Privacy Policy
Last Updated: November 14, 2025
Important Notice to Parents and Guardians
Little Hafiz is designed for children ages 8-12 to learn Quranic recitation. We take your child's privacy very seriously. This privacy policy explains what information we collect, how we use it, and your rights as a parent. Please read this carefully before allowing your child to use our app.
Parental consent is required before your child can use Little Hafiz.
Note: Little Hafiz is available worldwide. If you are located in the European Union, United Kingdom, or other jurisdictions with stricter age requirements (age 16), parental consent is still required even though our app is designed for children 8-12.
1. Information We Collect
1.1 Information Provided by Parents
When you create an account, we collect:
- Your email address - For account management, password resets, and important notifications
- Password - Stored securely using industry-standard encryption
- Child's first name - To personalize the learning experience (we do NOT collect last names)
- Child's age range - To ensure age-appropriate content and features
1.2 Audio Recordings (Voice Data)
⚠️ Most Important: Your child's Quran recitations are recorded for AI analysis.
When your child records a Surah:
- Audio recordings of Quranic recitations (typically 10-60 seconds)
- How we process it: Audio is sent to our secure servers (hosted on Railway), analyzed by our AI system to provide pronunciation feedback, then stored securely on Supabase. Your child's audio never leaves Little Hafiz infrastructure.
- Why we collect it: To provide personalized feedback on Tajweed (Quranic pronunciation rules) and track learning progress
- Who processes it: Our AI system (Faster Whisper speech recognition running on our own servers) analyzes the audio. No third-party AI services (such as OpenAI) process your child's recordings. No human listens to recordings unless you explicitly contact support with a technical issue
- How long we keep it: Recordings are stored indefinitely to track progress, but you can request deletion at any time
1.3 Usage and Performance Data
We automatically collect:
- Learning progress - Which Surahs completed, scores achieved, badges earned
- App usage statistics - Features used, time spent, frequency of practice
- Device information - Device type, operating system version, app version (for bug fixes and compatibility)
- Crash reports - Technical logs if the app crashes (no personal data included)
1.4 Information We DO NOT Collect
- ❌ Child's full name or last name
- ❌ Child's date of birth (only age range)
- ❌ Physical address or phone number
- ❌ Photos of your child
- ❌ Precise location data
- ❌ Social security numbers or government IDs
- ❌ Payment card information (handled securely by Apple/Google)
1.5 Summary: Data Used for App Functionality
For transparency and alignment with App Store requirements, here is a complete list of data we collect for app functionality:
- Audio recordings - Child's Quran recitations for AI feedback and pronunciation analysis
- Child's first name - For personalized learning experience
- Child's age range - To ensure age-appropriate content
- Parent's email address - For account management and communication
- Usage data - Learning progress, scores, badges, practice frequency
- Device information - Device type, OS version, app version for compatibility
- Crash logs - Technical diagnostics for bug fixes (no personal data)
This data is used exclusively to provide, improve, and secure the educational service. We do not use this data for advertising, marketing to children, or any purpose beyond app functionality.
2. How We Use Your Information
2.1 Educational Purpose
- Provide AI-powered feedback on Quranic pronunciation and Tajweed
- Track learning progress and achievements
- Personalize the learning experience with child-appropriate content
- Award badges and maintain learning streaks for motivation
2.2 Account Management
- Send password reset emails when requested
- Send subscription notifications and receipts (for $3.99/month or $39.99/year plans)
- Respond to support inquiries
- Communicate important updates about the app
2.2A Email Communications
Marketing and Newsletters:
- We do NOT send marketing emails or newsletters to children
- Parents may receive occasional product updates or feature announcements
- Parents can unsubscribe from non-essential emails at any time via the unsubscribe link
- Certain emails (password resets, subscription receipts, critical security notices) cannot be unsubscribed from as they are essential for account management
2.3 App Improvement
- Analyze aggregated, anonymized usage data to improve features
- Fix bugs and technical issues
- Improve AI accuracy for better feedback
3. AI Processing and Audio Analysis
3.1 How Our AI Works
Little Hafiz uses artificial intelligence to analyze Quranic recitations:
- Speech Recognition: We use Faster Whisper (an open-source speech recognition model based on OpenAI's Whisper architecture) running entirely on our own secure servers hosted on Railway. OpenAI does not process, receive, or have access to any of your child's audio recordings.
