Privacy Policy

Last Updated: February 28, 2026

Loading audio...

Introduction

Truth Promoters is committed to protecting your privacy. This privacy policy explains how we handle data on our website. In short: we do not collect, store, or transmit any personal information to our servers.

Information We Collect

For Public Visitors: We do not collect or store any personal information on our servers, with the exception of messages submitted via our Contact Form (see below). All other data related to your preferences and settings is stored locally in your browser and never transmitted to us.

Contact Form: If you choose to send us a message via the Contact Us page, we store your name, email address, subject, and message securely on our servers. This information is used solely to read and respond to your enquiry. We do not share this information with any third party. Your IP address is temporarily recorded for rate limiting purposes only and is not displayed or used for any other purpose. You may request deletion of your contact messages at any time by emailing us.

For Admin Users: See the Admin User Authentication section below for information about data collected for authorized administrators.

Admin User Authentication (Authorized Personnel Only)

This section applies ONLY to authorized administrators and content creators (approximately 10-15 people). If you are a regular visitor to our website, this does not apply to you.

What We Collect for Admin Users:

  • Email address: Gmail account used for authentication
  • Name: From your Google profile
  • Profile picture: From your Google profile
  • IP address: For audit logs and security monitoring
  • Browser information: For audit logs and security purposes
  • Login timestamps: To track account activity

Purpose: Secure authentication and audit trail for system security and compliance. We use Google OAuth (Google Sign-In) to verify admin identity without storing passwords.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - authentication of authorized personnel for content management and website administration.

Storage: PostgreSQL database, encrypted at rest and in transit via SSL/TLS.

Retention: Active admin accounts retained indefinitely while authorized. Audit logs retained for 90 days, then automatically deleted.

Access Control: Only Super Administrators can view user management data. Admin users cannot view other admins' personal information.

Local Storage Usage

We use your browser's local storage (not cookies) to remember your preferences and improve your experience. This is considered "strictly necessary" functional storage under GDPR and does not require explicit consent.

What We Store Locally

  • Prayer Time Preferences: Your chosen calculation method (e.g., Ithna Asheri, Muslim World League), prayer time offset adjustments (±14 minutes per prayer), and Imsaak display preference
  • Theme Preference: Your dark mode/light mode selection
  • Location Data (Temporary): If you grant geolocation permission, we temporarily use your coordinates to calculate prayer times. This data is never sent to our servers.

Key Points About Local Storage:

  • Stays in your browser: All data remains on your device
  • Not transmitted: We never receive or access this data
  • No personal information: Contains only functional preferences
  • Full control: You can clear it anytime via browser settings

Purpose: To provide you with personalized prayer times according to your chosen calculation method and local adjustments, and to remember your interface preferences.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - providing functionality you explicitly request when you configure your preferences.

Cookies

For Public Visitors: We do not use cookies. All preferences are stored in browser local storage instead.

For Admin Users: We use httpOnly session cookies for authentication purposes only. These cookies:

  • Are strictly necessary for admin system functionality
  • Expire after 24 hours (automatic sign-out)
  • Are signed and encrypted (cannot be tampered with)
  • Use SameSite=Lax for CSRF protection
  • Are httpOnly (not accessible to JavaScript, preventing XSS attacks)
  • Are NOT used for tracking, analytics, or advertising

Third-Party Services

For Public Visitors: We do not use any third-party tracking, analytics, or advertising services. We do fetch content from external RSS feeds to display articles on our homepage, but this does not involve any user tracking or data collection.

When a reflection includes a YouTube video, we load a thumbnail image from YouTube (img.youtube.com) to display a preview. This image request is made by your browser directly to YouTube's servers and is subject to Google's Privacy Policy. The actual video only loads when you click play. No tracking cookies are set — we use YouTube's privacy-enhanced mode (youtube-nocookie.com) for video embeds.

For Admin Users: We use Google OAuth (Google Sign-In) for secure authentication. When an admin signs in:

  • They are redirected to Google's sign-in page
  • Google verifies their identity
  • We receive their email, name, and profile picture
  • No tracking data is shared with Google beyond authentication

We do NOT use Google Analytics, Google Ads, or any other Google tracking services. OAuth is used solely for secure authentication.

Prayer Times Calculation

Prayer times are calculated entirely in your browser using astronomical formulas. We do not send your location data to external servers.

If you grant geolocation permission, your coordinates are used only for calculating prayer times locally and are not transmitted anywhere. Learn more about our calculation methodology.

