Skip to main content

Legal

Privacy Policy

Last updated: 25 May 2026

1. Who we are

Hadith Compass ("we", "us") operates the website hadithcompass.org — an academic research tool for descriptive, framework-dependent ethical analysis of hadith corpora.

For questions about this policy or to exercise your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), contact us at privacy@hadithcompass.org.

2. What data we collect

a. Account data (only if you sign in)

  • Email address and hashed password (managed by our authentication provider).
  • User role (e.g. admin) stored in our database.
  • Session token stored in your browser's local storage to keep you signed in.

b. Operational logs (admin users only)

  • AI audit logs recording prompts, model identifiers, and responses for analyses you trigger.
  • Ingestion job metadata (collection, timestamps, counts).

c. Anonymous visitors

Reading hadiths and published analyses requires no account. We do not run third-party analytics, advertising, or social-media tracking pixels. Standard server access logs (IP address, user agent, timestamp) may be retained by our hosting provider for security and abuse prevention for up to 30 days.

3. Legal basis (Art. 6 GDPR)

  • Contract (Art. 6(1)(b)) — to provide the account and admin features you request.
  • Legitimate interest (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and audit AI outputs. You may object at any time.
  • Consent (Art. 6(1)(a)) — for any non-essential cookies or storage, if and when we introduce them. We currently use none.

4. Cookies & local storage

We use only strictly necessary browser storage required to operate the site. No consent is required for these under Art. 5(3) of the ePrivacy Directive:

  • sb-*-auth-token (local storage) — keeps you signed in. Deleted on sign-out.
  • hc-cookie-notice (local storage) — remembers that you have dismissed the cookie notice.

We do not use advertising, analytics, fingerprinting, or cross-site tracking cookies.

5. Sharing & processors

We rely on the following processors, each bound by a data-processing agreement:

  • Supabase — database, authentication, and hosting infrastructure (EU region available).
  • Cloudflare — edge hosting, DDoS protection, and TLS termination.
  • Lovable AI Gateway — routes AI classification and scoring requests to upstream model providers (currently Google Gemini, OpenAI). Prompts and responses are processed solely to return the requested output.

Some processors may transfer data outside the EEA. Where this occurs we rely on the European Commission's Standard Contractual Clauses (Art. 46 GDPR) and supplementary safeguards.

6. Retention

  • Account data — until you delete the account or request deletion.
  • AI audit logs — 24 months, then deleted.
  • Server access logs — up to 30 days.

7. Your rights (Art. 15–22 GDPR)

If you are in the EU/EEA or UK, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request erasure ("right to be forgotten").
  • Restrict or object to processing.
  • Data portability — receive your data in a machine-readable format.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@hadithcompass.org. We will respond within one month (Art. 12(3) GDPR).

8. Security

Data is transmitted over TLS. Database access is protected by row-level security policies. Service-role credentials are stored only in server-side environment variables and never shipped to the browser.

9. Children

The service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes

We may update this policy. Material changes will be announced on this page with a new "Last updated" date. Continued use after the effective date constitutes acceptance.

← Back to home