Effective date: 15 April 2026 Last updated: 15 April 2026 Version: 1.0

0. Plain-language summary (TL;DR)

Muhasaba is a local-first personal deen tracker. Everything you enter in the app — your amals, completions, notes, categories, and settings — stays on your device. We do not have a server that stores your content, and we cannot read it.

In release builds of the app, we collect two kinds of anonymous diagnostic data through Google’s Firebase service:

  1. Usage analytics — which buttons you tap and which screens you open (event names only, no user content). This helps us understand how the app is used and what to improve.
  2. Crash reports — technical information when the app crashes, so we can fix bugs.

We do not know who you are. We do not collect your name, email, phone number, precise location, contacts, photos, or any advertising identifier. We do not sell or share your data with advertisers. We do not profile you, target you with ads, or combine your data with other sources.

If you email our support address, we will see whatever you write (and, if you choose “Send Bug Report,” your device model and app version). That is the only way personal data would ever reach us, and only if you choose to write to us.

The rest of this policy is the long, legally-precise version of the paragraphs above.

Table of contents

1. Who we are / data controller

The Muhasaba mobile application (“Muhasaba”, “the app”, “we”, “us”, “our”) is developed and published by:

Because Muhasaba is an independent, single-developer project, we have not appointed a Data Protection Officer (DPO). A DPO is not mandatory under GDPR Art. 37 for our processing activities (no large-scale, systematic, or special-category processing). If this changes, this policy will be updated.

2. Scope of this policy

This policy applies to the Muhasaba mobile application, distributed via the Apple App Store (iOS and iPadOS) and the Google Play Store (Android), and to any successor build targeting macOS or the web through the same codebase.

This policy does not apply to:

3. Data we collect

We group the data we process into four categories:

3.1 Content you create inside the app (stored only on your device)

The app stores the following locally in an SQLite database on your device, using the Drift library. This content never leaves your device through our systems. It is not uploaded, synced, or backed up by us.

Data Where stored Leaves your device?
Amals (acts of worship you track): title, frequency, target count, weekly/monthly schedule, default-checked flag, reminder time, sort order, icon, category, timestamps Device SQLite (Amals table) No
Categories: name, icon, sort order Device SQLite (Categories table) No
Daily completions and your personal notes Device SQLite (Completions table) No
Hidden-day markers (transient) Device SQLite (HiddenDays table) No
App settings: locale, theme, rollover hour, start-of-week, view mode Device SQLite (SettingsKv table) No

Your device’s operating system may back up the app’s local data to iCloud (iOS) or Google Drive (Android) as part of OS-level backups you control in system settings. Those backups are governed by Apple’s or Google’s terms and are outside our access. You can disable them in your device settings.

3.2 Usage analytics (Firebase Analytics — release builds only)

In release builds of the app, we use Google Firebase Analytics (provided by Google LLC and, for EEA/UK/Swiss users, Google Ireland Limited) to collect anonymous usage telemetry. Firebase Analytics is not enabled in debug or developer builds of the app.

Events recorded. We log events when you interact with core features so we can understand what’s used and spot regressions. They fall into these categories:

Each event carries at most a handful of categorical parameters (e.g. frequency: daily, theme_mode: light). No free-form text — amal titles, category names, notes, etc. — is ever included. The complete, up-to-date list of event names and parameters is available on request at mukashi.dev@gmail.com.

User properties recorded. Two pseudonymous user properties are attached to the analytics stream:

Device and technical information collected by Firebase Analytics by default. In addition to the events above, Firebase Analytics automatically records a limited set of technical signals with each event. These come from Google’s SDK, not our code:

We do not configure Firebase Analytics to collect the iOS Advertising Identifier (IDFA) or Android Advertising ID (AAID). We do not use Google Signals, Google Ads integration, or audience-building features.

3.3 Crash and performance diagnostics (Firebase Crashlytics — release builds only)

When the app crashes or throws an uncaught exception in a release build, we use Google Firebase Crashlytics to record:

We do not attach any custom user identifier, tags, or log messages to crash reports. Only uncaught Flutter and Dart exceptions are captured — nothing the app intentionally logs.

Crashlytics is explicitly disabled in debug builds (FirebaseCrashlytics.instance.setCrashlyticsCollectionEnabled(!kDebugMode)), so no crashes are reported from development builds.

Although crash stack traces are not designed to contain personal data, it is theoretically possible that a crash that occurs while you are typing (for example in a note or amal title) could include fragments of that text in an exception message. We do not intentionally capture such text, and we have reviewed the app to minimise this risk, but we disclose it here for transparency.

