← Back to home

Privacy Policy

Last updated: April 28, 2026

Your privacy matters to us. This Privacy Policy explains what personal information Shamaya on Earth (“Shamaya,” “we,” “us”) collects, why we collect it, how we use and share it, and the choices you have. By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

1. Overview

Shamaya on Earth is a private, faith-rooted community for Iraqi Christian singles seeking marriage. To run the community safely we need to collect some information about you, both to power the Service and to keep members safe. We try to collect only what we actually need.

This policy works alongside our Terms of Service.

2. Information we collect

We collect the following categories of information:

Account & profile

  • Email address and password (passwords are stored hashed, never in plain text).
  • Profile details you provide: full name, date of birth, gender, city, country, family origin, languages, denomination, parish, baptism status, story, what you’re looking for, and preferences (age range, location).
  • Profile photo and additional member photos.
  • Optional verification documents you upload (for example, a baptism certificate) when requested by our team.

Communication content

  • Messages you send to other members, including text and image attachments.
  • Reports you submit and any moderation context (the report reason, your description, and the message or member you reported).

Payments

  • Subscription status, plan, billing period, trial dates, and payment events.
  • Payment-method details (such as card brand and last four digits) and customer/subscription identifiers from our payment processor (Stripe). We do not store your full card number; it is handled directly by Stripe.

Technical & usage

  • Basic technical information your browser sends (IP address, user-agent, language, approximate location derived from IP).
  • Authentication tokens and session cookies needed to keep you logged in.
  • Logs of important events (sign-ins, profile updates, payment events, moderation actions) for security and abuse prevention.

3. How we use your information

We use your information to:

  • Create and operate your account, including the manual approval review.
  • Show your profile to other approved members and let you message them.
  • Process subscriptions, trials, renewals, and refunds where applicable.
  • Keep the community safe: detect fraud, abuse, or impersonation; review reports; suspend or remove accounts that violate our Terms.
  • Send essential service emails (account verification, approval/rejection notices, billing receipts, security notifications). We will not send marketing emails without your consent.
  • Improve and secure the Service, debug issues, and maintain backups.
  • Comply with our legal obligations and enforce our Terms.

4. How we share information

We do not sell your personal information. We share it only in the limited situations below:

  • Other members. Once approved, your profile (name, age, photos, location at the city/country level, and the details you chose to share) is visible to other approved members. Messages and attachments you send are visible to your conversation partner.
  • Service providers. We use trusted vendors that process data on our behalf, including our cloud hosting and database provider and our payment processor (Stripe). They may only use the data to provide their service to us.
  • Moderation. Our admins can view profiles, messages, and reports as needed to enforce community safety and our Terms.
  • Legal & safety. We may disclose information if required by law, to enforce our Terms, or to protect the rights, property, or safety of Shamaya, our members, or the public.
  • Business transfers. If Shamaya is involved in a merger, acquisition, or sale of assets, member information may be transferred as part of that transaction; we will notify you and continue to honour this policy.

5. What other members can see

Approved members can see your profile (name, age, city, country, languages, denomination, parish, story, photos, what you’re looking for) and any messages or images you send them. They cannot see your email address, date of birth (only the calculated age is shown), payment information, or any uploaded verification documents.

You control what optional details you put in your profile and which photos you upload. You should never share information you’re not comfortable being seen by other members.

6. How long we keep your data

We keep your information for as long as your account is active. When you delete your account, we delete or anonymise your profile and member photos within a reasonable period, except where we need to keep certain data to:

  • Meet legal, tax, and accounting obligations (for example, payment records).
  • Resolve disputes or enforce our agreements.
  • Maintain the integrity of moderation records (e.g., suspension history) so previously removed users cannot easily return.

Backup copies may persist for a limited additional period before being overwritten.

7. How we protect your data

We use a range of technical and organisational measures to protect your information, including encrypted connections (TLS), row-level security in our database, hashed passwords, signed short-lived URLs for private images, and access controls so only authorised personnel can access sensitive systems.

No service is 100% secure. You are responsible for choosing a strong, unique password and for keeping it confidential. Notify us immediately if you suspect unauthorised access to your account.

8. Encryption & data protection

We take a defense-in-depth approach. Here’s exactly what that means in practice:

Encrypted at rest

  • Sensitive free-text fields on your profile — your story, what you’re looking for, family origin, and your baptism certificate file path — are additionally encrypted at the column level with a symmetric key managed by our secret vault. Even a database export with the disk-level keys would not expose these fields in readable form.
  • Our managed database (Lovable Cloud, powered by Supabase Postgres) encrypts all data on disk using AES-256, including automated backups.
  • Private file uploads — baptism certificates, verification documents, and chat attachments — are stored in private storage buckets that require a signed, short-lived URL to access. They are never exposed via a public URL.
  • Passwords are never stored. They are hashed with bcrypt by our authentication provider before being saved.
  • Payment card numbers never touch our servers — Stripe tokenises them and we only store the customer/subscription identifier.

Encrypted in transit

  • Every connection to Shamaya is forced over HTTPS (TLS 1.2+).
  • Internal calls between the app and the database use authenticated, encrypted connections.

Access controls

  • Row-level security (RLS) is enabled on every table that holds member data. The database itself enforces — row by row — that you can only read and write your own profile, photos, and conversations.
  • Admin actions (approvals, moderation) are logged to a separate audit table.
  • Every consent you give (Terms, Privacy, Waiver, Community Guidelines) is recorded as a separate, append-only event including timestamp, policy version, and the method used so we can prove what you accepted and when.

No system is unbreakable. If you believe your account has been compromised, contact us immediately at hello@shamaya.app.

9. Your rights & choices

Depending on where you live, you may have rights under applicable data protection laws (such as the GDPR), including the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Request deletion of your account and associated data.
  • Object to or restrict certain processing.
  • Receive a portable copy of your data.
  • Withdraw any consent you previously gave.
  • Lodge a complaint with your local data protection authority.

You can update most profile details directly in your account. For other requests, contact us at hello@shamaya.app. We may need to verify your identity before acting on your request.

10. Requesting data removal

You can request deletion of your account and associated data at any time. Here’s how it works:

  1. Open your account page and use the “Request data removal” button.
  2. The request enters a queue reviewed by our team. We may contact you to confirm your identity.
  3. Once approved, your profile, member photos, and uploaded documents are deleted. Conversations are anonymised so the people you spoke with don’t see broken threads.
  4. A minimal record (user id, deletion timestamp, payment history) is retained where required by law, anti-fraud, or accounting obligations — see “How long we keep your data” above.

If you are not signed in, email us at hello@shamaya.app from the address on your account.

11. International transfers

Shamaya on Earth is a global community. Your information may be processed in countries other than where you live, including countries whose data protection laws differ from yours. Where required, we rely on appropriate safeguards (such as standard contractual clauses) provided by our service providers.

12. Children

The Service is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has created an account, please contact us so we can remove it.

13. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, give you reasonable notice within the Service or by email. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Contact us

For questions, requests, or complaints about this policy or your data, please contact us at hello@shamaya.app.