Privacy Policy

SeeMyZakat is a free service for calculating your zakat and learning about Islamic finance. We collect as little as possible. Your portfolio data stays in your browser. No tracking cookies. No sale of data — ever.

This policy covers the full seemyzakat.com domain: the marketing site, the calculator at /calculator, the knowledge platform at /content, and our ops dashboard at /admin.

The only personal information we ever store is:

• Email address— only if you join the early-access waitlist or submit feedback/a question and opt to receive a response.
• Display name and passkey public key— only if you sign in with an Intentional ID account (optional; see Authentication below).

We do not collect names, phone numbers, mailing addresses, or browser fingerprints. We do not use tracking cookies or advertising networks.

All portfolio data you enter into the calculator (cash amounts, holdings, share counts, debts, valuables) is stored in your browser's sessionStorage and is automatically cleared when you close the tab. We do not store your portfolio data on our servers.

If you enable “Remember my data”, your portfolio is encrypted using AES-256-GCM and saved to localStorage. The encryption key lives entirely in your browser (non-extractable CryptoKey) and is automatically deleted after 30 days. You can delete it immediately at any time with the “Forget my data” button.

When you calculate your zakat, ticker symbols, share counts, and aggregate cash/debt numbers are sent to our server-side API for processing. This data is used only to compute your zakat obligation and is not stored, logged, or associated with any identity.

The knowledge platform at seemyzakat.com/content provides scholar-verified answers to common zakat and Islamic finance questions. You can browse Q&A anonymously.

If you submit a question or feedback vote, your submission is stored in Redis. Email is optional; if you provide one, it is stored with your submission so we can reply. We do not share submissions with third parties.

SeeMyZakat supports optional sign-in via Intentional ID— our WebAuthn/passkey-based authentication service operated at intentional-engines.com. You can use all public features without signing in.

If you choose to sign in:

• We set a session cookie named __intentional_session on seemyzakat.com. It is httpOnly, encrypted (AES-256-GCM), and scoped to this domain with a 7-day lifetime.
• Your passkey's public key is stored by Intentional Engines. The private key never leaves your device.
• See the Intentional Engines privacy policy for how the auth provider handles your data.

If you join an early-access waitlist, we store your email address and referral source in Upstash Redis. We compute a SHA-256 hash of your email with a salt to detect duplicate signups without leaking the email across storage rows.

We will use this email only to notify you about the launch. We do not sell, share, or rent your email. You can request removal at any time via the contact form.

If you send us a message via the contact form, we store your message and selected type (question, bug report, feature request, partnership, other) in Redis.

Name and email are optional. If you provide an email, it is stored alongside the message so we can respond. Messages are retained until reviewed and purged by our team.

If you click “Analyze my portfolio” from your calculator results, you consent to send a snapshot of your zakat data to intentional-capital.com. The transfer mechanism:

• Member names are replaced with generic labels (“Member 1”, “Member 2”) — real names are never transmitted.
• The snapshot is encrypted at rest with AES-256-GCM in an Upstash Redis key keyed by a one-time token.
• The token is automatically deleted after 15 minutes or on first retrieval, whichever comes first.
• No email, IP address, session identifiers, or browser data crosses between sites.

We use Vercel Analytics and Vercel Speed Insights for aggregate page-view and performance data. These services do not use cookies, do not track individuals, and do not collect personally identifiable information.

We use Sentryfor error monitoring. Sentry captures error messages, page URLs, and performance metrics. On the calculator only, Sentry records a small percentage of sessions via session replay — all text is masked, so your financial data is never visible. Traces are sampled at 10%.

Sentry assigns a random, anonymous session ID to your browser tab so we can count distinct users affected by an error. This ID is never linked to your identity and is discarded when you close the tab.

• Transport: HTTPS-only via HSTS. All cookies are Secure and SameSite=Lax.
• Headers: Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy.
• Session cookies: httpOnly, AES-256-GCM encrypted, signed.
• Rate limiting: per-route sliding-window limits on sensitive endpoints (calculate, discover, contact, early-access, transfer-token).
• CSRF: state cookies on auth flows.

• Portfolio data (sessionStorage)— cleared when you close the tab.
• Remembered portfolio (localStorage)— auto-deleted after 30 days, or immediately via “Forget my data”.
• Transfer snapshots— 15 minutes or first retrieval, encrypted at rest.
• Session cookies— 7 days.
• Waitlist email— until you request deletion.
• Contact messages / feedback— until reviewed and purged.
• Rate limit counters— 60 seconds.
• Sentry error reports— per Sentry's retention policy.

You may request, at any time, to:

• Access the personal information we hold about you (email + any messages you've sent).
• Correct inaccurate information.
• Delete your information.

Send requests via the contact form with the subject “Data Request”. We respond within 7 business days.

Browser-side data (sessionStorage, localStorage) can be cleared at any time using the calculator's “Forget my data” button or by clearing site data in your browser.

If you are a California resident you have the right to know, the right to delete, the right to opt out of the sale or sharing of your personal information, and the right to non-discrimination. We do not sell, rent, or share your personal information for any third party's marketing purposes — ever.

To exercise any right, use the contact form.

Questions about this policy? Send us a message.