3.4 Data you send us by email (only if you choose to)

The app contains three support options in Settings that open a pre-filled email in your email client:

Emails are sent through your own email client using the operating system’s share sheet. We do not see or store anything until and unless you press “Send” in your email client, at which point the email reaches our inbox (mukashi.dev@gmail.com) via Google Gmail.

What we receive: your email address (as sender), anything you write, and — if you used “Report a bug” — the diagnostic body described above.

4. Data we do not collect

For the avoidance of doubt, Muhasaba does not collect, process, or have access to any of the following:

5. How we use data (purposes)

Data Purpose Why it is necessary
Local content (amals, completions, notes, settings) To provide the app’s core functionality Without it, the app cannot show you your tracker
Firebase Analytics events and properties To understand aggregate usage patterns, prioritise improvements, detect regressions (for example, if a feature suddenly stops being used) Product improvement
Firebase Crashlytics reports To detect, diagnose, and fix bugs and crashes App stability
Support emails To respond to your question, bug report, or feature request Customer support
Device info in bug reports To reproduce bugs that may be device- or OS-specific Technical support

We do not use any of the above for advertising, profiling, scoring, or automated decisions with legal or similarly significant effects.

6. Legal bases (EEA / UK / Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process personal data under the following legal bases (GDPR Art. 6; UK GDPR Art. 6; FADP Art. 31):

Processing Legal basis
Storing your content locally on your device Not a processing activity carried out by us — the controller is you, acting in a purely personal / household capacity (GDPR Art. 2(2)(c)). We have no technical access.
Firebase Analytics telemetry in release builds Legitimate interests (Art. 6(1)(f)): our interest in understanding how the app is used and improving it, balanced against your privacy interest. We have conducted a balancing assessment, concluding that the interest is legitimate, the processing is necessary and proportionate (pseudonymous, limited event set, no profiling, no advertising), and your reasonable expectations are met through this transparent disclosure. You have the right to object (see §11).
Firebase Crashlytics reports in release builds Legitimate interests (Art. 6(1)(f)): our interest in keeping the app stable and secure.
Replying to a support email you send Legitimate interests (Art. 6(1)(f)): responding to your enquiry.
Compliance with legal obligations (e.g. responding to a lawful order, defending claims) Legal obligation (Art. 6(1)(c)) or legitimate interests (Art. 6(1)(f)) as applicable.

Where the law of your country requires consent for analytics or diagnostics on a mobile device (for example, under national implementations of ePrivacy rules), we will introduce an in-app consent mechanism in a future release. If that release is not yet installed on your device, and you are in such a jurisdiction, please contact us to exercise your right to object, and we will treat the request as a withdrawal of the applicable legal basis.

7. Who we share data with

We share data only with the following categories of recipients, and only for the purposes listed:

Recipient Role Data received Purpose
Google LLC (US) / Google Ireland Limited (Ireland) — Firebase Analytics, Firebase Crashlytics, Firebase Core Processor on our behalf (GDPR Art. 28) Event stream (§3.2), crash reports (§3.3), automatically-collected device signals Analytics and crash reporting
Google LLC — Gmail Independent controller (inbound email service) The contents of any support email you send Email delivery to our inbox
Apple Inc. — App Store, in-app review Independent controller Whatever Apple collects when you install, review, or interact with the App Store listing Distribution and reviews
Google LLC — Google Play, in-app review Independent controller Whatever Google collects when you install, review, or interact with the Play Store listing Distribution and reviews
Legal and law-enforcement authorities Independent controllers Only what is required by valid legal process Compliance with law
A successor entity if Muhasaba is transferred, sold, or merged Controller Whatever data exists at the time Continuity of service

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not share personal information with data brokers.

The agreements we have in place with Google for Firebase (Google’s Data Processing Terms) contractually restrict Google from using the data for its own purposes beyond what is necessary to provide, secure, and maintain the Firebase services.

8. International data transfers

Muhasaba data processed through Firebase is transmitted to servers operated by Google. Google processes Firebase data in multiple regions; in practice, for our configuration, analytics and crash data may be processed in the United States and other countries where Google operates.

Where personal data is transferred from the EEA, UK, or Switzerland to a country that is not the subject of a European Commission adequacy decision (notably the United States for transfers outside the EU-U.S. Data Privacy Framework scope), the transfer is protected by:

You may request a copy of the relevant transfer mechanisms by contacting us.

