Privacy Policy

Effective date: June 15, 2026  ·  Version 1.0

1. Who we are

Ikraplus is an iOS, Android, and web application for Quran memorization with AI-powered tajweed feedback. The app is operated by:

Green Light Global Inc.
A Texas corporation (file number 803762540)
Email: contact@ikraplus.app

In this policy, "Ikraplus", "we", "us", and "our" mean Green Light Global Inc. "You" means the person using the app — or, where this policy refers to a child under 13, the parent or legal guardian who created the child's account.

2. Information we collect

2.1 Information you give us

• Account information: name, email address, hashed password, language preference (English or Turkish), self-reported skill level, age group, role (student, teacher, or parent), birth year (used to enforce minimum age and trigger parental consent flows for children under 13).
• Profile picture: if you upload one. Stored as an image file linked to your user ID.
• Recitation recordings: short audio clips you record while practicing. Used for AI tajweed analysis and (if you submit one to a teacher) review.
• Memorization progress: which verses or pages you've recorded, your AI-generated tajweed scores, your review schedule (spaced repetition data), notes you write.
• Family and group connections: if you link your account to a parent's, a child's, a teacher's, or a group of fellow students, we store those connections.
• Communications you send us: if you email us or use an in-app feedback feature, we keep the content of that message.
• Payment information (when paid plans are available): if and when subscription plans launch, payments are processed by Stripe. We never receive your full card number — Stripe gives us a token and your billing status.

2.2 Information collected automatically

• Device and app information: device type, operating system version, app version, language setting, time zone offset, crash logs and error reports.
• Usage information: which screens you visit, which features you use, when you opened the app, anonymized event names (for example, "studio_record_started"). This helps us understand which parts of the app are valuable and which need work.
• Push notification tokens: if you allow notifications, the operating system gives us a token we use to send your daily reminder, task assignments, etc. We don't see your phone number or any contact list.
• Logs: the backend records requests (URLs, response codes, timestamps) for debugging and abuse prevention. Logs are kept for up to 30 days.

2.3 Information from third parties

• If you sign in with Apple or Google, we receive your verified email and name from them. We do not receive any other profile information.

3. How we use your information

We use the information described above for the following purposes:

• To run the app. Create your account, authenticate you, sync your progress across devices, send the notifications you've enabled, deliver AI tajweed feedback on your recordings.
• To analyze your recitation. Audio recordings are sent to OpenAI's Whisper transcription service so we can compare your recitation to the standard Uthmani text and surface tajweed and makhraj errors. OpenAI is contractually prohibited from training models on your audio.
• To enable Family and Group features. Parents see their linked child's progress; teachers see assigned students' submissions; students see their group memberships.
• To improve the app. Aggregated, anonymized usage data tells us which features matter. We do not use individual recitations to train any model.
• To prevent abuse and protect users. Logs, rate limits, error tracking.
• To communicate with you. Account-related emails (password reset, security notices), occasional product updates (you can opt out of non-essential emails).
• To process payments (when paid plans are available) through Stripe.
• To comply with the law if we receive a valid legal request.

4. Legal bases (for users in the EU and UK)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) — and, for UK users, the UK GDPR and Data Protection Act 2018 — require us to tell you the legal basis we rely on for each type of processing:

• Performance of a contract: running your account, delivering AI feedback, syncing progress, processing payments.
• Legitimate interests: understanding how the app is used so we can improve it; preventing abuse; protecting users.
• Consent: push notifications, marketing emails (where applicable), and processing data of children under 13 (consent given by the parent).
• Legal obligation: responding to lawful requests, retaining records where required.

You can withdraw consent any time. Withdrawing consent does not affect processing already done.

5. Who we share information with

We do not sell your personal information. We share data only with the service providers below, and only as much as they need to do their job for us:

Provider	Purpose	Where data is processed
Railway	Hosting the backend API and database	United States
Cloudflare	Object storage (recordings, avatars, attachments), DNS, web hosting, email routing	Global edge network; primary storage in user's region
OpenAI	Transcribing recitation audio (Whisper API)	United States
Expo (Push)	Routing push notifications to Apple/Google	United States
Sentry	Crash and error reporting	United States
PostHog	Product analytics (anonymized aggregate usage)	United States
SendGrid	Transactional emails (password reset, account notices)	United States
Stripe	Subscription payments (when paid plans launch)	United States

We require each provider to have appropriate security and confidentiality measures. We also share information where required by law or to protect the safety of users.

6. International data transfers

Our service is operated from the United States. If you use Ikraplus from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent legal mechanisms to protect your data.

7. How long we keep information

Data	Retention
Account information	Until you delete your account
Recitation recordings	24 hours after upload — auto-deleted by storage lifecycle policy
Tajweed scores, transcripts, progress data	Until you delete your account
Profile picture, submission attachments	Until you delete them or your account
Backend request logs	30 days
Error reports (Sentry)	30-90 days
Payment records	7 years (legal requirement for tax records)

When you delete your account, we delete or anonymize all data associated with you, except records we are legally required to retain.

8. Children under 13

Ikraplus is intended for users aged 13 and older. Children under 13 may not create their own account.

