Privacy notice

The short version

We collect the minimum we need to keep your account running and your progress saved. We do not show ads. We do not sell your data. We do not share your questions or your child's progress with anyone outside Al-Azhar's review process.

You can export everything we hold about you from Settings → Export my data, and delete everything from Settings → Delete account. Both work in one click.

What we collect

Account: your email, display name, and the Firebase auth tokens that prove you're you.

Usage: your research sessions, saved notebook entries, comparison records, daily Young Mufti progress, sticker history, and badge unlocks. All of this is stored under your own user account in Firebase Firestore.

Content you submit: questions you type into the research panel, voice queries you transcribe locally, content you submit for scholar review. Questions are sent to OpenAI, Anthropic, and Pinecone to retrieve and synthesize an answer; we do not log them for marketing or analytics resale.

Children's data (Young Mufti)

If a child uses Young Mufti under your account, their daily progress, XP, sticker history, and age tier are stored in YOUR account's youngMufti subdoc. We treat all kid progress as parental data: the parent owns it and can delete or export it at any time.

We do not currently support separate child Firebase accounts. When that ships, it will require explicit parental consent before a child under 13 can create one — that's a COPPA requirement.

We never ask a child for their full name, address, phone, school, or birthday.

Who sees your data

Firebase (Google) — host of the auth + Firestore + Storage services. They process your data on our behalf under Google's terms.

OpenAI + Anthropic — power the text-to-speech and answer-synthesis features. They process individual prompts under their respective enterprise terms and do not train on the data.

Pinecone — hosts the vector index that retrieval queries hit. Receives the query text but not your account identifiers.

Al-Azhar / Dar Al-Iftaa scholarly board reviewers — see content submitted for scholar review. Scholar review is the foundation of the platform's accuracy promise.

We do not sell, rent, or trade your personal information to anyone, ever.

Your rights

Export — Settings → Export my data ships a single JSON file with every record we hold about you, including all per-user collections (profile, progress, notebook, sessions, Young Mufti state, etc.).

Delete — Settings → Delete account permanently removes your account from Firebase Auth and every per-user collection. This is irreversible.

If you're in a jurisdiction where additional data rights apply (EU GDPR, California CCPA/CPRA, UK, Brazil's LGPD, etc.) and need help exercising a right beyond export/delete, email us — see contact below.

Security

Authentication is handled by Firebase Auth (passwordless or password-based, your choice). Data in Firestore is encrypted in transit and at rest under Google Cloud's standard encryption. API routes verify your Firebase ID token before reading or writing on your behalf. Firestore security rules deny client access to every collection except your own user document and its subcollections.

We have not had a security incident. If we do, we'll notify affected users within the timeframe required by applicable law (typically 72 hours for GDPR-class events).

Contact

Questions or concerns about your data? Reach us through the Contact page.