Privacy Policy

In short

We collect only what we need to run Shukr. We don't sell your data or show ads. Your direct messages are end-to-end encrypted, and we don't track your location in the background — you decide when to add it. The sections below explain the details.

1. Introduction

Shukr is operated by Umeed Holdings OÜ, a private limited company registered in Estonia (registry code 17285395), with its registered office at Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond 15551, Estonia. Shukr is a product of Barakah Tech Labs ("BTL"), a brand of Umeed Holdings OÜ. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use the app. Any questions? Email us at legal@barakah.tech.

2. What Data We Collect

We only collect what is necessary to run the app.

When you sign up

• Phone number — used to create your account and to log you in.
• Password (stored as a one-way hash — we cannot read it).
• Your name or display name.
• Optional details you can add in the app: an email address, a username, and a profile photo (avatar).

When you use the app

• Content you post: text, images, media, comments.
• Direct messages (end-to-end encrypted — we cannot read them).
• Message metadata — even though we cannot read your direct messages, we process the limited information needed to deliver them, such as who is in a conversation and when messages are sent.
• Location you choose to add — when you mark a place on the map, or attach a location to a post or memory, we capture that location's GPS coordinates. This only happens when you deliberately choose to add it.
• Basic device info: device type, OS version.
• Log data: IP address (anonymised after 30 days), timestamps, error and crash reports.

What we never collect

• Your location in the background — we never track where you are. Location is captured only when you deliberately add it to a place, post, or memory, and never otherwise.
• Biometric data.
• Payment card details (handled entirely by our payment processor).
• Data from other apps on your device.

3. Device Permissions

Some features need permission to use parts of your device. We ask for these only when you use the relevant feature, and you can change or withdraw them at any time in your device settings:

• Camera — to take photos or video, and for live features.
• Microphone — to record audio and voice notes, and for live and video features.
• Photos and media — to let you choose images or media to share.
• Location — to capture a place's coordinates when you choose to mark a location or add one to a post or memory. Only when you actively do this, never in the background.
• Notifications — to alert you about activity in the app. You can turn these off at any time.

We do not use these permissions in the background. Turning a permission off only affects the features that rely on it.

4. Why We Use Your Data and Our Legal Basis

Under the GDPR, we must have a legal basis for using your data. We use your data only for the purposes below:

• To create and manage your account — to perform our contract with you.
• To show you content and let you interact with others — to perform our contract with you.
• To keep the platform safe and moderate content — our legitimate interest in a safe community, and to meet legal obligations.
• To fix bugs and improve the app during the beta — our legitimate interest in developing a reliable service.
• To send you important service updates — our legitimate interest in keeping you informed. We only send marketing if you opt in (consent).
• To comply with Estonian and EU law — to meet our legal obligations.

5. Who We Share Data With

We do not sell or share your data with advertisers. We share data only with:

• Cloud hosting providers — to store data; our core servers are located in the EU.
• SMS provider — to send login and verification codes to your phone.
• Payment processors (currently Polar Payments) — only what is needed to complete a transaction (we never see your card number).
• Maps provider — to display map imagery when you use map features; we share only what is needed to load the map, not your identity or device location.
• Law enforcement — only when required by a valid legal order.

All third parties are bound by GDPR-compliant data processing agreements. We keep your core personal data on servers within the EU. Where a service provider (such as our payment processor, SMS provider, or maps provider) processes limited data outside the European Economic Area (EEA), we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses.

6. Cookies and Similar Technologies

We use only the cookies and local storage that are essential to run the app — for example, to keep you signed in and to remember your settings. We do not use advertising, marketing, or third-party tracking cookies. Because these technologies are strictly necessary to provide the service, they do not require separate consent.

7. Additional Services and Permanent Storage (MemoryBox)

If you choose to use MemoryBox or similar Barakah Tech Labs services within Shukr, the files you upload are encrypted on your device and stored permanently on decentralized (blockchain) storage networks run by independent third parties. Because this storage is designed to be permanent and is not controlled by us, files that have already been uploaded generally cannot be edited or deleted — so the right to erasure may not be possible to fulfil for that content. We will make this clear before you use any such feature, and these services may have their own privacy terms.

8. How Long We Keep Your Data

• Account data: kept while your account is active, and deleted within 30 days of account closure.
• Log data: anonymised after 30 days, deleted after 12 months.
• Support messages: deleted 24 months after the issue is resolved.
• Financial records: kept for 7 years, as required by Estonian law.
• Public and community contributions (such as community posts and shared map markers): may be kept after your account is closed, in a form that is no longer linked to you.
• Files stored via MemoryBox or similar services: permanent (see section 7).

9. Your Rights

Under the GDPR, you have the rights listed below, and they apply even while Shukr is in beta. We're still building self-service tools into the app, so for now we handle these requests manually — just email us and we'll help. You have the right to:

• Access — get a copy of your data.
• Correct — fix inaccurate data.
• Delete — request that we erase your data (the "right to be forgotten"). This may not apply to some content, such as files stored permanently via MemoryBox, or public and community contributions that we keep in anonymised form after your account closes.
• Export — download your data in a portable format.
• Object — opt out of processing based on legitimate interests.
• Restrict — ask us to limit how we use your data.
• Withdraw consent — where we rely on your consent, you can withdraw it at any time.

To exercise any of these rights, email legal@barakah.tech. We aim to respond within one month. For complex or numerous requests, the law allows us to extend this by up to two further months, and we'll let you know if we need to. There's no charge for a reasonable request.

10. Your Right to Complain

If you believe we have mishandled your data, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee), or with the supervisory authority in your EU country of residence. We'd appreciate the chance to address your concern first, so please consider contacting us before you do.

11. Security

We protect your data with:

• End-to-end encryption for direct messages — only you and the people in the chat can read them; we cannot.
• Encryption at rest (AES-256) for your private posts and memories, and encryption in transit (TLS 1.3) for everything.
• Two-factor authentication (available for all accounts).
• Regular security reviews.

We are working to extend end-to-end encryption to your private memories and to messages within your groups and circles. Public and community content — such as public posts and places you share on the map — is not end-to-end encrypted, because it is meant to be seen by others.

Because Shukr is in beta, no service can be guaranteed to be perfectly secure, and you share content at your own risk. If a data breach occurs that affects your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and inform affected users without undue delay.

12. Children

Shukr is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe a child has registered, please email legal@barakah.tech and we will delete the account promptly.

13. Changes to This Policy

If we make significant changes, we will notify you through the app and by email at least 14 days before the change takes effect. The current version is always available at shukr.barakah.tech/privacy.