Privacy Policy

Miqat (“we,” “us”) is an events and community platform for Islamic organizations — masjids, schools, charities, conferences, youth groups, and community centers. This policy explains what data we collect when you use Miqat, how we use it, who we share it with, and the choices you have.

This policy applies to all of Miqat:

• The Miqat website at miqatuna.com
• The Miqat organization dashboard
• The Miqat iOS app
• The Miqat Android app

We aim to collect only what we need to run the service and to keep your data private from the rest of the world by default.

Information you give us

• Account data— first and last name, email address, phone (optional), password (stored as a salted bcrypt hash, never as plain text), gender, and whether you identify as Muslim. Demographics are used to tailor event recommendations and audience defaults; you can review or update them in your profile.
• Address— city, state, country, and postal code. Used to show events near you and to associate organization registrations with a place.
• Organization data— if you register or join an organization, we store its name, type, public profile, members, events, volunteer applications, finances, and any documents you submit for verification.
• Event participation— RSVPs, ticket purchases, check-ins, and volunteer applications you submit.
• Donations— the amount, the campaign or fund you donated to, and (if you provide them) your name and email for the receipt. Card numbers are collected and stored by Stripe directly, never by Miqat.
• Requests— details of any service you request from an organization (e.g. a room booking, a class enrolment, a counseling appointment). See section 6 for how sensitive request types are handled.
• Content you create— event descriptions, organization profiles, AI-assisted drafts, and any text or images you upload.
• Communications— messages you send to organizers through the ticketing support assistant or the platform’s contact features.

Information collected automatically

• Session cookies— on the web, an opaque session token (httpOnly, SameSite=Lax) is set when you sign in. Required for the service to work.
• Mobile session token— the iOS and Android apps store a bearer token in the platform secure enclave (iOS Keychain / Android Keystore via Expo SecureStore). It is sent only over HTTPS to miqatuna.comand is cleared on sign-out.
• Security signals— sign-in attempts, MFA challenges, idle timeouts, and session devices. Used to protect your account from unauthorized access.
• Activity logs— admin and organizer actions on your organization (creating events, approving members, etc.) for audit and abuse prevention.
• Technical data— basic request logs (IP address, user agent, timestamps) for debugging and rate-limiting.

See sections 3 (location) and 4 (push notification tokens) for the two mobile-specific data types that are only collected with your explicit permission.

Location is optional. The iOS and Android apps ask for foreground location only at the point of use — not on first launch. You can deny the prompt, or revoke it later in your device’s system settings, and Miqat still works.

What we use location for, when you grant it:

• Showing events, masjids, and organizations near you on the Discover map and in “near me” lists.
• Suggesting a default mosque or organization to follow during onboarding.
• Filtering search results by distance when you turn that filter on.

What we do not use location for:

• Background tracking. The app does not request “always allow” location and does not track you while it is closed.
• Sharing your precise location with organizations or other users. Organizations see only the events you RSVP to or buy tickets for, not where you were when you tapped.
• Advertising, profiling for ads, or sale to third parties. Miqat does not show ads and does not sell location data.

If you prefer not to grant location, you can search for an organization or a city manually and pin a default mosque from your profile.

Push notifications are optional. The iOS and Android apps ask for permission only when you visit the Notifications screen and turn them on, not on first launch. You can disable them at any time from inside the app or from your device’s system settings.

When you enable push notifications:

• Your device issues an opaque push token (an Expo / Apple / Google identifier). We store it on your account so we know where to deliver your notifications.
• We use the token only to send notifications you can expect to receive: announcements from organizations you follow, reminders for events you RSVP’d to, and account-related updates such as ticket confirmations or sign-in alerts.
• Notification preferences are per-topic. You can turn individual categories on or off from Settings → Notifications inside the app.
• Push tokens are not sold, not shared with advertisers, and not used to build a marketing profile.
• If your device returns a “not registered” receipt, we delete the dead token automatically.

We do our best to deliver notifications promptly but cannot guarantee delivery — Apple, Google, and your network ultimately decide whether and when a push arrives.

• To provide the service: create your account, show events, process RSVPs and tickets, deliver QR codes for check-in, accept donations, and route service requests.
• To keep your account secure: enforce sign-in rate limits, MFA, idle session timeouts, and device-level session management.
• To send transactional email: account verification, password resets, MFA codes, ticket confirmations, donation receipts, and updates from organizations you follow.
• To send mobile push notifications (only if you enabled them — see section 4).
• To moderate the platform: enforce community standards, prevent abuse, and respond to reports.
• To improve Miqat: aggregated, non-identifying analytics. We do not sell or rent personal data, ever.