Push Notifications

If you opt-in to push notifications for prayer times, community events, or Islamic calendar reminders, we collect and store the following data:

What We Collect:

  • Push subscription endpoint: A URL provided by your browser's push service (Google, Mozilla, or Apple)
  • Encryption keys: p256dh and auth keys for end-to-end encryption
  • Location: Latitude and longitude for prayer time calculation. If you grant browser location permission, we use those coordinates. If not, we determine your approximate location from your IP address via Cloudflare headers.
  • City and country: Determined from your IP address via Cloudflare headers for display purposes and optional geo-targeted community announcements
  • Timezone: For scheduling notifications at correct local times
  • Preferences: Which notifications you want (prayer times, community events, calendar reminders) and notification sound preference
  • Device information: Browser user agent for debugging subscription issues

Purpose: To send you prayer time reminders, community event notifications, and Islamic calendar reminders at the times you specify.

Geo-Targeted Notifications: If you opt-in to community event notifications, administrators may occasionally send announcements targeted to specific regions (e.g., events in your country or city). Your city/country data is used solely to ensure you receive relevant local announcements.

Multiple Devices: You can subscribe to notifications from multiple devices or browsers. Each subscription is stored separately.

Data Security: Notifications are end-to-end encrypted using the Web Push protocol. Browser push services (Google, Mozilla, Apple) cannot read the content of your notifications.

No Third-Party Sharing: Your notification data is stored on our self-hosted database and is never shared with third parties.

Your Control: You can disable notifications at any time via our settings or your browser settings. When you unsubscribe, all your notification data is permanently deleted.

Legal Basis: Consent (GDPR Article 6(1)(a)) - You explicitly grant permission via your browser's notification dialog. This is NOT cookie-based tracking and does not require a cookie consent banner.

Anonymous Site Analytics

We collect anonymous, aggregate statistics about website usage to understand which content is popular and improve the user experience.

What We Collect:

  • Page visits: Which pages are viewed and when
  • Approximate location: Country and city (derived from IP address, then the IP is immediately discarded)
  • Device information: Browser name/version, operating system, device type (parsed from User-Agent header)
  • Traffic source: Which website you came from (referrer domain)

What We Do NOT Collect:

  • IP addresses: Used for geolocation lookup, then immediately discarded
  • Personal identifiers: No login required, no account data
  • Cookies or tracking pixels: We do not use any tracking cookies
  • Cross-site tracking: We cannot identify you across different websites

Purpose: To understand which content is popular, where our community is located, and ensure the site works well on all devices.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - understanding aggregate site usage to improve content and user experience. Since no personal data is collected and IP addresses are immediately discarded, this has minimal privacy impact.

No Cookie Consent Required: Because we do not use cookies for analytics and do not store IP addresses, no cookie consent banner is required for this feature.

IlmFlow — Islamic Knowledge Base

IlmFlow is our Islamic knowledge base for browsing and searching the Quran, Tafsir al-Mizan, Sahifa al-Sajjadiyyah, and Mafatih al-Jinan. It includes an AI-powered study workspace with chat, clips, notes, and bookmarks.

Public Browsing & Search (No Account Required):

  • Scripture browsing: Browsing the Quran, Tafsir al-Mizan, Sahifa, and Mafatih is purely read-only content display. No data is collected.
  • Search queries: Semantic and keyword search queries are sent to our servers for processing but are not logged or stored. Each search is stateless and anonymous.

Workspace Features (Visitor ID):

The IlmFlow study workspace uses a visitor ID — a random UUID generated in your browser and stored in localStorage. This is not linked to any personal identity or Google account. It allows you to save your work across sessions.

  • AI Study conversations: Chat messages with the AI tutor are stored on our servers tied to your visitor ID, allowing you to continue conversations across sessions
  • Clips, notes, and bookmarks: Saved passages, personal notes, and bookmarked scripture are stored on our servers tied to your visitor ID
  • Projects: Named collections of clips, notes, and bookmarks for organising your study materials
  • Pseudonymous: Your visitor ID is a random UUID with no connection to your real identity. Clearing your browser data removes the link to your stored data

Short URL Clicks (i1m.me):

  • Anonymous click counting: When someone clicks an i1m.me short link, we record the approximate location (country and city derived from IP address) and referrer domain. The IP address is immediately discarded after geolocation lookup — it is never stored.

What We Do NOT Collect:

  • IP addresses: Used only for short URL geolocation, then immediately discarded
  • Personal identifiers: Visitor ID is a random UUID, not linked to any account or identity
  • Search query history: All searches are stateless and not logged
  • Cross-site tracking: No tracking cookies or analytics are used

Purpose: Providing access to Islamic sacred texts and AI-assisted study tools for the community.

