TAWASAW Privacy & Cookie Policy, and GDPR Consent
Effective date: 20 October 2025
Last Updated: 20 October 2025
This Privacy & Cookie Policy describes how Tawasaw (the "App", "we", "us", "our") collects, uses, discloses and protects personal data of users ("you", "your") and the lawful bases for that processing under the EU General Data Protection Regulation (GDPR). This document also contains the explicit consent text that Tawasaw will rely on when you register. This Policy is written for a privately-operated app (no corporate entity). The data controller is the operator of the Tawasaw app. You may contact the controller at tawasawapp@gmail.com for any questions, requests, or concerns about your personal data.
1. Scope & Overview
What is Tawasaw?
Tawasaw is a religious ranking and improvement platform designed to help Muslims assess their religious knowledge and practice, connect with others at similar levels, and receive personalized guidance for spiritual growth.
How the Platform Works:
- Religious Assessment Quiz: Upon registration, you must complete a comprehensive quiz that assesses your self-reported religious knowledge, practices, and commitment level.
- Rank Assignment: Based on your quiz responses, the system calculates and assigns you a religious rank (from Rank 1 to Rank 10). This rank reflects your current level and is used throughout the platform.
- Personalized Tasks: You receive daily and weekly improvement tasks tailored to your rank, designed to help you progress to higher levels.
- Group Matching: You are automatically matched with other users of similar ranks, preferred languages, gender, and timezone to form support groups (maximum 5 members per group).
- Progress Tracking: Your task completion, weekly evaluations, and rank progression are tracked. You can advance to higher ranks by consistently completing tasks and meeting weekly goals.
- Social Features: Connect with group members, send messages, schedule meetings via Zoom, and support each other's spiritual journey.
Important: By using Tawasaw, you acknowledge that this is a religious ranking platform that requires quiz completion and consent to data processing for rank calculation, group matching, and task assignment.
Age limit: Tawasaw is available only to
users aged 16 years or older. DOB selection during registration will not
allow ages under 16.
Consent requirement: Acceptance of this consent is mandatory to create an
account. If you do not accept, you may not register or use the App.
2. Personal Data We Collect
We collect and process the following
personal data depending on the features you use:
Profile / identity data
- First name, last name, country, gender, date of birth,
language, email address, timezone.
- Profile picture/photo (optional, if you choose to upload one). Images are stored on our servers and may be visible to other users depending on your privacy settings.
OAuth authentication data (when using "Sign in with
Google")
- Name and email address from your Google account.
- Google user ID (used for account linking and
authentication).
- Profile picture URL (optional, if you choose to import
it).
- When you sign in with Google, we receive this
information directly from Google. We do not receive or store your Google
password.
Account & authentication
- Hashed password (not stored in clear text), password
reset tokens, authentication metadata.
Quiz & religious data
- Quiz answers, quiz-derived religious level and assigned rank, tasks assigned and completion status. Because quiz results and rank concern religious beliefs or practices, they are treated as special category (sensitive) data under GDPR (religion).
- The quiz data is used only for self-ranking and
improvement purposes, not shared to other users or externally.
Why We Need Your Religious Assessment Data:
We collect and process your quiz answers and religious data for the following essential purposes:
- Rank Calculation: Your quiz responses are analyzed to calculate your religious knowledge and practice level, which determines your initial rank (1-10). This rank is fundamental to how the platform operates.
- Personalized Task Assignment: Your rank determines which daily and weekly improvement tasks are assigned to you. Tasks are specifically designed for each rank level to provide appropriate guidance for your spiritual growth. All tasks are designed to promote peaceful spiritual development, compassion, and ethical behavior. Tasks never encourage violence, harm to oneself or others, extremism, or any illegal activities. Tasks cover 8 categories: Prayer, Quran, Dhikr (remembrance), Fasting, Knowledge, Character, Community (Dawah), and Night Prayer (Qiyam). Tasks are created by the Tawasaw team based on general Islamic practices and teachings, and are designed solely for educational and motivational purposes. Some tasks may include links to external educational videos (e.g., YouTube) and articles from publicly available Islamic educational content provided by third parties (Islamic scholars, educators, content creators). Important: Task content and associated educational resources do not constitute religious rulings (fatwas), official religious guidance, or scholarly opinions. They are general suggestions for spiritual improvement. You are responsible for verifying the accuracy and appropriateness of all task content and educational resources with qualified Islamic scholars or religious authorities. For questions about the religious validity, permissibility, or correct methodology of any task or practice, you should consult with qualified scholars. Tawasaw is not responsible for any consequences arising from your reliance on task content, educational resources, or the App's suggestions.