Some organizations on Miqat accept sensitive request types — for example counseling appointments, janazah (funeral) services, nikah (marriage) inquiries, new-Muslim support, or other pastoral / private services they choose to offer. When you submit one:

• The full details of your request are visible only to authorized staff at the organization you submitted to. Other staff in the same organization see a redacted summary (e.g. count and status), not the request body.
• Mobile push notifications for sensitive request types use generic titles and bodies (no request details in the lock-screen preview).
• Sensitive request data is never used for advertising, model training, or cross-organization features. It is not shared with other organizations on Miqat.
• You can withdraw a pending request from your profile, and you can ask the organization to remove an actioned one.

We share your data only when one of these applies:

• The organization you interact with. When you RSVP, buy a ticket, donate, apply to volunteer, or submit a request, the organization sees the data needed to act on it: your name and email, the relevant order / RSVP / donation / request details, and (for paid items) the Stripe-issued receipt id. They do not see your other organizations or your unrelated activity.
• Stripe— our payment processor for both ticket purchases and donations. When you check out, payment information (card / Apple Pay / Google Pay / bank) is collected and stored by Stripe directly; Miqat never sees or stores card numbers. Stripe receives the data it needs to process the payment (amount, currency, your email, and the destination Connected account). Donations are recorded against the campaign, fund, or sponsorship item you chose, and the receipt is emailed automatically. If you donated anonymously, the organization’s public-facing dashboard hides your name — though the organization’s finance staff still need to see donor identity for tax / reporting purposes. See Stripe’s privacy policy.
• Apple and Google— if you use the iOS or Android app and have enabled push notifications, your device’s push token is delivered by us through Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). They process the delivery but do not see notification content beyond what we hand them.
• Email and infrastructure providers— we use SMTP, hosting, and database providers under a vendor data-processing agreement. They handle your data on our behalf and don’t use it for their own purposes.
• Legal requirements— if we’re compelled by valid legal process, or if disclosure is necessary to protect Miqat or its users from harm or fraud.

We never sell your data. We never share it with advertisers or data brokers.

• Miqat does not contain ads.
• Miqat does not sell personal data.
• The iOS app does not request the Apple advertising identifier (IDFA) and is not used for cross-app advertising tracking.
• The Android app does not use the Android advertising id for targeting and is not used for cross-app advertising tracking.
• We do not embed third-party advertising SDKs, third-party analytics SDKs that profile users for ads, or social-network sharing widgets that fingerprint visitors.

Miqat offers AI-assisted features (event description drafting, marketing helpers, volunteer suggestions, finance summaries, ticketing support chat). When you use them:

• The text you submit is sent to our AI provider (Anthropic Claude) for processing under their data-protection terms. Anthropic does not train its models on this content.
• AI-generated drafts are stored in your organization’s account so you can review, approve, or reject them.
• AI output is clearly labelled as such in the dashboard.
• Token usage and request metadata are logged for billing and abuse prevention.
• Sensitive request bodies (section 6) are not sent to AI features.

You can:

• View and update your profile in Profile → Personal info on web, or Settings → Profile in the mobile app.
• Update demographics, address, and notification preferences at any time.
• Manage notification topics (email and push) in Profile → Notification preferenceson web, or Settings → Notifications in the mobile app.
• Sign out of all sessions and rotate your password from Profile → Security.
• Delete your account. Web: Profile → Security → Delete account. Mobile: Settings → Delete account (bottom of the screen). Both flows require you to confirm by typing your email and immediately end your session. Deletion removes your personal data; some records (e.g. orders the organization needs for accounting, or donation receipts required for tax reporting) may be retained as anonymized history.
• Request data export or out-of-band deletion by emailing support@miqatuna.com.
• Contact a specific organization to request removal from their member list.

• Account data — while your account is active, plus a short period after deletion for fraud prevention.
• Order, ticket, and donation records — up to 7 years after the event or donation, for tax and accounting requirements.
• Activity logs — 1 year, then aggregated.
• Email logs — 90 days.
• Push tokens — until you sign out, uninstall, or your device returns a “not registered” receipt (then auto-deleted).

We use industry-standard security: TLS for all traffic (including the mobile apps, which only call https://miqatuna.com), bcrypt for passwords, MFA support, session rotation, idle timeouts, rate limiting, and per-environment secrets. Mobile session tokens live in iOS Keychain / Android Keystore via Expo SecureStore — never in plain storage. No system is 100% secure — if we ever discover a breach affecting your data, we will notify you promptly.

Miqat is intended for adult community members and the staff of Islamic organizations who use the platform to run events, accept donations, and respond to requests. The mobile apps are rated for users aged 13 and over.

We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact us at support@miqatuna.com and we will remove it. Organizations creating events for children should ensure parental consent at the organization level.

Miqat is operated from North America and your data may be processed in the United States and other countries where our service providers operate. By using Miqat you consent to this transfer.

We may update this policy as the product evolves. Material changes will be announced by email and at the top of this page. The “Last updated” date above always reflects the current version.

Questions about this policy or your data? Email privacy@miqatuna.com or our general support team at support@miqatuna.com. You can also visit our support page for common help topics and account self-service.