Privacy Policy
Last updated: 23 April 2026
This Privacy Policy explains how irshad.app ("we", "us", "our") collects, uses, and protects your information when you use the Irshad mobile app and the website at irshad.app (together, the "Service").
If you do not agree with this policy, do not use the Service.
1. Who we are
The Service is operated by irshad.app. For any privacy question you can reach us at support@irshad.app.
2. What we collect
2.1 Information you give us
- Account: email address and password (passwords are stored only as a bcrypt hash — we never see your plain password).
- Optional profile: first name, last name, and phone number if you choose to provide them.
- User content: posts, comments, and likes you create in community features.
2.2 Information created as you use the Service
- Learning progress: which lessons, quizzes, and daily challenges you complete, your scores, streaks, XP, and level.
- Bookmarks and review queue: items you save or that are scheduled for review.
- Certificates: records of completed courses.
- Preferences: settings like track level (beginner / advanced) and notification choices.
2.3 Information collected automatically
- Authentication events: timestamp, IP address, and user-agent for sign-in / sign-up attempts. Retained for up to 180 days for security and abuse prevention.
- Rate-limiting data: short-lived counters keyed to IP or user ID, auto-expired.
- Diagnostic logs: correlation IDs, request metadata, and error traces (no lesson content or passwords).
- Push notification tokens: if you enable notifications, the device token and platform (iOS / Android).
We do not use third-party advertising SDKs or cross-app tracking, and we do not sell your data.
3. How we use your data
- To create and maintain your account and sync progress across devices.
- To deliver lessons, quizzes, daily challenges, streaks, and achievements.
- To send transactional messages (password resets, account notices) and, if you opt in, push notifications.
- To detect and prevent fraud, abuse, and security incidents (rate-limiting, auth event audit trail).
- To improve the Service by diagnosing bugs and performance issues.
- To comply with legal obligations.
We process data on the lawful bases of contract (delivering the Service you signed up for), legitimate interest (security, fraud prevention, product improvement), and consent (push notifications, optional profile fields).
4. Who we share it with
We share data only with service providers that help us run the Service, under contract and only as needed:
- Microsoft Azure — application hosting (Azure Functions, Azure Key Vault).
- MongoDB Atlas — encrypted database hosting.
- Apple and Google — app distribution, push notification delivery (APNs / FCM), and in-app payment processing for subscriptions.
We do not sell personal data and do not share it with advertisers.
We may disclose data if required by law or valid legal process, or to protect the rights, safety, or property of users or the public.
5. Data retention
- Account and progress data: kept until you delete your account.
- Deleted accounts: when you request deletion, your account is soft-deleted and sign-in is blocked immediately. The record is permanently purged 30 days later. During that window you may email support@irshad.app to restore it.
- Authentication events: up to 180 days, then automatically deleted.
- Rate-limit counters: minutes to hours, then automatically deleted.
- Backups: may persist for up to 30 days after purge, then overwritten.
6. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA, and similar laws), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data (edit profile fields in-app or email us).
- Delete your account and associated data (see Account Deletion).
- Export your data.
- Object to or restrict certain processing.
- Withdraw consent (e.g. turn off push notifications).
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@irshad.app from the email address on your account. We respond within 30 days.
7. Children
Irshad is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children below that age. If you believe a child has given us data, email us and we will delete it.
8. Security
We use industry-standard safeguards: TLS in transit, encrypted storage at rest, bcrypt password hashing, JWT-based authentication, strict server-side input validation, rate limiting, and secrets held in Azure Key Vault accessed via managed identity. No system is perfectly secure — please use a strong unique password and report anything suspicious.
9. International transfers
Our infrastructure may process data in the United States, the European Union, and other countries where our providers operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
10. Changes to this policy
We may update this policy as the Service evolves. Material changes will be announced in-app or by email. Continued use of the Service after an update means you accept the revised policy.
11. Contact
Questions, requests, or complaints: support@irshad.app.