Privacy Policy

Last updated: May 25, 2026

Your privacy matters to us. MishMish collects the minimum amount of data needed to provide the service. We never sell your data, we never show ads, and we never share your spiritual journey with anyone.

Information we collect

We collect only what we need to make MishMish work for you:

  • Account and identity: When you first open MishMish, we create an anonymous account identifier so we can sync your progress across sessions and devices. Authentication is anonymous by default, so you are not required to provide a name or email address to use the app. If you later voluntarily link an email or sign-in account, we will collect that email (and, optionally, a display name) at that time.
  • Usage data: Information you generate using MishMish, including your streak count, daily completion logs, completed daily verses, reflections you write, dua history, XP, prayer logs (only if you enable prayer tracking), language preference, time zone, and reminder settings.
  • MishAI conversations: Messages you exchange with MishAI, our AI companion, are processed by Google Gemini to generate responses. Conversations are stored locally on your device. See the AI Services section below.
  • Location (only if you enable prayer tracking): If you turn on prayer tracking, the app will request approximate (coarse) and precise (fine) device location to calculate local Islamic prayer times. See the Location section below.
  • Device information: Device type, operating system version, app version, language, time zone, and crash diagnostics necessary for the app to function and for us to fix bugs.
  • Subscription information: If you subscribe to MishMish Premium, your subscription status is managed by Google Play Billing and RevenueCat and synced to your account. We never receive your payment card information.

We do not collect your contacts, photos, or browsing activity outside MishMish. Your account data is stored via Supabase, our backend provider.

Location

MishMish requests device location only to compute local Islamic prayer times for the prayer-tracking feature. We want to be very clear about how this works:

  • Location is used on-device to calculate prayer times. It is not stored on our servers, not shared with third parties, and never used for tracking, profiling, or advertising.
  • Location access is optional. We only request it if you choose to enable prayer tracking.
  • We may request both approximate (coarse) and precise (fine) location so prayer times are accurate for your area.
  • You can deny or revoke location permission at any time in your device settings. If you do, prayer-time features simply will not work, but the rest of MishMish continues to function normally.

How we use your data

We use the information we collect for a small, defined set of purposes:

  • To provide and operate the service, including syncing your streak and progress across your devices.
  • To send you reminders that you have opted into, streak nudges, daily verse notifications, and prayer time reminders. You can disable any of these in the app settings.
  • To improve the service through anonymized, aggregated usage statistics. These statistics never identify you individually.
  • To respond to support requests you send us.

What we never do

Some commitments we hold as non-negotiable:

  • We never sell your data to third parties. Not now, not ever.
  • We never show advertisements inside MishMish.
  • We never share your spiritual journey data (your reflections, journal entries, dua history, or streak record) with anyone, including advertisers, brokers, or partners.
  • We never track you across other apps or websites. MishMish has no third-party advertising trackers, no fingerprinting, and no cross-app identifiers.

Data storage and security

Your data is stored with Supabase, our backend provider, encrypted at rest on our servers and encrypted in transit between your device and our infrastructure using TLS 1.2 or higher.

We use industry-standard access controls, audit logs, and least-privilege practices to protect the systems where your data is stored. No system is perfectly secure, but we treat your trust as a sacred amanah.

Quran and religious content

Your reflections, journal entries, and personal notes are stored on our servers (Supabase), encrypted at rest and transmitted over encrypted connections (TLS 1.2 or higher). Access is strictly limited to authorized personnel for support, security, and operational purposes only, and is audit-logged. We do not read your content for commercial purposes, share it with advertisers, or use it to train AI models.

If you ever delete your account, this content is permanently and irreversibly destroyed from our active systems within 30 days and from backups within 90 days.

Your rights

You are in full control of your data:

  • Access: You can view your account data in the app at any time, and email us for a complete copy in JSON format.
  • Correction: You can update or correct your settings at any time in the app.
  • Deletion: You can delete your account and all associated data at any time from Settings → Delete my account in the app. This permanently removes your data from our active systems within 30 days and from backups within 90 days.
  • Portability: Email us to request an export of your personal data. We will provide it in a portable JSON format within 30 days.
  • Restriction and objection: You can object to or restrict certain types of processing by emailing us.
  • Withdraw consent: You can withdraw consent for optional data processing at any time. This will not affect processing that already occurred.

If you reside in the European Economic Area, United Kingdom, or Switzerland, you have rights under the GDPR (or equivalent law) to access, correct, delete, restrict, object to processing of, and port your personal data, and you may lodge a complaint with your local supervisory authority.

If you reside in California, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, the right to opt out of any sale or sharing (we do not sell or share personal information as defined by the CCPA), and the right to non-discrimination for exercising your rights.

The fastest way to exercise your deletion right is in-app via Settings → Delete my account. For any other request, email us at support@mishmishcompanion.app.

Third-party services

We use a small number of trusted infrastructure and service providers to operate MishMish. Each is bound by a data processing agreement that prohibits them from using your data for their own purposes.

  • Backend, database, and authentication: Supabase, which stores your account, progress, and reflections.
  • AI assistant responses: Google Gemini, operated by Google LLC, processes MishAI conversations. See the AI Services section below for details.
  • Subscription management: RevenueCat, which manages subscription state. It does not receive your payment card information.
  • Payments: Your app store, which handles all subscription billing. We never see your payment card information.

We do not use advertising networks, fingerprinting trackers, or cross-app identifiers. We may add or change service providers and will update this policy when we do.

AI services

MishAI is an AI-powered assistant feature within MishMish, powered by Google's Gemini API. When you send a message to MishAI:

  • Your message and recent conversation context are transmitted to Google's Gemini API to generate a response. This is third-party processing subject to Google's terms, available at https://ai.google.dev/gemini-api/terms.
  • We do not use these conversations to train AI models.
  • Please do not share sensitive personal information (such as financial details, medical information, government IDs, or anything you would not want a third party to process) in MishAI chats.
  • Your MishAI conversation history is stored only on your device. We do not store the contents of your MishAI conversations on our servers.
  • An automated moderation layer reviews AI responses for quality and accuracy concerns before they reach you.

MishAI provides reflection prompts and general information about the Quran, Islamic practice, and daily life. It is not a religious authority and may contain inaccuracies. Do not rely on MishAI for binding religious rulings (fatwas). For those, consult a qualified scholar.

Data location and international transfers

Your data is stored and processed primarily in the United States. If you use MishMish from outside the United States, your data is transferred internationally for the purposes described in this policy.

For users in the European Economic Area, United Kingdom, and Switzerland: this transfer is supported by Standard Contractual Clauses with our service providers (including Supabase, Google, and RevenueCat), providing GDPR-compliant safeguards.

Children

MishMish is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with information, please contact us and we will delete it.

Changes to this policy

If we make material changes to this policy, we will notify you via email and through an in-app notification at least 30 days before the changes take effect. Continued use of MishMish after the effective date constitutes acceptance of the updated policy.

Minor clarifications and non-material edits may be made at any time and reflected in the "Last updated" date at the top of this page.

Contact us

If you have any questions or concerns about this policy, or if you want to exercise any of your rights, please reach out to us at support@mishmishcompanion.app. We respond to every email personally.