Privacy Policy

The data controller responsible for your personal data under the GDPR is:

We are a Swedish limited liability company (aktiebolag) registered with Bolagsverket and subject to Swedish law, EU law, and the GDPR. We take our responsibilities as a data controller seriously and are committed to handling your data with integrity, respect, and full legal compliance.

2.1 Account Data

When you create an account, we collect your email address and, optionally, a display name. This is required to provide and associate your reflection balance, content history, and settings with your account. We do not require your real name, phone number, or any government-issued identifier.

2.2 Purchase and Transaction Data

All purchases — including the App itself, the Barakah in-app purchase, and reflection top-ups — are processed entirely by Apple Inc. (App Store) or Google LLC (Google Play) through their own secure payment infrastructure. We do not receive, store, or process your payment card details, bank account information, or any payment credentials at any point.

We receive from Apple or Google only a purchase receipt and a transaction identifier, used solely to credit your reflection balance, verify your entitlements, and maintain accounting records as required by Swedish law. We store the minimum purchase metadata necessary to operate your account correctly.

2.3 Reflection Content & History

The personalised reflections and wisdoms you request through the App — including the spiritual categories you select, the content generated for you, and the exchanges from Ask Ayara — are stored in your account to allow you to review them within the App and to manage your balance. This content may include religious and spiritual material.

2.4 Usage and Analytics Data

We collect anonymised and pseudonymised data about how the App is used — such as which features are accessed, session frequency, and which reflection categories are selected — in order to understand usage patterns, fix bugs, and improve the product. This data is aggregated and is never used to build individual user profiles for commercial advertising or to infer characteristics about you beyond the minimum required to operate the service.

2.5 Device and Technical Data

We collect your device type, operating system version, app version, and a resettable app-instance identifier (not a persistent device identifier). This data is necessary for app functionality, security monitoring, and resolving technical issues.

2.6 Crash and Diagnostic Reports

If the App crashes or encounters an unhandled error, anonymised diagnostic information (crash stack traces, device state at the time of the error, OS version) is collected to help us identify and fix bugs. These reports contain no personal identifiers beyond what is technically unavoidable at the operating system level, and are retained for a maximum of 12 months.

2.7 Support and Email Communications

When you contact us by email at hello@oakdev.app or through any contact form on this website, we retain your name, email address, and the full content of your message in order to respond to you and maintain a record of our correspondence. This data is not shared with third parties and is retained for up to 3 years.

2.8 What We Explicitly Do NOT Collect

When you use the Qibla Compass or Prayer Times features, the App requests access to your device's current location. We want to be completely transparent about how this works:

• What is accessed: Your device's approximate or precise GPS coordinates, obtained via the standard location permission granted by iOS or Android.
• Purpose: Solely to calculate (a) the direction toward the Holy Ka'ba in Mecca (Qibla angle from your position), and (b) the accurate prayer times (Fajr, Dhuhr, Asr, Maghrib, Isha) for your current location.
• On-device processing only: Both calculations are performed entirely on your device using mathematical algorithms (spherical geometry / haversine formula). Your coordinates are never transmitted to our servers, never written to your account record, and never shared with any third party in any form.
• No persistent storage: Location data is used ephemerally for calculation and immediately discarded. It is not logged, stored locally in a form we can read, or retained in any database.
• Your control: The App will request your permission via the standard OS permission dialog before accessing location for the first time. You may grant or deny this permission, and you may change your choice at any time via your device settings (Settings → Privacy → Location Services on iOS; App permissions on Android). Denying location permission means the Qibla compass and prayer time features will not function, but all other App features remain fully available.
• Legal basis: Consent (Article 6(1)(a) GDPR), provided via the OS permission dialog. You may withdraw consent at any time by revoking location permission in your device settings.

Ayara uses artificial intelligence to generate personalised spiritual reflections and to power the Ask Ayara feature. We are fully transparent about how this works and your rights in relation to it.

