1. Introduction
Zikar App Ltd ("we", "us", "our") is a company registered in England and Wales. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Zikar mobile application and related services ("the App").
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using the Zikar App, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the App. We are committed to protecting your privacy — our goal is to help you build a meaningful spiritual practice, not to monetise your personal information.
2. Information We Collect
2.1 Information You Provide Directly
- Full name (provided during registration)
- Email address (required for account creation)
- Password (stored in encrypted/hashed form — we never store plaintext passwords)
- Phone or WhatsApp number (optional, for reminders)
- Country, city, and birth year (optional, for personalised experience)
- Custom azkaar names and Arabic text you create
- Group names and descriptions you create
2.2 Information Collected Automatically
- Dhikr counts and session progress (morning, evening, after salah, before sleep)
- Streak data and daily activity records
- Session timestamps and duration
- Device type and Android operating system version
- App version and anonymised crash reports
- Firebase Cloud Messaging (FCM) device tokens for push notifications
2.3 Information from Google Sign-In
If you sign in using Google Sign-In, we receive:
- Your Google account name and email address
- Your Google account profile picture URL
- A unique Google identifier (Google ID)
We do not receive access to your Google contacts, Google Drive, Gmail, or any other Google services. We use only the information necessary to create and manage your Zikar account.
2.4 Guest Users
If you use the App as a guest (without creating an account), we store your data locally on your device only. No personal information is transmitted to our servers until you create an account.
3. How We Use Your Information
3.1 Core App Functionality
- To create and manage your user account
- To save and sync your dhikr counts, streaks, and session progress across devices
- To power group features (shared counting, leaderboards, group management)
- To calculate your analytics and personal records
3.2 Communications
- To send you daily reminder notifications (if enabled)
- To send important account notifications
- To respond to your support requests
3.3 Improving the App
- To understand how users interact with the App through anonymised analytics
- To fix bugs and improve performance
3.4 Subscription and Payments
- To manage your subscription (Free, Supporter, or Premium plan)
- To process payments through Stripe
Legal basis for processing (UK GDPR): Contract performance (to provide the App service), legitimate interests (to improve the App), and consent (for marketing communications).
4. Data We Do NOT Collect
We want to be transparent about what we do not collect or do:
- We do not collect your precise GPS location
- We do not access your phone contacts
- We do not access your camera or microphone
- We do not collect your browsing history
- We do not store your credit card or bank details (handled entirely by Stripe)
- We do not build advertising profiles
- We do not sell your data to third parties
- We do not use your data for targeted advertising
- We do not share your dhikr practice data with anyone without your consent
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share data only with the following trusted third-party service providers:
| Provider | Purpose | Location |
| --- | --- | --- |
| Firebase (Google) | Authentication, push notifications (FCM), crash reporting, analytics | United States |
| Stripe | Payment processing for subscriptions (PCI-DSS Level 1 certified) | United States / EU |
| Railway.app | Backend API hosting and PostgreSQL database | United States |
Each provider is contractually bound to protect your data and use it only for the services they provide to us.
We may also disclose your information where required by UK law, court order, or lawful request from UK authorities.
6. Data Storage and Security
Your data is stored on secure servers hosted by Railway.app. We implement the following security measures:
- Passwords hashed using bcrypt — we never store plaintext passwords
- All API communications encrypted via HTTPS/TLS
- JWT tokens with short expiry windows for authentication
- Database access restricted to authenticated server processes only
- Sensitive tokens stored in FlutterSecureStorage using Android Keystore
- Rate limiting to prevent brute force attacks
- Input validation and parameterised queries to prevent SQL injection
Data Retention
- Active accounts: Data retained as long as your account exists
- Deleted accounts: Personal data deleted within 30 days
- Payment records: Retained for 7 years as required by UK financial regulations
- Crash reports and logs: Retained for 90 days then automatically deleted
7. Your Rights (UK GDPR)
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Correct any inaccurate personal data
- Right to erasure ("right to be forgotten") — Request deletion of your personal data
- Right to data portability — Receive your data in a portable format (JSON)
- Right to object — Object to processing of your personal data
- Right to restrict processing — Request restriction of processing in certain circumstances
To exercise any of these rights, email us at privacy@zikar.app. We will respond within 30 days as required by UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. International Data Transfers
Zikar App Ltd is incorporated in England and Wales. Our servers are hosted by Railway.app and Firebase (Google), which may store data in the United States.
All international transfers of your personal data are conducted under appropriate safeguards in compliance with UK GDPR, including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable.
9. Children's Privacy
The Zikar App is not directed to children under 13. We do not knowingly collect personal information from children under 13. Users aged 13–18 may use the App with parental consent.
If you believe a child under 13 has provided us with personal information, please contact privacy@zikar.app immediately and we will delete the information.
10. Cookies and Tracking
The Zikar mobile app does not use browser cookies. We do not use third-party advertising trackers, social media pixels, or behavioural tracking technologies.
We use Firebase Analytics to collect anonymised, aggregated usage statistics to improve the App. This data cannot be used to identify individual users. You may opt out via Profile → Settings → Privacy → Share Analytics Data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App, send a push notification, and update the Effective Date above. Continued use of the App after changes take effect constitutes your acceptance.
The current version of this policy is always available at zikar.app/privacy.
In the name of Allah, the Most Gracious, the Most Merciful
This Privacy Policy is governed by the laws of England and Wales.
Zikar App Ltd is registered in England and Wales.
Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.