Privacy policy

Last updated: 24 April 2026.

Short version

What we collect

Account data: email address, sign-in timestamps, approximate IP (for rate limiting and security), user agent.

Location: you choose this during onboarding. We only need city-level coordinates to fetch local pollen and weather forecasts from Open-Meteo. You can enter a city name manually instead of sharing device geolocation.

Health data: symptoms you log, severity ratings, medications you record, optional notes, and, if you connect a third-party service (for example, Oura Ring) in the Pro tier, the data that service provides.

Usage: aggregate, anonymous page-view counts via a privacy-respecting analytics tool. No cookies, no tracking across sites.

How we store it

Each HayReady account has its own isolated database file. Your health data cannot be returned by a query that was meant for another user — by design, not by promise. Databases live on our server in Sydney, Australia, behind Cloudflare's network.

Backups are encrypted and retained for 30 days, then deleted.

What we don't do

Third parties

Your rights

Security

Sign-in uses one-time magic links — there are no passwords to steal. Sessions are HttpOnly cookies over HTTPS only. All traffic between your device and our server is encrypted. The server is hardened (fail2ban, key-only SSH, firewall), but no system is perfectly secure — if you notice something wrong, email [email protected].

This is not medical advice

HayReady helps you track and forecast allergy symptoms. It is not a medical device and does not diagnose or treat any condition. Don't use it to replace a doctor or allergist. Call your doctor (or emergency services) for urgent symptoms.

Kids

HayReady is intended for people 16 and over. If you're a parent logging on behalf of a child, that's fine — just know we don't have separate child-specific protections yet.

Jurisdiction

HayReady is operated from New Zealand. We aim to comply with the New Zealand Privacy Act 2020, the Health Information Privacy Code 2020, and — where applicable — the EU GDPR. If there's a conflict between these rules and this page, the rules win.

Changes to this policy

If we change anything material, we'll email you before the change takes effect. Older versions of this policy are kept on request.