4.1 How Reflection Generation Works

When you request a reflection from a chosen category (e.g. Inner Peace, Patience & Hope), the App sends the following to our AI service provider's API:

• The selected category name (e.g. "Inner Peace").
• The requested tradition context (Shia Islamic spirit).
• The requested language.
• No personal identifiers, account information, or location data are included in this request.

4.2 How Ask Ayara Works

When you submit a free-form question via Ask Ayara, the following data is processed:

• What is sent: The text of your question and the Shia Islamic tradition context. No account details, device identifiers, or location data are sent alongside your question.
• What is returned: An AI-generated, personalised spiritual answer in the spirit of the Ahl al-Bayt tradition.
• What is stored: The question you submitted and the answer returned are stored in your reflection history within your account so you can review them.
• Sensitive content: Questions you submit may touch on personal matters, spiritual struggles, or your religious beliefs. This content may constitute special category data under Article 9 GDPR. See Section 5 for details on how we handle this.

4.3 Our AI Service Provider

The AI generation is provided by a third-party AI service provider acting as a data processor under a binding Data Processing Agreement (DPA) compliant with Article 28 GDPR. This agreement requires the provider to:

• Process data only on our instruction and for no other purpose.
• Implement appropriate technical and organisational security measures.
• Not use submitted content to train models or build user profiles without explicit consent.
• Delete or return data upon termination of the agreement.
• Comply with all applicable GDPR requirements, including international transfer obligations.

4.4 No Automated Decisions with Legal Effect

The AI in Ayara generates spiritual guidance and answers. It does not make any decisions that produce legal or similarly significant effects on you. You are always free to disregard any content generated by the AI. We do not use AI to profile users, make credit decisions, employment decisions, or any form of consequential automated decision-making as defined in Article 22 GDPR.

Ayara is a Shia Islamic spiritual application. By choosing to use it, you engage with content relating to Islamic faith and practice. The following types of data may constitute special category personal data under Article 9 of the GDPR, as they may reveal or imply your religious beliefs:

• Reflection categories selected: The spiritual categories you choose (such as Prayer Reflection, Seek Forgiveness, or Evening Dhikr) may indicate your religious practices and spiritual life.
• Reflection history: The personalised wisdoms and reflections you have received, rooted in the Shia Islamic tradition, are stored in your account.
• Ask Ayara questions: Free-form questions you submit may contain personal spiritual matters, religious questions, details about your beliefs, practices, or personal circumstances that constitute special category data.
• App usage itself: The fact that you use a Shia Islamic guidance application may, in certain contexts, indicate your religious affiliation.

We process this special category data on the basis of your explicit consent (Article 9(2)(a) GDPR), given when you create an account and actively use these features. We do not infer, sell, or share any data about your religious beliefs with any third party for commercial or discriminatory purposes. We do not use special category data for any purpose other than operating the App features you have chosen to use.

You may withdraw this consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

We process your personal data under the following legal bases as specified in Article 6 (and Article 9 for special category data) of the GDPR:

Specifically, we use your personal data to:

• Create, authenticate, maintain, and secure your Ayara account.
• Verify your purchase entitlements (Standard plan, Barakah, top-ups) and credit your reflection balance accordingly.
• Generate and deliver personalised spiritual reflections and wisdoms in the Shia Islamic tradition based on your chosen category.
• Process free-form questions submitted via Ask Ayara and generate AI-powered responses rooted in the Ahl al-Bayt tradition.
• Store your reflection history (including Ask Ayara exchanges) so you can review them within the App.
• Calculate and display your local prayer times using your device location — processed entirely on-device, never transmitted to us.
• Display the Qibla direction toward the Holy Ka'ba using your device compass and location — processed entirely on-device.
• Deliver daily content (Daily Scripture from Quran and Ahl al-Bayt books, Imam of the Day, Daily Personal Reflection).
• Send optional prayer time notifications if you have granted notification permission.
• Respond to your support enquiries, account requests, and deletion requests.
• Improve the App through analysis of anonymised, aggregated usage data.
• Detect, investigate, and prevent security incidents, fraud, and abuse.
• Comply with applicable legal obligations, including tax, accounting, and regulatory requirements under Swedish and EU law.

