Privacy Policy
Last updated: April 1, 2026
Your privacy is sacred to us. Pure Path is designed from the ground up to protect your identity and keep your recovery journey completely private.
1. Data Controller
Pure Path is operated by Ihsan Studio inc., a Canadian federal corporation incorporated in Quebec under the Canada Business Corporations Act, with its registered office in the Province of Quebec, Canada.
For all privacy-related inquiries, contact us at:
- Email: privacy@ppath.app
- Entity: Ihsan Studio inc.
- Jurisdiction: Quebec, Canada
Ihsan Studio inc. is the data controller (as defined under the GDPR) and the organization responsible for your personal information (as defined under PIPEDA) when you use Pure Path.
2. Our Privacy Commitment
Pure Path is built for Muslims seeking recovery from harmful habits. We understand the deeply personal and sensitive nature of this journey. Privacy and anonymity are not features we added later; they are the foundation of everything we build.
We will never sell your data. We will never share your personal information with third parties for marketing or advertising purposes. We will never compromise your anonymity.
3. Information We Collect
3.1 Account Information
- A unique anonymous user ID (auto-generated UUID, not linked to your real identity)
- Gender preference (used solely for gender-segregated community features)
- Age group bracket (used for content personalization and safety compliance)
- Notification preferences and device token (if notifications are enabled)
- A hashed recovery code for account restoration
We do not collect your real name, email address, phone number, physical address, or any personally identifiable information during account creation.
3.2 Recovery and Wellness Data
- Streak tracking data (start date, current streak, longest streak, reset history)
- Urge logs (intensity level, selected triggers, mood, time of day)
- Daily check-in responses and mood selections
- Journal entries (stored server-side, associated only with your anonymous ID)
- Recovery milestone progress and Noor Garden stage
- Blocking session data (schedule, commitment level, completion status, reflections)
- Lesson progress and course completion data
- Recovery reasons and pinned motivations
3.3 Community Data
- Community posts, comments, and reactions (posted under an auto-generated anonymous username)
- Chat messages in community and clan channels
- Clan membership and role data
- Friend connections (by anonymous ID only)
- Content reports and moderation flags
3.4 AI Coach Data
- Conversations with the Rafiq AI Coach are transmitted to our AI provider (Google Gemini) for processing
- Conversation summaries may be stored to maintain context within and across sessions
- Emergency protocol interaction data (anonymized intervention selections, swap preferences)
3.5 Technical and Safety Data
- Device platform (iOS, Android, or Web) for compatibility purposes
- App version number for support and debugging
- Subscription status and entitlement data (managed by RevenueCat)
- Device fingerprint: A non-identifiable device identifier derived from a header set by the app (X-Device-ID) and stored only when a community profile is created. This is used exclusively to detect ban evasion, specifically to prevent permanently banned users from creating new accounts to circumvent a safety ban. This identifier cannot be used to identify you personally and is not linked to your device's hardware or any external system.
- Urge timing patterns: Anonymous timestamps of urge log entries are analyzed to compute a personal high-risk hour and day of the week. This information is stored against your user ID and used solely to deliver timely, context-aware recovery support notifications.
- Community trust score: A trust points balance and trust level (0-3) are maintained to support community safety. These are earned through positive community participation and are used to determine which community features you can access.
We never ask for or store your real name, email address, phone number, physical location, contacts, photos (except user-uploaded community post images), or browsing history as part of your in-app account. If you contact us via our support page or email, we may receive your email address solely to respond to your inquiry.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Pure Path service, including account management, streak tracking, community features, and AI coaching.
- Legitimate interests (Art. 6(1)(f)): Processing for app improvement, security, fraud prevention, and content moderation, where our interests do not override your data protection rights.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as opting into push notifications or submitting community posts.
- Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law.
Given the sensitive nature of recovery-related data, we treat all recovery and wellness data with the highest level of protection, consistent with the processing of special category data under Article 9 of the GDPR.
5. How We Use Your Data
Your data is used exclusively to:
- Track and display your recovery progress, streaks, and milestones
- Provide personalized CBT, ACT, and DBT-based recovery guidance
- Power the Rafiq AI Coach with context-aware therapeutic support
- Enable anonymous, gender-segregated community participation
- Manage content blocking sessions and smart schedule suggestions
- Deliver the Emergency Protocol with personalized interventions
- Process and manage your subscription through Apple App Store or Google Play Store
- Send recovery-related push notifications (only if you opt in)
- Moderate community content to maintain a safe environment
- Generate aggregated, non-identifiable analytics to improve the app
6. Third-Party Service Providers
We use the following third-party services to operate Pure Path. Each is bound by its own privacy policy and data processing agreements:
6.1 Google Gemini (AI Processing)
Conversations with the Rafiq AI Coach and Emergency Protocol personalization are processed by Google's Gemini language model. We send conversation text and anonymized user context (age bracket, streak stage, gender). We never include personally identifiable information. Google's AI data usage policy applies to this processing.
