NoorBloom ("we", "us", or "our") operates the NoorBloom mobile application (the "App"). We are committed to protecting your privacy, particularly given the deeply personal and faith-based nature of our services. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights over it.
By downloading or using NoorBloom, you agree to the collection and use of information as described in this Policy. Where applicable law requires consent as the legal basis, your continued use constitutes consent only after you have been presented with the required consent mechanism.
1. Information We Collect
1.1 Account Information
When you create a NoorBloom account, we collect:
- Email address — used to authenticate your account and send service communications.
- Display name — used to personalize your experience (e.g., greeting you and customizing duas).
- Encrypted password — stored as a one-way hash; never accessible in plain text by us or any third party.
- Authentication token from Apple or Google — if you use Sign In with Apple or Sign In with Google, we receive only a unique identifier; we do not receive your Apple or Google password.
- Subscription status — to determine which features you are entitled to access.
Sign In with Apple
If you choose to hide your email address via Apple's private relay, we respect and honor this choice. We will never attempt to identify or link a hidden Apple email to your real identity.
1.2 Location Data
We request access to your device location only for two specific religious features:
- Prayer Times — to calculate accurate Fajr, Sunrise, Dhuhr, Asr, Maghrib, and Isha times for your location.
- Qibla Compass — to determine the direction of the Kaaba relative to your position.
✓ Our Location Commitment
Your precise location coordinates are used only in-app at the time of your request to compute prayer times and Qibla direction. We do not store a history of your location on our servers. We do not sell, share, or use your location for advertising, tracking, or any surveillance purpose whatsoever.
1.3 Content You Create
- Dua requests — when you use "Dua for Loved Ones," you enter a name and context (e.g., "Zehra — exam motivation"). This text is sent to our AI backend to generate a personalized dua. This input is not retained on our servers after generation.
- Affirmation mood selections — your selected mood (e.g., Happy, Sad, Anxious) is used to retrieve relevant Islamic affirmations. See Section 2 for sensitive data treatment.
- Reflections Diary entries — your diary entries are written and stored locally on your device only. We do not proactively upload your diary to our servers.
Important qualification regarding AI Reflection: If you choose to tap the AI reflection button for a specific diary entry, the text of that entry (the focus and the diary text you explicitly submit at that moment) is transmitted to our AI service to generate an Islamic reflection. This transmission is user-initiated, one-time, and the text is immediately discarded by our service upon returning the reflection. It is never stored, indexed, or associated with your identity on our servers. Diary entries that you do not submit for AI reflection are never transmitted from your device under any circumstances.
1.4 Usage and Analytics Data
To understand how the app is used and improve it, we collect automatically:
- Features accessed and frequency of use
- App version, device type, operating system, and language
- Session duration and navigation patterns (anonymous)
- Crash reports and error logs
- In-app purchase events (subscription activation, renewal)
This data is collected via Firebase Analytics and Firebase Crashlytics and is pseudonymized or aggregated before analysis. It is not linked to your identity without separate disclosure.
1.5 Payment Information
All payments for NoorBloom Premium are processed exclusively through Apple's App Store. We do not collect, store, or have access to your credit card or payment details. Apple's payment processing is governed by Apple's own privacy policy and terms.
2. Sensitive Data Categories
Certain data we process falls into legally protected "special categories" that require heightened care and, in most jurisdictions, your explicit consent before we may process them.
