1. Overview
Wasl ("Wasl", "we", "us") is a mobile app and service that combines an Islamic daily companion (Quran reader, prayer times, du'as, streaks) with group tools for Umrah and Hajj (live group map, lost-pilgrim helper, AI planner, bill split, hotel pinning, meeting points).
This policy explains what data we collect when you use Wasl, why we collect it, who we share it with, and the rights you have over your data. It applies to the Wasl mobile app on iOS and Android, our website at wasl.my, and any related services.
2. Data we collect
Account data
- Phone number — used to sign you in via one-time code. Stored encrypted by our authentication provider.
- Display name — what you set during signup. Visible to other members of any group you join.
- Email address (optional) — collected when you sign up with email or join our waitlist. We use it to send account-verification codes (a one-time 6-digit code to confirm your address), receipts, support replies, and occasional service emails (e.g., security notices). When you submit your email on our website you explicitly opt in, and account sign-up sends a confirmation code you must enter to verify ownership. You can use Wasl without giving an email if you sign in by phone, and you can unsubscribe from non-essential emails at any time.
- Country — picked during signup, used to localise prayer times and currency display.
Device & technical data
- IP address — recorded when you open the app or sign in (including as a guest), together with your platform (iOS/Android). We use it for security, abuse prevention, and understanding where our users are. VPNs and carrier networks may show a proxy address rather than your true one.
Location data
- Foreground location — your current latitude/longitude is used to compute prayer times and Qibla direction, and (if you've joined a group and chosen to share) to render your position on the group map.
- Background location — only when you're a member of a group and have explicitly enabled live tracking. Group members can see each other's approximate position during a trip. In agency-managed groups (groups run by a licensed Hajj/Umrah operator on behalf of its pilgrims), a limited trail of your recent positions — roughly the last 15 days — is also kept on our servers so the operator's authorised staff can locate a lost or separated pilgrim and investigate safety incidents. This trail is readable only by that agency's staff (never other pilgrims), is never used for advertising or profiling, and is automatically deleted after about 15 days — see Data retention. You can pause sharing at any time from inside the app, or revoke location permission entirely in your phone's system settings.
- Hotel / accommodation pin — a single coordinate you manually pin to share with your group.
Quran / prayer / worship data
- Last position in the Quran reader, bookmarks, saved du'as, daily reading streak, prayer-completion ticks. All stored against your account so you can resume across devices.
Group data
- Group code, group name, member list, group chat messages, shared expenses, meeting points. Visible to everyone in the group.
Receipt photos
- If you use the Bill Split feature, you can upload a receipt photo. It is processed by an AI receipt-reading service to extract line items. The photo is stored in encrypted cloud storage tied to your group; only group members can view it.
Purchase data
- Subscription status (free / Pro / Pilgrim Pass), entitlement expiry date, the product you bought. Payment is processed by Apple App Store, Google Play, or our payment processor — we never see or store your card number.
Device & diagnostic data
- Push notification token — used to send you adhan reminders, group alerts, and support replies.
- Anonymous crash reports — help us fix bugs. Stripped of personally identifiable information before they reach us.
- App version, device model, OS version — included in crash reports and support emails so we can reproduce issues.
- Anonymous website analytics — on our website (wasl.my) we count page visits and see which sites refer traffic, using a privacy-friendly anonymous identifier stored in your browser. It is not linked to your name or account, and we do not run advertising trackers.
3. How we use your data
- To run the features you signed up for — render the group map, send adhan notifications, compute streak progress, split bills, etc.
- To process payments — verify your subscription with Apple / Google so the right features unlock.
- To send transactional emails — account-verification codes, a one-time welcome message, and important account or security notices. These go only to your own registered address; we do not send marketing campaigns to purchased or third-party lists.
- To reply to you — when you write to support@wasl.my, we use your email and the message content to write back.
- To maintain the service — fix bugs, monitor outages, prevent abuse.
We do not use your data for behavioural advertising, and we don't profile you for ad targeting. There are no ad networks embedded in Wasl.
