Contents
- Who We Are
- Data We Collect
- How We Use Your Data
- Health & Cycle Data
- HealthKit Data
- Legal Basis for Processing
- Data Sharing & Third Parties
- Data Storage & Security
- Data Retention & Deletion
- Your Rights
- Partner Sharing Feature
- Children's Privacy
- Data Breach Notification
- Changes to This Policy
- Contact Us
1. Who We Are
Hiya (هِيَ) ("Hiya," "we," "us," or "our") is a women's wellness platform operated in the State of Kuwait. Hiya provides cycle tracking, wellness insights, and a marketplace connecting users with local wellness service providers.
Our registered business details will be updated here upon completion of Commercial Registration (CR) with the Kuwait Ministry of Commerce and Industry (MOCI). Until then, this policy governs all data handling within the Hiya mobile application and the website hiyakw.com.
2. Data We Collect
We collect the following categories of personal data:
| Category | Specific Data | When Collected |
|---|---|---|
| Account Information | Name, email address, profile photo (optional) | Registration via email, Google, or Apple Sign-In |
| Health & Cycle Data | Period dates, flow levels, symptoms, moods, basal body temperature, cycle length | When you log entries in the cycle tracker |
| Onboarding Health Data | Age range, cycle regularity, health conditions (e.g., PCOS), wellness goals | During initial onboarding questionnaire |
| HealthKit Data | Sleep duration, step count (read-only from Apple Health) | When you grant HealthKit permissions |
| Booking Data | Services booked, provider details, dates, times, booking status | When you book wellness services |
| Payment Data | Transaction IDs, amounts, payment status (card details are never stored by Hiya) | When you make a payment |
| Device & Technical Data | Device model, OS version, app version, crash logs, anonymous usage analytics | Automatically when using the app |
| Communication Data | Messages between you and wellness providers, support emails | When you communicate through the app |
3. How We Use Your Data
- Cycle Tracking & AI Predictions: To provide personalized cycle predictions, phase identification, symptom pattern recognition, and wellness recommendations tailored to your menstrual cycle.
- Wellness Marketplace: To connect you with local wellness providers, facilitate bookings, and manage appointments.
- Personalization: To deliver phase-aware nutrition tips, exercise modifications, and provider recommendations based on your cycle data.
- Service Improvement: To understand aggregate usage patterns and improve app features (using anonymized, non-identifiable data only).
- Communication: To send booking confirmations, reminders, and important service updates. Marketing communications require your separate opt-in consent.
- Error Monitoring: To detect and fix technical issues using Sentry error tracking (no personal health data is sent to Sentry).
- Security: To protect your account and prevent fraud.
4. Health & Cycle Data
We recognize that menstrual cycle data, fertility parameters, and symptom logs are highly sensitive personal health information. We treat this data with the highest level of care:
- Your health data is encrypted at rest and in transit.
- Health data is never sold to third parties under any circumstances.
- Health data is never used for advertising or marketing purposes.
- AI predictions are generated using only your own data — we do not pool health data across users for model training.
- You can export or delete all your health data at any time directly within the app, without needing to contact support.
Demo Mode: During our TestFlight beta testing phase, the app operates in demo mode. Demo bookings are clearly marked and no real payments are processed. All beta data handling follows the same privacy protections described in this policy.
5. HealthKit Data
If you choose to connect Apple HealthKit, we access sleep duration and step count in read-only mode. Hiya never writes data to HealthKit.
Critical: HealthKit data stays entirely on your device. It is never uploaded to our servers, never stored in our database, and never shared with any third party. HealthKit data is used exclusively on-device to enhance the accuracy of your cycle predictions and personalized insights.
6. Legal Basis for Processing
| Legal Basis | Applies To |
|---|---|
| Your Explicit Consent | Health data collection, cycle tracking, HealthKit access, marketing communications, partner sharing |
| Contractual Necessity | Account creation, booking services, processing payments, provider communication |
| Legitimate Interest | Error monitoring, fraud prevention, service improvement (anonymized data only) |
| Legal Obligation | Compliance with Kuwait regulations, responding to lawful government requests |
You may withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before the withdrawal.
