PRIVACY POLICY
Last Updated: 2026-05-11
As Huma Yazılım Anonim Şirketi ("Company", "We", "NUR"), we respect your privacy and take care to keep your personal data protected. This Privacy Policy explains the information we collect, use, share, and protect while you use the NUR mobile application and related websites (the "Service").
This Policy has been prepared to meet the requirements of GDPR Articles 13 and 14, the CCPA, COPPA, the Apple App Store Review Guidelines 5.1.1, and Google Play Data Safety. For users resident in Türkiye, a detailed KVKK Disclosure Notice and Explicit Consent Statement are provided as separate documents.
1. SCOPE AND DEFINITIONS
"Personal Data": Any information relating to an identified or identifiable natural person.
"Processing": Any operation performed on personal data, whether or not by automated means, such as collection, recording, storage, retention, modification, reorganization, disclosure, transfer, takeover, making available, classification, or restriction of use, provided that it forms part of any data filing system.
"Data Controller": The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
2. DATA CONTROLLER
- Title: Huma Yazılım Anonim Şirketi
- Address: Sarıdemir Mah. Ragıp Gümüşpala Cad. Ahenk Han İş Merkezi No: 29 İç Kapı No: 103 Fatih / İstanbul / Türkiye
- Tax No: 4641985523 — Mersis No: 0464198552300001
- E-mail: destek@huma.ist / info@huma.ist
3. DATA WE COLLECT
3.1. Data You Provide Directly to Us
- Account Information: name, e-mail, profile photo
- Authentication: Google/Apple Sign-in token, session information
- User Content: rooms you create in dhikr rooms, your likes, your favorite lists
- Communication Content: support requests and feedback messages
3.2. Data Collected Automatically During Use of the Service
- Usage Data: which content you played, playback duration, completion rate, likes, screen view times
- Device Data: device type, operating system, app version, IDFV (iOS) / Android ID, FCM push token
- Connection Data: IP address, language setting, time zone
- Location (precise): only with device permission, for prayer time / qibla calculation
- Advertising Identifiers: IDFA (iOS, with ATT permission) / AAID (Android)
- Crash and Performance Data: Firebase Crashlytics stack traces, performance metrics
3.3. Data We Receive from Third Parties
- Google/Apple Sign-in: e-mail, name, profile photo, verified e-mail status
- RevenueCat: store transaction ID, subscription status
- Invite System: name/photo information shared by another user who invited you (GDPR Art. 14 disclosure: may contain invitation records relating to you)
3.4. Data We Do Not Collect
The NUR application does not collect the following categories of data:
- Bank card / credit card number (payments are managed by the store)
- Biometric data, voice recording, microphone access
- Health data, religious-opinion tendencies (only usage behavior is processed; no tendency inference is made)
- Messaging content (there is no text chat in dhikr rooms)
4. WHY AND HOW WE USE DATA (PURPOSE & LEGAL BASIS)
| Purpose | Data Types | Legal Basis (GDPR Art. 6 / KVKK Art. 5) |
|---|---|---|
| Account creation and authentication | Identity, contact, device | Performance of contract (Art. 6(1)(b)) |
| Service delivery (content, prayer time, dhikr) | All core data | Performance of contract |
| Security and abuse prevention | Device, log, IP | Legitimate interest (Art. 6(1)(f)) |
| Legal obligations (log retention, tax) | Connection, financial | Legal obligation (Art. 6(1)(c)) |
| Product development and error analysis | Crashlytics, performance | Legitimate interest |
| Analytics and behavior measurement | Usage events | Explicit consent (Art. 6(1)(a)) |
| Personalized advertising | IDFA/AAID | Explicit consent |
| Marketing communication | Contact, permission | Explicit consent (Law No. 6563 + İYS) |
| Invite system PII sharing | Name, e-mail, photo | Explicit consent |
5. WITH WHOM WE SHARE DATA
Your data is shared only with the categories of parties listed below and only for the stated purposes:
5.1. Service Providers (Data Processors)
- Google LLC (USA): Firebase Authentication, Cloud Firestore, Cloud Functions, Firebase Cloud Messaging, Firebase Analytics, Crashlytics, AdMob, Geocoding API
- Apple Inc. (USA): Sign in with Apple, App Attest, App Tracking Transparency
- RevenueCat Inc. (USA): Subscription and store transaction management
5.2. Content and Streaming Services
- MP3Quran.net (Saudi Arabia): Quran recitation content streaming (content fetch only — no user PII shared)
5.3. Legal Requests
Your personal data may be shared in response to lawful requests from competent judicial/administrative authorities.
