Privacy Policy

1. Scope

This Privacy Policy describes how we collect, use, disclose, and retain information when you use sunni.ai (the “Service”).

2. Information We Collect

2.1 Information You Provide

• Account Data: email address, password (stored in hashed form), and account settings.
• Authentication Data: if you sign in using a third-party identity provider, we receive authentication tokens/identifiers needed to log you in (we do not receive your password for that provider).
• User Content: the text you submit (prompts) and the outputs generated by the Service, which we store so you can access your history.
• Religious Preference Data: your selected school of Islamic jurisprudence (madhhab), religious questions, and related preferences. This data qualifies as sensitive personal data under certain laws, including the EU GDPR, Indonesia’s UU PDP, and Malaysia’s PDPA. We process this data only with your explicit consent, which is obtained separately during account setup.

2.2 Information Collected Automatically

• Usage Data: pages viewed, features used, timestamps, and interaction events.
• Device/Network Data: device type, browser type, IP address, and related technical logs.
• Security & Fraud Signals: indicators used to detect abuse (e.g., unusual usage patterns).

2.3 Payment Information

Payments are handled by third-party payment processors. We receive limited billing information such as payment status, plan type, renewal dates, and transaction identifiers. We do not store full payment card numbers.

2.4 Cookies and Similar Technologies (Strictly Necessary Only)

We use strictly necessary cookies and similar technologies required to operate the Service (e.g., session management, authentication, security). We do not use marketing or non-essential analytics cookies by default.

3. How We Use Information

We use information to:

• provide, operate, maintain, and secure the Service;
• authenticate users and manage accounts;
• store and display your history (prompts and outputs);
• prevent fraud and abuse and enforce our Terms;
• provide customer support and respond to requests;
• improve the Service, including quality and safety improvements (see Section 5);
• communicate service-related notices (e.g., billing, security, important updates);
• comply with legal obligations.

4. How We Disclose Information

We may disclose information to:

• Service Providers (Processors): vendors that help us operate the Service (e.g., hosting, databases, identity/authentication, payment processing, security, email delivery). We disclose information only as needed for them to provide services to us.
• Legal and Safety: to comply with law, enforce our Terms, or protect rights, safety, and security.
• Business Transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets (subject to appropriate protections).

We do not sell personal information and we do not share personal information for targeted advertising.

5. AI Processing, Human Review, and Service Improvement

5.1 AI-Generated Outputs

We use automated systems, including AI and large language model (AI/LLM) technology, to analyze your prompts and generate outputs. All outputs are AI-generated and may contain errors, inaccuracies, omissions, or biases. AI-generated content does not reflect the views of Sanad and should not be treated as authoritative.

5.2 Human Review (Limited)

We may permit limited human review of a subset of content for purposes such as quality assurance, safety, abuse prevention, and customer support. Where human review involves content that includes religious preference data, access is restricted to authorized personnel subject to confidentiality obligations and security controls.

5.3 Use of Content for Service Improvement

We may use anonymized and aggregated User Content and Outputs to improve the quality, safety, and performance of the Service.

EU/UK Users: If you are located in the EU or UK, your User Content and Outputs are not used for AI training or Service improvement by default. You may opt in to such use through your account settings or by contacting privacy@sunni.ai.

All Other Users: Your User Content and Outputs may be used for Service improvement by default. You may opt out at any time by contacting privacy@sunni.ai or using in-app controls where available.

6. Data Retention

We retain information for as long as necessary to provide the Service and for legitimate business purposes. Retention generally follows these timelines:

• Billing/transaction records: up to 7 years (e.g., tax and accounting).
• Security logs: up to 180 days.
• User Content (prompts and outputs): retained during account activity, and for up to 180 days after account closure.
• Backups: typically purged on a rolling cycle up to 90 days.

7. Your Rights and Choices

7.1 Account Controls and Deletion

You can delete your account through in-app controls. Deletion ends access, and we will process deletion consistent with Section 6.

7.2 Communications

We send transactional and service-related messages only. We do not currently send marketing communications. If we begin sending marketing communications in the future, we will obtain your consent where required by applicable law and provide an opt-out mechanism.

