Developer Privacy Policy Packet

Important Notice for Developers

For informational purposes only, we provide below GUIDELINES for a Developer Privacy Policy, a CHECKLIST, and a TEMPLATE of a Privacy Policy. They are intended as a reference to help you meet the minimum requirements for approval on the Quran Foundation platform.

You, as the developer, have unique knowledge of your application, its features, the specific data it collects, and its target audience. Therefore, you are solely responsible for ensuring your privacy policy is accurate, comprehensive, and fully compliant with all applicable laws, rules, and regulations in every jurisdiction where your app is available.

Important:
THE GUIDELINES, CHECKLIST, and TEMPLATE ARE PROVIDED ON AN “AS-IS” BASIS AND DO NOT CONSTITUTE LEGAL ADVICE. THE QURAN FOUNDATION DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR ANY ISSUES ARISING FROM YOUR USE OF OR RELIANCE ON THESE MATERIALS.

We strongly recommend that you consult with qualified legal counsel to ensure your final privacy policy is appropriate for your specific circumstances.


Guidelines for Developer Privacy Policy (Quran Foundation)

These guidelines describe the minimum expectations for any app that uses Quran Foundation (“QF”) APIs and seeks approval on the Quran Foundation platform.

1. Introduction and Scope of Policy

The developer’s privacy policy must clearly define its purpose and applicability.

A. Identification

State the full name of the application and explicitly mention that it uses the Quran Foundation APIs.

B. Ecosystem Context

Reference the Quran.com domain and QuranReflect to situate the app within the correct ecosystem.

C. Effective Date

Clearly display the date the policy was last updated and became effective.


2. Data Collection and Usage

This section must be transparent about what data is collected and why. A core principle of data privacy is data minimization, so developers should only collect what is necessary.

A. Types of Data Collected

  • List every type of personal and non-personal data the app collects, such as:
    • Email addresses
    • Avatars
    • Bookmarks
    • Notes
    • Reading history
  • Clarify that public Quran text and associated metadata are retrieved via the API without collecting personal user data from the source.

B. Purpose of Collection (Lawful Basis)

  • For each type of data collected, explain its specific purpose and which application features rely on it.
  • This fulfills the “Lawful Basis for Processing” requirement under regulations like GDPR.

C. Prohibited Uses

Include clear statements that:

  • No user data is used to build advertising profiles.
  • QF user data will not be sold, mined, or repurposed for any function beyond the explicitly stated features.
  • User-generated content, such as “user reflections,” is not used for training AI models without obtaining prior, specific user consent.

D. Handling of Sensitive Data (Religious Information)

Because data relating to religious beliefs is often classified as “special category” or “sensitive” data:

  • Acknowledge Sensitive Data
    The policy must recognize that data related to a user’s religious beliefs is considered sensitive personal data under GDPR and other global privacy laws, and therefore receives stronger legal protection.
  • Require Explicit Consent
    Developers must obtain explicit, affirmative consent from a user before collecting or processing any religious data.
    • This consent must be separate from general agreement to the terms of service.
    • It must require a clear, specific action from the user (for example, checking an unticked box).

3. Data Sharing and Third Parties

Transparency about data sharing is critical for user trust and legal compliance.

A. Sub-processor Disclosure

  • Identify all third-party services (sub-processors) that handle user data, such as:
    • Hosting providers
    • Analytics services
  • Provide direct links to the privacy policies of each of these third parties.

B. Data Protection Agreements

  • Affirm that legally binding contracts are in place with all third parties requiring them to protect user data.
  • The policy must state that third parties are required to respect Islamic content guidelines and are prohibited from misusing Quran / Quranic text.

4. Data Security

Developers must describe the measures in place to protect user data.

A. Security Measures

Specify the use of industry-standard security practices, including:

  • TLS for data in transit
  • Encryption-at-rest
  • Access controls
  • A defined secret rotation cadence

B. Incident Response

  • State the window for responding to a security incident, which must be less than 24 hours.

C. Compliance Reference

  • The policy must reference “Security Rule 6.9” as required.

5. User Rights and Controls

The policy must empower users by clearly explaining their rights over their data.

A. Data Control Mechanisms

  • Explain how users can revoke the application’s access via OAuth tokens and disable specific data permissions.
  • Provide a direct link to the QF OAuth Revocation endpoint.

B. Data Deletion

  • Describe the process for data deletion.
  • Link to an in-app “Delete My Data” screen or equivalent mechanism.

C. Other Data Rights

  • Inform users of their right to:
    • Access a copy of their data
    • Correct inaccurate information

6. Data Retention and Deletion

The policy must define how long data is stored.

A. Retention Period

  • State that user data is retained for as long as the user’s account is active.

B. Deletion Timeline

  • Commit that user data will be hard-deleted within 30 days of a request.
  • Clarify that data in backups will be wiped within 90 days.

C. QF Account Deletion

  • Ensure the policy states that if a user deletes their main QF account, associated data within the app (like notes and bookmarks) is also deleted.

