Privacy Policy
Takbeer Time is a non-commercial, ad-free, crowd-sourced directory of jamat (congregation) prayer times at masjids. This page tells you exactly what we collect, why, where it lives, and how to remove it.
We've tried to keep this in plain language. If anything is unclear, email [email protected] and we'll fix it.
1. What we collect
Account data (only if you sign in)
- Email address (required) — your account identifier and the address Google or Firebase uses to verify your sign-in.
- Full name (optional) — only if you choose to set it. Shown next to your submitted timings so other users see who contributed.
- Phone number (optional) — currently unused by features; the field exists in the schema for future contact preferences.
- Password hash — if you sign up with email + password, we store a bcrypt hash (cost factor 12) of your password. We never see or store the plaintext.
- Firebase UID — if you sign in with Google, we store the unique ID Firebase assigns you so we can recognise you on future sign-ins. Email/password users do not have one.
- Email-verified timestamp — set automatically when you sign in via Google (which guarantees the email is verified).
- Timestamps — when your account was created, last updated, and last signed-in.
Content you submit
- Prayer timings — the jamat times you submit for a masjid (Fajr, Dhuhr, Asr, Maghrib offset from sunset, Isha, Jummah). These are shown publicly to anyone using the directory or our public API.
- Submission notes — free-text notes you optionally attach to a timing submission.
- Reviews and ratings — if you write one, your name (or "Anonymous" if you didn't set one) is shown next to it.
- Suggestions you send — if you suggest a timing change to a time-keeper, your username and the suggested values are visible to that keeper.
- Mosques you add — the basic info (name, city, country, lat/lng) of any masjid you submit to the directory. These are public.
Preferences
- Favorites — which masjids you saved.
- Default masjid — the one shown on your home screen.
- Preferred time-keepers — for each masjid you've favourited, which keeper's submitted times you've chosen to follow.
- Reminder preferences — which prayers you've enabled reminders for, and how many minutes before jamat you want to be notified.
- Preferred language — for app translations.
Device-side state (stored only on your phone or browser)
- Sign-in token — after you sign in, we keep a JWT in localStorage so you don't have to sign in again on every visit. It's bound to your account and expires after 30 days.
- Last-known location — when you tap "Find masjids near me," your phone's GPS coordinates are read by the app and sent to our backend once as part of the search query (so the server can return masjids within radius). We do not store the coordinates on the server. The app may cache them in localStorage on your device so the home screen can recompute sun-position prayer times without re-prompting for location each visit. You can clear them by clearing the app's storage.
- Reminder schedule — your prayer reminder preferences are mirrored to localStorage on the device so the app can fire reminders even when offline. They are also synced to your account if you're signed in.
- FCM topic subscriptions (mobile only) — when you follow a time-keeper or sign in to receive suggestion notifications, your device subscribes to a Firebase Cloud Messaging topic. The list of topics this device has subscribed to is kept in localStorage under takbeer_fcm_topics_v1 so we can clean them up when you sign out.
- Cached masjids — masjids you've recently viewed are cached in localStorage so the home screen renders instantly the next time you open the app.
Server-side request logs
Our backend logs each request's method, path, response status, and an approximate timestamp for operational debugging. These logs include your IP address (standard for any web service). Logs are retained for at most 30 days and are not used for analytics or sold to anyone.
Push notifications (mobile app only)
If you grant notification permission on the mobile app, Firebase Cloud Messaging (FCM) issues your device a token so we can deliver pushes. The token is stored on Google's servers — not ours — and is associated with topics like keeper-update-<mosqueId> (when you follow a keeper) or suggest-to-<userId> (so a keeper hears about new suggestions). We don't store the FCM token on our backend; we publish to topics, and Google routes the push to subscribed devices.
2. What we don't collect
- No analytics SDKs. No Google Analytics, Plausible, Mixpanel, Amplitude, Segment, Posthog, anything.
- No advertising. No ad networks, no remarketing pixels, no third-party ad cookies. The app and API are sadqa-jariah; ads would defeat the point.
- No fingerprinting. We don't profile your device, browser, or behavior beyond the operational request logs above.
- No microphone, camera, or contacts access. The app doesn't ask for them.
- No selling, sharing, or trading of your data with anyone, ever. (This bears repeating: there is no business model that would tempt us to.)
The codebase mentions an optional SENTRY_DSN environment variable for crash reporting. As of the current production deployment, Sentry is not configured — no error reports are sent anywhere. If we enable it in the future, this page will be updated to disclose it before any data is sent.