5.4. Corporate Transfer / Merger
In the event of a merger, acquisition, or asset transfer, user data may be transferred to the acquiring party; in such case you will be notified in advance.
WE DO NOT SELL YOUR PERSONAL DATA TO THIRD PARTIES FOR ADVERTISING PURPOSES.
6. CROSS-BORDER DATA TRANSFER
The vast majority of the above service providers are established in the United States of America. Therefore, your data is transferred abroad. The following legal safeguards are used for these transfers:
- EU Commission Standard Contractual Clauses (SCC),
- Standard Contracts under Türkiye's Regulation on the Transfer of Personal Data Abroad dated 10 July 2024, and
- For situations where Standard Contracts are insufficient, your explicit consent (KVKK Art. 9/6, GDPR Art. 49(1)(a)).
For details, please review the Cross-Border Transfer Undertaking document.
7. DATA RETENTION PERIODS
We retain your data only for as long as necessary for the processing purposes. Details are set out in the Personal Data Retention and Disposal Policy document. Summary:
| Data Type | Retention Period |
|---|---|
| Active account data | As long as the account is active |
| Pseudonymized logs of deleted accounts | 3 years (burden of proof) |
| Traffic logs under Law No. 5651 | 2 years |
| Tax/subscription records (VUK) | 10 years |
| Marketing permissions | Until permission is withdrawn + 3 years proof |
| Crashlytics reports | 90 days |
| Audit log (consent history) | 5 years |
8. YOUR RIGHTS
You have the following rights (the scope varies depending on jurisdiction and applicable legislation):
- Right of access: to learn which data of yours we process
- Right to rectification: to request correction of incorrect or incomplete data
- Right to erasure / right to be forgotten: to request deletion of your data
- Right to restrict processing: cessation of processing under certain conditions
- Right to data portability: to receive your data in a machine-readable format (Profile > Download My Data)
- Right to object: to object to processing based on legitimate interest
- Right to object to automated decision-making/profiling
- Right to complain: to lodge a complaint with the Personal Data Protection Authority (Türkiye) or your local supervisory authority
- Right to withdraw explicit consent: for processing based on consent, without retroactive effect
To exercise your rights: use the in-app "Profile > Privacy & My Permissions" menu or destek@huma.ist.
9. CHILDREN'S PRIVACY (COPPA + GDPR-K)
This section has been prepared in accordance with COPPA (Children's Online Privacy Protection Act — USA), GDPR-K Article 8 (EU General Data Protection Regulation), KVKK, and the Apple App Store / Google Play children's policies.
9.1. Age Restriction
The NUR application is NOT directed to the use of children under 13 years of age.
| Jurisdiction | Minimum Age |
|---|---|
| Republic of Türkiye | 13 |
| European Union (default, GDPR-K Art. 8) | 16 |
| United States of America (COPPA) | 13 |
| Other countries | According to the applicable local legislation |
Users under 13 are prohibited from creating an account, and this is enforced by the system.
9.2. Age Declaration
Date or year of birth is not requested at registration. Compliance with the age threshold is established by self-declaration — the user must accept the Terms of Service to create an account, and those Terms state the minimum age (13) explicitly. This is the same approach taken by industry-standard services (e.g. Spotify, Apple Music).