We do not sell, rent, trade, or otherwise commercially share your personal data. We share limited data only with the following categories of trusted third parties, each bound by appropriate data processing agreements and/or GDPR-compliant contractual safeguards:

8.1 Apple Inc. and Google LLC

As the operators of the App Store and Google Play respectively, they process your payment and purchase data under their own privacy policies when you buy the App or make in-app purchases. We receive only a purchase receipt and transaction ID; they retain all payment card and billing details.

8.2 AI Service Provider

An AI service provider processes the text of reflection requests and Ask Ayara questions to generate responses. They act as a data processor under a binding DPA (Art. 28 GDPR). They are not permitted to use your content for model training, advertising, or any purpose outside of generating responses on our instruction. See Section 4.3 for full details.

8.3 Cloud Infrastructure Providers

We use reputable cloud infrastructure providers (operating within the EU/EEA or bound by Standard Contractual Clauses) to host our backend services, databases, authentication infrastructure, and crash reporting. All providers act as data processors under our instruction and are bound by DPAs compliant with GDPR. We review and audit our processor relationships regularly.

8.4 Analytics Services

We may use anonymised, privacy-first analytics services to understand aggregate App usage. Any such service receives only anonymised, non-personally-identifiable data. We do not use Google Analytics or any advertising-network analytics service on this App or website.

8.5 Legal and Regulatory Authorities

Where required by applicable law, a binding court order, or a lawful request by a competent authority (including Swedish or EU law enforcement agencies acting within their mandate), we may be required to disclose personal data. We will challenge any request we believe to be unlawful, and we will notify you of any such disclosure to the maximum extent permitted by law.

OakDev & AI AB is established in Sweden (EU). Our primary infrastructure is located within the EU/EEA. Where any of our processors operate services outside the EU/EEA (for example, cloud providers or AI services based in the United States), we ensure that transfers are protected by one or more of the following appropriate safeguards:

• An adequacy decision by the European Commission confirming the receiving country provides an equivalent level of data protection.
• Standard Contractual Clauses (SCCs) approved by the European Commission, binding the recipient to EU-equivalent data protection standards.
• Binding Corporate Rules (BCRs) approved by a supervisory authority.
• Other appropriate safeguards under Chapter V of the GDPR.

You may request specific information about the transfer mechanisms we rely on for any given processor by contacting us at hello@oakdev.app. We will provide this information within 30 days.

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods are as follows:

Following the deletion of your account, we will make commercially reasonable efforts to ensure that your personal data is removed from our active systems and any backup systems within the timeframes stated above. For purchase records retained for legal compliance, only the minimum data legally required is kept and is inaccessible to normal operational queries.

As a data subject under the GDPR, you hold the following rights. To exercise any of them, contact us at hello@oakdev.app. We will acknowledge your request within 72 hours and respond fully within 30 days. There is no charge for any rights request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act (with written reasons).

If you are not satisfied with our response to a rights request, you have the right to lodge a complaint with a supervisory authority — see Section 18.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, disclosure, or alteration. Our security measures include, but are not limited to:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Sensitive personal data stored in our databases is encrypted at rest using industry-standard algorithms.
• Access control: Access to personal data is restricted on a strict need-to-know basis to authorised personnel only, with role-based permissions and audit logging.
• Authentication security: Account access is protected by secure authentication mechanisms. We support industry-standard login flows and do not store passwords in plain text.
• Third-party security review: We regularly review the security practices and data processing agreements of all third-party processors.
• Incident response: We maintain written incident response procedures for data breaches, including notification to the supervisory authority within 72 hours (Art. 33 GDPR) and notification to affected individuals without undue delay where there is a high risk to their rights and freedoms (Art. 34 GDPR).

While we take data security with the utmost seriousness, no information system is completely immune to attack. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay as required by law.