6.2 RevenueCat (Subscription Management)
RevenueCat manages in-app subscription processing. RevenueCat receives your anonymous app user ID and subscription transaction data from Apple or Google. RevenueCat does not receive your name, email, or any personal identifiers from Pure Path. See RevenueCat's Privacy Policy.
6.3 Apple App Store & Google Play Store
Subscription purchases are processed entirely through Apple's App Store or Google Play Store. We do not collect or store your payment card information. Apple and Google handle all payment processing under their respective privacy policies.
6.4 Hosting Infrastructure
Our servers are hosted on secure, managed cloud infrastructure with encryption at rest and in transit (TLS 1.2+). Server logs may temporarily contain IP addresses for security purposes; these are automatically purged within 30 days and are never linked to user accounts.
We do not use any third-party advertising SDKs, tracking pixels, analytics services, or data brokers.
7. Data Storage and Security
All data is stored on secure, encrypted servers. We employ industry-standard security practices including:
- Encrypted database connections (TLS/SSL) for all data in transit
- Encrypted storage at rest for all databases
- Secure PostgreSQL with connection pooling and parameterized queries
- Rate limiting and request throttling to prevent abuse
- Content Security Policy headers and CORS restrictions
- Regular security reviews and dependency auditing
Your recovery data is associated only with your anonymous user ID. Even in the unlikely event of a data breach, your data cannot be traced back to your real identity because we never collect identifying information.
8. International Data Transfers
Ihsan Studio inc. is based in Canada. Your data may be processed in Canada, the United States, or other jurisdictions where our service providers operate.
For users in the EEA, UK, or Switzerland: Canada has been recognized by the European Commission as providing an adequate level of data protection (Commission Decision 2002/2/EC). Where data is transferred to jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms under Chapter V of the GDPR.
For users in Quebec, Canada: transfers comply with the requirements of Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25).
9. Data Retention
We retain your data according to the following schedule:
- Account and recovery data: Retained for as long as your account is active. Deleted upon account deletion request.
- Community posts and messages: Retained while your account is active. Anonymized or removed upon account deletion.
- AI conversation history: Conversation summaries retained during your active session. You can clear all AI chat history at any time using the refresh button in the AI Coach screen.
- Server logs (IP addresses): Automatically purged within 30 days.
- Subscription records: Retained as required by Apple, Google, and applicable tax/financial regulations.
10. Data Deletion
You can delete your data through the following mechanisms:
- Account Deletion: Go to Settings > Delete Account in the app. This permanently removes all your data from our servers, including recovery tracking data, journal entries, community posts, AI chat history, and your anonymous profile.
- Panic PIN: If you have configured a Panic PIN in Privacy Settings, entering it will immediately and irreversibly wipe all app data from the device. To also remove server-side data, use the Account Deletion feature in Settings or contact privacy@ppath.app.
- AI Chat Clearing: Tap the refresh icon in the AI Coach to delete all conversation history.
- Email Request: Contact privacy@ppath.app to request data deletion. We will process your request within 30 days.
Upon deletion, all recovery tracking data, journal entries, community content, and AI chat history are permanently and irreversibly removed from our servers. Some data may persist in encrypted backups for up to 30 additional days before being permanently purged.
11. Anonymous Community
Our community features are designed with Islamic principles of privacy (sitr, meaning the concealing of faults):
- All usernames are auto-generated and fully anonymous
- Communities are gender-segregated in accordance with Islamic guidelines
- No profile photos, real names, or identity information are displayed or required
- You can regenerate your anonymous username at any time
- Community posts are moderated by automated filters and AI to maintain safety
- Cross-gender interactions are prevented at the server level
12. Safety Monitoring and Child Protection Systems
Pure Path operates several automated safety systems to protect all users, especially minors. These systems are proportionate, targeted, and legally defensible under applicable child protection frameworks (including COPPA, the UK Online Safety Act, and the EU Digital Services Act).