7. Children’s Privacy

This section must address legal requirements related to minors.

A. Age Restrictions

  • Declare that the app is not intended for children under the age of 13 (or under 18 if aligning with Google Gemini or similar terms).
  • State that the app will block sign-ups if it detects a user is underage.

B. Parental Guidance (Optional)

  • For religious apps, developers may optionally include guidance for parents on supervising their children’s use of the app.

8. International Data Transfers

If the app is available globally, this section is required.

A. Cross-Border Transfers

  • Clearly state if user data may be processed in a country outside of the user’s home country.

B. Legal Safeguards

Because the application may be accessible in various international regions, the policy must adopt a high standard of data protection by default. It must state that:

  • For any international data transfer, the developer relies on legal mechanisms like the EU’s Standard Contractual Clauses (SCCs) or an equivalent data transfer framework to ensure data is protected in accordance with GDPR standards.

C. Local Law Compliance

  • Affirm that the developer is responsible for complying with all applicable data protection and transfer laws specific to the countries or regions where their users are located.

9. Policy Updates and Contact Information

The policy must be a living document, and users must be informed of changes.

A. Notification of Changes

  • Explain how users will be notified of material changes to the privacy policy, such as:
    • Via in-app banner
    • Via email
  • Explain how the effective date is updated.

B. Contact Details

  • Provide a valid email and postal address for privacy-related inquiries.
  • Guarantee a response to inquiries within 30 days.

Checklist – Developer Privacy Policy Compliance

This checklist summarizes the minimum items your app’s privacy policy must cover.

1. Introduction and Scope

  • ☐ The policy states the app’s name and its use of QF APIs.
  • ☐ The policy references the Quran.com and QuranReflect brand names.
  • ☐ A clear “Effective Date” is displayed.

2. Data Collection, Purpose, and Use

  • ☐ All types of collected user data are listed (e.g., bookmarks, notes, email).
  • ☐ The specific purpose for collecting each type of data is explained.
  • ☐ The policy includes a statement that no data is used to build advertising profiles.
  • ☐ The policy pledges that user data will not be sold, mined, or repurposed.
  • ☐ It explicitly forbids using user-generated content for AI model training without consent.

Sensitive Data

  • ☐ The policy acknowledges that religious data is a sensitive data category requiring special protection.
  • ☐ The policy confirms the app obtains explicit, opt-in consent before collecting any religious information.

3. Data Sharing and Third Parties

  • ☐ All third-party sub-processors (e.g., hosting, analytics) are named.
  • ☐ Direct links to the privacy policies of all third parties are provided.
  • ☐ The policy affirms that data protection agreements are in place with all sub-processors.

4. Data Security

  • ☐ The policy specifies security measures, including:
    • TLS
    • Encryption-at-rest
    • Access controls
    • Secret rotation cadence
  • ☐ The policy commits to a security incident response window of less than 24 hours.
  • ☐ “Security Rule 6.9” is referenced in the policy.

5. User Rights and Controls

  • ☐ The policy explains how users can revoke OAuth tokens and manage permissions.
  • ☐ A direct link to the QF OAuth Revocation endpoint is provided.
  • ☐ A link to an in-app “Delete My Data” feature is included.
  • ☐ Users are informed of their right to access and correct their data.

6. Data Retention and Deletion

  • ☐ The policy states data is retained only while the user’s account is active.
  • ☐ It commits to hard-deleting data within 30 days of a user request.
  • ☐ It commits to wiping data from backups within 90 days.
  • ☐ The policy ensures user data is deleted if their main QF account is deleted.

7. Children’s Privacy

  • ☐ The policy declares the app is not directed at children under 13 (or 18, as applicable).
  • ☐ The policy confirms that sign-ups from detected underage users are blocked.

8. International Data Transfers

  • ☐ The policy discloses if data may be transferred outside a user’s home country.
  • ☐ It states that a high-standard legal safeguard is used for such transfers (e.g., Standard Contractual Clauses (SCCs)), and affirms compliance with applicable data transfer laws in the developer’s regions.

9. Policy Updates and Contact

  • ☐ The method for communicating policy changes to users is explained.
  • ☐ A valid email and postal address are provided for privacy inquiries.
  • ☐ The policy guarantees a response to inquiries within 30 days.

Template – Developer Privacy Policy

Note: This is a template for developers to adapt. You must customize it to match your actual data practices and legal obligations.

PRIVACY POLICY for [App Name]

EFFECTIVE DATE: [Date Posted/Date of Last Revision]

[App Name] (“the App”) is provided by [Developer Company Name] (“we,” “us,” “our”). Our App is designed to work with the Quran Foundation (“QF”) APIs to provide you with a unique and engaging experience. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have about your information.

This App is an independent product and is not an official application of the Quran Foundation. It uses the QF API in accordance with their terms of service and accesses content from the Quran.com domain and QuranReflect to provide Quranic reading, reflection, and progress-tracking features.


