Sunnah Lock is a phone-discipline app for Muslims. This policy describes what data the app touches, what leaves your device, and what stays on it.
We don't know what apps you block, what sites you filter, or what keywords you've banned. That data only exists on your phone. The only thing that leaves your device is your email (if you sign in) and your subscription status.
Data we collect
Account data
If you create an account (email / password or Google Sign-in), Firebase Authentication stores:
- Your email address
- A Firebase-generated user ID (UID)
- The timestamp of account creation and last sign-in
If you sign in with Google, Google passes your email to Firebase Auth. We do not request your name, profile photo, contacts, or any other Google account data.
Subscription state
Cloud Firestore stores a document keyed to your Firebase UID with your subscription tier. No block data, no app lists, no PIN.
Location data
Location is requested only when you create or run a location-based block (e.g. "block YouTube while at school"). The device's location is read on-device to evaluate whether the device is currently inside a parent-defined geofence, and the result is used to decide whether to apply the matching block.
Location is never transmitted off the device, never stored beyond the active block evaluation, never shared with us or any third party, and no background location is requested. If you do not create a location-based block, the location permission is never used.
What stays on your device
The following is stored only in a SQLCipher-encrypted local database and never leaves your phone:
- Blocked apps, websites, and keywords
- Your PIN (stored as a salted hash — not the PIN itself)
- Schedules, location triggers, and usage limits
- Block events (when a block was triggered and for which app)
- Dhikr log, if you use the dhikr counter
- Strict Mode configuration
Uninstalling the app erases all of it.
Sub-processors
We rely on these third parties for narrow, specific functions:
- Firebase Authentication (Google LLC) — sign-in and session management
- Cloud Firestore (Google LLC) — subscription state scoped to your Firebase UID
- Google Play Integrity API — detects rooted or tampered devices as part of anti-bypass protection
- Google Maps SDK — loaded only when you open the map picker to create a location-based block; used to display the map
- Google Play Billing — processes subscription purchases (applies only if you subscribe)
See Firebase privacy terms and Google's privacy policy for their handling.
Analytics and ads
Sunnah Lock does not use analytics SDKs, ad networks, or behavioral tracking. No Google Analytics. No Meta Pixel. No third-party ads. Ever.
We do not sell or share personal information for cross-context behavioral advertising as defined by CCPA / CPRA.
Children's data and parental consent
Sunnah Lock is operated by the parent. Account creation, sign-in, and all settings happen on the parent's device — or under the parent's account on the child's device. The child does not sign in, does not create an account, and does not provide any personal information to us.
All on-device data (blocked apps, block events, schedules) is generated locally by the parent's configuration and stays on the child's device.
We do not knowingly collect personal information from children under 13 (COPPA). If you believe a child under 13 has signed in, email us and we will delete the account.
Your rights
- Access / export — email us to receive a copy of the personal data we hold (your email, account creation date, subscription state)
- Delete — delete your account from inside the app (Settings → Account → Delete account) or email us; this removes your Firebase record. Uninstalling removes all on-device data
- Opt out — you can use Sunnah Lock without creating an account; some features (subscription, cloud sync) will be unavailable
Security
On-device blocking data is stored in a SQLCipher-encrypted Room database in release builds. PINs are hashed (never stored in plain text). Release builds run Google Play Integrity to detect rooted or modified copies and include tamper detection to prevent bypass attempts.
Data retention
- Block event logs and on-device data — stored locally only; retained until you uninstall the app
- Account email and Firebase UID — retained while your account exists
- Firestore subscription state — deleted within 30 days of account deletion
- Billing records — retained 7 years for tax / accounting purposes (Google Play Billing receipts)
International users
Firebase and Firestore data is processed by Google LLC in the United States. By using Sunnah Lock and creating an account, you consent to that transfer. EU / UK users: we rely on Google's Standard Contractual Clauses for international transfers.
Changes
If we update this policy, the date at the top changes. Material changes will be announced in-app before they take effect.
Contact
For privacy questions, access requests, or deletion requests: