Privacy Policy
Islamify.ai — islamify.ai — EMAD gUG (limited liability)
1. Controller
Responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Nawiaskystraße 27
81735 Munich
Germany
E-mail: datenschutz@islamify.ai
Phone: +49 89 20070281
Authorised managing directors: Emir Muminović, Meris Cerić, Damir Mujaković
2. Overview of data processing
We process personal data only to the extent necessary to provide our service or where you have consented to the processing. This privacy policy informs you about the type, scope and purpose of personal data processing when using our website islamify.ai and the associated mobile applications (collectively the "Service").
3. Legal bases for processing
We process your data on the following legal bases:
| Legal basis | Application |
|---|---|
| Art. 6 (1) (a) GDPR (consent) | Cookie consent, marketing analyses, newsletter |
| Art. 6 (1) (b) GDPR (contract performance) | Registration, account management, subscription handling, payment processing, provision of the chat service |
| Art. 6 (1) (c) GDPR (legal obligation) | Retention of invoice data (German Commercial Code / Tax Code) |
| Art. 6 (1) (f) GDPR (legitimate interest) | IT security, fraud prevention, service optimisation |
4. What data we collect
4.1 Registration data
Registration with Islamify.ai is exclusively via external authentication services (single sign-on, SSO). Registration with an email address and a self-chosen password is not provided. We do not store any passwords and do not operate our own password recovery process; if you have lost your access credentials, please contact the SSO provider you have chosen.
The following SSO providers are available:
- Google Sign-In — Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy
- Microsoft Entra ID (formerly Azure Active Directory) — Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Privacy policy
- Sign in with Apple — Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Privacy policy
- LinkedIn Sign-In — LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Privacy policy
When you sign in via one of these services, we receive from the respective provider:
- Name (where transmitted by the provider)
- E-mail address
- Profile picture (where transmitted by the provider)
- Unique user ID of the provider
Specifics of "Sign in with Apple": When signing in, you can choose to hide your real e-mail address. In that case Apple generates an anonymous forwarding address on the domain @privaterelay.appleid.com. We then receive neither your real e-mail address nor any way to determine it. Apple forwards messages sent to this relay address to your Apple ID and processes that forwarding as an independent controller. You can disable the relay address at any time in your Apple ID settings; e-mail delivery to your user account will then no longer be possible.
Legal basis: Art. 6 (1) (b) GDPR (performance of pre-contractual measures and contract performance — authentication via an SSO provider is a mandatory part of service provision).
4.2 Usage data
When using the Service we automatically collect:
- IP address (anonymised)
- Device type, operating system, browser version
- Date and time of access
- Pages and functions accessed
- Referrer URL
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in IT security and service optimisation)
4.3 Chat data
When using the AI chat we process:
- The messages you enter (questions/prompts)
- The AI-generated answers
- Timestamps of the interaction
- Temporarily uploaded documents and images (automatically deleted after processing by the AI)
Legal basis: Art. 6 (1) (b) GDPR (contract performance)
Retention: You can set the retention period of your chat history yourself in the account settings. After the period you have chosen has expired, the chat history is automatically and irreversibly deleted.
4.3a Possible processing of special categories of personal data
Due to the Islamic subject focus of our Service, it is possible that you voluntarily enter sensitive information falling under Art. 9 GDPR (e.g. religious beliefs, health information).
We expressly recommend that you do not enter any sensitive personal data in chat messages.
Insofar as such data are entered voluntarily, processing is based on Art. 9 (2) (a) GDPR (explicit consent through voluntary entry).
The following do not occur:
- no profiling
- no classification by religious affiliation
- no automated decision-making with legal effect
4.4 Payment data
When concluding a paid subscription, the following are collected via our payment service provider Stripe:
- Payment method (e.g. credit card, SEPA)
- Billing address
- Transaction data
Note: Full credit card numbers are not stored by us, but exclusively processed by Stripe.
Legal basis: Art. 6 (1) (b) GDPR (contract performance)
Retention: 10 years (statutory retention obligation under § 147 AO, § 257 HGB)
4.5 Communication data
When you contact us (e-mail, support form) we process:
- Name
- E-mail address
- Content of your message
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest in handling enquiries)
4.6 Applications for sponsored access
If you apply for sponsored access via the e-mail template provided by us (Muḥsin sponsorship programme), we process the information voluntarily provided by you for the purpose of reviewing your application:
- First and last name
- Phone number and reply e-mail address
- Description of your current life situation
- Optional supporting documents (e.g. student certificate, unemployment / social-benefit / retirement notice)
Such supporting documents may contain special categories of personal data under Art. 9 GDPR (e.g. references to health or social situation). Processing is based exclusively on your explicit consent under Art. 6 (1) (a) and Art. 9 (2) (a) GDPR, which you grant by leaving the data-protection consent contained in the e-mail template intact. Without this consent, we may not review your enquiry and will delete the e-mail without delay.
Retention period: The e-mail and all attachments are deleted from active systems no later than 30 days after the application is concluded. Provider-side backups (Microsoft 365 / mail host) are overwritten in the regular rotation cycle; we do not deliberately access them.
Recipients: Data are not shared with third parties.
Withdrawal: You can withdraw your consent at any time informally — a short e-mail to datenschutz@islamify.ai is enough. Your data will then be deleted immediately. The lawfulness of processing carried out before the withdrawal remains unaffected.
Note: There is no legal entitlement to sponsored access.