- Group Matching: Your rank is used to match you with other users at similar levels, ensuring that group members can relate to each other's experiences and provide relevant support.
- Progress Tracking: We track your task completion and weekly evaluation results to determine when you're ready to advance to the next rank. Your religious data helps us measure your progress over time.
- Platform Functionality: The entire platform is built around the concept of ranked spiritual development. Without processing your religious assessment data, we cannot provide the core service.
Legal Basis: We process this sensitive data based on your explicit consent (GDPR Article 9(2)(a)). You provide this consent when you complete the quiz and check the consent boxes during registration.
Your Control: You can withdraw consent, reset your rank, or delete your account at any time (see Section 9 for details).
Social interactions
- Friends/follower relationships, friend requests,
blocks/unfriends, chat messages (private messages and group chat content),
group memberships.
Moderation & reporting
- Reports you submit (content reported, reporter
identity, timestamps) and notes from moderation review.
Technical & usage data
- Device identifiers, IP address, device metadata,
timestamps, and crash logs necessary for security, fraud prevention, and
to provide the service.
- App version, operating system version, device model, and language settings.
- Network information (connection type, carrier).
Device Permissions
The App may request the following device permissions:
- Camera and Storage: To upload profile pictures (optional, only when you choose to upload a photo).
- Notifications: To send you task reminders, meeting alerts, friend requests, and messages. You can disable notifications in your device settings.
- Internet Access: Required for the App to function and communicate with our servers.
We do NOT collect: precise geolocation data, contacts, call logs, SMS messages, microphone audio (except when using Zoom for meetings, which is governed by Zoom's privacy policy), or biometric data.
Analytics and usage data
We use analytics tools to understand
how users interact with Tawasaw in order to improve
functionality, usability and stability. These tools collect information such as
app screens viewed, actions taken, device type, operating system version,
approximate location (country), session duration, and technical performance
data. Analytics data are processed in pseudonymised
or aggregated form wherever possible.
Donation Data
When you make a donation through Google Play Store in-app purchases:
- We receive confirmation of the purchase from Google Play
- Transaction ID and purchase token
- Donation amount and type (one-time or monthly subscription)
- Purchase timestamp
Important: We do NOT receive or store your payment card details. All payment processing is handled securely by Google Play Store. Your financial information is governed by Google's Privacy Policy and payment terms.
Zoom Meeting Data - Third-Party Service
Tawasaw integrates with Zoom Video Communications, Inc. ("Zoom") to enable group members to schedule and conduct video meetings. Here's what you need to know:
What We Share with Zoom:
- When a group admin schedules a meeting and provides a Zoom meeting link, we store only the meeting link/ID and meeting name in our database.
- We do NOT share your personal data (name, email, profile information) with Zoom through our platform.
- We do NOT have access to Zoom meeting content, recordings, or participant data.
What Zoom Collects:
- When you click a Zoom link and join a meeting, you leave our platform and enter Zoom's service.
- Zoom may collect: your device information, IP address, meeting participation data, audio/video content, and any information you provide directly to Zoom.
- Zoom's data collection and use are governed by Zoom's Privacy Policy, available at: https://zoom.us/privacy
Your Responsibilities:
- You are responsible for reviewing and accepting Zoom's terms and privacy policy before joining meetings.
- If you do not wish to use Zoom, you can decline to join group meetings. This will not affect your ability to use other platform features.
- Group admins are responsible for informing meeting participants about any recording or data collection during meetings.
Our Role:
- We act as a facilitator by allowing group admins to share Zoom links.
- We are NOT responsible for Zoom's data practices, meeting content, or any issues arising from Zoom's service.
- We do not record, monitor, or access the content of Zoom meetings.
Data Retention:
- We store Zoom meeting links and schedules for as long as the group exists or until the admin deletes them.
- When you delete your account or leave a group, associated meeting schedules are removed from your view.
3. Legal Bases for Processing (GDPR)
We rely on the following lawful
bases depending on the processing activity:
- Explicit consent (Article 6(1)(a) + Article 9 for special categories): for collecting and processing data that reveal religious beliefs, for profiling/ranking based on your quiz answers, and for any future analytics or tracking that are not strictly necessary for the service. Processing religion-related data is permitted only with your explicit consent.