If a user who does not meet the age requirement is later discovered (through their own statement, a parent's report, or a support request), the account is immediately suspended and the data is deleted in accordance with Section 9.3 and Section 7 (Data Retention).
9.3. Parental / Legal Guardian Rights
If, as a parent or legal guardian, you suspect that your child has created an account on NUR despite not meeting the age requirement:
- E-mail: destek@huma.ist
- Subject line: "Child Account Violation Report"
- What you need to provide: the child's account e-mail address, type of relationship (parent/guardian), your contact information
Company obligations:
- The report is verified within 48 hours
- The account is deleted immediately, and all personal data belonging to the child is irreversibly destroyed via the accountDeletion Cloud Function
- Only a pseudonymized log (3 years) is retained — for audit purposes
Parental rights (COPPA Sec. 312.5):
- The right to review the data we have collected about the child
- The right to request deletion of the data
- The right to stop further data collection
9.4. Advertising and Data Collection from Children
NUR is designed for users aged 13 and over; the age threshold is enforced by self-declaration on Terms acceptance (see Section 9.2). The store age rating is 4+ on the App Store and "Everyone" on Google Play. To remain consistent with these ratings and to maximally protect children:
- Ads are served only as Non-Personalized Ads (NPA) — every AdMob request includes nonPersonalizedAds: true.
- No advertising identifier (IDFA, AAID) is collected; the iOS App Tracking Transparency (ATT) prompt is not shown.
- No behavioural targeting, remarketing, or cross-app tracking is performed.
- NUR is NOT published under "Made for Kids" / "Kids Category" — it contains measurement/advertising SDKs (AdMob, Firebase Analytics, Crashlytics) incompatible with those categories.
- NUR is NOT enrolled in Google Families Self-Certified Ad SDK programs; ads are intended for the adult target audience.
9.5. Additional Measures for Child Safety
NUR has no text chat feature; in dhikr rooms only name/profile photo are visible (no personal contact information), and users below the age threshold cannot be invited.
9.6. Apple / Google Platform Policies
NUR is listed on the App Store with a 4+ rating and on Google Play as "Everyone". This rating:
- Indicates that the content is suitable for all ages (no violence, no explicit content, etc.).
- Does not conflict with the 13+ account-creation minimum: the rating measures content suitability while the account age represents the data-collection threshold (consistent with KVKK Art. 5 and COPPA §312).
- Requires that ads are served NPA-only and that no advertising identifier is collected; Section 9.4 and Section 11.2 describe the framework in detail.
10. SECURITY
We apply industry-standard measures to protect your data:
- End-to-end encrypted communication with TLS 1.2+
- Role-based access control via Firestore security rules
- Device integrity verification via App Attest / Play Integrity
- Runtime application integrity checks via FreeRASP
- Regular security audits and penetration tests
No method of transmission over the internet or electronic storage method can be guaranteed 100% secure; although we exercise the utmost care, absolute security cannot be guaranteed.
11. COOKIES AND SIMILAR TECHNOLOGIES
This section complies with the ePrivacy Directive (EU), the Guidelines on Cookie Practices No. 2022/229 of the Personal Data Protection Board, and the Apple App Tracking Transparency requirements.
11.1. What is a Cookie?
A cookie is a small text file that websites store on user devices. In mobile applications, local storage mechanisms (SharedPreferences — Android, NSUserDefaults — iOS) and SDK storage are used instead of cookies.
