Privacy Policy
Last updated: 2026-07-11. Applies to v1 of Barakah Tasks.
This is the consolidated, user-facing privacy disclosure for the Barakah Tasks app, operated by Asad Aftab ("Barakah Tasks", "we", "us"). It explains what data the app collects, where it's stored, and how the v1 surfaces (cloud sync, attachments, AI generation, Connected Agents) handle your information.
If you have questions, email [email protected].
1. What's stored on your device
Every Barakah Tasks user — Free, Premium, or Premium + AI — has a complete, working app that runs entirely on the device. Your tasks, categories, prayer preferences, attachments, and reminders are persisted in a local SQLite database. None of this leaves the device unless you sign in for cloud sync.
If you sign out (or never sign in), no information about you is sent to Barakah Tasks servers.
2. Cloud sync (Premium and Premium + AI)
When you upgrade to Premium, your tasks, categories, and prayer settings sync to a managed Firebase Data Connect database operated for Barakah Tasks.
- What syncs: task title, notes, category, tags, prayer/time anchor, status, steps (subtasks), reminders, recurrence, prayer-preference values (including the location your prayer times are calculated for), saved places you create for location reminders, and app preferences such as theme and celebration settings.
- What does NOT sync: the contents of chat threads, attachment files, or any local-only state are excluded from the sync paths beyond what's described in §3 (attachments) and §4 (collaboration).
- Authentication: Firebase Authentication holds your email + a hashed credential. Tokens are short-lived; no plain-text password leaves the sign-in surface.
- Data residency: the Firebase project is hosted in a single Google Cloud region. The current region is
us-east4(Northern Virginia).
3. Attachments
Attachments work on every tier. On the Free tier the files stay on your device: they are stored locally and never uploaded. Premium adds attachment backup and sync (5 GB of storage; 10 GB on Premium + AI), which uploads your files so they follow you across devices.
When backup and sync is on, attachments you add to a task are uploaded to a DigitalOcean Spaces bucket operated for Barakah Tasks. The flow:
- Your device asks the Barakah Tasks attachments service for a presigned PUT URL. Your Firebase ID token is verified server-side; no other credential is exposed to the client.
- Your device uploads the bytes directly to DigitalOcean Spaces over HTTPS.
- Metadata only — filename, size, content type, owner — is recorded in the Barakah Tasks database. The bytes themselves never pass through our application servers.
Soft-deleted attachments are kept for 30 days, then a daily purge job issues a presigned DELETE to the Spaces object and removes the metadata row. Hard-deleted attachments are not recoverable.
Separately, attachments on a completed task are purged 30 days after completion (reusing the same daily purge job) and the space is reclaimed; reopening a purged task does not bring the files back, and open tasks keep their attachments indefinitely. (This completion-based purge is a v1 behavior being rolled out.)
DigitalOcean is a US-based hosting provider; the bucket is in the same region as the database.
4. Shared categories (Premium and Premium + AI)
Collaboration in Barakah Tasks happens at the category level: a Premium user shares a category (a shared list) and invites people by email. Members of a shared category see every task in it — steps, comments, attachments, and activity events. You choose which categories to share; everything else stays private.
- Members join free: being a member does not require Premium. A member's shared categories sync so the list stays current across the group; a free member's own private tasks still never leave their device.
- Quota: attachments uploaded by any member of a shared category count against the category owner's storage — never against the member's.
- Invite tokens: sent via email through Emailit (a third-party SMTP provider). The token is single-use; revoking expired tokens fails closed.
- Removal: when an owner removes a member or stops sharing a category, the member loses access on their next sync and their local copy of the shared list is removed. Their past messages remain visible to the remaining members.
- Lapsed Premium: if the category owner's Premium subscription lapses, their shared categories become read-only for everyone, including the owner. History stays available, and restoring Premium re-enables editing with no data loss.
5. AI task generation (Premium + AI)
When you tap Use AI and submit a request, the Barakah Tasks AI proxy service forwards the following payload to OpenAI's API:
userPrompt— the text you typed.currentLocalDate— today in your timezone.locale— your app language.availableCategoryKeys— the list of category identifiers (work,worship,family, etc.) so the model can pick valid ones.availablePrayerAnchorIds— the prayer-anchor identifiers (fajr,dhuhr,asr,maghrib,isha).
Specifically NOT sent:
- Your existing tasks, task titles, notes, or any task content.
- Any chat / comment / message text from collaborative threads.