- Performance of a contract / provision of service (Article 6(1)(b)): to create,
maintain and operate your account, to deliver the quiz, assign tasks,
deliver password-reset emails, and run group/friend/chat functions.
- Legitimate interests
(Article 6(1)(f)): for preventing abuse, fraud,
spam; for platform security and basic moderation necessary to keep the
platform safe and functional. When we rely on legitimate interests, we
perform a balancing test to ensure your rights are not overridden.
Consent (Article 6(1)(a) GDPR): For non-essential analytics and tracking, we rely on your consent. You may give or withdraw consent at any time in the App settings or by contacting tawasawapp@gmail.com.
Legitimate interest (Article 6(1)(f)): Where cookies and analytics are strictly necessary for technical performance, security or debugging, we rely on legitimate interest and ensure minimal impact on your privacy.
You will be asked to provide one-time
explicit consent at registration to:
- Process the special-category religious data (quiz,
rank, tasks) and
- Allow automated profiling (ranking & task-assignment)
as described in this Policy. If you do not provide consent, you cannot
create an account.
Quiz Consent and What It Means
Before you can complete the religious assessment quiz, you must provide explicit consent for the following data processing activities:
By submitting the quiz, you agree that:
- Rank Calculation: We will analyze your quiz answers to calculate your religious knowledge rank (1-10). This rank will be visible to you and, depending on your privacy settings, to other users in your groups and friends list.
- Group Joining (Optional): If you enable this option, you can join groups through automatic matching, registration, joining via code, or creating your own group. We will match you with other users based on your rank, preferred languages, gender, country, and timezone. You will be assigned to a group (maximum 5 members). If you disable this permission in Privacy Settings, you will not be able to join groups through any method. Please note that when you join groups, other members will be able to see or infer your rank level through various means. See the "Rank Visibility and Inference in Groups" section below for full details.
- Ways to Join Groups: There are three ways to join groups in Tawasaw: (1) Automatic Assignment - the system automatically matches you with suitable groups, (2) Join via Group Code - you can join a specific group by entering its unique group code shared by group members or admins, and (3) Create Your Own Group - you can create a new group and invite others to join via the group code. All three methods respect your "Allow me to join groups" privacy setting. If you disable this setting, you cannot join or create groups through any method.
- Group Names and Rank Visibility: When a group is created (through automatic assignment, manual creation, or during registration), the group name is automatically generated in the format: "[Language] [Rank] Group" (e.g., "English Pathfinder Group", "Arabic Lightseeker Group"). The rank in the group name reflects the group's fixed rank level, which is determined when the group is created. Group admins can edit the group name at any time from the group details screen. Admins may choose to remove or modify the rank from the group name if desired. However, the group's underlying rank level (used for matching purposes) remains unchanged regardless of name changes.
- Personalized Task Assignment (Optional): If you enable this option, we will assign you daily and weekly improvement tasks based on your rank. Tasks are designed to help you progress to higher ranks. You can disable this in Privacy Settings.
- Data Protection: Your quiz data and rank are protected according to this Privacy Policy and GDPR requirements for sensitive data (religious beliefs).
- Your Rights: You can exercise the following rights at any time:
- Reset Your Rank: Request a rank reset, which will restart your progress from week 1 without changing your rank. The quiz cannot be retaken. To retake the quiz, you must delete your account and create a new one.
- Withdraw Consent: Disable group joining (which prevents all types of group joining including automatic matching, registration, joining via code, or creating your own group) or personalized tasks in Privacy Settings.
- Delete Your Account: Permanently delete all your data, including quiz results and rank (see Section 9).
- Access Your Data: Request a copy of your quiz answers and rank calculation (see Section 15).
Important Notes:
- The quiz can be completed any day after registration. Once you complete the quiz, you cannot retake it.
- Withdrawing consent for group matching or task assignment does not delete your existing data but prevents future automatic processing.
- You cannot use the core platform features (groups, tasks) without completing the quiz and having a rank assigned.
Rank Visibility and Inference in Groups
⚠️ Important Notice About Rank Disclosure in Groups
When you join groups in Tawasaw, other group members will be able to see or infer your spiritual rank through various means, even if you have enabled the "Hide rank from others" privacy setting. Please read this section carefully to understand how your rank information is shared within groups.