Ayara offers optional push notifications for prayer times (Fajr, Dhuhr, Asr, Maghrib, Isha), allowing you to be reminded at the precise prayer time for your location. Regarding notification data:

• Permission: The App requests notification permission via the standard iOS/Android permission dialog before sending any push notifications. You may grant, deny, or later revoke this permission in your device settings.
• What is used: When you enable prayer notifications, your prayer times are calculated on-device based on your location (see Section 3). The notification content (e.g. "Fajr prayer time has begun") is then scheduled locally on your device or via a push notification service using your device push token.
• Push tokens: Your device may receive a push notification token (a temporary identifier issued by Apple APNS or Google FCM), which is used only to deliver notifications you have requested. These tokens are not associated with advertising identifiers and are refreshed periodically.
• No marketing notifications: We do not send unsolicited marketing notifications. All notifications are directly related to the prayer time features you have chosen to enable.
• Legal basis: Consent — Art. 6(1)(a) GDPR (via OS permission dialog). You may withdraw consent at any time in your device settings.

Ayara is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Users between the ages of 13 and 16 may use the App only with the verifiable consent of a parent or legal guardian, in accordance with Article 8 GDPR and applicable national law.

If you believe that a child under 13 has provided us with personal data without appropriate parental consent, please contact us immediately at hello@oakdev.app. We will take prompt steps to verify the information and, where confirmed, to delete the data as quickly as reasonably practicable.

This website (the Ayara landing site) is a static informational website. We use a minimal and privacy-respecting approach to cookies and tracking:

• Technically necessary: We use a small cookie or localStorage entry to remember your cookie consent decision and your selected language. These are strictly necessary to function.
• Google Fonts: This website loads fonts from Google Fonts via your browser. Google may receive your IP address as part of this standard browser request. You may review Google's privacy practices at policies.google.com/privacy.
• No advertising cookies: We do not use advertising cookies, tracking pixels, cross-site tracking technologies, social media pixels, or third-party analytics services that profile individual visitors.
• No personal data collected through this website beyond what you voluntarily provide via contact forms or email links.

The cookie consent banner displayed when you first visit allows you to accept or decline non-essential cookies. As we currently use no non-essential cookies, the choice is primarily about future-proofing your preferences.

Your download and use of Ayara via the Apple App Store is also subject to Apple's Standard End User License Agreement (EULA) and Privacy Policy. Your download and use via Google Play is also subject to Google's Terms of Service and Privacy Policy.

In the event of any conflict between this Privacy Policy and the App Store or Google Play terms with respect to OakDev & AI AB's obligations as publisher, this Privacy Policy governs our data practices. Apple Inc. and Google LLC are not parties to this Privacy Policy and bear no responsibility for the Ayara application or OakDev & AI AB's data practices.

For subscription management (e.g. cancellation of the Barakah plan), please follow the standard subscription management procedures provided by Apple (Settings → Apple ID → Subscriptions) or Google (Google Play → Subscriptions).

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, applicable technology, or legal and regulatory requirements. When we make changes:

• We will update the "Last updated" date at the top of this page.
• For material changes — changes that meaningfully affect your rights or how we process your data — we will notify you via a prominent in-App notice or by email at least 14 days before the changes take effect, giving you time to review and, if you disagree, to delete your account.
• For minor changes (e.g. clarifications, formatting, contact detail updates), we will update this page without individual notification.

Your continued use of the App after the effective date of any updated policy constitutes your acceptance. If you do not agree with a material change, you may delete your account at any time via the Delete Account page or by contacting us at hello@oakdev.app.

You have the right to lodge a complaint with a competent data protection supervisory authority if you believe we have processed your personal data in violation of the GDPR or applicable data protection law. We would appreciate the opportunity to address your concerns directly first — please contact us at hello@oakdev.app — but your right to contact the supervisory authority directly is unconditional.

As a Swedish company, our lead supervisory authority is:

If you are located in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or the place of the alleged infringement.

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us. We take privacy seriously and are committed to responding promptly and helpfully.

We aim to acknowledge all privacy-related communications within 72 hours and to resolve them fully within 30 days. If your request is complex or numerous, we may extend this period by a further two months, in which case we will notify you of the extension within the initial 30-day period and explain the reason for the delay.