1. Introduction
Noor Labs, LLC ("Noor Labs," "we," "us," or "our") operates the Maal mobile application, web dashboard, and website (collectively, the "Services"). We are committed to protecting your personal information and being transparent about how it is handled. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and the rights available to you.
By using any of our Services, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Services and contact us to delete your account.
2. Services Covered
This Privacy Policy applies to the following services operated by Noor Labs:
- Maal mobile app (iOS; Android planned)
- Maal web dashboard (noorlabs.io/dashboard)
- Maal website (noorlabs.io)
Throughout this policy, references to "the App" or "the Services" include all of the above unless stated otherwise.
3. Information We Collect
a. Account Information
When you create an account, we collect your name, email address, and password (via Supabase Auth). This information is used to authenticate you and associate your data with your account.
b. Financial Data You Enter Manually
To calculate your Zakat obligation, manage budgets, and track your finances, you may manually enter financial information including:
- Manual accounts (cash, savings, investments, gold, silver, and other assets)
- Transactions (income, expenses, transfers)
- Budgets and budget categories
- Zakat payments and zakat-related records
- Any other financial data you choose to record
This data is stored locally on your device and synced to our secure cloud database (Supabase) so it is available across your devices.
c. Financial Data Via Plaid Technologies, Inc.
If you choose to connect a bank account, we use Plaid Technologies, Inc. ("Plaid") to facilitate that connection. Through Plaid, we receive:
- Account names and types (e.g., checking, savings)
- Account balances
- Transaction history
- Financial institution names
- Plaid-assigned item IDs used to identify the connection
By connecting a bank account, you grant Noor Labs and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution according to the terms of Plaid's Privacy Policy. You can manage or revoke your bank connections at any time through the Settings section of the App or directly via my.plaid.com.
d. Device Information
We collect basic device information, including device type (iOS or Android) and app version, to ensure compatibility, deliver updates, and diagnose issues. We do not collect advertising identifiers, precise location data, or device fingerprints for tracking purposes.
e. Waitlist Signups
If you sign up for the Maal waitlist (on our website or through other channels), we collect your name, email address, and device preference (iOS or Android). This information is used solely to notify you of availability and is not combined with in-app data.
f. Authentication Data
You may sign in to Maal using email and password, Sign in with Apple, or Google OAuth. All authentication is handled by Supabase Auth. When you use Apple or Google sign-in, we receive only the information you authorize (typically your name and email address). We never receive or store your Apple ID password or Google account password.
Secure authentication tokens (issued by Supabase upon sign-in) are stored locally on your device using platform-standard secure storage. These tokens allow the App to verify your identity without requiring you to re-enter your password on each use. They do not contain your password or any financial data.
g. In-App Purchases and Donations
Maal offers an optional Pro subscription managed through RevenueCat, Inc. (planned). RevenueCat processes purchase receipts provided by the Apple App Store or Google Play Store to verify your subscription status. RevenueCat receives a pseudonymous app user ID and purchase receipt data — it does not receive your name, email address, or any financial data you enter in the App.
Donations to Noor Labs are processed through Stripe, Inc. All payment information (card number, billing address) is handled entirely by Stripe and never touches our servers. We receive only confirmation of payment amount and status.
Noor Labs does not process payments directly. All payment transactions are handled by Stripe, Apple, or Google through their respective platforms.
h. Affiliate and Outbound Links
The App contains links to third-party websites, including charitable organizations, gold and silver dealers, and halal finance platforms. These links include UTM tracking parameters (e.g., utm_source=maal) that allow us to understand which links are used, but they do not transmit any personal information about you. Clicking these links takes you to external websites governed by their own privacy policies. Noor Labs is not responsible for the privacy practices of third-party sites. Affiliate and referral links are clearly disclosed within the App.
i. Information We Do Not Collect
Maal does not include any advertising SDKs, third-party analytics tools, or behavioral tracking libraries. We do not collect your location, contacts, camera or microphone data, advertising identifiers, IP addresses for tracking purposes, or any information unrelated to providing the Maal service. We do not serve ads of any kind. We do not use tracking pixels.