How Your Rank Becomes Visible or Inferable
Your rank information is shared with group members in the following ways:
1. Direct Rank Visibility (If Not Hidden)
If you have not disabled "Show rank to others" in Privacy Settings:
- Your exact rank name (e.g., "Baghil Haq", "Hasinun Nafs") is displayed next to your name in the group members list
- Your rank badge/icon appears on your profile within the group
- Other members can see your rank in the group details screen
2. Rank Inference Through Matching
Even if you hide your rank, group members can infer your approximate rank level because:
- All group members are matched at similar rank levels
- If a member knows their own rank (e.g., Rank 5), they can assume other members are at Rank 4, 5, or 6
- The matching algorithm prioritizes rank proximity for effective peer support
- Example: If you're in a group and one member reveals they're Rank 7, you can reasonably infer all members are approximately Rank 6-8
3. Rank Inference Through Teacher/Learner Roles
Your assigned role reveals rank information:
- Teacher Role (Rafiq): Assigned to members at the same or higher rank than other group members
- Learner Role (Talib): Assigned to members at the same or lower rank than other group members
- These roles are visible to all group members
- Members can infer relative rank positions based on who has which role
- Example: If you have the Teacher role and another member has the Learner role, members can infer you have a higher or equal rank
4. Group Rankings
Groups themselves have rankings based on the rank of the first user who joined the group. This means:
- The group's rank is determined by the first member's rank at the time they joined
- This group rank remains fixed and does not change based on other members' ranks
- While individual ranks may be hidden, the group's rank level is visible to all members
- Members can infer the approximate rank of the first member through the group's rank
5. Task Completion and Progress
Note: Weekly task completion rates, 28-day progression status, and rank advancement notifications are only visible to you. Other group members cannot see this information.
What You Can Control
- Show Rank to Others: Hide your exact rank name/badge (but inference through matching and roles still applies)
- Auto Join Groups: Opt out of automatic group assignment entirely
- Leave Groups: You can leave any group at any time from the group details screen
What You Cannot Control
- If you join a group, members will be able to infer your approximate rank level through matching criteria
- Your Teacher/Learner role assignment is rank-based and visible to group members
- Group rankings reflect member ranks collectively
💡 Recommendation: If you want complete rank privacy, we recommend not joining groups or only joining groups manually with people you trust.
Legal Basis for Rank Disclosure in Groups
We process and share your rank information for group assignment based on:
- Your Consent: By checking "Automatically join groups" you explicitly consent to rank-based matching and the associated rank disclosure
- Legitimate Interest: Creating effective peer support groups requires matching users at similar spiritual levels
- Performance of Contract: Group functionality is a core feature of the service you've signed up for
Data Sharing Within Groups
- Your rank information is shared only with members of groups you join
- Group members can see your name, rank (if not hidden), role, and activity status
- We do not share your rank with users outside your groups
- Group admins do not have additional access to your personal data beyond what regular members see
Group Member Removal Process
Tawasaw uses a democratic voting system for removing members from groups:
- Any group member can initiate a vote to remove another member from the group
- A member will be removed from the group only if ALL members vote to remove that member (unanimous consent required)
- Group admins cannot remove members unilaterally without a unanimous vote from all group members
- If you are removed from a group, you will receive a notification
- Removed members can join other groups via group code or through the auto-assign feature
- Removed members cannot rejoin the same group they were removed from
Your Rights
- Right to Withdraw Consent: You can leave groups or disable auto-join at any time in Settings
- Right to Access: You can view all your group memberships and rank information in your profile
- Right to Erasure: You can delete your account, which removes you from all groups
- Right to Object: You can opt out of group assignments at any time
For more detailed information about group assignment and rank visibility, please see our Group Assignment Information Page.
4. Automated Decision-Making, Profiling & Your Rights
Tawasaw uses automatic processing to convert quiz answers into a rank
and to assign tasks tailored to that rank. This is a form of profiling /
automated decision-making.
Under the GDPR you have rights in relation to automated decisions, including the right not to be subject to decisions based solely on automated processing which produce legal effects or similarly significantly affect you. You also have the right to obtain meaningful information about the logic involved and to request human review and to contest the decision. Article 22 of the GDPR specifically limits such purely automated decisions and requires safeguards.