9. Data retention

Data Retention period
Local content on your device (amals, completions, notes, settings) Until you delete it or uninstall the app. Uninstalling the app removes the local database.
Firebase Analytics events Google retains event-level data for 2 months by default (our configured setting); aggregated reports may be retained longer by Google per its own policies
Firebase Analytics user-property values (app_language, theme_mode) Until you uninstall and reinstall (which resets the app-instance ID), or until Google’s own retention window expires
Firebase Crashlytics crash reports Google retains Crashlytics data for 90 days per its standard configuration
Support emails (Gmail) Up to 24 months from the last correspondence, unless we need to retain them longer to defend legal claims or comply with law
Backups None — we have no server-side backups of your data

Uninstalling the app from your device clears all locally-stored content. It does not retroactively delete analytics events or crash reports that were already transmitted before uninstallation — those expire under the periods above. You may also ask us to delete them on request (see §11).

10. Security

We apply the following safeguards:

No method of electronic transmission or storage is 100% secure. If we become aware of a security incident that involves personal data we hold (for example, in our email inbox) that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority in accordance with applicable law (GDPR Art. 33-34, CCPA §1798.82, equivalents).

11. Your rights

Depending on where you live, you have some or all of the following rights in relation to personal data we hold about you.

11.1 All users

11.2 EEA, UK, Switzerland (GDPR / UK GDPR / FADP)

11.3 California (CCPA/CPRA)

Categories of personal information collected under CCPA, in the 12 months preceding the effective date, are: identifiers (app-instance ID, Crashlytics installation UUID), internet or other electronic network activity information (event names and parameters, app version, screen views), and geolocation data (country only, derived from IP). No other CCPA categories are collected.

11.4 Brazil (LGPD)

11.5 Canada (PIPEDA and provincial equivalents)

11.6 Other jurisdictions

If you live elsewhere (for example, Australia, New Zealand, Japan, South Korea, South Africa, India, UAE), local laws may grant you similar rights. Please contact us and we will respond consistent with applicable law.

11.7 India (DPDP Act, 2023)

12. How to exercise your rights

Send an email to mukashi.dev@gmail.com from an address you control, describing your request. To help us respond, please:

We do not require you to create an account, and we do not ask for more information than is necessary to verify your request. Because we do not hold a record of who installed the app, verification is inherently limited; if we cannot verify a request without additional information that you are unwilling to provide, we will tell you so and explain what we can still do (for example, deletion by resetting your app-instance ID, which you can also do locally by uninstalling and reinstalling).

We will respond within 30 days (GDPR/UK GDPR), which may be extended by a further 60 days for complex requests with notice to you. For CCPA, we will confirm receipt within 10 business days and respond within 45 days (extendable by another 45 days).

You may also simply uninstall the app to stop any further telemetry from your device, and contact us if you additionally want existing telemetry deleted.

13. Children’s privacy

Muhasaba is a general-audience app and is not directed to children under 13 (United States — COPPA), under 16 (default threshold in the EEA for consent; some Member States have lowered this to 13, 14, or 15), or under 18 where local law sets that threshold for processing a child’s data.

We do not knowingly collect personal information from a child without verifiable parental consent. If you believe a child has used the app and we have received personal information about them (for example, through a support email), please contact us at mukashi.dev@gmail.com and we will delete the information.

The religious-tracking nature of the app does not in itself constitute “special category” data about a child, because we do not transmit the content of amals or completions.

14. Automated decision-making and profiling

We do not carry out any automated decision-making, profiling, or scoring that produces legal or similarly significant effects on you (GDPR Art. 22). The analytics we collect are aggregated and descriptive, not predictive, and are not used to make decisions about individuals.

15. App permissions

The app requests the following permissions at the operating-system level. Each is used only for the purpose disclosed.

15.1 Android (AndroidManifest.xml)

Permission Purpose
android.permission.POST_NOTIFICATIONS To display local reminder notifications at the times you choose
android.permission.RECEIVE_BOOT_COMPLETED To reschedule your reminder notifications after the device restarts (so reminders continue to fire)
android.permission.INTERNET Required by the Google Firebase SDKs to transmit the diagnostic data described in §3.2 and §3.3

No other permissions are requested. No custom network calls are made by the app’s own code.

15.2 iOS / iPadOS

The app does not list any NSxxxUsageDescription strings in Info.plist beyond those required implicitly by the SDKs, because the app does not access contacts, calendar, camera, microphone, photos, location, motion, or health data. The app will at runtime request permission to deliver local notifications via the standard iOS notification authorisation flow.