How a parent enables a child under 13 to use Ikraplus. Parents and legal guardians may create a "child account" for a child under 13 through the Family feature. During the child-account creation flow, the parent must:

• Confirm they are the parent or legal guardian of the child;
• Review what information will be collected about the child;
• Provide explicit consent to that collection.

Consent is recorded with a timestamp and the parent's account ID.

Information we collect about children:

• Child's first name (chosen by the parent)
• Child's birth year
• Recitation recordings, tajweed scores, and memorization progress
• App usage events (de-identified — child accounts are not tagged with user IDs in our analytics or error tracking)

What we do NOT collect from children:

• Email address (the child logs in with a code, not credentials)
• Phone number
• Precise location
• Behavioral advertising data (we have no advertising)
• Social or contact list data

Parental rights for child accounts:

• View all data collected about the child at any time from the Family screen.
• Delete the child's account (and all associated data) at any time.
• Revoke consent at any time — this deletes the child's account.
• Export the child's data on request — email contact@ikraplus.app.

If you believe a child under 13 has registered without a parent's consent, please email contact@ikraplus.app and we will delete the account within 30 days.

This section is designed to meet the requirements of the United States Children's Online Privacy Protection Act (COPPA), 16 CFR Part 312.

9. Your rights and choices

Regardless of where you live, you have the following choices about your information:

• Access: see what we hold about you from the Settings screen, or email us.
• Correct: edit your name, language, email, and other profile data from Settings.
• Delete: delete your account and all associated data from Settings > Account > Delete Account. This is permanent.
• Export: request a copy of your data by emailing contact@ikraplus.app. We respond within 30 days.
• Opt out of non-essential communication: push notification toggles in Settings; unsubscribe link in marketing emails.
• Object or restrict processing (EU/UK): email us with your request.

10. How we protect information

We use industry-standard safeguards:

• All data is transmitted over HTTPS/TLS.
• Passwords are hashed (never stored in plain text) using bcrypt.
• JWT-based authentication with short-lived access tokens and refresh tokens.
• Audio recordings are stored in private object storage with signed URLs.
• The backend runs behind a cloud provider with logical isolation and rate limiting.
• Access to production data is limited to engineering personnel on a need-to-know basis.

No internet service is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

11. Cookies and tracking

The Ikraplus mobile app does not use cookies — it uses local secure storage to keep you signed in. The marketing website at ikraplus.app uses no third-party tracking cookies and shows no advertising. We may add minimal first-party analytics (such as Cloudflare Web Analytics) in the future; if we do, we will not link this information to identifiable users.

12. California residents (CCPA/CPRA)

If you live in California, you have the following additional rights under the California Consumer Privacy Act (as amended by the CPRA):

• The right to know what personal information we have collected, used, disclosed, and sold or shared.
• The right to delete your personal information.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of personal information.
• The right to limit use of sensitive personal information.
• The right to non-discrimination for exercising these rights.

We do not sell or share personal information for cross-context behavioral advertising or any other purpose that would trigger California's "do not sell or share" right. To exercise your rights, email contact@ikraplus.app.

13. Turkey residents (KVKK)

If you are in the Republic of Turkey, you have additional rights under the Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, Law No. 6698, "KVKK").

13.1 Data controller

The data controller for your personal data is:

Green Light Global Inc.
A corporation registered in the State of Texas, United States
Email: contact@ikraplus.app

13.2 Your rights under Article 11 of KVKK

As a data subject, you have the right to:

• Learn whether your personal data is being processed;
• Request information about the processing if your data has been processed;
• Learn the purpose of processing and whether your data is used in accordance with that purpose;
• Know the third parties to whom your data is transferred, in Turkey or abroad;
• Request correction of incomplete or inaccurate data;
• Request deletion or destruction of your data under the conditions set out in KVKK Article 7;
• Request that any corrections, deletions, or destructions be notified to third parties who received your data;
• Object to outcomes generated solely by automated processing where those outcomes produce a negative effect on you;
• Claim compensation for damages suffered due to unlawful processing.

13.3 How to exercise your rights

To exercise any of these rights, email contact@ikraplus.app with "KVKK request" in the subject line and a description of your request. We will respond within 30 days of receipt, free of charge unless the request is manifestly unfounded, excessive, or repetitive.

13.4 Cross-border data transfer

By using Ikraplus, you acknowledge that your personal data will be transferred from Turkey to the United States, and to other countries where our service providers (listed in Section 5) operate. We rely on your explicit consent under KVKK Article 9 for this transfer and, where applicable, written contractual safeguards with the relevant service providers.

13.5 Complaints to KVKK Kurulu

If you believe we have processed your personal data unlawfully and we have not resolved your concern, you have the right to lodge a complaint with the Personal Data Protection Authority of Turkey (Kişisel Verileri Koruma Kurulu) at www.kvkk.gov.tr.

14. Changes to this policy

We may update this policy from time to time. When we make a material change, we will revise the "Effective date" at the top, post the new version at this URL, and (where appropriate) notify you in the app. Continued use of Ikraplus after a change means you accept the updated policy.

15. How to contact us

Questions, complaints, or requests about this policy or your data:

Email: contact@ikraplus.app
Mail: Green Light Global Inc., Texas, United States

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority — for example, your national supervisory authority in the EEA, the Information Commissioner's Office (ICO) in the United Kingdom, or KVKK Kurulu in Turkey.