Concretely:
- By consenting during registration you permit the App's profiling for ranking and task assignment.
- Logic of automated decision-making: Your quiz answers are scored based on a predetermined algorithm that assigns points to each answer. The total score determines your initial rank (1-10). Tasks are then automatically assigned based on your rank level. The system uses rule-based logic (not machine learning or AI) to match quiz scores to rank levels and rank levels to task sets.
- Automated inactivity monitoring: The system automatically monitors your task completion activity. If you are inactive for 48+ hours (no task completion) while having overdue daily tasks, your rank progress may be automatically reset, and you'll restart from week 1 at the same rank. This automated decision is made to maintain consistency and engagement in the program. You can contact tawasawapp@gmail.com if you believe an inactivity reset was made in error.
- You may request a human review, ask for an explanation
of the data and logic used, and contest your assigned rank; to do so
contact tawasawapp@gmail.com and we will review the outcome within 30 days.
- Withdrawal of consent for profiling can be exercised by
contacting us or by deleting your account (see Section 9). Withdrawal will
not affect the lawfulness of processing carried out prior to withdrawal.
No AI or Machine Learning: We do not currently use artificial intelligence, machine learning, or neural networks to process your data. All automated decisions are based on predetermined rules and algorithms that can be explained upon request.
5. How & Why We Use Your Data (Purposes)
We process your personal data for
the following purposes:
- Provide, operate and maintain the App (account creation, login, profile, quiz, ranks, tasks,
friends, groups, chat). (Lawful basis: performance of contract / consent
for special categories).
- Communications:
Send password reset emails, transactional messages, important account
notifications (Lawful basis: performance of contract / legitimate
interest).
- Moderation & safety: Process reports, review content, and take action to
enforce our community rules (Lawful basis: legitimate interest).
- Security & fraud prevention: Detect and prevent abuse, secure user accounts and
the service (Lawful basis: legitimate interest).
- Platform security and integrity: Monitor for violations, investigate suspicious activity, detect and prevent fraud, abuse, spam, and unauthorized access. Enforce our Terms of Service and Community Guidelines, including suspending or terminating accounts. (Lawful basis: legitimate interest in protecting the platform and users).
- Data subject rights:
to respond to access, rectification, deletion and portability requests
(Lawful basis: legal obligation / performance).
- Backups & integrity: technical backups and log support to restore service
after failure.
- Donation Processing:
Process and record donations made through Google Play Store, maintain donation history, manage monthly subscriptions, and provide donation receipts. We use this information to maintain and improve the service, keep the app free and ad-free, develop new features, cover server and infrastructure costs, and support development and hiring (Lawful basis: performance of contract / legitimate interest).
- Push notifications:
to notify you of new messages, meeting reminders, task updates, friend
requests, and other app activities. You can disable push notifications in
your device settings at any time.
(Lawful basis: consent / legitimate interest for service delivery).
We will not use your data for
purposes incompatible with those listed above without giving you prior notice
and, where required, obtaining additional consent.
6. Data Sharing & Processors
We may share personal data with:
- Service providers / processors who host the App, manage the database, deliver email
(password reset), provide moderation tools, or provide other
infrastructure services. We only share the data necessary for their function
and require them to implement appropriate technical and organisational safeguards (processors act only on our
instructions). Current service providers include:
- Amazon Web Services (AWS) Lightsail: Server hosting and infrastructure (Mumbai, India)
- PostgreSQL: Database management
- Firebase Analytics (Google): App usage analytics (pseudonymised data)
- Google Play Store: Donation payment processing
- Email service providers: For transactional emails (password resets, notifications)
- Law enforcement, regulators or courts, where required by law or to respond to lawful
requests and legal process.
- Other users:
information you deliberately make available to others (for example, your
name, rank, group memberships, chat messages you send, friend
relationships, profile picture) is visible to those recipients and will be processed by
them. Use the block feature to stop specific users contacting you.
- Google OAuth: When you sign in with Google, we receive limited
profile information from Google in accordance with Google's OAuth 2.0 protocol. This data sharing is governed by
Google's Privacy Policy and our agreement with Google. We do not share
your Tawasaw data with Google beyond what is
necessary for authentication.
We will never sell your personal
data.
7. International Transfers & Hosting (Mumbai, India)
Your personal data is hosted and stored in Mumbai, India. Transfers of personal data from the EU/EEA to a third country require appropriate safeguards under the GDPR (such as an adequacy decision, Standard Contractual Clauses, or explicit consent). The European Commission oversees adequacy decisions and guidance on international transfers.
