Privacy Policy
Last Updated: May 19, 2026
Pilot Notice (Nigeria, May 2026): TheHyWing is in a closed Nigerian pilot. Personal and health data collected during the pilot is processed only for the purposes listed below, retained only as long as needed, and never sold. We are registering as a Data Controller of Major Importance with the Nigeria Data Protection Commission (NDPC). For any privacy question contact privacy@thehywing.com.
1. Introduction
TheHyWing ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, WhatsApp bot, and related services (collectively, the "Service"). TheHyWing is a climate-risk intelligence and preventive health platform that protects human health and livelihoods across multiple climate stressors. We operate globally and comply with applicable data protection laws in all jurisdictions where we serve users.
2. Data Controller
TheHyWing is the data controller responsible for your personal data. For data protection inquiries:
3. Information We Collect
2.1 Personal Information
We collect information that you provide directly to us, including:
- Account Information: Email address, password (encrypted), and profile details
- Health Information: Occupation, work environment, climate exposure data, hydration records, vital signs, health conditions
- Agriculture Information: Crop types, livestock types, farming details (work_details field) — used solely to personalize Farm Intel climate risk assessments
- Location Data: Geographic location for weather-based alerts and agro-ecological zone detection (with your permission)
- Device Information: Device type, operating system, unique device identifiers
2.2 Automatically Collected Information
- App usage data and analytics
- Log data (IP address, timestamps, error logs)
- Weather API data for your location
3. How We Use Your Information
We use the collected information for:
- Service Delivery: Providing climate risk alerts, health monitoring, agricultural risk intelligence (Farm Intel), and medical consultations
- Personalization: Customizing alerts based on your work environment, health profile, and specific crops/livestock
- Livelihood Protection: Generating crop risk assessments, livestock welfare alerts, pest/disease warnings, and planting calendar guidance personalized to what you grow
- Safety: Sending critical climate health warnings and emergency notifications
- Communication: Sending service updates, password resets, and consultation reminders
- Analytics: Improving app performance and user experience
- Legal Compliance: Meeting regulatory and security requirements
4. Health Information Protection
We take the protection of your health information seriously:
- All Protected Health Information (PHI) is encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Access to health data is logged and monitored for compliance
- We implement HIPAA-aligned security practices
- Health data is only shared with licensed clinicians for consultations you authorize
- At signup you provide granular, separate consents for: Terms of Service, Privacy Policy, processing of health data, AI symptom assessment, WhatsApp messaging, and marketing — each of which can be reviewed or withdrawn in the app at any time (Settings → Consents).
5. Information Sharing and Disclosure
We do not sell your personal information. We share data only in these circumstances:
- Healthcare Providers: Licensed clinicians during authorized consultations
- Caregivers: Only those you explicitly authorize
- AI Processing (OpenAI): Symptom descriptions are sent to OpenAI's API for AI-assisted health guidance. OpenAI processes this data under a Data Processing Agreement and does not use it for model training. No personally identifiable information (name, email, phone) is sent — only symptom text and anonymized health context.
- Service Providers: WeatherAPI.com / Open-Meteo (GPS coordinates only), Brevo (email delivery), Paystack (payments, PCI DSS compliant), Expo/EAS (push notification tokens), Render (cloud hosting)
- Legal Requirements: When required by law or to protect rights and safety
- Emergency Situations: To prevent serious harm to you or others
5a. Artificial Intelligence (AI) Transparency
AI Disclosure: TheHyWing uses AI (OpenAI GPT models) for symptom assessment, daily health tips, work schedule safety guidance, and personalized agricultural recommendations (Farm Intel).
Limitations: AI outputs are informational only — not medical diagnosis, prescription, or treatment. AI-generated agricultural guidance is advisory and does not guarantee crop yields or livestock outcomes. AI results are not reviewed by a clinician or agronomist in real time. The AI may produce inaccurate results. Always consult qualified professionals. In emergencies, contact your local emergency services.
6. Data Security
We implement industry-standard security measures:
- SSL/TLS encryption for all data transmission
- Encrypted database storage
- Secure authentication with JWT tokens
- Regular security audits and monitoring
- Access controls and audit logging
7. Your Rights
Depending on your jurisdiction, you have the following rights:
- Access: Request a copy of your personal data (GDPR, NDPA, CCPA, DPDP, POPIA)
- Rectification: Correct inaccurate or incomplete data (GDPR, NDPA, POPIA)
- Erasure / Deletion: Request deletion of your data (GDPR, NDPA, CCPA)
- Data Portability: Receive your data in machine-readable format (GDPR, DPDP)
- Restrict Processing: Limit how we use your data (GDPR, POPIA)
- Withdraw Consent: Revoke consent at any time (all jurisdictions)
- Non-Discrimination: Exercise rights without diminished service (CCPA)
To exercise any right, email privacy@thehywing.com. We respond within 30 days.
8. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Health records may be retained for longer periods to comply with medical record-keeping requirements.
9. Children's Privacy
TheHyWing is not intended for users under 18 years of age. We do not knowingly collect information from children under 18.
10. Data Breach Notification
In the event of a breach posing a risk to your rights, we will notify the relevant supervisory authority within 72 hours (GDPR/NDPA) and notify affected users without undue delay. Our breach response process includes:
- Detection & Assessment: Automated security event logging via our audit system identifies anomalous access patterns within minutes.
- Authority Notification: NDPC (Nigeria), relevant EU DPA, or other applicable authority notified within 72 hours of confirmed breach, including nature of breach, categories of data affected, approximate number of users, and remediation steps.
- User Notification: Affected users notified via email and in-app alert without undue delay, including what data was affected and recommended protective actions.
- Remediation: Encryption key rotation, forced token revocation, and access credential reset as appropriate.
11. International Data Transfers
Your data may be processed in countries other than your own. We use the following sub-processors:
| Sub-Processor | Purpose | Location | Data Shared |
| --- | --- | --- | --- |
| Render | Cloud hosting (API & database) | United States | All application data (encrypted at rest) |
| OpenAI | AI symptom assessment & farm advice | United States | Anonymised symptom text only (no PII) |
| Expo (EAS) | Push notification delivery | United States | Device push tokens & notification content |
| Meta (WhatsApp) | WhatsApp bot messaging | United States | Phone number & message content |
| Paystack | Payment processing (PCI DSS) | Nigeria | Payment data only |
| WeatherAPI / Open-Meteo | Weather data | UK / EU | GPS coordinates only |
| Brevo | Email delivery | EU | Email address & notification content |
| Netlify | Landing page hosting | United States | No personal data (static site) |
We ensure appropriate safeguards for cross-border transfers including Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs) with each sub-processor, and encryption of all data in transit (TLS 1.2+) and at rest (AES-256). PHI (Protected Health Information) is encrypted before leaving our application layer and is never sent to sub-processors in plaintext.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.
13. Jurisdiction-Specific Provisions
- EEA (GDPR): Data portability, right to object, lodge complaints with your local DPA.
- USA (CCPA): Right to know, delete, opt out — we do not sell data.
- Nigeria (NDPA 2023): Consent-based processing, breach notification, correction/deletion.
- India (DPDP 2023): Consent management, data erasure, representative nomination.