| Data Type | Why It's Sensitive | How We Handle It | Legal Basis |
|---|---|---|---|
| Religious Belief Data: Inferred from use of Islamic features (prayer times, duas, Quran, Qibla) | GDPR Art. 9(1) — data revealing religious beliefs; KVKK Art. 6 | Used solely to power Islamic features. Never sold. Never shared with advertisers or data brokers. | Explicit consent (GDPR Art. 9(2)(a)); performance of contract |
| Emotional / Mental Health Data: Mood selections in Affirmations (e.g., Anxious, Depressed, Heartbroken) | Health-adjacent data; reveals psychological state | Used only to retrieve relevant affirmations in-session. Not stored beyond session. Not analyzed for profiling. | Explicit consent at onboarding; can be withdrawn at any time |
| Personal Diary Content: Reflections Diary entries | Highly personal intimate thoughts; may reveal health, family, or spiritual struggles | Stored locally on device only. Never uploaded. When AI reflection is requested, only the shared text is temporarily processed and immediately discarded post-generation. | User-initiated action; explicit consent for AI processing |
| Third-Party Personal Data: Names and contexts entered in "Dua for Loved Ones" | Personal data of individuals who have not consented | Used only to generate the requested dua. Not stored. Not associated with any profile. | User's responsibility; our processing is strictly transient |
Your Responsibility for Third-Party Data
When you enter another person's name and personal circumstances into the Dua for Loved Ones feature, you are the data controller for that individual's data. Please ensure you have permission to share another person's personal details with our service.
3. AI-Powered Features & Data Processing
NoorBloom uses artificial intelligence to power three features. We are committed to full transparency about how your data is used in these features.
3.1 Dua Generator (AI)
- Input: Name of the person the dua is for; context you provide (e.g., health, exam, marriage).
- Processing: This input is sent to our AI service to generate a personalized Islamic supplication.
- Retention: Input data is not stored on our servers after the dua is generated. The generated dua text may be temporarily cached for in-app display but is not associated with your account in a retrievable way.
- AI Training: Your dua inputs are not used to train AI models without separate explicit opt-in consent.
3.2 Reflections Diary AI (AI)
- Input: When you tap the AI reflection button, you share the entry focus and your diary text with our AI service.
- Processing: The text is processed to generate an Islamic reflection enriched with Quran and Hadith.
- Retention: Diary text shared for AI reflection is immediately discarded by our service upon returning the reflection. It is never stored, indexed, or associated with your identity.
- Default: Your diary entries that you do not share for AI reflection are never transmitted from your device.
3.3 Affirmations (AI-Assisted)
- Your mood selection is used to retrieve relevant affirmations. This may involve lightweight processing on our servers to personalize the response.
- Mood selections are not stored in a manner linked to your long-term profile beyond the current session.
✓ Our AI Commitment
We do not use your personal spiritual data, diary entries, or emotional state to train AI models without your separate and explicit consent. If we ever consider this in the future, we will ask for your opt-in at that time.
4. How We Use Your Information
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide and maintain the App and its features | Performance of contract (Art. 6(1)(b)) | Account info, location, content, usage data |
| Authenticate your account | Performance of contract (Art. 6(1)(b)) | Email, password hash, authentication token |
| Personalize your experience | Consent (Art. 6(1)(a)); legitimate interest (Art. 6(1)(f)) | Name, usage patterns, content preferences |
| Process subscription payments | Performance of contract (Art. 6(1)(b)) | Subscription status via Apple |
| Send prayer time notifications | Consent (Art. 6(1)(a)) — user-enabled only | Location (computed prayer times), push token |
| Improve app performance and fix bugs | Legitimate interest (Art. 6(1)(f)) | Crash logs, aggregated usage data |
| Process religious/mood sensitive data (AI features) | Explicit consent (Art. 9(2)(a)) | Mood selections, dua inputs, shared diary text |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | Account info, transaction records |
| Notify you of material policy changes | Legal obligation / legitimate interest | Email address |
We Do NOT Use Your Data For:
- Targeted or behavioral advertising
- Selling your data to third parties, data brokers, or marketers
- Profiling based on your religious practices
- Government surveillance or intelligence purposes (except when legally compelled)
- Any purpose beyond what is described in this Policy
App Store Privacy "Nutrition Labels" — Reference Guide
The following summarizes how our data practices map to App Store Connect Privacy disclosures. This is provided for transparency; the App Store Connect declarations govern for App Store purposes.
Data Linked to You: Contact Info (email address); Identifiers (Firebase user ID); Purchase History (subscription status); Usage Data (feature interactions linked to account).
Data Not Linked to You: Diagnostics (crash logs); Analytics (anonymous usage metrics); Approximate Location (prayer times calculation — not stored on server).
Data Not Collected: Health & Fitness (no HealthKit); Financial Info (Apple handles payments); Browsing History; Contacts; Messages; Diary entries (device-only, not collected by us except when explicitly submitted for AI reflection as described above).