- Pronunciation Analysis: Our proprietary algorithm compares the recording to correct Quranic recitation
- Feedback Generation: The AI provides specific feedback on pronunciation, fluency, and completeness
3.2 Data Security in AI Processing
IMPORTANT: Your child's audio recordings are processed entirely within Little Hafiz infrastructure.
- ✅ Audio is processed on our own servers (Railway hosting)
- ✅ Audio is stored on our own database (Supabase)
- ❌ OpenAI does NOT receive or process any audio
- ❌ No third-party AI services analyze your child's recordings
- ❌ Audio is never shared with external AI providers
- Audio is transmitted using encrypted connections (TLS/SSL)
- Processing happens on secure servers owned/controlled by Little Hafiz (not shared with third parties)
- AI models are pre-trained and open-source, NOT trained on your child's recordings
- No human reviews recordings unless you specifically request technical support
4. Data Storage and Security
4.1 Where Data is Stored
- Database: Supabase (US-based, SOC 2 Type II certified)
- Audio Files: Supabase Storage (encrypted at rest)
- Backups: Automated daily backups with 7-day retention
4.2 Security Measures
- ✅ Industry-standard encryption (TLS 1.3) for data transmission
- ✅ Encrypted storage for all audio recordings
- ✅ Secure password hashing (bcrypt)
- ✅ Regular security audits and updates
- ✅ Access controls - Only authorized personnel can access systems
- ✅ Monitoring for suspicious activity
4.3 Data Retention
- Active accounts: Data retained as long as account is active
- Deleted accounts: Data permanently deleted within 30 days
- Audio recordings: Stored to track progress, but can be deleted on request
- Backups: Removed from backups within 7 days of deletion request
5. Children's Privacy (COPPA Compliance)
We comply with the Children's Online Privacy Protection Act (COPPA).
5.1 Parental Consent
- Parents must create the account and provide consent
- Children cannot create accounts independently
- We verify that the account holder is an adult (age 18+)
- Parental Identity Verification: By creating an account using your email address, you confirm that you are the parent or legal guardian of the child. We may request additional verification if needed to ensure compliance with COPPA requirements.
5.2 Minimal Data Collection
- We collect only information necessary for the educational service
- No collection of child's full name, address, or precise location
- No behavioral advertising or tracking for marketing purposes
5.3 No Third-Party Data Sharing
- We do NOT sell, rent, or share children's information with third parties
- We do NOT allow third-party advertising in the app
- We do NOT use children's data for marketing purposes
5A. International Children's Privacy Laws
Little Hafiz is available worldwide and complies with children's privacy laws in multiple jurisdictions.
5A.1 European Union (GDPR Article 8)
For users in the European Union:
- Age of Consent: The GDPR sets the age of consent at 16 (member states may lower it to 13). Regardless of your location, parental consent is required for all Little Hafiz users under 18.
- Lawful Basis: We rely on parental consent as the lawful basis for processing children's data
- Data Minimization: We collect only the minimum data necessary (first name, age range, audio recordings for educational feedback)
- Automated Decision-Making: Our AI provides educational feedback but does not make automated decisions that significantly affect your child
- Data Transfers: Data is transferred to the US where our servers are located, with appropriate safeguards (standard contractual clauses)
5A.2 United Kingdom (Children's Code)
For users in the United Kingdom, we comply with the ICO's Age-Appropriate Design Code:
- Best interests of the child: All design decisions prioritize children's best interests and wellbeing
- High privacy by default: The most privacy-protective settings are default for children
- Data minimization: We collect only what's needed for the educational service
- No profiling: We do not use children's data for profiling or behavioral targeting
- No location tracking: We do not collect or track precise location data
- No sharing: Children's data is not shared with third parties for marketing or advertising
- No nudge techniques: We do not use nudge techniques to encourage children to provide unnecessary data
5A.3 Other Jurisdictions
We comply with children's privacy laws in additional jurisdictions including:
- Canada (PIPEDA): Parental consent required, reasonable data collection
- Australia (Privacy Act): Heightened privacy protections for children
- Brazil (LGPD): Parental consent and data minimization for children
- Japan (APPI): Special protections for children's data
- Singapore (PDPA): Parental consent and appropriate safeguards
- India (DPDPA): Verifiable parental consent required
Our approach is to comply with the strictest applicable standard: meeting both COPPA (US) and GDPR (EU) requirements generally provides compliance with most global children's privacy laws.
