What we collect, what we don't, and why.

Solah (“Solah”, “we”, “us”) operates the website at solah.app and the Solah mobile applications (iOS at launch; Android shortly after). For the purposes of the UK GDPR and the Data Protection Act 2018, Solah is the data controller for the personal data described in this policy.

You can contact us at any time at support@solah.app.

We only collect data that is necessary to run Solah for you. Categories:

• Account data. Your name, email address, password hash, and authentication tokens — used to sign you in and send transactional messages (e.g. confirmation, password reset).
• Location. Approximate coordinates so we can compute accurate prayer windows. You can override with a manually-entered city if you prefer not to share device location. We do not log a history of your locations.
• Calendar metadata. When you connect Google Calendar (or any future calendar integration), we read event titles, start times, and end times only. We do not read event bodies, attachments, attendees, recurrence exceptions, or video-conference links.
• Your content. Niyyah, muhasabah reflections, habits, standards, goals (himmah), and any notes you save into Solah. These are saved on-device first and synced to our servers when you’re online.
• Device + usage data. Operating system, app version, locale, crash logs, and aggregated product analytics (which features are used, how often). We use this to find bugs and prioritise features — not to profile you.
• Payment data. Subscriptions are processed by Apple App Store, Google Play, or Stripe. We never see or store your card details — we only receive subscription status and the masked last four digits.

The lawful bases we rely on:

• Contract. We process account, location, calendar, and content data to deliver the Solah service you signed up for.
• Legitimate interest. We process aggregated device + usage data to keep the product secure and to improve it. You can opt out of analytics in app settings without affecting access.
• Consent. Marketing emails (e.g. product updates beyond the launch newsletter) are sent only if you opt in. You can withdraw consent at any time.
• Legal obligation. Tax records, fraud prevention, lawful requests from regulators.

We never sell your personal data. We do not use your reflections, habits, or any user-generated content to train machine-learning models.

We share only with the third-party processors required to run Solah, under data-processing agreements:

• Hosting + infrastructure. Application hosting, databases, and file storage with reputable cloud providers in the UK / EU.
• Calendar APIs. Google Calendar (when you connect it). Read-only scope, titles and times only.
• Payments. Apple, Google, Stripe — for subscription processing.
• Analytics. Google Tag Manager + Google Analytics for aggregated product analytics on the marketing website.
• Email delivery. Transactional and waitlist messages via an industry-standard email provider.

We do not share data with advertisers or data brokers, and we do not run any third-party advertising trackers on the marketing site or in the app.

We keep account and content data while your account is active. When you delete your account, all personal data is purged from our live systems within 30 days. Encrypted backups roll off within 90 days. Anonymised analytics events may be retained longer for trend analysis.

Records we are required to keep by law (e.g. tax records for completed transactions) are retained for the statutory minimum and then deleted.

Under UK + EU data protection law you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected (rectification);
• have your data deleted (erasure / “right to be forgotten”);
• receive your data in a portable format (data portability);
• restrict or object to certain processing;
• withdraw consent for processing based on consent;
• lodge a complaint with your data protection authority — in the UK that is the Information Commissioner’s Office (ico.org.uk).

You can export every piece of your Solah data, or delete your account entirely, in one tap from inside the app (Settings → Account → Data export / Delete account). For anything you can’t do from the app, email support@solah.app and we’ll respond within 30 days.

The solah.app marketing website uses a small number of first-party cookies for essential functionality (e.g. remembering you closed a modal). It also loads Google Tag Manager, which fires Google Analytics for aggregated traffic and feature-usage analytics.

We do not run any third-party advertising or retargeting trackers. You can opt out of analytics in your browser via the standard browser controls or by using a privacy-focused browser. We respect the Do Not Track and Global Privacy Control (GPC) signals where supported.

Data is encrypted in transit (TLS 1.2+) and at rest. Passwords are stored as one-way hashes (Argon2id). Access to production systems is restricted, logged, and reviewed regularly. We notify affected users without undue delay if a breach occurs.

We host data in the UK and EU by default. If a sub-processor transfers data outside the UK / EEA, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs), plus supplementary measures where required.

Solah is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has signed up, please contact us and we will delete the account.

We may update this policy as the product evolves. We’ll update the “Effective” date at the top, and for material changes we’ll notify you in the app and by email before the new terms take effect.

Questions or requests about your data? support@solah.app.