Sensitive Mood Data: Collected in-session only, not stored linked to your identity.
5. How We Share Information
We do not sell, rent, or trade your personal data. We share your information only in the following limited circumstances:
5.1 Service Providers (Data Processors)
We share personal data with service providers who process it strictly on our behalf and under our instruction. These providers are contractually bound to protect your data and may not use it for their own purposes.
- Google Firebase — authentication, cloud database, analytics, crash reporting (US-based; SCCs in place)
- Apple Inc. — payment processing, Sign In with Apple authentication
- AI Processing Provider — temporary processing of dua and diary inputs to generate Islamic content (data is not retained post-generation)
5.2 Legal Requirements
We may disclose your data if required to do so by law, court order, or governmental authority, where such disclosure is lawful and proportionate. We will notify you where permitted before complying with such requests.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. We will provide advance notice and require the successor to honor this Privacy Policy.
5.4 With Your Consent
For any sharing not covered above, we will ask for your explicit consent at the time.
✓ We Will Never Share Your Data With:
Data brokers · Advertisers · Political organizations · Government intelligence agencies (absent a lawful order) · Marketing companies · Any entity that will use it contrary to this Policy
6. Third-Party Services
6.1 Firebase by Google
Firebase provides authentication, cloud database (Firestore), analytics, and crash reporting. Firebase may collect device information and usage patterns. Data is stored on Google Cloud Platform servers in the United States. Firebase is certified under SOC 2 and ISO 27001.
Firebase Privacy: https://firebase.google.com/support/privacy
6.2 Sign In with Apple
Apple provides a unique identifier. If you hide your email, Apple's private relay manages the email. We receive no other Apple account data without your permission. Apple's Privacy Policy: https://www.apple.com/legal/privacy/
6.3 Sign In with Google
Google provides your email and basic profile information. Google's Privacy Policy: https://policies.google.com/privacy
6.4 Apple In-App Purchases
Payment is handled entirely by Apple. We receive only confirmation of purchase and subscription status. Apple's payment processing: App Store Terms
7. Data Security
We implement industry-standard technical and organisational security measures:
- All data in transit is encrypted using TLS 1.2 or higher (TLS/SSL)
- Passwords are stored as one-way cryptographic hashes (bcrypt)
- Firebase data is encrypted at rest (AES-256)
- Diary entries never leave your device in unencrypted form
- Access to production systems is granted on a strict need-to-know basis
- Regular security reviews of third-party integrations
While we implement these measures, no method of transmission over the Internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within the timeframes required by applicable law.
8. Data Retention & Deletion
8.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information (email, name, password hash) | Until account deletion + 30 days |
| Reflections Diary entries | Device-only; deleted when you delete the app or your account |
| Dua inputs (AI processing) | Immediately discarded after generation |
| Mood selections | Session only; not persisted to server |
| Firebase Analytics (anonymous) | Up to 14 months; then aggregated/deleted |
| Crash logs | 90 days |
| Transaction records | As required by applicable tax and financial law (typically 5–7 years) |
8.2 How to Delete Your Account
You may delete your account and all associated data at any time:
- Open NoorBloom and go to Profile
- Tap Settings
- Select Delete Account
- Confirm deletion
Upon deletion, all personal data linked to your account will be permanently erased within 30 days, except where retention is required by law (e.g., financial records). Anonymized, aggregated analytics data not linked to your identity may be retained.
Alternatively, submit a deletion request to noorbloomapp@gmail.com.
9. Your Privacy Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data (subject to legal retention requirements).
- Data Portability: Receive your data in a portable, machine-readable format (JSON or CSV).
- Withdraw Consent: Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
- Object to Processing: Object to processing based on our legitimate interests.
- Restrict Processing: Request we restrict processing in certain circumstances.
- Opt Out: Disable location access, notifications, or analytics through your device Settings at any time.
To exercise any right, contact us at noorbloomapp@gmail.com. We may require verification of your identity and will respond within the time frame required by applicable law (generally 30 days, extendable to 90 days for complex requests).
