Privacy Policy

This Privacy Policy explains how Nawah collects, uses, and protects your data.

2.1 Information you provide directly Account information. Your email address, password (stored only as a one-way hash by Firebase Authentication), and display name. A profile photo is optional. Family content. Chat messages, message reactions (emoji you tap on a message), photos, videos, voice notes, calendar events, tasks, shared lists, polls, poll votes, announcements, chat wallpapers, vault items (photos, PDFs, videos, rich-text notes), and any other content you create inside a family. Voice dictation. Audio you record to dictate messages or requests to the AI Assistant. Reports and blocks. If you report a message or block another user, we record that action so our moderation team can review it and so blocking can be enforced. 2.2 Information collected automatically Device information. Operating system, app version, language, and a Firebase Cloud Messaging token used solely to send push notifications you have enabled. Location (When In Use and Always). When you enable family-map sharing in Nawah, your location is uploaded to your family's map. With "Always" permission granted, updates continue while the app is in the background or your phone is locked, so your family can see your current location without you keeping the app open. We collect location only while you have turned sharing ON in the app; you can turn it off at any time, and we stop collecting immediately. Authentication metadata. Sign-in timestamps and a Firebase user ID used to associate you with your data. Crash reports. If the app crashes, Firebase Crashlytics automatically collects a crash report containing the exception type, stack trace, device model, OS version, app version, and the state of the app at the time of the crash. Crash reports do not include your name, email address, or family content. 2.3 Information we do not collect We do not track you across other apps or websites. The app's privacy manifest declares NSPrivacyTracking = false. We do not use third-party advertising networks. We do not use Firebase Analytics or any advertising or behavioural tracking SDKs. We do not collect your phone number, postal address, contacts, date of birth, gender, or browsing history.

To create and authenticate your account. To deliver the app's core features — sharing content with the families you join, syncing events to your device calendar, displaying your family on the map, and processing your requests to the AI Assistant. To send you push notifications you have opted in to (chat messages, task assignments, calendar reminders, announcements, polls). To enforce our Terms of Service, including reviewing reported content and acting on user blocks. To diagnose technical problems and prevent fraud and abuse.

5.1 With other family members Content you create inside a family — messages, message reactions, poll votes, events, tasks, lists, polls, announcements, chat wallpapers, vault items, and your live location while the family map is enabled — is visible to every member of that family. Your display name and profile photo are visible to other members so they can identify you in shared content. 5.2 With service providers We use the following providers to operate the app. Each receives only the data needed to deliver its service:

Account data and family content are stored in Google Firebase (Firestore and Cloud Storage), encrypted at rest by Google. Chat message bodies, message previews, and chat wallpapers are encrypted with AES-256 before they are written to Firestore. This is encryption at rest only — the key is managed by the app, not derived from your password, so it is not end-to-end encryption. Treat anything you write in a family chat as readable by every member of that family and by Nawah administrators when investigating reported content. Vault file uploads are stored in Cloudflare R2, encrypted at rest. All network communication uses TLS (HTTPS). Firebase App Check is used to reduce abuse from unauthorized clients. We do not implement custom or proprietary cryptography beyond the app-managed encryption described above. The app qualifies for the standard U.S. encryption export exemption. No system is perfectly secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

We send push notifications via Firebase Cloud Messaging for events such as new chat messages, task assignments, calendar reminders, announcements, and polls. Notification payloads contain a short title and body (truncated to 120 characters) and the IDs needed to open the right screen. You can disable notifications globally in your device settings or per-category in Settings → Notifications inside the app.

Access and correction. You can view and edit your profile from inside the app at any time. Account deletion. You can delete your account from More → Settings → Danger Zone → Delete Account. Deletion permanently removes your profile, blocked list, notification preferences, FCM tokens, your shared location, and your family memberships, and deletes your Firebase Authentication record. Messages you sent and items you added to family vaults remain visible to the family but will no longer show your name. Family creators must transfer or delete their families before deleting their account; the app guides you through this. Mute and delete. You can mute a chat (Settings → Mute) to stop receiving notifications from it without leaving the chat. You can delete messages you sent; deleted messages are hidden from other family members and removed from your device. Reporting and blocking. You can report any chat message via long-press, and you can block any family member at any time. Blocked users can be reviewed and unblocked from Settings → Blocked Users. Permission control. You can revoke camera, microphone, photo, calendar, location, and notification permissions from your device's system settings at any time. The app will continue to work with reduced functionality.

We retain your account information and family content for as long as your account is active. When you delete your account, we delete the items listed in section 8 immediately. Content you contributed to families you have left or to families that continue to exist after your deletion is retained as part of those families' shared history; it is no longer attributed to your account once your user record is removed. Vault file access URLs expire automatically after 24 hours and are regenerated on demand.

Our service providers (Google and Cloudflare) operate globally, and your data may be processed in countries other than the one in which you reside, including the United States. Each provider applies its own safeguards for cross-border transfers, including, where applicable, the European Commission's Standard Contractual Clauses.

Nawah is intended for use by adults and families together. The app is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children under that age. If you believe a child has provided us with personal information without parental consent, please contact us at the address below and we will delete it.

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you in the app. Continued use of Nawah after a change constitutes acceptance of the updated policy.

If you have questions, concerns, or requests about this Privacy Policy or your data, contact us at: Email: privacy@nawahfamily.com