- Any attachment content.
The system prompt is versioned — the current version is barakahtasks.systemPrompt.v1. The model's response is a structured JSON TaskProposalBundle; the Barakah Tasks app renders that bundle in a review sheet so YOU approve / reject / edit before any task is created.
OpenAI processes the request under its current API privacy terms. AI generation is gated by a 300-per-month cap that resets on the first of each calendar month. A generation counts against the cap ONLY when the AI actually answers you — a set of task drafts, or a valid "no tasks" reply. Errors do not count: network failures, timeouts, rate-limited requests, unreadable responses, and content-filtered responses all leave your monthly allowance unchanged.
6. Place search (Premium)
The Saved Place editor's search-by-name field is a Premium feature served by Google Maps Platform (Places API). When you type a place name and explicitly submit it, the Barakah Tasks backend forwards to Google:
- the text you typed, and
- an approximate search area of about 50 km, centred on your current map position or, before a pin exists, your prayer-time city — so nearby results rank first.
Your live device location is never sent with a search. No search or location history is stored: the query is answered and discarded, the results exist only on your screen until you pick one, and only the coordinate you confirm is saved as your place. Google's place identifiers are dropped server-side and never stored. The Google API key lives on the Barakah Tasks server only — the app never carries a geocoding credential.
Free accounts never touch this service: the Saved Place editor on the free tier uses your current location, a draggable map pin, and manual coordinates, entirely without a hosted lookup.
Google processes the request under its current Maps Platform terms.
7. Connected Agents (Premium and Premium + AI)
You can authorize external MCP clients (Claude Desktop, ChatGPT, etc.) to read or modify your tasks. The OAuth + PKCE flow runs against the Barakah Tasks MCP server.
- Scopes are reviewed on the consent page before you grant access. The minimum useful scope is
tasks:read;tasks:writeandtasks:deleteare separate, harder-to-grant scopes. - Chat, attachments & collaborators over MCP — gated by your per-task opt-in. The MCP tool surface mirrors the in-app experience under a parity rule. Chat threads, attachment upload/download (via signed URLs), and collaborator/roster management are reachable by an agent only with the matching scopes (
comments:*,attachments:*,collaborators:*) and only on tasks where you have turned on the per-task agent-access flag. On every other task, no chat or participant data is returned. Raw attachment bytes never stream through the MCP server (the agent fetches them directly from storage via a signed URL), and no tool exposes another user's data beyond their name/identifier. - Audit log: every MCP call is recorded in
mcp_action_eventswith the agent's name, the tool called, and the result. Task titles, notes, and tokens are stripped from the audit row before persistence. - Revocation: Settings → Connected Agents lets you revoke any connection in one tap. Revocation invalidates the refresh token immediately.
- Lapsed Premium: lapsed users retain read-only MCP access for 30 days; write/delete fail with a clear
premium_lapsed_*error code. After 30 days, all MCP scopes are denied.
8. Telemetry and crash reports
The Flutter app's telemetry layer is not yet wired in v1. When it lands in v1.0.x, it will be configured to capture metric counts and timing durations only — never task content, never chat content, never PII.
Backend audit logs (mcp_action_events, ai_usage_events) are kept under a strict redaction contract: task titles, notes, comments, raw tokens, and email addresses are NEVER logged.
9. "Support the app"
The optional contribution surface in the Profile tab is exactly that — optional. The app is fully usable on the Free tier, and Premium / Premium + AI subscriptions are paid through the App Store / Play Store in-app purchase systems (RevenueCat handles entitlement). The "Support the app" wording is deliberately neutral and never frames the contribution as a donation, charity, sadaqah, or zakat unless explicit legal structure exists for that — none does in v1.
10. Your rights
- Access — your data is on your device; you can read it directly from the SQLite file.
- Export — coming in v1.0.x; for v1, contact [email protected].
- Delete — uninstall the app to remove all device-local data; cloud-sync deletion (account closure) is in v1.0.x; for v1, contact [email protected] to request server-side deletion.
- Correct — every field on a task / category / prayer-preference is user-editable in-app.
11. Changes
Material changes to this policy will be announced in-app before they take effect. The version of the policy that applies to your usage is the version that was active at the time of the action you took (e.g., the AI generation that ran).
The canonical version of this policy lives at docs/privacy-policy.md. The in-app Settings → Privacy screen renders the same content from a bundled asset, refreshed with each app release.