10. Children's Privacy
NoorBloom is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age. If you are a parent or guardian and believe your child under 13 has provided us with personal data without your consent, please contact us immediately at noorbloomapp@gmail.com, and we will delete that information promptly.
If you are under 18, please use the app only with parental supervision and consent.
11. International Data Transfers
NoorBloom is available globally. Your data may be transferred to and processed in the United States (where Firebase/Google Cloud servers are located) and potentially other countries that may not have equivalent data protection laws to your home country.
We safeguard such transfers by:
- EU/EEA/UK users: We rely on European Commission-approved Standard Contractual Clauses (SCCs) with Firebase/Google and any other processors outside the EEA.
- Turkish users: We comply with KVKK Article 9 requirements for cross-border transfers, including obtaining your explicit consent or relying on adequacy decisions where applicable.
- All users: Our service providers are certified under internationally recognised security standards including SOC 2 and ISO 27001.
12. Additional Rights — EEA, UK, Switzerland (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, the following additional provisions apply:
12.1 Data Controller
The data controller for personal data processed through NoorBloom is the company operating NoorBloom as identified in the Contact section of this Policy.
12.2 Additional Rights
- Right to Object: You may object to processing based on legitimate interests (Article 6(1)(f)) at any time.
- Right to Restrict Processing: You may request restriction in circumstances defined by Article 18 GDPR.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your national supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
GDPR Art. 9 — Explicit Consent for Sensitive Data: How It Works
Before processing your religious data and emotional/mental health data, we obtain your explicit consent through a dedicated consent screen presented during app onboarding. This screen:
- Identifies the specific types of sensitive data (religious inference from app use, mood/emotional state)
- Explains the purpose of processing (personalised spiritual content, affirmation matching)
- Provides a clear Yes/Consent and No/Decline option — we do not use pre-ticked boxes
- Explains that declining limits certain features but does not prevent basic use
Withdrawing consent: You may withdraw consent at any time via Profile → Settings → Privacy Preferences → Manage Consent, or by emailing noorbloomapp@gmail.com. Withdrawal is effective immediately for future processing; it does not affect prior lawful processing. Certain features dependent on this consent may become unavailable following withdrawal.
13. Additional Rights — California (CCPA / CPRA)
If you are a California resident, California law provides additional rights:
- Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the sources, business purposes, and categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected from you.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Limit Sensitive Personal Information: You may limit the use of sensitive personal information to purposes necessary to provide the service.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise California rights, contact us at noorbloomapp@gmail.com with "California Privacy Request" in the subject line. We will verify your identity before processing your request.
Categories of personal information collected in the last 12 months: Identifiers (email, name, device ID, IP address); commercial information (subscription records); approximate geolocation data; internet/electronic network activity (usage data); inferences drawn from usage (feature preferences); sensitive personal information (religious belief data by inference; mental health-adjacent mood data with explicit consent).
14. Additional Rights — Turkey (KVKK)
For users in Turkey, the following applies pursuant to the Law on Protection of Personal Data No. 6698 ("KVKK"):
- The data controller within the meaning of KVKK is the operator of NoorBloom identified in the Contact section.
- Religious belief data is a special category under KVKK Article 6. We process such data only with your explicit consent (KVKK Art. 6(3)).
- You have the following rights under KVKK Article 11: to learn whether your data is processed; to request information about processing; to learn the purpose and whether it is used accordingly; to know domestic/international parties to whom data is transferred; to request correction, deletion, or destruction; to object to adverse outcomes resulting from automated processing; to claim compensation for damages.
- To exercise these rights, contact our KVKK contact at noorbloomlegal@gmail.com.
- International transfer of your data to Firebase servers in the US is conducted pursuant to KVKK Article 9 with your explicit consent.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, applicable law, or new features. We will notify you of material changes by:
- Posting an in-app notification
- Sending an email to your registered address (for material changes)
- Updating the "Effective Date" at the top of this document
If we make changes that require fresh consent under applicable law (e.g., new sensitive data processing), we will present you with a new consent request. Your continued use of the App after changes constitutes acceptance of the updated Policy for non-consent-required processing.