The app ships an Apple Privacy Manifest (PrivacyInfo.xcprivacy) declaring:

16. Third-party services

Service Provider Purpose Privacy policy
Firebase Analytics Google LLC / Google Ireland Limited Usage analytics (release builds) https://firebase.google.com/support/privacy and https://policies.google.com/privacy
Firebase Crashlytics Google LLC / Google Ireland Limited Crash reporting (release builds) https://firebase.google.com/support/privacy
Firebase Core Google LLC / Google Ireland Limited SDK initialisation https://firebase.google.com/support/privacy
Apple App Store and StoreKit in-app review Apple Inc. App distribution and review prompt https://www.apple.com/legal/privacy/
Google Play and In-App Review API Google LLC App distribution and review prompt https://policies.google.com/privacy
Gmail (inbound) Google LLC Our support email inbox https://policies.google.com/privacy
Web content (via WebView) Various The app uses an in-app browser (WebView) to display this policy and other help content. Respective website’s policy

We do not embed advertising SDKs, attribution SDKs, social-login SDKs, chat/support SDKs, or any other third-party component that collects personal data.

17. Platform-specific disclosures

17.1 Apple Privacy “Nutrition Labels”

Consistent with this policy, our App Store privacy label declares the following data types as collected, not linked to you, and not used for tracking:

We do not declare any data collected for the purpose of “Third-Party Advertising” or “Developer’s Advertising or Marketing.” If you believe our label is out of date, please contact us.

17.2 Google Play Data Safety

Consistent with this policy, our Play Console “Data safety” section declares:

18. Region-specific disclosures

18.1 European Economic Area, United Kingdom, Switzerland

See §6 (legal bases), §8 (international transfers), §11.2 (rights), §22 (supervisory authorities).

18.2 California

See §11.3. We do not sell or share (as those terms are defined under CCPA/CPRA) personal information, and we do not process sensitive personal information for purposes that trigger the “Limit Use of My Sensitive Personal Information” right. We do not knowingly sell or share the personal information of consumers under 16.

Notice at Collection. This policy serves as our Notice at Collection. Categories and purposes are listed in §3, §5, §11.3.

Metrics. In the 12 months preceding the effective date: number of CCPA requests received: 0 (new policy). We will update this annually.

18.3 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Nebraska, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Indiana, Kentucky (U.S. state consumer privacy laws)

You may have rights similar to California’s (access, delete, correct, opt-out of targeted advertising/sale, opt-out of certain profiling, appeal). We do not engage in targeted advertising, sale, or high-risk profiling, so several of these rights are not practically engaged; you may still exercise access, deletion, correction, and appeal via §12.

18.4 Brazil

See §11.4. The legal bases used are those in LGPD Art. 7 analogous to those in §6.

18.5 Canada

See §11.5.

18.6 Australia

Personal information is handled consistent with the Australian Privacy Principles under the Privacy Act 1988 (Cth). Complaints may be made to the Office of the Australian Information Commissioner (OAIC).

18.7 Middle East, South Asia, Southeast Asia, North Africa, Sub-Saharan Africa

Where local data-protection law applies (for example UAE Federal Decree-Law 45/2021, KSA PDPL, Bahrain PDPL, Qatar Law 13/2016, Turkey KVKK, India DPDP Act, Indonesia PDP Law, Malaysia PDPA, Singapore PDPA, Nigeria NDPA, South Africa POPIA), we will honour applicable rights to access, correction, deletion, and objection upon verified request. Processing is limited as described above.

19. Do Not Track and Global Privacy Control

The app is a native mobile application and does not respond to browser-level “Do Not Track” signals because no web tracking is used. Where applicable mobile-level signals (for example, iOS App Tracking Transparency) apply, we honour them — we do not track (as ATT defines the term), and our PrivacyInfo.xcprivacy reflects this.

If your jurisdiction recognises “Global Privacy Control” or an equivalent opt-out signal at the operating-system level, we will respect that signal as an opt-out of any processing that would otherwise be permitted only with opt-in consent.

20. Changes to this policy

We may update this policy from time to time. When we do:

Continued use of the app after a non-material change constitutes acknowledgement of the updated policy.

21. Contact us

For any privacy question, request, or complaint:

We aim to respond within 7 days to simple questions and within the statutory time limits to formal rights requests (see §12).

22. Supervisory authorities

22.1 EEA

You may lodge a complaint with the supervisory authority of your country of residence, place of work, or place of the alleged infringement. A list is maintained by the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en

22.2 United Kingdom

Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF — ico.org.uk

22.3 Switzerland

Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — edoeb.admin.ch

22.4 Other regions

Contact the national or state data-protection authority for your region. We will cooperate fully with authorised requests.

23. Glossary

End of policy.