Privacy Policy

Last updated: 8 July 2026

1. Who we are

Mizaf (“Mizaf”, “we”, “us”) operates the website at mizaf.app and the Salat Connect mobile applications for iOS and Android. We provide prayer times and verified mosque information to Muslim communities.

For privacy questions, data subject requests, or to contact our data controller, email privacy@mizaf.app.

2. What information we collect

We collect only what is necessary to operate the service:

  • Account & identity. Your email address (used for magic-link sign-in via Supabase Auth) and any display name you choose to set.
  • Profile information you provide. Any optional profile fields you choose to fill in (preferred language, home country).
  • Your activity on the service. Mosques you follow, notification preferences, mosque suggestions you submit, claims of ownership you submit, verification evidence you upload, and mosque-administration roles assigned to you.
  • Device & notification metadata. When you enable push notifications, we receive a push token from Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM), together with the platform identifier (iOS / Android) and app version required to deliver pushes to your device.
  • Approximate location, on request. If you grant location permission on the mobile app, we use your device’s GPS to surface nearby mosques. Location is read on demand only and is not retained on our servers beyond the immediate response.
  • Server & security logs. Our hosting provider (Vercel) records standard request metadata (timestamp, URL path, response status, request region). We use these logs for security investigation and abuse prevention. We hash IP addresses with SHA-256 before persisting them to our forensic audit log; unhashed IPs are not stored long-term.
  • Rate-limit identifiers. Upstash Redis stores short-lived per-user and per-IP counters used to enforce rate-limits on write operations. Entries expire automatically within the rate-limit window.

We do not collect advertising identifiers, health data, financial data, contact lists, or photos or other media beyond the mosque-verification evidence you choose to upload. We do not run third-party analytics, behavioural tracking, or advertising SDKs.

3. Error monitoring

The web application includes the Sentry error-monitoring SDK as a dependency. At the time of writing, Sentry is not active in production — the SDK is initialised only when a Sentry DSN is set in the deployment environment, and no DSN is currently configured. If we enable Sentry in the future, it will receive minimal error context (URL path, browser, anonymised stack trace) when an error occurs, and we will update this policy before doing so.

4. How we use your information

We use information to:

  • Provide you with the service (sign-in, prayer times, mosque follow lists, notifications you have opted into).
  • Operate verification, moderation, and trust-and-safety workflows for mosque listings.
  • Detect and prevent abuse, spam, and security incidents.
  • Maintain a tamper-evident audit log of administrative actions, as required for our verification model.
  • Comply with legal obligations.

5. Lawful basis (UK GDPR / EU GDPR)

We rely on the following lawful bases:

  • Contract. Processing necessary to provide the service you have signed up for (account, mosque follows, prayer times).
  • Legitimate interests. Security logging, abuse prevention, and maintaining the integrity of mosque verification. These interests are balanced against your rights and freedoms.
  • Consent. Push notifications and device location access are enabled only with your explicit permission and may be withdrawn at any time in your device settings.
  • Legal obligation. Where we are required by applicable law to retain certain records.

6. Who we share information with

We do not sell personal information and do not share it with advertisers. Information is processed by the following service providers, acting as our processors:

  • Supabase (database, authentication, storage). Project hosted in the EU region.
  • Vercel (web hosting, server logs).
  • Upstash (Redis for rate-limit counters). Short-lived, no personal content stored.
  • Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) for delivering push notifications to iOS and Android devices, respectively.
  • Google Fonts. The mobile app fetches fonts from Google Fonts when first launched. Google receives standard request metadata for this.

We may also disclose information when required by law (for example, a valid court order or regulatory request), to enforce our Terms of Use, or to protect the rights, property, or safety of Mizaf, our users, or others.

7. International transfers

Our primary data store (Supabase) is in the EU. Some processors (Vercel, Google, Apple, Upstash) may transfer or process data outside the UK / EEA. Where such transfers occur, they rely on appropriate safeguards (Standard Contractual Clauses or the processor’s equivalent).

8. How long we keep information

We keep account information for as long as your account is active, and afterwards only as required for security, fraud prevention, or legal obligations.

  • Audit logs. Records of administrative actions are retained for forensic integrity. Where personal identifiers appear in audit logs, they may be retained or anonymised (replaced with a non-reversible reference) when the underlying account is deleted.
  • Security logs. Hashed IP records used for abuse prevention are retained for up to 12 months.
  • Rate-limit counters. Expire automatically within the configured window (typically 60 seconds to 24 hours).

9. Your rights

Under UK GDPR and EU GDPR, you have the right to access, correct, delete, or restrict our processing of your personal information; to object to processing; and to data portability. You may exercise these rights at any time by contacting privacy@mizaf.app.

To delete your account, see the Delete account page.

You also have the right to complain to a supervisory authority. In the UK that is the Information Commissioner’s Office (ICO): ico.org.uk.

10. Children

Mizaf is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us and we will delete it.

11. Security

We use industry-standard transport encryption (HTTPS) and rely on our processors’ managed infrastructure for storage encryption. Access to administrative tooling is restricted to staff accounts and is itself audit-logged. No system can be guaranteed completely secure; we will notify affected users and the relevant authorities where required by law in the event of a personal data breach.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes will be communicated via in-app notice or email where practical.

13. Contact

Privacy questions, data subject requests, and complaints: privacy@mizaf.app.