3. Third-party services we rely on
Running a free, open service still requires some infrastructure. These are the third parties involved, and what they receive:
| Service | What it sees |
|---|---|
| Firebase Authentication (Google) | Verifies Google sign-ins and email/password sign-ins. Receives your email and a Firebase-issued user ID. Firebase privacy |
| Firebase Cloud Messaging (Google) | Routes push notifications to your device. Sees your device's FCM token and the topics it has subscribed to. Firebase privacy |
| OpenStreetMap | The web app and mobile app render maps using OpenStreetMap tiles. When the map is open, your device requests tiles from tile.openstreetmap.org, which sees your IP and the tile coordinates you're viewing. OSMF privacy |
| Google Fonts | The web pages load three font families (Cormorant Garamond, Inter Tight, JetBrains Mono) from fonts.googleapis.com. Google receives the request, including your IP. Google privacy |
| Hosting / CDN | The web app and API are served from our self-hosted server. The host sees standard request metadata (IP, path, user-agent). |
We do not use Google Maps Platform — the placeholder Maps key referenced in the repo is unused on production. The map is OpenStreetMap-based.
4. Why each item is collected
- Email — to identify your account, recognise you across devices, and accept Google ID-token sign-ins.
- Password hash — to verify email/password sign-ins. Bcrypt with cost factor 12 means even a database leak would take an attacker years per password to brute-force.
- Firebase UID — so we can match a Google sign-in token back to your existing account row instead of creating a duplicate.
- Full name — to attribute your contributions so the community can see who's keeping the times for their masjid.
- Submitted timings + notes — they're the entire point of the app. They're public on purpose.
- Favourites, default masjid, preferred keepers — to personalise the home screen and notify you when "your" times change.
- Reminder preferences — to fire your prayer reminders at the times you set, and to keep them in sync if you sign in on another device.
- Location (in-memory) — to find masjids near you. Sent once per "Find near me" tap; not stored on the server.
- FCM topic subscriptions — so push notifications reach the right device when a keeper updates times or a suggestion arrives in your inbox.
5. Where it lives
- Account data + submitted content are stored in a PostgreSQL database on our self-hosted server. (Operator note: hosting region needs final human confirmation before launch — please verify the deployment region.)
- FCM tokens and push delivery are handled by Google's Firebase infrastructure.
- Local preferences (favorites cache, sign-in token, reminder schedule, language, FCM topic list) live in your device's localStorage and are never transmitted unless explicitly synced to your account.
- No audio, photo, or video data is collected anywhere — there is currently no feature that captures any.
6. Data retention
- Active accounts are retained as long as you keep the account.
- Account deletion is a soft delete: when you delete your account (in-app or via the web form), the row is marked deletedAt = NOW() and you can no longer sign in. Personally identifiable fields (email, name, password hash, Firebase UID) become inaccessible from the API.
- Your submitted prayer timings are retained even after you delete your account, but they are re-attributed anonymously — your name is replaced with "Deleted user" in any public attribution. This is intentional: a deleted account shouldn't erase the timings the community is relying on right now to know when to be at jamat. If you want a specific submission removed, contact us.
- Favourites, your sent suggestions, and reminder preferences are removed when your account is soft-deleted.
- Suggestions sent to you are retained, since the senders should still see what they suggested (and that the recipient is no longer available).
- Backups may retain a snapshot of deleted records for up to 30 days for disaster-recovery purposes; after that, they're rotated out.
- Server logs are retained for up to 30 days.
7. Your rights
- Access — sign in to view your profile, favourites, submissions, and preferences.
- Correction — you can edit your full name, language, and preferences from the app. Email changes: ask us.
- Deletion — there are two ways:
  - In-app: open the app while signed in, then tap "Delete my account" (in the footer or your profile area). You'll get a confirmation screen explaining what will be deleted; on confirm, the deletion happens immediately and you'll be signed out.
  - Web (no sign-in needed): visit /delete-account.html, enter the email associated with your account, and we'll process the deletion request manually within 7 days. This path is for users who can't access the app anymore.
- Portability — JSON export of your data is not yet self-serve. Email [email protected] and we'll send you a dump within 30 days.
- Object / restrict processing — email us; we'll act on the request.
8. Children
Takbeer Time is intended for users 13 and older. We don't knowingly collect data from children under 13. If you believe a child has provided us with personal data, email us and we'll remove it.
9. GDPR / California (CCPA) rights
If you live in the EEA, the UK, or California, you have additional rights including the right to access your data, correct it, delete it, restrict processing, object to processing, and complain to a supervisory authority. To exercise any of these, email [email protected] and we'll respond within 30 days.
We do not "sell" personal information as defined by the CCPA, and we do not perform automated decision-making or profiling.
10. Changes to this policy
If we change anything material, we'll update the "Last updated" date at the top and post a note in the app. We won't expand what we collect without notice.
11. Contact
Privacy questions, data requests, or concerns:
Project owner: Junaid Qazi · Project: Takbeer Time