5. Anonymised quality assurance of the AI
5.1 Purpose
To ensure and improve the quality of our AI-generated answers, we store chat interactions in a separate, anonymised quality-assurance database.
5.2 Anonymisation
The data stored in the quality-assurance database contain the question asked and the AI-generated answer. The data contain no link to the user account, no user ID, no IP address and no other identifying features.
5.3 Residual risk for self-entered data
It is possible that users voluntarily enter personal data in their questions. We therefore recommend not entering any personal data in chat messages.
5.4 Market research
The anonymised data are additionally used for market research regarding Islamic topical interests in order to better tailor our offering to user needs.
5.5 No model training
The anonymised data are not used for training or fine-tuning AI models.
5.6 Legal basis
Since the data are anonymised and no longer contain any personal reference, this processing falls outside the scope of the GDPR (cf. Recital 26 GDPR).
6. Third parties and data processors
6.1 Hosting
The application is operated on our own infrastructure in Munich, Germany. No external hosting service provider is involved. Our servers are under the direct control of EMAD gUG (haftungsbeschränkt).
6.2 AI processing (chat answers, speech recognition, speech output)
For processing your input, generating AI answers, speech recognition (speech-to-text) and speech output (text-to-speech) we use exclusively a single data processor:
- Provider: Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland (as EU contracting party for Google Cloud services)
- Services: Vertex AI (for processing chat requests) and Google Cloud Speech-to-Text and Text-to-Speech
- Server location: Frankfurt am Main, Germany (region europe-west3) or EU multi-region (EU/EEA only) for services without a dedicated Frankfurt deployment
The models used in Vertex AI (including models from the Gemini family and other partner models) run entirely on Google Cloud's infrastructure; your inputs are not passed on to the respective model developers. Which specific model handles a request is decided by our routing based on technical criteria (input type, language, load) and remains internal.
No use for model training: Under Google Cloud's Service Specific Terms, your inputs and outputs are not used to train AI models.
Legal basis: Art. 6 (1) (b) GDPR (contract performance). For inputs falling under Art. 9 GDPR (see section 4.3a), additionally Art. 9 (2) (a) GDPR (explicit consent through voluntary entry).
6.3 Vector database (knowledge search / RAG)
For searching our quality-checked knowledge base, we use a vector database:
- Provider: Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore
- Server location (data at rest and in use): European Union
For each chat request, the question is converted into a numerical vector for searching the knowledge base and matched against stored expert texts. The request itself is not stored permanently in the vector database.
6.4 Authentication
Sign-in takes place via direct integration of the SSO providers listed in section 4.1 using the standardised OpenID Connect procedure. No intermediate identity service is used. All sign-in sessions are managed exclusively on our own infrastructure in Germany.
6.5 Payment processing
- Provider: Stripe Payments Europe, Ltd., Dublin 2, Ireland
6.6 Web analytics (planned)
Google Analytics and Meta Analytics will only be activated after implementation and exclusively after your explicit consent via our cookie consent banner.
7. Data transfers to third countries
7.1 Principle
Your content (chat inputs, uploaded documents, voice recordings and the AI answers generated from them) is processed exclusively within the European Union. The hosting location as well as AI, speech and knowledge-search processing are localised in the EU.
7.2 Remaining transfers and protective measures
A data transfer to the USA may occur in the following cases:
- Authentication via SSO (section 4.1): Google, Microsoft and LinkedIn are certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR); Apple relies on EU standard contractual clauses (Art. 46 (2) (c) GDPR).
- Payment processing (section 6.5): Stripe is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR).
- Operational metadata for cloud providers: When using Google Cloud and Supabase, administrative metadata (e.g. billing data, support requests) may be processed at affiliated companies in the USA. These transfers are safeguarded by EU standard contractual clauses under Art. 46 (2) (c) GDPR.
In addition, we apply technical and organisational protective measures such as transport encryption (TLS), encryption at rest and data minimisation.
8. Retention periods
| Data type | Retention period |
|---|---|
| Registration data | Until deletion of the user account |
| Chat history (personal) | Configurable by the user in settings |
| Anonymised chat data (QA) | Unlimited (no personal reference) |
| Payment data / invoices | 10 years (§ 147 AO, § 257 HGB) |
| Usage data (server logs) | 90 days |
| Communication data | 3 years after the enquiry has been concluded |
After deletion of the user account, all personal data are deleted within 30 days, unless statutory retention obligations conflict.
9. Your rights as a data subject
You have the following rights under the GDPR:
- Right to access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
Right to lodge a complaint with the supervisory authority (Art. 77 GDPR):
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany
To exercise your rights: datenschutz@islamify.ai
10. Cookies
10.1 Strictly necessary cookies
We use technically necessary cookies for the operation of the Service (session cookies, authentication cookies). These are set without your consent.
10.2 Analytics and marketing cookies (planned)
Analytics and marketing cookies will only be set after implementation and after your explicit consent via our cookie consent banner.
11. Newsletter
When subscribing to the newsletter we process the e-mail address and the time of subscription (double opt-in). You can withdraw your consent at any time.
12. Protection of minors
Our Service is aimed at persons who have completed their 16th year of age. We do not knowingly collect data from persons under the age of 16.
13. Changes to this privacy policy
We reserve the right to adapt this privacy policy as required. The current version is always available at islamify.ai. In the case of material changes we will inform you.
Last updated: 25 April 2026
EMAD gUG (haftungsbeschränkt), Munich