Privacy Policy

Last updated: 24 March 2026

Munajat (“we”, “us”, “our”) operates the website munajat.app (the “Service”). This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

1. Information We Collect

Account Information

When you sign in with Google, we receive your name, email address, and profile photo from Google. We store this to create and manage your account. We do not receive or store your Google password.

Usage Data

We collect anonymous usage analytics through Umami, a privacy-focused, self-hosted analytics tool. Umami does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and cannot be used to identify individual users.

Bookmarks and Preferences

When you bookmark du'as, create collections, or change settings (theme, font), this data is stored to provide you with a personalised experience. Theme and font preferences are stored locally in your browser and are not sent to our servers.

Payment Information

If you choose to support Munajat, payment processing is handled entirely by Stripe. We never see, store, or have access to your full card number. We only receive a transaction confirmation and your Stripe customer ID to manage your supporter status.

2. How We Use Your Information

• To provide, maintain, and improve the Service
• To manage your account and supporter status
• To save your bookmarks and collections
• To understand how the Service is used (via anonymous analytics)
• To communicate with you about your account if necessary

3. Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Supabase (cloud infrastructure in Singapore). We use encrypted connections (TLS) for all data in transit. Passwords are never stored as we use Google OAuth for authentication.

4. Third-Party Services

We use the following third-party services that may process your data:

• Google OAuth — Authentication (name, email, profile photo)
• Supabase — Database hosting
• Stripe — Payment processing
• Cloudflare — CDN, DDoS protection, and DNS
• Upstash — Redis caching (no personal data stored)

Each of these services has their own privacy policy. We encourage you to review them.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Anonymous analytics data may be retained indefinitely as it cannot be linked to individuals.

6. Your Rights

Under the Singapore Personal Data Protection Act (PDPA), you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Withdraw consent for data processing

To exercise any of these rights, contact us at [email protected].

7. Cookies

We use a single essential cookie for authentication (session token). We do not use tracking cookies, advertising cookies, or any third-party cookies. Our analytics tool (Umami) is cookie-free.

8. Children

The Service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at [email protected].