Sameerah AI

Privacy Policy

Effective Date: 1 February 2026 · Last updated: 5 March 2026

Contents

  1. Overview
  2. Information We Collect
  3. How We Use Your Information
  4. Third-Party Data Processing
  5. Data Retention
  6. Cookies and Local Storage
  7. Data Security
  8. Your Rights
  9. International Data Transfers
  10. Voice Data Processing
  11. Legal Basis for Processing (UK/EU GDPR)
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Us

1. Overview

This Privacy Policy explains how Sameerah AI ("the Service", "we", "us", "our") collects, uses, stores, and protects your information when you use our website. We are committed to protecting your privacy and complying with applicable data protection laws, including the UK GDPR, EU GDPR, CCPA, PIPEDA, and the Australian Privacy Act 1988.

Data Controller: Sameerah AI — contact us at compliance@sameerahai.com

UK Data Protection: We operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Users in the UK may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

2. Information We Collect

Automatically Collected:

  • Browser Fingerprint: A hashed, non-reversible identifier used solely for rate limiting and abuse prevention. Not linked to your real-world identity.
  • IP Address: Processed temporarily for rate limiting and security. Not stored long-term.
  • Device Information: Browser type, OS, and screen resolution (as part of fingerprint generation only).

Account Information (if you register):

  • Name and Email: Used to identify you and send account-related emails.
  • Password: Stored as a one-way bcrypt hash. We never store your plain-text password.
  • Google Account Data: If you sign in with Google, we receive your name, email, and Google user ID.

User-Provided:

  • Chat Messages: Transmitted to our server and forwarded to third-party AI services to generate responses.
  • Voice Recordings: Transmitted for transcription via third-party AI services if you use voice input.

3. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To authenticate your account and maintain your session
  • To generate AI-powered responses to your queries
  • To send account verification and password reset emails
  • To enforce rate limits and ensure fair access for all users
  • To prevent abuse, spam, fraud, and malicious activity
  • To improve service quality, reliability, and user experience
  • To comply with legal obligations and enforce our Terms of Use

4. Third-Party Data Processing

Your messages and voice recordings are forwarded to third-party AI providers to generate responses. These providers operate under their own privacy policies. Additionally:

  • Hosting: Hostinger may process server access logs.
  • Google Sign-In: Authentication is handled by Google LLC under Google's Privacy Policy.
  • Quran Audio: Quranic recitation audio is served from cdn.alquran.cloud.

We do not sell, rent, lease, or trade your personal information to any third party for marketing or commercial purposes.

5. Data Retention

  • Account data: Retained while your account is active. Deletable on request.
  • Chat messages: Retained for up to 90 days, then automatically deleted.
  • Browser fingerprints: Rate limit data resets every 3 hours.
  • Session data: Stored in your browser's localStorage only; clearable at any time.

6. Cookies and Local Storage

Sameerah AI uses the following:

  • sameerah_token — a secure, httpOnly cookie to keep you logged in (7-day expiry)
  • currentChatId — localStorage entry for conversation continuity
  • termsAccepted — localStorage entry to remember your consent

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No data is shared with advertising networks.

7. Data Security

We implement appropriate technical and organisational measures including:

  • HTTPS/TLS encryption for all data in transit
  • Security headers (CSP, HSTS, X-Frame-Options) via Helmet.js
  • Passwords stored as one-way bcrypt hashes (never in plain text)
  • Rate limiting and abuse prevention mechanisms
  • Input validation and sanitisation to prevent injection attacks
  • Account lockout after repeated failed login attempts

While we take reasonable steps to protect your information, no method of electronic transmission is 100% secure.

8. Your Rights

Under UK GDPR / EU GDPR:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate or incomplete data
  • Erasure — Request deletion of your personal data ("right to be forgotten")
  • Restriction — Request restriction of processing
  • Portability — Request your data in a machine-readable format
  • Object — Object to processing of your personal data
  • Withdraw Consent — Withdraw your consent at any time
  • Lodge Complaint — File a complaint with the UK ICO or your national supervisory authority

Under CCPA (California Residents):

  • Right to know what personal information is collected, used, and shared
  • Right to request deletion of your personal information
  • Right to opt out of the "sale" of personal information (note: we do not sell your data)

9. International Data Transfers

Your data may be processed on servers located outside your country of residence. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws. We ensure appropriate safeguards are in place for all international data transfers.

10. Voice Data Processing

When you use the voice input feature, audio recordings are transmitted securely over HTTPS to our server and forwarded to a third-party speech-to-text AI service for transcription only. Voice recordings are not stored after transcription is complete. The resulting text transcription is processed to generate an AI response and is subject to the same 90-day retention limit as chat messages.

By using the voice input feature, you explicitly consent to the processing of your voice data for transcription purposes as described above.

11. Legal Basis for Processing (UK/EU GDPR)

We process your personal data on the following legal bases under UK GDPR / EU GDPR Article 6:

  • Contractual necessity (Art. 6(1)(b)): Account creation, authentication, and service delivery require processing your name, email, and session data.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, rate limiting, fraud prevention, and abuse detection.
  • Consent (Art. 6(1)(a)): Use of voice input and acceptance of these terms at first visit constitute your freely given, specific, and informed consent.
  • Legal obligation (Art. 6(1)(c)): We may process data where required by applicable law or court order.

12. Children's Privacy and Age Requirements

Sameerah AI enforces the following minimum age requirements in compliance with applicable law:

  • General (worldwide): The Service is not directed at children under 13 years of age. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.
  • European Union / EEA residents: In accordance with Article 8 of the GDPR, users under 16 years of age must have verifiable parental or guardian consent before using this Service and providing any personal data.
  • UK residents: In accordance with the UK GDPR, users under 13 years of age require parental consent to use this Service.

By using this Service and providing personal information, you represent that you meet the applicable age requirement for your jurisdiction.

Parental rights: If you are a parent or guardian and believe your child under the applicable minimum age has used this Service or provided personal data without your consent, please contact us immediately at compliance@sameerahai.com. We will promptly investigate and delete any such data.

We do not knowingly create accounts for, or direct targeted content at, minors under the applicable age thresholds. If we discover that a user is below the minimum age, we will terminate their account and delete their data without delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the effective date at the top of this policy. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact Us

Data Protection Enquiries: To exercise your rights, request data deletion, or ask questions about this Privacy Policy, contact us at compliance@sameerahai.com.