Privacy Notice
Last updated 3 June 2026
Draft for review. This notice has been prepared from ICO and UK GDPR guidance and must be reviewed and amended by YourAfiyah before it is relied upon legally.
YourAfiyah ("we", "us", "our") is committed to protecting your privacy. This notice explains what personal data we collect, why we collect it, the legal basis on which we rely, and the rights you have. It is provided in accordance with Articles 13 and 14 of the UK GDPR.
Who we are
YourAfiyah is the data controller responsible for your personal data. We provide a halal, evidence-based supplement intelligence service for Muslim women in the UK.
If you have any questions about this notice or how we handle your data, contact us at privacy@yourafiyah.com.
What information we collect
- Account data — your name (or display name) and email address, created when you sign up.
- Health data — the answers you give in our questionnaire, which may include your health goals, symptoms, diagnosed conditions, medications, menstrual and reproductive status, dietary pattern, sun exposure, and body measurements. This is special category data under Article 9 of the UK GDPR.
- Location data — the city, and where you choose, the approximate coordinates you provide so we can calculate prayer times for your supplement schedule. We do not track your precise location in the background.
- Usage data — privacy-friendly, aggregated analytics about how the service is used (for example, pages visited), collected through Umami. Umami is cookieless, does not collect personal identifiers, and does not track you across sites.
Why we use your information and our legal basis
| What we do | Legal basis (UK GDPR) |
|---|---|
| Create and secure your account; provide the core service | Article 6(1)(b) — performance of a contract with you |
| Generate your personalised supplement recommendations and prayer-aligned schedule from your questionnaire answers | Article 6(1)(a) consent and Article 9(2)(a) — your explicit consent to process health data |
| Calculate prayer times from your location | Article 6(1)(a) — consent |
| Send you essential service emails (for example, account verification) | Article 6(1)(b) — performance of a contract |
| Improve and secure the service using aggregated analytics | Article 6(1)(f) — our legitimate interests in operating a reliable service |
Health data (special category data)
We only process your health data where you have given us your explicit consent (Article 9(2)(a)). You are never required to provide health data, but without it we cannot generate personalised recommendations. You can withdraw your consent at any time (see Your rights), and we will stop processing your health data and, on request, delete it.
Where your data is stored
Your data is hosted and processed by the following trusted providers (sub-processors), each acting on our behalf under a written agreement:
- Supabase (authentication and database) — hosted in the EU.
- Railway (application backend hosting and database) — both hosted in the EU (Amsterdam, Netherlands).
- Vercel, Inc. (frontend application hosting and content delivery) — based in the US. Where personal data is transferred to the US, the transfer is made under the UK–US Data Bridge.
- Resend (transactional email delivery) — based in the US. Where personal data is transferred to the US, the transfer is made under the UK–US Data Bridge (the UK extension to the EU–US Data Privacy Framework), which provides an adequate level of protection.
- Sentry (Functional Software, Inc.) — error monitoring and crash reporting. Sentry receives technical error data only: personal and health data is scrubbed before transmission. We disable default personal-data collection and strip user identifiers, IP addresses, request headers, request bodies, and health-related fields before any event is sent. Data is processed in the EU (Germany — ingest.de.sentry.io).
- Umami (Umami Software, Inc., "Umami Cloud") — privacy-friendly, cookieless web analytics. Umami receives only aggregated page-view data and no personal data, sets no cookies, and performs no cross-site tracking. Region: [confirm region — pending legal review] (as Umami processes no personal data, no transfer of personal data takes place).
How long we keep it
We keep your account and health data for as long as your account is active. If you delete your account, or ask us to erase your data, we will delete it without undue delay, except where we are required to retain limited records to meet a legal obligation. Aggregated analytics that cannot identify you may be kept indefinitely.
Sharing your information
We do not sell your personal data. We share it only with the service providers listed above, who process it on our behalf under written agreements, and where we are legally required to do so.
Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure of your data ("right to be forgotten");
- request restriction of processing;
- data portability — receive your data in a structured, machine-readable format;
- object to processing based on our legitimate interests;
- withdraw consent at any time, where we rely on your consent (including for health data).
To exercise any of these rights, contact privacy@yourafiyah.com. We will respond within one month.
Cookies and analytics
We use a small number of essential cookies to keep you signed in and remember your preferences. These are required for the service to function and do not need consent under PECR. For analytics we use Umami, which is cookieless and privacy-friendly — it sets no tracking cookies, collects no personal data, and does not profile you. Because it is cookieless and processes no personal data, it does not require consent under PECR.
Children
YourAfiyah is intended for adults. You must be 18 or over to create an account. We do not knowingly collect data from anyone under 18.
Security
We take appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and reputable hosting providers. No system is completely secure, but we work to protect your information and to notify you and the ICO of any breach where required.
Changes to this notice
We may update this notice from time to time. We will post the updated version here and, where changes are significant, let you know.
How to contact us and your right to complain
For any privacy question or to exercise your rights, email privacy@yourafiyah.com.
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, the UK supervisory authority for data protection.