4. How We Use Your Information
We use the information we collect exclusively to:
- Calculate your Zakat obligation based on your assets, nisab threshold, and hawl (lunar year) completion date
- Track your transactions, budgets, and financial accounts
- Sync your financial data across devices via your Supabase account
- Retrieve current gold and silver spot prices to compute the nisab in real time
- Establish and maintain connections to your bank accounts via Plaid on your request
- Retrieve bank balances and transactions through Plaid on your behalf
- Authenticate your identity and maintain session security
- Send transactional emails (welcome, approval, and credential notifications via Resend)
- Respond to support requests and communications you initiate
- Comply with applicable legal obligations
6. Third-Party Services
Maal integrates with the following third-party services to provide its functionality. Each service receives only the minimum data necessary:
- Plaid Technologies, Inc. — Bank account linking and balance/transaction retrieval (optional). Your bank credentials go directly to Plaid and are never shared with us. Plaid access tokens are stored server-side only, never on your device. Privacy Policy
- Supabase, Inc. — Authentication, user profiles, and cloud database. Data stored in the United States (us-west-1 region). Row Level Security ensures users can only access their own data. Privacy Policy
- Cloudflare, Inc. — Website hosting (Cloudflare Pages), API server (Cloudflare Workers), and DNS management. Workers are stateless with no persistent storage. Privacy Policy
- Resend, Inc. — Transactional emails (welcome, approval, credential notifications). Receives your email address and name only. Privacy Policy
- Stripe, Inc. — Donation processing and future subscription billing. Payment information is handled entirely by Stripe and never touches our servers. Privacy Policy
- Apple, Inc. — TestFlight distribution, App Store distribution, push notifications, and payment processing. Privacy Policy
- RevenueCat, Inc. — In-app subscription management (planned). Receives a pseudonymous app user ID and purchase receipts from Apple/Google to verify subscription status. Does not receive your name, email, or financial data. Privacy Policy
- Expo / EAS (Expo Application Services) — App build and update infrastructure. No personal user data is shared with Expo. Privacy Policy
7. Data Storage and Security
Maal follows a local-first architecture. Your financial data is stored on your device with AES-256 encryption and synced to our cloud database (Supabase) for cross-device access.
We implement the following security measures:
- Local data encrypted with AES-256 on device.
- Cloud data stored in Supabase (US, us-west-1 region) with Row Level Security — users can only access their own data.
- All data transmitted between the App, our server, and Supabase is encrypted in transit using TLS (Transport Layer Security).
- Data is encrypted at rest within Supabase's infrastructure.
- Plaid access tokens are stored exclusively server-side in Supabase. They are never transmitted to or stored on your device.
- API server runs on Cloudflare Workers, which are stateless with no persistent storage.
- Authentication is handled via Supabase Auth with industry-standard password hashing.
- Access to your data is restricted to your authenticated session only.
- Local data is cleared on sign-out.
No method of electronic transmission or storage is 100% secure. While we take your security seriously and use commercially reasonable safeguards, we cannot guarantee absolute security.
8. Data Retention
We retain your personal information for as long as your account is active. If you delete your account, we will permanently delete your personal information — including your account details and all financial data — from Supabase within 30 days of the deletion request.
You can delete your account at any time from the Settings section of the App. You may also disconnect any linked bank accounts at any time directly from the App without deleting your account. Local data stored on your device is cleared when you sign out.
We may retain certain anonymized, aggregated data (e.g., total number of users) that cannot be used to identify you, for product analytics purposes.
9. Your Rights
a. All Users
Regardless of your location, you have the right to:
- Access the personal information we hold about you
- Export your data at any time
- Correct inaccurate or incomplete information in the App
- Delete your account and all associated data (removed from Supabase within 30 days)
- Disconnect any linked bank account at any time directly within the App
- Request a copy of your data by contacting us at hello@noorlabs.io
b. California Residents — CCPA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following additional rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions required by law.
- Right to Opt-Out of Sale: We do not sell your personal information, and we have not sold personal information in the past 12 months. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will receive the same quality of service regardless of whether you make a privacy request.
- Right to Correct: You may request correction of inaccurate personal information we maintain about you.
To exercise your CCPA rights, contact us at hello@noorlabs.io. We will respond within 45 days as required by law.
c. EU/EEA Residents — GDPR Rights
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) grants you the following rights:
- Right of Access (Article 15): You may request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You may object to the processing of your personal data where we rely on legitimate interests as our legal basis.
- Right to Restrict Processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
- Right to Withdraw Consent (Article 7): Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Response timeframe: We will respond to your request within one month of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will notify you within the first month.
Legal basis for processing: We process your personal data under the following legal bases: (1) Performance of a contract — to provide the Maal service you have requested; and (2) Legitimate interests — to maintain the security and integrity of our service and to improve it.
Data controller: Noor Labs, LLC, California, United States. Contact: hello@noorlabs.io.
If you are unsatisfied with our response to a privacy request, you have the right to lodge a complaint with your local data protection authority.
d. Other US State Residents
Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others — may have similar rights to access, delete, correct, and port their personal data. If you believe your state grants you specific privacy rights, please contact us at hello@noorlabs.io and we will honor your request consistent with applicable law. We will respond within 45 calendar days.
10. Children's Privacy
Maal is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will take steps to delete that information as quickly as possible.
If you believe we may have inadvertently collected information from a child under 13, please contact us immediately at hello@noorlabs.io.
11. Zakat and Islamic Context
Maal provides tools for calculating and tracking Zakat obligations. All Zakat calculations are for informational purposes only and do not constitute religious rulings, fatwas, or scholarly guidance. Users should consult qualified Islamic scholars (ulama) for complex or individual Zakat situations.
The App includes a charity directory with links to charitable organizations. Some of these links are affiliate or referral links, which is clearly disclosed within the App. Noor Labs does not endorse any specific charity and is not responsible for how donations are used by third-party organizations.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Revised" date at the top of this page
- Send an in-app notification informing you that the Privacy Policy has been updated
We encourage you to review this policy periodically. Your continued use of Maal after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Last revised: April 1, 2026
Adil Rizwan, Founder — Noor Labs LLC