Privacy Policy — Ittisal
1) Who we are
Ittisal is provided by Saifullah Ahad ("we", "us", "our"). Our website/portfolio is: https://saifullah.ai.
2) What this policy covers
This Privacy Policy explains what information we collect, how we use it, and the choices you have when you use Ittisal (the "App"), a messaging and calling service available through the Android app, the Windows desktop client, and the web client at app.ittisal.org.
3) Information we collect
We collect the following categories of information depending on which features you use:
- Account identifiers: A phone number used for one-time verification (OTP), or Google account information when you choose Google sign-in on the web. Stored in Firebase Authentication.
- Linked desktop sessions: When you scan a Windows/web login QR code, a short-lived session ID and custom authentication token are processed through Firebase Cloud Functions to link that device.
- Profile information: Name, profile photo, and status/about text that you choose to provide. Stored in Firebase Firestore.
- Messages: Text and structured messages you send and receive. Where end-to-end encryption is configured, message content is encrypted with AES-256-GCM before storage in Firebase Firestore.
- Media files: Photos, videos, voice messages, and files you share in chats. Stored in Firebase Cloud Storage.
- Contacts: On Android, if you grant permission, we read device contacts to help find friends who use Ittisal. The Windows/web client does not read your operating-system contacts automatically; it processes a contact file only when you explicitly choose one to import.
- Call data: Call metadata (caller, receiver, type, duration, status) for voice and video calls. Stored in Firebase Firestore. Call audio/video is transmitted peer-to-peer via WebRTC and is not recorded or stored.
- Device tokens: On Android, Firebase Cloud Messaging (FCM) tokens are stored to deliver push notifications. The Windows client keeps the signed-in web session active for desktop notifications while Ittisal is running.
- Local device data: Authentication state, preferences, cached web resources, and the optional end-to-end encryption passphrase are stored in the browser profile or the isolated Ittisal Windows profile on your device.
- Admin Mode data: If enabled, we store the hashed admin PIN and the list of allowed contact UIDs in Firebase Firestore.
4) How we use information
- Deliver messages, media, and calls between users.
- Authenticate your identity via phone number verification.
- Send push notifications for new messages and incoming calls.
- Enforce Admin Mode restrictions (blocking messages and calls from non-approved contacts).
- Display your profile to other users you communicate with.
- Help you find contacts who use Ittisal.
5) Third-party services
Ittisal uses the following third-party services:
- Firebase Authentication: Phone, Google, QR-linked, and session authentication. Privacy Policy
- Firebase Firestore: Message and user data storage. Privacy Policy
- Firebase Cloud Storage: Media file storage. Privacy Policy
- Firebase Cloud Messaging (FCM): Push notifications. Privacy Policy
- Firebase Cloud Functions: QR session linking and call-connection support. Privacy Policy
- Google identity and reCAPTCHA: Fraud prevention and optional sign-in verification on the hosted web client. Privacy Policy
- STUN/TURN services: WebRTC connection setup and relay when a direct peer-to-peer call cannot be established. These services may process network information such as IP addresses needed to connect the call.
- AllOrigins: The web/Windows client may send a public URL from a message to
api.allorigins.winto retrieve a link preview. Message text and account credentials are not sent for this purpose.
We do not use advertising SDKs, analytics SDKs, or crash reporting services.
6) Sharing and disclosure
We do not sell your personal information. We do not share your data with third parties for advertising or marketing purposes.
Information is shared only in these cases:
- With other users: Your messages, media, profile name, and photo are shared with the users you communicate with.
- Firebase infrastructure: Data is processed and stored on Google Firebase servers to provide app functionality.
- Legal requirements: If required by law or to protect rights, safety, and security.
7) Data retention
Messages and media are retained in Firebase as long as the chat exists. Call metadata is retained for call history purposes. You may request deletion of your account and all associated data by contacting us at the email address below.
8) Permissions used
Android: Ittisal may request the following permissions, each used only for its stated purpose:
- Camera: For video calls and taking photos to share in chats.
- Microphone: For voice calls, video calls, and recording voice messages.
- Contacts: To find friends who already use Ittisal (optional).
- Storage/Media: To send and receive photos, videos, and files in chats.
- Notifications: To alert you about new messages and incoming calls.
- Internet: Required for all messaging, calling, and data synchronization.
All Android permissions are optional except Internet. You can deny any permission in Android settings, though the related feature may not work.
Windows and web: Ittisal asks for camera and microphone access only when you use calls or recording, notification access for message/call alerts, and file access only through files you select or download. Internet access is required for messaging, calling, authentication, and synchronization. The Windows shell denies other browser permissions by default.
9) Your choices and controls
- Permissions: Allow or deny permissions at any time through Android settings or Windows/browser privacy controls.
- Profile: Edit or remove your profile name, photo, and about text in Settings.
- Admin Mode: Admins can enable, disable, and manage allowed contacts with a PIN.
- Deletion: Request deletion of your account and data by emailing www.saifullah.ai@gmail.com.
10) Security
Where end-to-end encryption is enabled, Ittisal uses AES-256-GCM with per-chat key derivation. The web and Windows clients keep the encryption passphrase locally and can optionally back up key material encrypted with a PIN. Data in transit uses HTTPS, and voice/video calls use WebRTC's encrypted transport. Admin PINs are stored as SHA-256 hashes, not in plain text. We use reasonable technical safeguards to protect your information, but no method of transmission or storage is completely secure.
11) Children's privacy
Ittisal is not directed to children under 13. We do not knowingly collect personal information from children under 13. The Admin Mode feature allows an admin to manage device communications, and requires an admin to set up and control. Ittisal prohibits child sexual abuse and exploitation (CSAE), including child sexual abuse material (CSAM), grooming, sextortion, and sexual solicitation involving minors. Read our separate Child Safety Standards.
12) Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy at https://privacy.saifullah.ai/Ittisal and update the effective date above.
13) Contact
If you have questions or requests, contact: Saifullah Ahad
Email: www.saifullah.ai@gmail.com
Phone: +8801711134346
Website: https://saifullah.ai