DRAFT — This policy is under legal review (2026-04-25). Published for development purposes; will be replaced before public launch.
← Back to Ummat

Privacy Policy

Last updated: April 25, 2026

1. Who We Are

Ummat is operated by Ummat, an Islamic technology organization (501(c)(3) application pending). We operate ummat.app, a Muslim super-app providing prayer tools, Islamic content, community features, and charitable giving.

Data controller: Ummat — [email protected]

2. What We Collect

Data you provide:

  • Account information: email address, display name, and optional profile details (avatar, location, bio).
  • Prayer preferences: calculation method, school of thought, reminder settings (if using prayer time features).
  • Saved content: articles, quran bookmarks, hadith favourites you save within the app.
  • Donation history: amount, recipient organization, date. Payment card details are processed and held by Stripe — not stored by Ummat.
  • Community interactions: posts, comments, and reactions in community features.

Data collected automatically:

  • Location data: GPS coordinates when you use prayer times or Qibla direction. Used only for calculation. Not stored unless you save a location.
  • Usage data: features used, session duration, error reports.
  • Device information: device type, OS version, browser/app version.
  • IP address: rate limiting and geographic routing. Not stored beyond 30 days.

We do not sell your data. We do not build advertising profiles.

3. How We Use It

  • Deliver prayer times, Islamic content, community, and charitable giving features.
  • Process your donations and send donation receipts.
  • Sync your preferences and saved content across devices.
  • Send transactional emails (account verification, password reset, donation receipt).
  • Detect and prevent abuse, spam, and security incidents.
  • Comply with applicable law (tax records for donations, GDPR, CCPA).

GDPR lawful basis: contract performance, legitimate interests (security, fraud prevention), legal obligation (tax/payment records).

4. Who We Share With

VendorPurposeCountry / Safeguard
Hetzner Online GmbHServer hostingGermany (EU)
Vercel Inc.Web hostingUSA/EU — SCCs
Cloudflare Inc.CDN, DNSUSA/EU — SCCs
Stripe Inc.Payment processingUSA — SCCs
Elastic Email Inc.Transactional emailUSA/EU — SCCs
Google FirebasePush notifications (mobile)USA — SCCs

Full sub-processor list: ummat.pro/legal/sub-processors

5. Your Rights

  • Access — request a copy of all data we hold.
  • Correct — ask us to fix inaccurate data.
  • Delete — request deletion of your account and data.
  • Port — receive your data in machine-readable format.
  • Restrict / Object — limit or object to certain processing.

GDPR / UK-GDPR: Articles 15–22 apply. Response within 30 days. CCPA/CPRA: we do not sell your data.

Email: [email protected]

6. Children

Ummat App is not directed at children under 13 (US) or under 16 (EU). We do not knowingly collect data from minors below these ages. Contact [email protected] if you believe a child has provided data.

7. Retention

  • Account and preference data: until deletion + 30-day grace period.
  • Donation records: 7 years (tax/legal requirement).
  • Server logs (incl. IP): 30 days.
  • Anonymized analytics: up to 24 months.

8. International Transfers

Our servers are in Falkenstein, Germany (EU) via Hetzner. Some providers operate in the USA under Standard Contractual Clauses (EU 2021/914, Module 2).

9. Security

TLS 1.3 in transit. Encryption at rest for sensitive fields. Role-based access control. Security: [email protected]

10. Contact

Privacy: [email protected]
Security: [email protected]

Ummat (501(c)(3) application pending) — United States

Recent Updates (2026-04-25)

The following changes reflect P3 platform decisions that took effect April 2026:

  • Analytics — PostHog removed: PostHog is no longer used on any Ummeco product (decision D-P3-21). Ummat App does not currently deploy analytics on its web client. This policy will be updated if analytics are added.
  • Stripe payment data: When you complete a donation or Ummat+ subscription, payment card data is processed and stored exclusively by Stripe Inc. We receive only a payment intent token. Donation metadata (amount, recipient, date) stored on our servers is encrypted at rest using AES-256 envelope encryption within our Hetzner PostgreSQL database. Your card number, CVC, and billing address never touch our servers.
  • AI features: Ummat App embeds Islamic Q&A via ChatIslam. Any queries you submit are governed by ChatIslam's Privacy Policy. Ummat App itself does not retain a separate copy of AI conversation data.