5A.4 Middle East / GCC Countries
For users in Gulf Cooperation Council (GCC) countries, we comply with regional data protection laws:
- Saudi Arabia (PDPL): Parental consent required for children under 13, cross-border data transfers allowed with appropriate safeguards
- UAE (PDPL): Consent-based processing, parental approval for children's data
- Qatar (PDPPL): Parental consent required, detailed privacy notices for children's services
- Bahrain (PDPL): Heightened protections for children's personal data
- Kuwait: Standard data protection principles apply
- Oman: Personal data protection law compliance (effective February 2026)
Cross-Border Transfers: Our data is stored in the United States with appropriate safeguards including encryption, access controls, and data processing agreements. GCC laws generally permit international data transfers when proper safeguards are in place, which we maintain.
Consent Basis: Unlike GDPR, GCC laws rely primarily on consent rather than legitimate interest. We obtain explicit parental consent before collecting any child's data, which satisfies GCC requirements.
Arabic Language: This privacy policy is currently available in English. We are committed to providing Arabic translations as our service grows in the region. If you need assistance understanding this policy, please contact us at support@littlehafiz.app.
5A.5 Age Verification and Parental Consent
To ensure that only parents/guardians create accounts for children, we implement the following measures:
- Account Creation: Only adults (18+) can create accounts. Children cannot independently create accounts.
- Email Verification: We verify the parent's email address
- Payment Verification: For premium subscriptions, payment methods (credit cards) serve as additional age verification, as they are typically held by adults
- Declaration: By creating an account, the account holder confirms they are the parent or legal guardian
- Additional Verification: We may request additional verification if we have reason to believe a child created an account without parental permission
We continuously evaluate and improve our age verification and parental consent mechanisms to meet evolving global standards.
6. Information Sharing and Disclosure
6.1 We Do Not Share Personal Information
Your child's data is NEVER sold or shared with third parties for marketing. Period.
6.2 Service Providers (Data Processors)
We use trusted third-party services that help us operate the app. These providers have limited access to data only for specific purposes:
- Supabase: Database and file storage (contractually obligated to protect data)
- Railway: Application hosting (no access to personal data)
- Apple/Google: Payment processing for subscriptions (we never see payment details)
- Brevo: Email delivery for password resets and notifications
- RevenueCat: Subscription management and analytics (receives purchase tokens and anonymous app-user IDs, but NO child audio, learning data, or personal information)
All service providers are carefully vetted and bound by strict confidentiality agreements.
Complete Subprocessors List: We maintain an up-to-date list of all data processors and subprocessors at: https://littlehafiz.app/subprocessors
Payment Information: We do not collect, process, or store any payment information. All in-app purchases and subscriptions are processed securely by Apple App Store or Google Play Store. We never have access to your credit card, debit card, or payment account details.
6.3 Legal Requirements
We may disclose information if required by law, such as:
- Valid court order or subpoena
- Protecting the safety of children
- Preventing fraud or illegal activity
- Enforcing our Terms of Service
7. Your Parental Rights and Controls
7.1 Rights Under COPPA
As a parent/guardian, you have the right to:
- ✅ Review - Access all information collected about your child
- ✅ Delete - Request deletion of your child's data at any time
- ✅ Refuse - Refuse further collection or use of child's information
- ✅ Control - Manage child profiles and learning data
7.2 How to Exercise Your Rights
To review, modify, or delete your child's information:
- In-app: Go to Settings → Child Profiles → Manage Data
- Email us: [email protected]
- Response time: We will respond within 7 business days
7.3 Account Deletion
You can delete your account at any time:
- Settings → Account → Delete Account
- All personal data will be permanently deleted within 30 days
- Subscription will be canceled (per App Store/Play Store policies)
8. International Data Transfers and Global Operations
8.1 Where We Operate
Little Hafiz is available worldwide. Our infrastructure is primarily located in the United States:
- Primary Servers: United States (Railway hosting, Supabase database)
- Data Processing: All AI processing occurs on US-based servers
- Backup Storage: United States (Supabase)
8.2 Data Transfer Safeguards
If you are accessing Little Hafiz from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses where required by law for data transfers from the EU/EEA
- UK International Data Transfer Agreement: We use UK-approved transfer mechanisms for data from the UK
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest
- Access Controls: Strict access controls limit who can access children's data
- Data Processing Agreements: All subprocessors sign data processing agreements with appropriate safeguards
By using Little Hafiz, you consent to the transfer of your child's data to the United States.
