Biometric Data
Qaswa Connect does not collect, process, or store biometric data (e.g., fingerprints, facial recognition data, voiceprints). Any biometric authentication (such as Face ID or Touch ID) used to access the App is handled entirely by your device operating system and is never transmitted to or stored on our servers.
14. Data Breach Notification
In the event of a data breach that compromises the security of your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify relevant supervisory authorities as required by applicable law
- Provide information about the nature of the breach, the data affected, and steps being taken to address it
- Take immediate steps to contain the breach and prevent further unauthorized access
- Offer guidance on steps you can take to protect yourself
15. State-Specific Privacy Laws
In addition to the CCPA/CPRA (California), we comply with other applicable state privacy laws, including but not limited to:
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
Residents of these states may have additional rights regarding their personal information. To exercise these rights, contact us at support@qaswaconnect.com.
16. Masjid Data Processing
Masjid administrators who use Qaswa Connect to manage their masjid profiles and engage with their communities should be aware that:
- Masjid administrators may access certain user data (such as donor information, event RSVPs, and chat messages) as necessary to manage their masjid's operations within the App
- Masjids are responsible for their own compliance with applicable data protection laws regarding any user data they access through the App
- Masjid administrators agree to use user data only for legitimate masjid operations and not for unauthorized purposes
- We provide tools for masjid administrators to manage data access and comply with user requests regarding their data
- Masjid-related data (name, address, prayer times, events) is considered public information within the App
We Do Not Sell Your Personal Information
Qaswa Connect does not sell, rent, or trade your personal information to third parties for marketing or any other purpose. This applies to all users regardless of location. We share personal data only with service providers (such as Stripe for payment processing and Supabase for data storage) as necessary to operate the platform, and only under strict data processing agreements.
17. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@qaswaconnect.com
Subject Line: Privacy Inquiry
Company: Eterna Labs LLC
Website: qaswaconnect.com/privacy
We will respond to your inquiry within 30 days (or as required by applicable law).