Legal

Privacy Policy

Effective: February 2026 · Version 1.0

Kid-first

No ads, no ad-tech tracking of children.

Parent-controlled

Only a parent can enable GPS, moderation, cashout.

Minimal collection

We collect only what a feature needs. Delete anytime.

1. Who this applies to

This Privacy Policy explains what information the Al Noor Kids app ("the App") collects, how we use it, and the choices you have. It applies to parents, children, and any visitor to our public pages. It complies with the laws listed in §2 and any equivalent local child data-protection law in the user's country of residence.

2. Legal basis & child-data protection

Because Al Noor Kids is designed for families with children, we treat every child profile as protected under the strictest applicable child data-protection framework in the world. Depending on where the family resides, that may be:

  • United States — Children's Online Privacy Protection Act (COPPA); we obtain verifiable parental consent before creating any child profile.
  • California — CalOPPA + CCPA/CPRA (including CCPA-K).
  • Canada — PIPEDA (federal) and Québec Law 25 (with express consent for GPS).
  • EU / UK — GDPR Art. 6 (contract + consent) and Art. 8 (children); UK Age-Appropriate Design Code (ICO).
  • Australia — Privacy Act 1988 & Australian Privacy Principles.
  • Brazil — LGPD (Law 13.709/2018), Art. 14 (children & adolescents).
  • UAE — Federal Decree-Law No. 45 of 2021 (UAE PDPL).
  • Saudi Arabia — Personal Data Protection Law (PDPL).
  • Where a country's law is silent, the strictest of the above applies.

3. What we collect

Parent account

  • Name, email address, hashed password (bcrypt);
  • Family name and generated Family Code;
  • Consent timestamps: Terms & Privacy Policy acceptance, GPS opt-in.

Child profile

  • First name (or nickname), age, avatar choice, 4-digit PIN (hashed);
  • Islamic-routine activity: prayer logs, dua/adhkar logs, Qur'an-reading minutes, chores, quiz results, badges, Noor points;
  • Noor Chat messages the child sends to the AI (parent-visible; auto-moderated).

GPS / Safe Places (optional, opt-in)

  • Latitude, longitude, accuracy, timestamp — only while the child has the "Share my location" toggle ON;
  • Safe-place definitions (name, type, radius, coordinates) added by the parent;
  • Arrival events (which safe place, when).

Device & technical

  • JWT session tokens (browser localStorage);
  • Basic logs for security & abuse prevention (IP + user-agent, retained ≤ 30 days).

We do not collect: device contacts, photo library, microphone, or any biometrics. The App does not use third-party advertising trackers, marketing cookies, or ad SDKs on children.

4. How we use the information

  • Delivering the App's features (routines, chores, chat, quizzes, digest);
  • Awarding & verifying Noor points and streaks;
  • Sending prayer / mission reminders (only after the device's notification permission is granted);
  • Detecting safe-place arrivals for parent peace of mind (only when GPS consent is active);
  • Moderating Noor Chat to flag potentially unsafe content for parent review;
  • Security, fraud prevention and legal compliance.

5. AI processors (Gemini, OpenAI)

Noor Chat, quiz generation, and the Weekly Family Digest are powered by large language models — currently Google Gemini and, for Qaida audio, OpenAI text-to-speech. Requests are proxied through our integration provider (Emergent LLM). Only the text of a message and the child's age band are sent. No name, email, or precise location is transmitted to the AI provider. The AI providers are contractually barred from using conversations to train their models.

6. GPS tracking — full disclosure

What: Latitude / longitude / accuracy, sent every 3 minutes while the child's toggle is ON.

Purpose: Detect when the child arrives at a parent-defined safe place (school, madrasa, masjid, grandparents' home). Show a "safe-arrival" log to the parent.

Consent: Requires both (a) a parent to accept the GPS-consent form in Settings, AND (b) the child to enable the toggle on their own dashboard, AND (c) the device to grant browser/OS geolocation permission. All three must be true.

Retention: Arrival events kept 90 days rolling; last-known location kept only until overwritten by the next ping. Never sold, never used for ads.

Sharing: Location is never shared with any third party. It is stored only in the family's own database record and visible only to the parent(s) on the family account.

Withdrawal: The parent can revoke GPS consent at any time from Settings. Doing so immediately purges all safe places, arrival records, and last-known-location fields.

US notice: Under COPPA, this counts as personal information of a child. We collect it only with verifiable parental consent, use it solely for the safe-arrival feature, and retain it only as long as needed. California residents may exercise CCPA rights (right to know, delete, correct, opt-out of sale — we do not sell).

Canadian notice: Under PIPEDA and Québec Law 25, we obtain express, meaningful consent for the collection, use and disclosure of location data. Consent can be withdrawn at any time.

EU/UK notice: Legal basis is GDPR Art. 6(1)(a) consent, freely given by the holder of parental responsibility (Art. 8). Data are processed on servers in the United States under Standard Contractual Clauses.

Global notice: Where local law grants stricter protection than the above (e.g., LGPD, PDPL-KSA, PDPL-UAE, Australia's APP 3), those protections prevail and take precedence.

7. Sharing & disclosure

We do not sell personal information. We share limited data only with the service providers we need to run the App (hosting, database, AI). All processors are bound by data-processing agreements. We may disclose data if legally compelled (court order, subpoena) — and where possible we will notify the parent first.

8. Data retention

  • Active accounts: retained while the family account exists;
  • Chat messages: kept for 12 months, then automatically pruned;
  • GPS ping data & arrivals: 90 days rolling window;
  • Deleted accounts: full purge within 30 days.

9. Your rights

Parents (on behalf of themselves and their children) have the right to:

  • Access all data we hold about the family;
  • Correct or update any child's profile;
  • Delete individual data points or the entire account;
  • Withdraw consent (Terms, GPS, chat AI) at any time;
  • Export data in a machine-readable format (JSON) on request;
  • Lodge a complaint with the local data-protection authority (e.g., FTC, ICO, CNIL, OPC, OAIC, ANPD, SDAIA, UAE DPA).

10. Security

All connections use HTTPS. Passwords are hashed with bcrypt. JWTs are short-lived. MongoDB databases are hosted in access-controlled environments with encryption at rest. No system is perfectly secure — please notify us immediately of any suspected compromise.

11. Cross-border transfers

Data may be processed in the United States and the country of the parent's residence. Where EU/UK data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses and, where relevant, the UK International Data Transfer Addendum.

12. Contact & complaints

Data controller: Al Noor Kids team.
Email: info@alnoorkids.com
If you are unhappy with our response, you may complain to your local data-protection authority.

In short

We collect only what a feature needs, keep it briefly, never sell it, never track kids for ads, and give parents one-tap deletion of everything. GPS is fully opt-in and can be turned off at any time — which instantly purges all location data.

Al Noor Kids · Terms of Service