12.1 Crisis Keyword Detection
All community posts and direct messages are scanned in real time for crisis language patterns (e.g., phrases indicating suicidal ideation or severe distress) in English and common transliterations used in our user community. This scanning:
- Does not block or delay any content; users always see their messages go through
- Silently creates a confidential safety alert reviewed by trained volunteer ambassadors
- Triggers a private, non-disruptive outreach notification to verified ambassadors who may respond with compassionate support
- Is operated under the legitimate interests legal basis (GDPR Art. 6(1)(f)), specifically the prevention of serious harm and self-harm
12.2 AI-Assisted DM Safety Screening
To protect minors from predatory behavior, we operate an automated behavioral screening system for direct messages. This system operates as follows:
- Trigger threshold: Screening is only triggered when an adult user (aged 18 or older) contacts their third unique minor (aged 13-15) within a 7-day window. This behavioral pattern is associated with grooming risk
- Scope: When triggered, the first 10 messages from each of the flagged conversations (up to 3 conversations) are sent to Google Gemini AI for safety analysis, not the full message history
- Purpose: The AI analyzes only for grooming patterns, inappropriate content, or suspicious behavior, and responds with a risk classification (low/medium/high) and summary flags
- Deduplication: Each adult-minor conversation pair is analyzed at most once within 48 hours to avoid repeated screening
- No mass surveillance: The vast majority of users, including adults with entirely appropriate interactions with minors, will never be screened
- Human review: All AI screening results are reviewed by a human administrator before any enforcement action is taken
- Legal basis: Child protection under GDPR Art. 9(2)(b) (processing necessary for social protection purposes); COPPA compliance obligation; proportionate legitimate interest in preventing exploitation of minors
Disclosure: By using community features, you acknowledge that messages may be subject to automated safety screening for child protection purposes, consistent with industry-standard practices (Meta, Discord, Snapchat, and similar platforms conduct equivalent or more extensive monitoring).
12.3 Report Velocity Escalation
When a user receives reports from 3 or more unique reporters within a 24-hour period, the system automatically escalates the situation by creating a priority safety alert for immediate administrator review. This prevents coordinated abuse and protects users from sustained harassment.
12.4 Ban Evasion Detection
When a new community profile is created, we compare the device fingerprint against fingerprints associated with permanently banned accounts. If a match is found, a safety alert is created for administrator review. No automated action is taken. A human administrator reviews all ban evasion flags before any enforcement decision.
12.5 Minor-Specific Protections
Users whose age is recorded as 13-15 ("young minors") receive additional automatic protections:
- Ghost Mode: Users aged 13-15 are excluded from community search results for users who are not already their friends or in the same clan, protecting them from unsolicited contact by strangers
- New Account Cooldown: If a sender's account is less than 3 days old and the recipient is under 16, direct message sending is blocked with a friendly explanation. This prevents newly created accounts from immediately targeting minors
- Direct Message Restrictions: New community accounts (Trust Level 0) cannot send direct messages to users who are not already their friends, regardless of the recipient's age
13. Children's Privacy (COPPA Compliance)
Pure Path is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13 years of age, in compliance with the U.S. Children's Online Privacy Protection Act (COPPA) and equivalent international regulations.
If you believe a child under 13 has used the app, please contact us at privacy@ppath.app and we will promptly delete all associated data.
Users between 13 and 16 years of age in the EEA require parental or guardian consent to use the app, in accordance with Article 8 of the GDPR. Our additional minor-specific protections (Section 12.5) apply to all users in this age bracket globally.
14. Your Rights
14.1 All Users
Regardless of your location, you have the right to:
- Access all data associated with your anonymous user ID
- Request deletion of all your data (via the app or by emailing privacy@ppath.app)
- Opt out of push notifications at any time through the app or your device settings
- Regenerate your anonymous community username
- Clear your AI conversation history at any time
14.2 European Economic Area, UK & Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you additionally have the right to:
- Right of Access (Art. 15): Obtain confirmation of whether your data is being processed and receive a copy of it.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.
14.3 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell your personal information. We have never sold personal information and will never do so.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your CCPA rights, contact privacy@ppath.app or use the in-app deletion features.
14.4 Canadian Residents (PIPEDA & Quebec Law 25)
If you are a Canadian resident, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, the Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25). You have the right to:
- Access your personal information held by Ihsan Studio inc.
- Request correction of inaccurate personal information
- Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec
15. Stealth Mode and Privacy Features
Pure Path includes advanced privacy features designed to protect users in shared device environments:
- Stealth Disguise Modes: The app can be disguised as a different application (Calculator, Weather, Notes, Clock) to protect your privacy.
- App Lock: PIN-based lock screen with optional biometric authentication (Face ID / Fingerprint) prevents unauthorized access.
- Panic PIN: An emergency PIN that instantly and irreversibly wipes all app data from the device. Server-side data can be removed separately via account deletion.
- Decoy PIN: A secondary PIN that opens a functional calculator disguise instead of the app.
These features are designed to protect users' privacy and dignity. They do not transmit any additional data to our servers.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated "Last updated" date.
For material changes that affect your rights, we will make reasonable efforts to notify you through the app. Your continued use of Pure Path after any changes constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have any questions about this Privacy Policy, your data, or wish to exercise any of your rights, please contact us:
- Privacy Inquiries: privacy@ppath.app
- General Support: info@ppath.app
- Entity: Ihsan Studio inc.
- Jurisdiction: Province of Quebec, Canada
We are committed to resolving any concerns about your privacy promptly and transparently. We aim to respond to all privacy-related inquiries within 30 days.
Remember: Your journey to recovery is between you and Allah. We are here to provide the tools, not to judge or expose. Your privacy is our amanah (trust).