As of the Effective Date of this Policy, India is treated as a third country and EU authorities have expressed concerns about transfers to India in certain contexts; controllers commonly rely on appropriate safeguards (for example, Standard Contractual Clauses) and/or on explicit informed consent when transferring personal data to India. Recent supervisory guidance and decisions have highlighted that transfers to India require careful assessment.
Accordingly:
- By registering and consenting you acknowledge that your
data will be stored in Mumbai and transferred to India.
- Where required by GDPR, we will implement appropriate safeguards (for example, Standard Contractual Clauses (SCCs)) and document transfer impact assessments. For more information about SCCs and transfer safeguards, see the EU Commission guidance.
Note: Because international law and adequacy statuses can change,
we will update this Policy and our data handling practices in response to new
legal developments.
8. Data Retention & Deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specific retention periods:
- Active account data: Retained for the duration of your account plus any legal retention requirements
- Chat messages: Retained until account deletion or message deletion by user
- Analytics data: 12 months, then automatically deleted or aggregated
- Backup data: Up to 30 days after account deletion
- Server logs: Up to 90 days for security and debugging purposes
- Moderation records: Up to 3 years or as required for legal defense
- Donation records: Up to 7 years for tax and accounting purposes
- Password reset tokens: 24 hours or until used
Account deletion: When you delete your account, we will delete your personal
data associated with that account immediately from our active systems.
You may delete your account from the App settings (Settings > Privacy & Security > Delete Account), which will redirect you to request a deletion link via email at https://tawasaw.app/delete-account.html, or by contacting tawasawapp@gmail.com.
Deletion includes removal of profile data, quiz results, ranking, group
memberships and (where possible) chat messages you have sent. You will lose
access to your account and any content associated with it upon deletion.
Residual copies & legal
exceptions: In some cases, residual copies of
deleted data may remain in backups or logs for a limited time for technical
restoration, integrity or fraud-prevention purposes, or where retention is
required by law (for example, to respond to legal claims). We will make
reasonable efforts to purge deleted personal data from backups and logs as soon
as practicable (typically within 30 days).
Retention for moderation, legal
claims or safety: Information relating to active
investigations or legal obligations (for example, content subject to a legal
hold) may be retained as necessary and only for as long as required.
9. Your Rights and How to Exercise Them
Under GDPR and other privacy laws, you have the following rights regarding your personal data:
1. Right to Access (Article 15)
- Request a copy of all personal data we hold about you, including quiz answers, rank, task history, messages, and group memberships.
- How to exercise: Email tawasawapp@gmail.com with "Data Access Request" in the subject line.
2. Right to Rectification (Article 16)
- Correct inaccurate or incomplete personal data (e.g., name, email, profile information).
- How to exercise: Update your profile in the App settings or email us.
3. Right to Erasure / "Right to be Forgotten" (Article 17)
- Delete your account and all associated personal data permanently.
- How to exercise: Go to Settings > Privacy & Security > Delete Account, then request deletion via email at https://tawasaw.app/delete-account.html, or email tawasawapp@gmail.com.
- What gets deleted: Profile data, quiz results, rank, task history, group memberships, messages (where possible), and all other personal information.
- Exceptions: We may retain data if required by law (e.g., donation records for tax purposes, moderation records for legal defense).
4. Right to Withdraw Consent (Article 7(3))
- Withdraw consent for optional data processing activities at any time.
- How to exercise:
- Disable Group Joining: Go to Settings > Privacy & Security > Privacy Settings > Toggle off "Automatically join groups". This will prevent you from joining groups through any method (automatic matching, registration, joining via code, or creating your own group). You must exit all current groups first.
- Disable Personalized Tasks: Go to Settings > Privacy & Security > Privacy Settings > Toggle off "Assign me personalized improvement tasks". No further tasks will be assigned.
- Withdraw All Consent: Delete your account.
- Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.
5. Right to Data Portability (Article 20)
- Receive your personal data in a structured, machine-readable format (JSON).
- How to exercise: Email tawasawapp@gmail.com with "Data Portability Request".
- What you'll receive: Profile data, quiz answers, rank, task history, group memberships, and message metadata.
6. Right to Object (Article 21)
- Object to processing based on legitimate interests.