11.2. Technologies Used in the Mobile App
The NUR mobile application does not use traditional HTTP cookies. Instead, the following local storage mechanisms are used:
Strictly Necessary Local Storage:
| Key | Purpose | Retention Period |
|---|---|---|
| auth_token | Session management | For the duration of the session |
| consent_cache | Explicit consent status (offline) | Until the account is deleted |
| download_settings | Download preferences | Until changed by the user |
| theme_preference | Light/dark theme | Until changed by the user |
| language_preference | Application language | Until changed by the user |
Functional:
| Key | Purpose | Retention Period |
|---|---|---|
| offline_tracks_key | Downloaded content list | Until deleted by the user |
| prayer_notification_state | Prayer notification preferences | Until changed by the user |
| dhikr_counter_local | Offline dhikr counter | Until synced with the server |
Analytics (with Explicit Consent):
| SDK | Data | Retention Period |
|---|---|---|
| Firebase Analytics | Event logs, session data | 14 months |
| Firebase Crashlytics | Crash stack traces | 90 days |
Advertising (Non-Personalized Ads — NPA only):
NUR serves only Non-Personalized Ads (NPA). Every AdMob request is sent with nonPersonalizedAds: true. This means ads are not targeted by user behaviour/interests; they are selected only from contextual signals (app category, country, language).
| SDK / Data Type | Collected | Retention |
|---|---|---|
| IDFA / AAID (advertising identifier) | ❌ Not collected — no iOS ATT prompt shown | — |
| Google Mobile Ads SDK (AdMob) | IP address (for approximate geolocation), device language/timezone, app version, ad impression/interaction counts | 14 months |
| Behavioural targeting / Remarketing / Cross-app tracking | ❌ Not performed | — |
Google's advertising partners: AdMob is Google's ad network. Ads served in NPA mode may come from Google's contracted third-party advertisers, but these parties cannot access user-identifying data. Details: https://policies.google.com/technologies/partner-sites
Additional information for EU / EEA users: For GDPR and ePrivacy compliance, when the app launches, a consent screen is shown via the Google User Messaging Platform (UMP). Even in NPA-only mode this consent is gathered in EEA countries; without consent, ad serving is suspended.
Seeing Fewer Ads in General:
You can opt out of Google's and other ad networks' tracking/profiling mechanisms via the links below. Since NUR does not show identity-based ads, these choices do not change NUR's ad behaviour but they do affect other apps.
- Google Ad Settings (all Google products): https://adssettings.google.com/
- EU / EEA — under IAB TCF: reopen the UMP form via Profile → "Manage Ad Consent"
- DAA (US/Canada): https://optout.aboutads.info/
- NAI: https://www.networkadvertising.org/choices/
- EDAA (Europe — web-based): https://www.youronlinechoices.eu/
11.3. Cookies Used on Our Websites
On our nurapp.web.app and huma.ist websites, only the following strictly necessary cookies are used:
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| __session | Firebase Hosting | Hosting session information | Session |
| locale_pref | nurapp.web.app | Language preference | 1 year |
No analytics or advertising cookies are currently used on our websites.
11.4. How Can You Manage Cookies?
Mobile App Local Storage:
- Uninstalling the app clears all locally stored data
- iOS Settings → NUR → Reset cache
- Android Settings → Apps → NUR → Storage → Clear data
Ad Tracking for NUR:
Because NUR collects no advertising identifier (IDFA, AAID), no device-level ATT/tracking adjustment is required — the NPA-only mode described in Section 11.2 is active by default.
Resetting Advertising Identifiers in Other Apps (General):
- iOS: Settings → Privacy & Security → Apple Advertising → "Personalized Ads" can be turned off
- Android: Settings → Privacy → Ads → "Delete advertising ID" (Android 12+) or "Opt out of Ads Personalization"
Web Browser Cookies: can be managed via Chrome / Safari / Firefox settings.
12. CHANGES TO THE POLICY
This Policy may be updated from time to time. In case of material changes:
- A re-consent modal is shown on app launch;
- A notification is sent to your registered e-mail address (where appropriate);
- The current version is published at https://nurapp.web.app/legal/privacy.
13. CONTACT
For any questions regarding this Policy or your personal data:
- E-mail: destek@huma.ist
- Mail: company address indicated above
Effective Date: 2026-05-11
Version: 2.0.0