Retention: Workspace data (conversations, clips, notes, bookmarks) is retained until deleted by the user. Users can export and delete their data at any time from the workspace settings. Clearing browser data removes the visitor ID, which severs the link to any stored data. Short URL click analytics are retained indefinitely (fully anonymous, no personal data).

Storage: IlmFlow data is stored in a separate self-hosted PostgreSQL database dedicated to the knowledge base. This is separate from the main website database.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) for anonymous browsing and search. Consent through use for workspace data storage — by creating conversations or saving clips, you implicitly consent to server-side storage tied to your pseudonymous visitor ID.

Software Downloads

We offer free software tools such as Substack Editor for download. When you download our software, we log basic information for security and analytics purposes.

What We Collect:

  • IP address: Full IP address stored for security monitoring and abuse prevention
  • Platform: Which version you downloaded (macOS, Windows, Linux)
  • Timestamp: When the download occurred
  • Browser information: User agent string for debugging
  • Referrer: Which page you came from (to detect unauthorized hotlinking)

Optional Email Collection:

Before downloading, you may optionally provide your name and email address to receive update notifications. This is completely optional - you can skip this step and download directly.

  • Email addresses are only used for software update notifications
  • You can unsubscribe at any time by contacting us
  • We never share your email with third parties

Purpose: Download analytics (popularity by platform), security monitoring (detecting abuse), and optional update notifications.

Retention: Download logs are retained for 90 days. Email addresses provided for updates are retained until you request removal.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) for download logging; Consent (GDPR Article 6(1)(a)) for optional email collection.

Your Rights & Data Control

Clear Your Data

You can clear all locally stored preferences at any time by clearing your browser's cache and local storage. Instructions vary by browser:

  • Chrome/Edge: Settings → Privacy and security → Clear browsing data → Check "Site settings" or "Cookies and other site data"
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
  • Safari: Preferences → Privacy → Manage Website Data → Remove All

GDPR Rights

Since we do not collect or process any personal data on our servers, most GDPR rights (access, rectification, erasure, etc.) do not apply in the traditional sense. However, you have full control over any data stored in your browser and can delete it at any time as described above.

Security

Since we do not collect or transmit personal data, there is minimal security risk. All data stays in your browser under your control. We use HTTPS to encrypt all communication between your browser and our website.

Children's Privacy

Our website is appropriate for all ages. Since we do not collect any personal information, there are no specific privacy concerns regarding children's use of the site.

Server Logs

Like most websites, our servers automatically log basic technical information such as IP addresses, browser type, and pages visited for security and operational purposes. These logs are retained for a limited period necessary for security purposes and then deleted. This data is not used for tracking or profiling.

Audit Logging (Admin Users)

This section applies ONLY to authorized administrators. For security, compliance, and incident response purposes, we maintain detailed audit logs of admin user activity.

What We Log for Admin Users:

  • Login and logout events: Timestamps of admin sign-in and sign-out
  • IP addresses: Network address used to access the admin system
  • Geographic location: Approximate location based on IP address (city/country level)
  • Browser and device information: Browser type, version, operating system, and device type
  • Admin actions: User management changes, content modifications, settings updates
  • Failed access attempts: Unauthorized access attempts and permission denials

Purpose: Security monitoring, incident response, compliance verification, and audit trail for administrative actions.

Retention: Audit logs are retained for 90 days, then automatically deleted. This provides sufficient time for security investigations while minimizing long-term data storage.

Access: Only Super Administrators can view audit logs. Regular admin users cannot view logs, including their own activity logs.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - security monitoring and compliance verification for authorized personnel managing website infrastructure.

Changes to This Privacy Policy

We may update this privacy policy from time to time. The "Last Updated" date at the top of this page indicates when the policy was last revised. If we make material changes, we will post a notice on our homepage.

Contact Us

If you have any questions about this privacy policy, please use our Contact Form to get in touch with us.

Summary

For Public Visitors:

  • Zero data collection: We don't collect, store, or transmit any personal data to our servers
  • Local storage only: Preferences stay in your browser
  • No tracking: No analytics, no ads, no behavior monitoring
  • Full control: You can clear your data anytime
  • GDPR-compliant: Strictly necessary functional storage only
  • IlmFlow browsing: Scripture content is read-only with no data collection; search queries are not logged

For Admin Users (~10-15 authorized personnel):

  • Google OAuth authentication: Secure sign-in without password storage
  • Data collected: Email, name, profile picture, login timestamps, IP addresses
  • Purpose: Authentication, security monitoring, audit trail
  • Retention: Active accounts indefinitely; audit logs 90 days
  • No tracking: Admin cookies used ONLY for authentication, not analytics
  • GDPR-compliant: Legitimate interest for authorized personnel
← Back to Home