Minbar

Legal

Privacy Policy

Effective April 16, 2026

How Minbar LLC collects, uses, and protects information when you use the Minbar websites, mobile apps, and services.

Minbar LLC (“Minbar,” “we,” “us,” or “our”) operates the Minbar platform: the minbar.one website, per-masjid websites under minbar.one subdomains or custom domains, the Minbar mobile apps for iOS and Android, and our backend services (together, the “Service”). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the choices you have. If you do not agree with this policy, please do not use the Service.

1. Who this policy covers

  • Members and visitors. This policy governs how we handle your data when you browse our websites, download our apps, create a Minbar account, or join a masjid community on the Service.
  • Masjid administrators. When a masjid uses Minbar to manage its community, the masjid is the “controller” of its members’ information and Minbar is the “processor.” This policy still describes what we do with that data, but the masjid’s own policies may also apply.
  • Anonymous contributors. If you post to a Dua Board or send a message through a masjid’s public contact form without signing in, this policy applies to that interaction.

2. Information we collect

Information you give us

  • Account information: first name, last name, email address, password (hashed and managed by our auth provider), optional phone number, optional profile photo, notification preferences, and quiet-hour settings.
  • Content you create: announcements, events, group chat messages, board posts (including Dua Board posts you mark anonymous), emoji reactions, inbox messages, masjid profile edits, correction suggestions, and any images you upload.
  • Payment information (masjid admins only): billing email, masjid name, and subscription details. Card numbers are collected directly by Stripe; Minbar never sees them.
  • Public contact form submissions: your name, email, and message when you contact a masjid from its public website without signing in.
  • Communications with us: messages you send to support@minbar.one.

Information we collect automatically

  • Device and app data: device model, operating system version, app version, push notification token, time zone, and preferred language.
  • Approximate location (with your permission): when you use the Explore tab to find nearby masjids, your coordinates are sent with the search request; we do not store them on our servers.
  • Usage data: pages viewed, features used, announcements opened, events viewed, sign-in timestamps, and similar product analytics.
  • Log data: IP address, request URLs, timestamps, browser type, and error reports (for example, stack traces captured by our error-tracking provider).
  • Browser storage: on per-masjid websites, a short session token (thread_session_*) stored in your browser’s localStorage lets you return to a contact-form conversation after verifying your email address. See the Cookies & Storage Notice.

Information we receive from third parties

  • Sign-in providers: if you sign in with Google or Apple, we receive your name, email, and a stable identifier from that provider. We never receive your password.
  • Stripe: subscription status, plan, renewal dates, and payment-failure events.
  • Masjid seed data: for masjids we pre-populate in the directory, we import publicly available information (name, address, phone, website) from sources such as the Google Places API. This does not include personal data about individual members.

What we do not collect

  • We do not ask for or store your date of birth.
  • We do not knowingly collect information from children under 13. See Section 9.
  • We do not store payment card numbers or CVVs.
  • We do not sell personal data, and we do not share it with third parties for their own advertising. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and we do not engage in cross-context behavioral advertising.

3. How we use your information

We use personal information to:

  • Provide the Service: deliver prayer times, route announcements and group messages, store your events, authenticate you, process subscription payments, and keep content scoped to the right masjid.
  • Send notifications: push notifications for announcements, events, prayer reminders, and group messages based on your preferences.
  • Send transactional email: account verification, password resets, receipts, contact-form replies, and admin invitations.
  • Improve the Service: aggregate analytics, error monitoring, and debugging.
  • Protect the Service: detect abuse, prevent spam, enforce our Acceptable Use Policy, and satisfy legal obligations.

We do not use your personal data for third-party advertising and we do not serve ads in the Service.

4. Legal bases (for users in the EEA and UK)

If you are in the European Economic Area or the United Kingdom, we process your personal data under one or more of these legal bases:

  • Contract — to deliver the Service you signed up for.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve features, balanced against your rights.
  • Consent — for push notifications and optional location access. You may withdraw consent at any time.
  • Legal obligation — to respond to lawful requests and to meet tax and accounting requirements.

5. Anonymous Dua Board posts

When you submit a post to a Dua Board with the anonymous option, the post is stored without any user identifier attached to it. Admins and other members cannot see who wrote the post, and we do not keep a hidden mapping that would let us reveal the author later. We may retain minimal metadata (masjid, timestamp) and short-lived request logs to prevent abuse. Emoji reactions are not anonymous — reactions are linked to your account so that masjids can moderate harassment.