- How to exercise: Email tawasawapp@gmail.com explaining your objection.
7. Right to Restrict Processing (Article 18)
- Request temporary restriction of data processing in certain circumstances.
- How to exercise: Email tawasawapp@gmail.com with your request.
8. Right to Lodge a Complaint
9. Right to Reset Your Rank (Platform-Specific)
- Request a rank reset, which will restart your progress from week 1 without changing your rank. The quiz cannot be retaken. To retake the quiz, you must delete your account and create a new one.
- How to exercise: Contact tawasawapp@gmail.com with "Rank Reset Request".
- Effect: Your task history and weekly progress will be reset, and you'll restart from week 1. Your rank remains the same. The quiz cannot be retaken. To retake the quiz, you must delete your account and create a new one.
Response Time and Verification
- We will respond to all rights requests within 30 days (or 1 month under GDPR). Complex requests may take up to 60 days, and we'll inform you if an extension is needed.
- We may ask you to verify your identity before processing rights requests to protect your data security.
- You may withdraw cookie consent by changing your device or browser settings, or by deleting your account, which removes all personal data and cookie-related identifiers.
10.
Security Measures
We implement technical and organisational measures designed to protect your personal
data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures currently
include (but are not limited to):
- Encryption: TLS/SSL encryption for all data in transit; database encryption at rest
- Password security: Passwords are hashed using bcrypt with salt; never stored in plain text
- Access controls: Role-based access control; limited to authorized staff only
- Firewall protection: Server firewall configured to allow only necessary ports (22, 80, 443)
- Regular updates: Security patches and software updates applied regularly
- Monitoring: Server logs monitored for suspicious activity
- Secure authentication: JWT tokens for API authentication; secure session management
- Data minimization: We collect only data necessary for the stated purposes
- Staff training: Any staff or contractors who handle personal data are trained in privacy and security best-practices
- Regular backups: Automated backups to prevent data loss
Data Breach Notification: No system is perfectly secure. If we become aware of a personal
data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Provide information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach
- Take immediate steps to contain and remediate the breach
11.
Moderation, Reporting & Safety
User Reporting
Users may report content or other users for violations of Terms of Service or Community Guidelines. Reports are reviewed by the Tawasaw team.
Our Moderation Rights
Reviewers may access reported content, user profiles, account data, and communication history to investigate violations of our Terms of Service or Community Guidelines. We may:
- Access and review content, messages, or user activity when investigating reported violations or suspected harmful behavior;
- Remove or restrict access to content that violates our Terms, Community Guidelines, or applicable law, or that poses a risk of harm;
- Suspend accounts temporarily or permanently for violations of our Terms or Community Guidelines;
- Issue warnings or restrict specific features for users who have violated our policies;
- Take other appropriate action to enforce our policies and maintain community standards and platform safety.
Decision-Making and Appeals
Moderation decisions are made based on our Terms of Service and Community Guidelines. While we aim to be fair and consistent, we may not be able to provide detailed explanations for every moderation action due to privacy, security, or legal considerations. Users may appeal moderation decisions by contacting tawasawapp@gmail.com within 30 days. We will review appeals and respond within a reasonable timeframe. Our decision on appeals is final.
Record Retention
Moderation records, including reports, investigations, and actions taken, may be retained for up to 3 years or as necessary to defend against appeals, legal claims, or to comply with legal obligations.
No Liability
We are not liable for any losses resulting from content removal, account suspension, or termination, except as required by applicable law.
12.
Third-Party Features & Links
Tawasaw may include links to third-party services or embed content
that is not controlled by Tawasaw. This Policy does
not apply to third-party services; consult their privacy policies before using
them.
13.
Children & Age Verification
Tawasaw is restricted to users aged 16 and over. We will not
knowingly collect personal data from children under 16. If we become aware that
we have collected personal data from a person under 16, we will delete it
without undue delay.
14.
Cookies & Analytics
Tawasaw may use cookies or similar technologies
(such as analytics SDKs) to understand app usage, improve performance and personalise user experience.
Analytics providers: Firebase Analytics (Google)
Data collected: device type, session ID, app version, usage events, and general geographic region (no precise location).
Retention: Analytics data are stored for 12 months and then automatically deleted or aggregated.
You can opt out or withdraw consent to analytics collection at any time through
the App's settings or by contacting tawasawapp@gmail.com.
