Hayaa Privacy Policy

Effective: May 22, 2026 · Version 1.1

Introduction

Hayaa ("we", "us", "our", or the "App") is an Islamic recovery application designed to help Muslims overcome compulsive pornography and masturbation habits. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the App.

This policy applies to the Hayaa mobile application available on the Apple App Store and Google Play Store, and to any related services we operate.

By creating an account or otherwise using the App, you acknowledge that you have read this Privacy Policy and consent to the practices described here. If you do not agree, please do not use the App.

Hayaa is operated by Hayaa LLC, a Michigan limited liability company. For privacy questions, contact support@hayaa.io.

Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and equivalent laws, the data controller for your personal information is Hayaa LLC, contactable at support@hayaa.io.

For the purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Hayaa LLC acts as the business that determines the purposes and means of processing your personal information.

Sensitive Personal Information

Hayaa processes categories of personal information that many privacy laws treat as "special" or "sensitive". By using the App, you provide explicit consent for us to process the following sensitive categories solely to deliver the App's features:

  • Religious affiliation: your declared Islamic sect ("Sunni", "Shia", or "prefer not to say") is used to filter the religious content we display.
  • Health-related information: your self-reported recovery progress, streak history, urges, journal entries, and mental-state check-ins are processed to power recovery features.
  • Information concerning a person's sex life: by the nature of the App, your use is itself indicative of a sensitive personal context. We do not collect details of sexual behaviour beyond what you voluntarily disclose in journal entries or AI conversations.

You may withdraw consent at any time by deleting your account (see "Your Rights" below). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Information We Collect

We collect information you provide directly, information generated through your use of the App, and information from third-party services you authorise.

  1. Account & profile information:
    • Email address (for authentication).
    • Display name, full name, age, gender, sect, recovery goals, struggle duration, usage frequency, triggers, and motivations supplied during onboarding.
    • Optional avatar selection.
  2. Usage data:
    • Streak start date, current streak, longest streak, relapse events, check-ins, and milestone records.
    • SOS button activations (date, time, completion).
    • Journal entries you author.
    • Content you interact with (which verses, hadith, or duʿās you view).
    • Messages you exchange with the AI companion (Rafiq/Rafiqa).
    • Posts, replies, and reactions you submit to the community.
    • Reports you file or that other users file against your content.
  3. Device & technical information:
    • Push notification token (so we can deliver prayer reminders, check-in prompts, partner alerts, and community replies).
    • Approximate device locale and timezone (derived from the operating system).
    • Operating system and App version.
  4. Location information (only if you grant permission):
    • Geographic coordinates used by the Aladhan API to calculate accurate prayer times for your area. We store coordinates only as needed to fetch prayer times; we do not track movement.
  5. Subscription information:
    • Subscription status (trial, active, expired, cancelled) and product identifier supplied by RevenueCat. We do not receive or store your payment card or bank details — purchases are processed by Apple or Google.
  6. Accountability partner data:
    • If you connect with an accountability partner, the relationship record links your account to theirs, and your display name, current streak, and last check-in date are shared with that partner.
  7. Third-party authentication data:
    • If you sign in with Apple or Google, we receive a verified email address and a unique identifier from that provider. We do not receive your password.

How We Use Your Information

We use your personal information only for the following purposes:

  • To create and maintain your account.
  • To personalise the religious content you see, including filtering by sect and matching content to your stage of recovery.
  • To operate the AI companion ("Rafiq" / "Rafiqa") and provide responses grounded in verified Islamic sources.
  • To track your streak, milestones, and recovery progress.
  • To deliver notifications you have opted into (prayer times, check-in reminders, partner activity, milestone celebrations, community replies).
  • To match you with accountability partners (Premium feature) and to enable communication between matched partners.
  • To moderate community content using the Google Perspective API and to investigate user reports.
  • To process and validate subscriptions through RevenueCat, Apple, and Google.
  • To detect, prevent, and investigate fraud, abuse, and Terms of Service violations.
  • To comply with legal obligations and lawful requests from authorities.
  • To improve the App, fix bugs, and develop new features. We use aggregated, de-identified data for analytics where possible.

Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): processing necessary to provide the App's features you have requested, such as authentication, streak tracking, and the AI companion.
  • Consent (Art. 6(1)(a) and Art. 9(2)(a) for sensitive data): for processing religious, health, and sex-life information; for sending push notifications; and for accessing your location.
  • Legitimate interests (Art. 6(1)(f)): for fraud prevention, security, content moderation, and product improvement, balanced against your rights and interests.
  • Legal obligation (Art. 6(1)(c)): where we must process data to comply with applicable law.

How We Share Your Information

We do not sell your personal information. We share information only as described below.

  1. Service providers ("processors") acting on our instructions:
    • Supabase, Inc. — database, authentication, file storage, and server-side functions. Hosts your profile, content interactions, journal entries, and community data.
    • Anthropic, PBC — provides the Claude AI model that powers Rafiq/Rafiqa responses. The content of your messages and a subset of profile context (sect, gender, streak, triggers, motivation, recovery stage) are sent to Anthropic each time you converse. Anthropic does not use this data to train its models.
    • Voyage AI — provides the embedding model used to retrieve relevant religious content. We send the text of your AI queries to Voyage AI to compute search embeddings.
    • Google LLC (Perspective API) — automated content moderation for community posts and replies. We send the text of your community submissions for toxicity scoring before publishing.
    • RevenueCat, Inc. — subscription management. We share an anonymous user identifier with RevenueCat.
    • Apple Inc. and Google LLC — process purchases through their App Stores and, if you choose, provide authentication via Sign in with Apple or Sign in with Google.
    • Aladhan API — used to calculate prayer times. If you grant location permission, we send your coordinates to Aladhan to retrieve prayer schedules. Aladhan does not receive your identity.
    • Expo / EAS — provides push notification delivery infrastructure.
    • Sentry (Functional Software, Inc.) — automated crash reporting and error tracking from the App. Sentry receives technical context about errors (stack traces, device model, OS version, App version, an anonymous installation identifier) but is not used to collect message content, journal entries, or AI conversations.
  2. Accountability partners:

When you accept a partner relationship, that partner can see your display name, current streak, and last check-in date. They cannot see your real name, email, journal entries, AI conversations, or any other private data.