2. INFORMATION WE COLLECT AND WHY

We collect only the minimum amount of data necessary to provide and improve our service. Here is a summary of the information we collect and why we need it.

| Data Type | What We Collect | Purpose of Collection |
|---|---|---|
| Account Information | Your email address, username, and avatar, as provided through your QF account. | To create and manage your account, authenticate you, and allow you to sign in. |
| App Activity | Your bookmarks, notes, and reading history within the App. | To provide core App features, such as saving your progress and personalizing your experience. |
| [Other Data Types] | [Add any other data types you collect, e.g., IP address, Device Info.] | [Explain the specific purpose, e.g., To optimize app performance and troubleshoot bugs.] |
| Sensitive Religious Information | Notes, reflections, or interactions of a religious nature that you choose to store. | We process this information only with your explicit, opt-in consent to support religious features you choose to use. |

Sensitive Religious Information

Our App may allow you to interact with religious content or create notes and reflections of a religious nature. Under privacy laws like GDPR, this is considered sensitive personal information.

We do not collect or process such sensitive information without your explicit, opt-in consent. You must take clear, affirmative action to agree to the collection of sensitive information.

Prohibited Uses of Your Data

We are committed to using your data responsibly and only for the purposes stated. We will never:

  • Use your data to build advertising profiles.
  • Sell, rent, or mine your personal information.
  • Use your personal content, such as your notes or reflections, to train artificial intelligence (AI) models without your separate and explicit consent.

3. WHO WE SHARE YOUR INFORMATION WITH

We do not sell your personal information. We may share it with trusted third-party service providers (sub-processors) who help us operate and improve the App. We have legal agreements in place with these providers to ensure they protect your data.

Our current service providers are, for example:

  • [Name of Service Provider, e.g., Google Analytics]: [Purpose, e.g., To analyze app usage and help us improve user experience.] – [Link to their Privacy Policy]
  • [Name of Service Provider, e.g., Amazon Web Services]: [Purpose, e.g., To host our application servers and your data securely.] – [Link to their Privacy Policy]
  • [Add any other providers you use]

These partners are contractually bound to respect our Islamic Content Guidelines and are prohibited from misusing any text from the QF platform.


4. HOW WE PROTECT YOUR INFORMATION

We take the security of your data very seriously and use a combination of technical and administrative measures to protect it, including:

  • Encryption: We use industry-standard encryption (TLS) to protect your data while it is in transit between your device and our servers. Your data is also stored in an encrypted-at-rest format on our servers.
  • Access Controls: We limit access to your personal data to authorized personnel who have a legitimate need to access it.
  • Security Practices: We follow a defined secret rotation cadence for our keys and passwords to enhance security.

In the event of a security incident, we are committed to responding in less than 24 hours. Our security practices are aligned with Security Rule 6.9.


5. YOUR PRIVACY RIGHTS AND CHOICES

You are in control of your personal information. You have the right to:

  • Access and Correct Your Data:
    You can review and update your account information at any time within the App’s settings.

  • Revoke Access:
    You can revoke our App’s access to your QF account at any time by visiting the QF OAuth Revocation endpoint:
    [Link to QF OAuth Revocation endpoint].

  • Delete Your Data:
    You can permanently delete your account and all associated data using the “Delete My Data” feature within the App. You can find this feature here: [Describe location, e.g., in the “Account Settings” screen].


6. HOW LONG WE KEEP YOUR INFORMATION

We retain your personal data only for as long as your account is active.

If you choose to delete your account, we will begin the deletion process immediately. Your data will be permanently deleted from our live systems within 30 days.

Data may remain in our secure, encrypted backups for up to 90 days, after which it will be permanently wiped.

If you delete your main Quran Foundation account, your associated data in our App, such as notes and bookmarks, will also be deleted in accordance with this policy.


7. CHILDREN’S PRIVACY

Our App is not intended for or directed at children under the age of [13 OR 18, depending on your app’s terms]. We do not knowingly collect personal information from children.

If we learn that we have inadvertently collected information from an underage user, we will block their sign-up and take steps to delete their information.


8. INTERNATIONAL DATA TRANSFERS

We operate globally, which means your personal information may be transferred to and stored on servers located outside of your home country. We are committed to protecting your data regardless of where it is processed.

To ensure your data is protected, we rely on high-standard legal safeguards like the EU’s Standard Contractual Clauses (SCCs) or equivalent frameworks.

Furthermore, we are committed to complying with all applicable local data protection and transfer laws in the regions where our users are located.


9. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by, for example:

  • Displaying a notice in the App, and/or
  • Sending you an email (if appropriate).

We encourage you to review this policy periodically. The “Effective Date” at the top of this page indicates when it was last revised.


10. HOW TO CONTACT US

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us by email or mail as follows:

  • Email: [Your Support Email Address]

  • Mailing Address:
    [Your Company Name]
    [Your Street Address]
    [Your City, State, Zip Code]
    [Your Country]

We guarantee a response to all privacy-related inquiries within 30 days.


Confidential – Quran Foundation Developer Privacy Policy Packet