1. Who we are
Haraka Tours is a Shia Islamic tour operator. The data controller is Haraka Tours, contactable at admin@haraka-tours.com.
2. What we collect
You provide to us
- Account: email, name, phone, date of birth.
- Registration for a trip: nationality, country of birth, country of residence, occupation, gender, dietary or medical preferences, a passport-page photograph for visa processing, and a recent photograph (selfie) used for identity verification.
- Party members travelling with you (provided by you on their behalf): their name, date of birth, gender, nationality, country of birth and residence, occupation, dietary and medical requirements, relationship to you, and (where required) a passport-page photograph for visa processing.
- Communication: messages you send to scholars or admins through the app.
- User-generated content: testimonials, photographs you choose to share with the group, questions you ask our scholars, and notes you post about holy places.
- Service requests: currency-exchange and SIM-card requests you submit, and bug reports you send us (your description, plus your account email, device type, OS version and app version).
Collected automatically
- A unique account identifier (Firebase user ID), assigned when you create your account, used to link your data to you.
- Your daily-quiz activity: the answers, attempts, points earned and reward tier associated with your account.
- Push notification token (so we can send trip updates and announcements).
- Approximate device location (only if you grant permission, for prayer-time and qibla calculations — processed on your device, never transmitted to us, never tracked or stored).
3. Why we collect it
- To operate the tour: process visa, room assignments, deliver welcome packs, broadcast announcements.
- Legal obligation: keep accounting records of memberships and payments for the period required by UK tax law.
- Legitimate interests: improve the service, prevent fraud, moderate user-generated content for safety.
- Consent: send marketing emails (opt-in), use device location (opt-in).
Some of what you provide is special-category data under UK/EU GDPR — health information (your medical and dietary needs) and data that can reveal religious beliefs, inherent in booking a pilgrimage. We process it only with your explicit consent, given when you provide it during registration, and solely to operate your trip safely (Article 9(2)(a)).
4. Who processes your data
We use the following sub-processors:
- Google Firebase (Authentication, Firestore database, Cloud Storage, Cloud Functions) — primary EU multi-region; some operational metadata may transit US infrastructure.
- Google Cloud Vision — automated safe-search scanning of images you upload. Images are scanned once and the result is stored as a flag; the image is not retained by Vision.
- Resend (transactional email) — sign-in links, payment references, approval emails. Sender is
noreply@haraka-tours.com. - Expo Push Service — delivers push notifications via Apple's APNs and Google's FCM.
Each is under a Data Processing Agreement that meets UK GDPR and EU GDPR requirements.
We do not sell your personal data, and we do not share it with third parties for advertising or cross-app tracking. The app contains no advertising or third-party analytics SDKs; the providers above act solely as our processors, on our instructions.
5. How long we keep it
- Account profile: while the account is open; deleted on request.
- Membership records: kept indefinitely for accounting purposes; anonymised (your name + email removed, trip + amount + date kept) when you delete your account.
- Push tokens: removed after 180 days of inactivity.
- Uploaded photos (passport, profile): deleted on account deletion or 24 hours after registration if the membership is cancelled.
- Database backups: 7 days rolling.
6. Your rights
Under UK GDPR / EU GDPR you have the right to:
- Access the data we hold about you (visible in-app on the Profile / Settings screen).
- Correct inaccurate data (editable in-app).
- Delete your account — Settings → Delete account. Triggers immediate erasure of personal data and anonymisation of accounting records.
- Port your data — request a machine-readable copy in the app (Settings → Export my data) or by emailing admin@haraka-tours.com.
- Object to processing based on legitimate interests.
- Complain to the Information Commissioner's Office (UK) or your local data protection authority.
7. Security
Authentication tokens are stored in the OS Keychain (iOS) / Keystore (Android) — not in plain text. Communication between the app and our servers is TLS-encrypted. Image uploads are stripped of EXIF metadata (including embedded GPS coordinates) before storage.
8. Children
The app is not intended for children under 13. Children of any age may travel as part of a family booking, but their personal data is provided and managed by the booking primary, who must have parental responsibility.
9. Changes
We may update this policy. Material changes will be announced in-app before they take effect. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Questions or requests: admin@haraka-tours.com.