15.
Data Portability
Under GDPR Article 20, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. To exercise this right, contact tawasawapp@gmail.com. We will provide your data in JSON format, which includes:
- Profile information (name, email, country, gender, date of birth, language, timezone)
- Quiz answers and rank history
- Task completion history
- Group memberships and roles
- Friend relationships
- Messages you have sent (where technically feasible)
16.
Changes to This Privacy Policy
We may update this Privacy Policy
when necessary (for example, to reflect new legal requirements or new
processing activities). We will publish the updated policy in the App and
indicate the Effective Date. Where required by law or where changes are
material, we will notify you in advance (via email or in-app notification) and, where necessary, obtain your renewed consent.
We recommend that you review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the App after changes are posted constitutes your acceptance of the updated Policy, unless the changes require explicit consent.
17.
California Consumer Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share personal information.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out: You have the right to opt-out of the "sale" or "sharing" of your personal information. We do NOT sell or share your personal information for monetary or other valuable consideration.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information (including religious data). You can exercise this right by contacting us.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Do Not Sell or Share My Personal Information: We do NOT sell your personal information to third parties for money or other valuable consideration. We do NOT share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt-out of sale or sharing.
Do Not Track: Our App does not currently respond to "Do Not Track" signals from browsers because we do not track users across third-party websites. We only collect data within our App as described in this Policy.
To exercise your California privacy rights, contact us at tawasawapp@gmail.com with "California Privacy Rights" in the subject line. We will respond within 45 days.
18.
Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights to those described above for California residents, including rights to access, correct, delete, and opt-out of certain data processing activities. To exercise these rights, contact us at tawasawapp@gmail.com.
19.
Data Protection Officer & EU Representative
As a small-scale operation, we are not currently required to appoint a Data Protection Officer (DPO) under GDPR Article 37. However, you may contact us at tawasawapp@gmail.com for all data protection inquiries. If our processing activities expand to require a DPO, we will update this Policy accordingly.
We do not currently have an EU representative as we are not required to appoint one under GDPR Article 27. If this changes, we will update this Policy.
20.
Contact & Complaints
Controller contact: tawasawapp@gmail.com
Response time: We will respond to your inquiries within one month (or two months for complex requests, with notification of the extension).
EU Supervisory Authorities: If you are in the EU and consider that your rights under the GDPR have been infringed, you have the right to lodge a complaint with your local Data Protection Authority / Supervisory Authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Information on how to contact supervisory authorities and your rights is available from the European Commission and your national authority.
20.1
Additional Resources
For more detailed information about specific aspects of our service, please refer to the following resources:
- Child Safety Standards: Learn about our commitment to protecting all users, especially minors, from harm. View Child Safety Standards
- Group Assignment Information: Understand how our group matching system works, including how your rank may be visible to other group members. View Group Assignment Information
21.
Summary of Key Points
This summary provides key highlights of our Privacy Policy. Please read the full Policy for complete details.
- What data we collect: Profile information, quiz answers (religious data), task completion, chat messages, group memberships, device/technical data, analytics, donation records, and Zoom meeting schedules.
- Why we collect it: To provide the App, assign ranks and tasks, facilitate groups and chat, improve the service, process donations, and ensure security.
- Legal basis: Explicit consent (for religious data and profiling), performance of contract, and legitimate interests.
- Who we share with: Service providers (AWS, Firebase Analytics, email providers), other users (your profile and messages), Google OAuth (for authentication), law enforcement (when required). We NEVER sell your data.
- Where data is stored: Mumbai, India (with appropriate GDPR safeguards for EU users).
- How long we keep it: Active account data until deletion; backups up to 30 days; analytics 12 months; logs 90 days; moderation records up to 3 years; donation records up to 7 years.
- Your rights: Access, rectify, delete, port, restrict, object, withdraw consent, lodge complaint with supervisory authority.
- Security: TLS encryption, password hashing, access controls, firewalls, regular updates, monitoring.
- Automated decisions: Quiz scoring and rank assignment use rule-based algorithms (not AI/ML). You can request human review.
- Age requirement: 16 years or older only.
- California residents: You have additional rights under CCPA/CPRA. We do NOT sell or share your data.
- Contact: tawasawapp@gmail.com for all privacy inquiries.
Acknowledgment: By using Tawasaw, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
*** END OF PRIVACY POLICY ***