7.3 Access, Correction, and Requests

You may request access to, correction of, or deletion of certain personal information by contacting privacy@sunni.ai. We will respond within one month (or within the shorter period required by applicable law).

7.4 AI Training Opt-Out

You may opt out of having your User Content and Outputs used for Service improvement at any time. EU/UK users are opted out by default. To exercise this choice, contact privacy@sunni.ai or use in-app controls where available.

8. International Data Transfers

We are based in the United States and use service providers that may process data in the United States and other countries. Where applicable law requires safeguards for international data transfers, we rely on contractual safeguards including standard contractual clauses or equivalent mechanisms.

Our primary service providers include cloud hosting (Supabase), AI processing (OpenAI), and payment processing (Stripe). Each operates under data processing agreements that govern the handling of your personal data.

9. Data Breach Notification

In the event of a personal data breach, we will notify the relevant authorities and affected individuals as required by applicable law:

• EU/UK (GDPR): within 72 hours of becoming aware of a qualifying breach.
• Indonesia (UU PDP): within 3 x 24 hours (72 hours) of becoming aware.
• Malaysia (PDPA): as required by applicable provisions of the PDPA.
• United States: in accordance with applicable state data breach notification laws.

10. Security

We implement reasonable administrative, technical, and organizational safeguards designed to protect information. No system is 100% secure, and we cannot guarantee absolute security.

11. Children’s Privacy

The Service is intended for users 18 years and older. We do not knowingly collect personal information from minors. If you believe a minor has provided information, contact privacy@sunni.ai.

12. Third-Party Links

The Service may contain links to third-party sites or services. We are not responsible for their privacy practices.

13. EU/UK Users — Additional Privacy Disclosures & Rights

If you are located in the EU or UK:

1. Legal Bases. We process personal information under legal bases such as contract necessity, legitimate interests, consent (where applicable), and legal obligation. For religious preference data, we rely on your explicit consent.
2. Your Rights. You may have rights to access, correct, delete, restrict processing, object, and data portability. You may also withdraw consent where processing is based on consent.
3. AI Training Opt-Out by Default. Your User Content and Outputs are not used for AI training or Service improvement by default.
4. Complaints. You may lodge a complaint with your local data protection authority.
5. Cookies. We use strictly necessary cookies only. If we introduce non-essential cookies, we will present a consent mechanism.

14. Indonesian Users — Additional Privacy Disclosures & Rights

If you are located in Indonesia (under UU PDP):

1. Controller. Sanad Advisory Solutions LLC acts as the personal data controller.
2. Specific Personal Data and Explicit Consent. The Service processes specific personal data including information about your religious beliefs. We process this data based on your explicit consent, obtained separately during account setup.
3. Your Rights Under UU PDP. You have the right to access, correct, delete, withdraw consent, object, restrict processing, and request data portability.
4. Cross-Border Transfers. Your data is transferred to the United States with contractual safeguards.
5. Data Breach Notification. We will notify within 3 x 24 hours as required by UU PDP.
6. Retention and Deletion. We retain data as described in Section 6 and delete upon request unless retention is required by law.

15. Malaysian Users — Additional Privacy Disclosures & Rights

If you are located in Malaysia (under PDPA):

1. Data User. Sanad Advisory Solutions LLC acts as the data user.
2. Sensitive Personal Data and Explicit Consent. The Service processes sensitive personal data including religious beliefs. We process this data based on your explicit consent.
3. Your Rights Under the PDPA. You have the right to access, correct, withdraw consent, and make inquiries or complaints.
4. Cross-Border Transfers. Your data is transferred with adequate safeguards as required by the PDPA.
5. Retention and Deletion. We do not retain personal data longer than necessary.

16. US State Privacy Rights

Depending on your state of residence, you may have additional privacy rights. We do not sell personal information and do not share it for targeted advertising. You may contact privacy@sunni.ai to exercise applicable rights.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Changes are effective upon posting, unless applicable law requires additional notice.

18. Contact

For privacy inquiries or requests, contact privacy@sunni.ai. For legal matters & complaints, contact legal@sunni.ai or write to: