We mean it. Here’s how.

What we collect — and what we don’t

What we refuse to collect

• ✗No third-party analytics. No Google Analytics. No Meta Pixel. No Segment. No Mixpanel. No PostHog. No anything. We don’t load a single third-party script that profiles you. We do keep a server-side privacy-clean pageview log for our own operational decisions — it stores only the timestamp, the normalized route (no query string, dynamic segments collapsed), and your browser-locale prefix. No IP, no User-Agent, no referrer, no cookie or visitor ID. It cannot be used to identify you or track you across pages.
• ✗No cross-app data combination. Structurally prevented by UmmahPassport’s pairwise-subject primitive: NoorMap, Iḥsān Standards, and Wasla each see a different ID for the same person. We could not correlate your activity across the network even if we wanted to.
• ✗No IP address logging. Our edge (Caddy) is configured for minimal logs — no IPs persisted, no User-Agent fingerprints, no browser fingerprints, no click trails, no time-on-page beacons.
• ✗No data sale, ever. Not to brokers. Not to advertisers. Not to governments outside the legal floor (subpoena + counsel review + disclosure to you).

What we collect — only when you explicitly do something

• •Your approximate location — only when you click “Find places near me.” The coordinate is snapped to ~110m on your device before it leaves the browser, so what we use for the “near you” query is a neighborhood-scale point, not your address.
• •Your search query — only when you type in the search bar. We forward the query server-side to Nominatim (OpenStreetMap’s geocoder) for address autocomplete matches. The un-snapped query in the address-search input never leaves the client side until you press it.
• •Your UmmahPassport pairwise pseudonym — a stable per-RP ID issued by UP when you sign in. Not your email, not your name. NoorMap’s copy of this ID is mathematically distinct from the one Iḥsān or Wasla sees for the same you.
• •The fields you type into the Suggest form — name, address, kind, halal status, optional website / phone / notes — stored against your UP pseudonym so a moderator can downgrade trust if a single contributor turns out to be spammy. Nothing else from a Suggest submission is persisted: no IP, no User-Agent, no fingerprint.

Cookies

No tracking cookies. No analytics cookies. No third-party cookies. The cookies we do set are functional — they exist because the site can’t work without them. Each one is HttpOnly, meaning JavaScript can never read it; it travels only between your browser and our server.

• noormap_session — your signed-in session. HMAC-signed, HttpOnly, 30-day max-age, set only after you sign in via UmmahPassport. Contains your UP pairwise sub + tier + optional display name. Nothing more.
• noormap_locale — remembers your language preference. HttpOnly, 1-year max-age. No identifier in it.
• sso_state, sso_pkce, sso_next — scratch state for the OIDC handshake. 5-minute TTL, HttpOnly. They exist for the half-second it takes you to bounce between NoorMap and UmmahPassport during sign-in, then they’re gone.

Retention

• Suggest submissions: retained in our moderation queue until reviewed + ingested into the canonical ledger (typically less than 14 days), then archived.
• Session cookies: 30 days from the last sign-in. Sign out at any time to invalidate immediately on this device; rotate your UmmahPassport sessions from your UP account to invalidate everywhere.
• Server logs: minimal, no PII, no IPs. Aged out within 30 days.
• Account deletion: email security@noormap.com and we’ll wipe your UP pairwise sub from our queue and delete any open Suggest submissions tied to it. The canonical entity rows (mosque addresses, business listings) that come from public directories are not personal data and aren’t affected — those are managed via listings@noormap.com.

Map tiles — the one third party we can’t fully avoid yet

NoorMap is a map. Maps need tiles. Tiles have to come from somewhere that knows roughly where on Earth you’re looking. So we tell you exactly what that exposure looks like:

• Sources: base map tiles are served from Protomaps, OpenFreeMap, and (in production) a self-hosted PMTiles archive we run ourselves. All are aligned with OpenStreetMap and have no commercial profiling business.
• What they see: your IP address (because tile fetches go directly from your browser to them) and the tile coordinates inside your viewport — roughly which part of Earth you’re panning. They do not see who you are; we never share your session cookie with them.
• Where we’re headed:moving to fully self-hosted tiles for all regions so this last third-party exposure goes away. It’s on the launch-readiness queue.

Sub-processors

A complete list of every external service that touches anything related to you when you use NoorMap. If we add a new one, we update this list before we send you to it.

• UmmahPassport— sign-in. UP runs the same privacy posture as NoorMap (same charter, same network). Sees your email (because that’s how magic-link auth works) but issues us only a pairwise pseudonym, never your email.
• Iḥsān Standards— the canonical ledger of mosques, businesses, and non-profits. We read its SQLite file directly via a monorepo path — no network call, no data leak across a wire. You don’t send anything to Iḥsān by using NoorMap.
• Amazon Web Services (SES) — transactional email if and only if we need to send you a magic link or a moderation reply. We chose AWS SES specifically because we already run our infrastructure on AWS, so adding email delivery did not introduce another vendor to the PII chain. AWS holds SOC 2 Type II, ISO 27001, and PCI DSS attestations; data encryption uses KMS keys we own; we do notuse open-tracking pixels or click-rewriting, so the email you receive is the email we sent. The body isn’t retained by AWS once delivered; bounce + complaint metadata flows to an SNS topic with 30-day retention.
• Nominatim (OpenStreetMap) — address autocomplete. Sees the query string you type into the search bar (no identifier attached). Run by the OpenStreetMap Foundation, no commercial profiling.

The 90-day change pledge

If we ever change any of this for the worse — adding a tracker, loosening a retention window, taking on a sub-processor that doesn’t share our posture — the change has to be published in writing on this page at least 90 days before it takes effect. No silent updates. No buried footnotes. That’s the deal.

Loosening this pledge itself is also a change that triggers the pledge. It’s turtles all the way down.