  3. Other community members:

Posts, replies, and reactions you submit to the community are visible to other users within the same sect feed and gender cohort, displayed alongside your display name and current streak.

  4. Legal & safety disclosures:

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or otherwise address fraud or security issues; or (d) protect against harm to the rights, property, or safety of Hayaa, our users, or the public.

  5. Business transfers:

If Hayaa is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide the App.

When you delete your account, we delete your authentication record, profile, streak history, journal entries, AI conversation history, community posts and replies, partner relationships, and push tokens within 30 days.

We may retain limited information after deletion when required to comply with legal obligations (e.g. tax records for subscription transactions), resolve disputes, prevent fraud and abuse, or enforce our agreements. Where retention is required, we store the minimum necessary and apply appropriate access controls.

Aggregated and de-identified information that cannot reasonably be associated with you may be retained indefinitely for analytical purposes.

Your Rights

Depending on your jurisdiction, you have some or all of the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: request correction of inaccurate or incomplete information. You can update most fields directly in the App.
  • Deletion ("right to be forgotten"): request that we delete your personal information. The App provides in-app account deletion under Settings → Privacy → Delete Account.
  • Portability: request your information in a structured, commonly used, machine-readable format. The App provides Data Export under Settings → Privacy → Request Data Export.
  • Restriction: request that we limit how we process your information.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: withdraw any consent you previously gave. Deleting your account is the simplest way to withdraw all consents at once.
  • Lodge a complaint: if you are in the European Economic Area, the United Kingdom, or another jurisdiction with a privacy regulator, you may lodge a complaint with that regulator.

California residents have additional rights under the CCPA/CPRA, including the right to know the categories and specific pieces of personal information collected, the right to delete personal information, the right to correct inaccurate information, the right to opt out of "sales" or "sharing" (we do neither), and the right to non-discrimination for exercising these rights.

To exercise any of these rights, email support@hayaa.io or use the in-app controls described above. We will respond within 30 days (or sooner where required by law). We may verify your identity before fulfilling certain requests.

Security

We implement technical and organisational measures designed to protect your personal information, including:

  • Encryption in transit (TLS 1.2+) between the App and our servers and between our servers and third-party processors.
  • Encryption at rest for database storage.
  • Row-Level Security (RLS) on every database table, ensuring users can only access their own data.
  • Access controls and audit logging on administrative interfaces.
  • Routine application of security updates and dependency upgrades.

No security measure is perfect. In the unlikely event of a data breach affecting your personal information, we will notify you and the relevant regulators as required by applicable law.

Children's & Minors' Privacy

Hayaa is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. Onboarding asks for your age and blocks accounts where the user reports being under 18.

If we learn that we have inadvertently collected personal information from a minor under 18, we will delete it promptly. Parents or guardians who believe their child has provided us with personal information may contact support@hayaa.io.

International Data Transfers

Hayaa is operated from North America and uses service providers based in the United States and elsewhere. If you use the App from outside these jurisdictions, your information may be transferred to, stored in, and processed in countries whose data protection laws may differ from those of your country.

Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or the UK Addendum, to ensure your information receives a level of protection essentially equivalent to that guaranteed by EU/UK law.

Advertising & Tracking

We do not display third-party advertisements in the App.

We do not use cross-site tracking, advertising identifiers (IDFA / GAID), or third-party analytics SDKs that profile users for advertising.

We do not engage in "selling" or "sharing" personal information for cross-context behavioral advertising as those terms are defined under California law.

AI Companion Notice

The AI companion ("Rafiq" / "Rafiqa") is powered by a large language model operated by Anthropic. When you send a message:

  1. The text of your message and your profile context (sect, gender, streak, triggers, motivation, subscription status, recovery stage) are sent to Anthropic.
  2. The text of your message is sent to Voyage AI to compute a search embedding used to retrieve relevant verified Islamic content from our database.
  3. Your message and the assistant's response are saved in your conversation history within the App's database so you can reference them later.

Anthropic processes these requests on a zero-retention basis under its commercial API terms — your conversations are not used to train Anthropic's models. However, no AI system is perfect; Rafiq/Rafiqa may occasionally produce inaccurate, incomplete, or inappropriate output despite safeguards. The AI is not a substitute for qualified religious scholarship, medical advice, or mental-health treatment. If you are in crisis or considering self-harm, please contact local emergency services or a qualified professional.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you within the App and update the "Effective date" at the top of this policy. Where required by law, we will obtain your renewed consent.

Continued use of the App after the effective date of an updated policy constitutes acceptance of the updated terms.

Contact Us

If you have questions, comments, or requests regarding this Privacy Policy or our handling of your personal information, please contact:

Email: support@hayaa.io

Subject line: Privacy Inquiry

We aim to respond within 7 business days and, in any event, no later than 30 days from receipt.