7. Data Sharing & Third Parties
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Google Firebase | Authentication, database, storage, push notifications | Account data, encrypted health data, bookings |
| Sentry | Error tracking and crash reporting | Device info, error logs (no personal health data) |
| Tap Payments | Payment processing (KNET, Visa, Apple Pay) | Transaction amounts, payment tokens (Hiya never stores card numbers) |
| Wellness Providers | Fulfilling your bookings | Name, booking details, messages. Never health or cycle data. |
| Apple / Google | Sign-in authentication | Authentication tokens only |
We do not sell, rent, or trade your personal data to any third party. We do not share your health or cycle data with wellness providers, advertisers, or any other party without your explicit, specific consent.
8. Data Storage & Security
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Authentication: Firebase Authentication with secure session management.
- Access Control: Firestore security rules ensure users can only access their own data.
- Minimal Storage: Only your user ID is stored on-device (via AsyncStorage). No health data is cached locally beyond HealthKit.
- Development Practices: Sensitive logging is disabled in production builds. Developer tools are restricted to development environments only.
Data Residency: Our infrastructure currently uses Google Firebase. As Google Cloud expands its Kuwait region, we intend to migrate sensitive health data to Kuwait-based servers to align with evolving data sovereignty requirements. We will update this policy when any data residency changes occur.
9. Data Retention & Deletion
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Health & cycle data | Until you delete the data or your account |
| Booking history | 12 months after service completion, then anonymized |
| Payment records | As required by Kuwait financial regulations (typically 5 years) |
| Error logs | 90 days |
| Communication records | 12 months after last message, then deleted |
When you delete your account, all your personal data — including health and cycle data — is permanently destroyed from our systems within 30 days.
10. Your Rights
- Right to Access: View all personal data we hold about you, directly within the app's settings.
- Right to Correction: Edit or correct your personal information at any time through your profile.
- Right to Deletion: Delete specific health data entries or your entire account directly in the app without needing to contact support.
- Right to Data Portability: Export your cycle data and health records in a standard format.
- Right to Withdraw Consent: Revoke consent for any data processing at any time.
- Right to Restrict Processing: Request that we limit how your data is used.
- Right to Object: Object to processing based on legitimate interests.
- Right to Not Be Subject to Automated Decisions: Our AI predictions are advisory only — you are never subject to decisions based solely on automated processing.
To exercise any right, email privacy@hiyakw.com or use the in-app data management tools. We will respond within 30 days.
11. Partner Sharing Feature
- Partner sharing is entirely opt-in. It is never enabled by default.
- You control exactly which data categories are visible via individual toggle switches.
- Partners access a read-only web view — they do not need to install the app.
- Shared data may include: current cycle phase, expected period dates, fertility window status (if opted in), and general energy/mood forecasts.
- The following is never shared: individual symptoms, flow details, health conditions, HealthKit data, or symptom correlation insights.
- Sharing links expire after 30 days. You can revoke access instantly at any time.
12. Children's Privacy
Hiya is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18 years of age. If we learn that we have collected data from a minor, we will delete that data immediately. Contact us at privacy@hiyakw.com.
13. Data Breach Notification
- We will notify the relevant regulatory authority (CITRA) within 72 hours of discovering a breach, in accordance with Kuwait's Data Privacy Protection Regulation.
- We will notify affected users without undue delay via email and in-app notification.
- Notifications will include: the nature and scope of the breach, the types of data affected, measures taken, and steps you can take to protect yourself.
14. Changes to This Policy
- We will notify you via email and in-app notification at least 14 days before material changes take effect.
- The updated policy will be posted here with a new effective date.
- Where changes affect how we process health data, we will request your renewed consent.
15. Contact Us
We aim to respond to all privacy inquiries within 30 days.