8.3 Data Localization
Important Note: Some countries require that certain data be stored within their borders (data localization). Currently, Little Hafiz stores all data in the United States. If you are in a jurisdiction with data localization requirements, please contact us at [email protected] to discuss whether Little Hafiz is appropriate for your use.
8.4 EU Representative
While we are a US-based company, if we determine that we process substantial amounts of data from EU residents, we will appoint an EU representative as required by GDPR Article 27. Current EU users may contact us directly at [email protected].
9. Cookies and Tracking Technologies
We do NOT use cookies, pixels, or tracking technologies in our mobile app.
- No third-party analytics tracking children's behavior
- No advertising trackers or behavioral profiling
- No cross-app tracking or data sharing
We only collect technical data necessary for app functionality (crash reports, performance metrics).
9.1 Third-Party Analytics and SDKs
Little Hafiz does NOT use third-party analytics services such as:
- ❌ Firebase Analytics
- ❌ Google Analytics
- ❌ Meta SDK (Facebook)
- ❌ Any advertising SDKs
- ❌ Any third-party tracking or behavioral analytics tools
We collect only essential technical data required for app functionality, stored on our own secure servers.
10. Third-Party Links and Services
Little Hafiz may contain links to third-party websites (e.g., our website or support resources). This Privacy Policy does not apply to those external sites. We encourage parents to review the privacy policies of any third-party sites.
Note: Our app does NOT integrate with social media or allow children to interact with external communities.
11. Push Notifications
With your permission, we may send push notifications for:
- Practice reminders (to encourage daily learning)
- Achievement notifications (badges earned, streaks maintained)
- Important app updates
You can disable push notifications at any time in your device settings or within the app.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make significant changes, especially regarding children's data collection, we will:
- Notify you via email
- Display a prominent notice in the app
- Request renewed parental consent if required by law
Continued use of the app after changes indicates acceptance of the updated policy.
12A. Language and Translations
This Privacy Policy is provided in English. While Little Hafiz is available worldwide, we currently provide our Privacy Policy in English only.
If you require this Privacy Policy in another language or have difficulty understanding any part of this policy, please contact us at [email protected] and we will do our best to assist you.
Note: Some jurisdictions may require privacy policies to be provided in local languages. If required by law in your jurisdiction, we will provide a translated version. In case of any conflict between the English version and a translated version, the English version shall prevail to the extent permitted by law.
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do NOT sell information)
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us at [email protected].
13A. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request copies of your child's personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your child's data
- Right to Restrict Processing: Limit how we use your child's data
- Right to Data Portability: Receive your child's data in a transferable format
- Right to Object: Object to certain types of processing
Lawful Basis: We rely on parental consent as the lawful basis for processing children's data. You may withdraw consent at any time by deleting the account.
International Data Transfer: By using Little Hafiz, you consent to the transfer of your child's data to the United States, where our servers are located. We ensure appropriate safeguards are in place to protect data in accordance with GDPR requirements.
To exercise any of these rights, contact us at [email protected].
13A.1 Supervisory Authorities
If you are located in the EU/EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:
However, we encourage you to contact us first at [email protected] so we can address your concerns directly.
14. Governing Law and Dispute Resolution
Governing Law: This Privacy Policy is governed by the laws of the State of Virginia, United States, without regard to its conflict of law provisions.
International Users: By using Little Hafiz, you consent to the application of United States and Virginia law to the resolution of any disputes. However, your statutory rights under your local consumer protection and privacy laws remain unaffected.
Disputes: Any disputes arising from this Privacy Policy or your use of Little Hafiz will be resolved in accordance with our Terms of Service.
15. Contact Us
16. Consent and Acknowledgment