4. Who we share data with
We rely on a small number of trusted service providers to run Wasl. Each one receives only the minimum data needed for its function:
| Provider | Purpose | What's shared |
|---|---|---|
| Cloud infrastructure provider | Sign-in, database, server functions, push, crash reports | Phone number, profile fields, app data |
| Google Play / Apple App Store | Purchases, subscriptions | Transaction info from the store back to our server |
| Subscription management provider | Subscription state aggregator | Anonymised user ID + entitlement status |
| Mapping & geocoding provider | Maps and geocoding | Coordinates and search queries (no account info) |
| AI provider | Receipt OCR + AI planner queries | The receipt image / query text (no profile info) |
| Email delivery provider | Email delivery | Your email + the message content we sent you |
We do not sell your personal data to any third party. We do not share data with data brokers, ad networks, or marketing companies.
Legal disclosures
We will disclose data if compelled by a valid legal order from a competent court, or to protect the safety of our users or the public in a genuine emergency. We have not received any such requests as of the date of this policy.
5. Group features & visibility
When you join a Wasl group, certain data becomes visible to other members of that group:
- Your display name and approximate current location (only if you've enabled location sharing).
- Your messages in the group chat.
- Bills you've added and your share of group expenses.
- Meeting points you pin.
If you leave the group (or are removed by the admin), your data is removed from the group's view immediately. Historical messages you posted before leaving remain visible to remaining members — same as any chat app.
Lost Pilgrim Helper
When someone you don't know uses the Lost Pilgrim Helper feature with your group's six-character code, your group receives an in-app notification with the helper's name and a "Block" button. The helper sees your group members' approximate locations. The feature is rate-limited per helper per group, and any group member can revoke a helper's access with a single tap.
6. Data retention
- Account data — kept while your account exists. Delete your account from the app to remove it; see "Your rights" below.
- Group data — kept while the group exists. When an admin deletes a group, all messages, expenses, and shared pins are deleted within 30 days.
- Location history — for groups you join with friends or family, we keep only the most recent position per member while the group is active; we do not build a location history. For agency-managed groups (groups run by a licensed Hajj/Umrah operator on behalf of its pilgrims), we additionally retain a limited movement trail — roughly the last 15 days of approximate positions — stored on our servers so the operator can locate a lost or separated pilgrim and investigate safety incidents. This trail is readable only by that agency's authorised staff — never by other pilgrims — and is not used for advertising or profiling. It is automatically deleted after about 15 days.
- Crash reports — automatically purged after 90 days.
- Receipt photos — kept while the expense is in your group's bill history. Removed within 30 days of the expense being deleted by a group member.
7. Your rights and choices
- Access — write to support@wasl.my and we'll send you a copy of the data we have on file for you.
- Correction — fix your name, email, or country directly in the app, or write to us.
- Deletion — open the app → Settings → Delete account. Your profile and personal data are removed within 30 days. (Group data you contributed remains visible to remaining members as historical record, with your name replaced by "Former member".)
- Portability — your data export will be a JSON file we email to you on request.
- Opt-out of notifications — from your phone's system settings → Notifications → Wasl.
- Opt-out of location sharing — toggle "Share my location" in the group screen, or revoke location permission entirely in system settings.
If you're in the EU/EEA, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA. Email us with "Privacy request" in the subject and we'll respond within 30 days.
8. Security
All data in transit is encrypted with TLS. Stored data is encrypted at rest by our cloud infrastructure. We use app attestation and server-side rules to prevent unauthorised access from non-Wasl clients.
No system is perfectly secure. If you suspect a security issue, please write to support@wasl.my with "Security" in the subject line — we read those urgently.
9. Children
Wasl is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe we have collected data from a child under 13, please write to us and we will delete it.
10. International data transfers
Wasl is operated from Malaysia. Our infrastructure providers may store and process data in the United States, the European Union, or other regions. By using Wasl you consent to these transfers, which are governed by the providers' own data processing agreements.
11. Changes to this policy
If we make material changes to this policy, we'll notify you in the app and update the "Last updated" date at the top. For non-material edits (typo fixes, link updates) we'll just update the date.
12. Contact
If you have a question about this policy, or want to exercise any of the rights above:
Email: support@wasl.my
Website: wasl.my
Postal: Wasl, Malaysia