6. How we share information

We share limited personal information with service providers that help us operate the Service. Each is bound by confidentiality and security obligations and may use the data only on our instructions.

CategoryProvidersWhat they receive
Hosting & infrastructureSupabase (database, auth, storage, realtime), Render (API hosting), Cloudflare (CDN, DNS, Pages)Account data, content, logs
PaymentsStripeBilling email and subscription metadata. Card data goes directly to Stripe.
Push notificationsFirebase Cloud Messaging (Google)Device token and notification content
Transactional emailResendRecipient email and message content
Error trackingSentryError logs and debugging context
Sign-in providersGoogle, Apple (if you choose to use them)Sign-in request

Masjid admins and community members. When you join a masjid, your name, profile photo, and any content you post become visible to admins and other members of that masjid. Content posted to a masjid’s public website (for example, a public event or announcement) may be visible to anyone.

Other disclosures. We may also share information:

  • To comply with a lawful request, court order, subpoena, or other legal process.
  • To protect the rights, property, or safety of Minbar, our users, or the public, or to investigate suspected abuse.
  • To a successor entity in connection with a merger, acquisition, financing, or sale of assets. We will notify you of any change of control that materially affects your data.
  • As aggregated or de-identified information that cannot reasonably be used to identify you.

7. How long we keep your data

  • Account data: kept as long as your account is active. When you delete your account, your profile is anonymized immediately (name becomes “Deleted User,” email is removed). Content you created may remain with anonymized authorship on the masjids that host it unless those admins delete it.
  • Masjid data after subscription cancellation: retained for 90 days to allow reactivation, then deleted.
  • Group chat messages: retained by tier — about 3 months (Community), 12 months (Growth), and up to 5 years (Foundation). Older messages are deleted automatically and cannot be recovered, even by masjid admins. If your community needs longer retention (for example, for pastoral records or board meeting minutes), choose a higher tier or keep those records outside Minbar.
  • Analytics: aggregated daily counts kept long term; raw event rows deleted after about 1 year.
  • Logs: up to about 90 days.
  • Billing records: kept as long as required by tax and accounting law.

8. Your rights and choices

  • Access — request a copy of the personal data we hold about you.
  • Correction — update your profile in the app at any time, or email us.
  • Deletion — delete your account from Settings › Delete Account, or email us.
  • Export — request a machine-readable copy of your data.
  • Notifications — turn push or email notifications on and off in Settings.
  • Objection / restriction (EEA/UK) — ask us to pause or stop certain processing.
  • Non-discrimination (California) — we will not charge you more or give you a worse Service for exercising your rights.

To exercise any right, email support@minbar.one from the address on your account. We respond within 30 days. You also have the right to complain to your local data-protection authority.

California “Shine the Light”: we do not share personal information with third parties for their own direct marketing.

Do Not Track: we do not respond to Do Not Track signals because we do not do cross-site tracking in the first place.

9. Children

Minbar is not directed to children under 13, and we do not knowingly collect personal information from them. If you are a parent or guardian and believe your child under 13 has created an account, email support@minbar.one and we will delete it promptly. Masjid admins who operate youth programs on the Service are responsible for obtaining any parental consent required by applicable law.

10. Location data

Prayer times are calculated from the coordinates the masjid admin enters, not from your device. Your personal location is used only when you open the Explore tab and grant the app permission; the coordinates are sent with the search request and are not stored on our servers. You can turn location off in your device settings at any time; the rest of the Service will still work.

11. Push notifications

If you grant permission, we store a Firebase Cloud Messaging device token tied to your account and send notifications according to your preferences. Notification bodies may include masjid names, short announcement text, and prayer names. You can turn notifications off in Settings › Notifications or in your device’s OS settings at any time.

12. International transfers

Our servers and most of our service providers are in the United States. If you use Minbar from outside the United States, your data will be transferred to and processed there. Where required by law, we rely on Standard Contractual Clauses or equivalent safeguards for international transfers.

13. Security

We protect personal data with encryption in transit (HTTPS/TLS), encryption at rest for our databases, row-level and tenant-scoped access controls, least-privilege service accounts, and routine security updates. No system is perfectly secure; if we learn of a breach that affects you, we will notify you in line with applicable law.

14. Changes to this policy

We may update this policy. If the changes are material, we will give notice by email or a prominent notice in the app. The “Effective” date at the top reflects the most recent revision. Continued use of the Service after that date means you accept the updated policy.

15. Contact us

Questions, requests, or complaints? Email support@minbar.one.

Minbar LLC · Wisconsin, United States of America.