Privacy policy
Last updated: 24 April 2026.
Short version
- We collect only what you choose to give us: your email, location (city-level), and the symptoms you log.
- Your health data is stored in a database file that belongs to your account alone — not shared with other users' data.
- We never sell your data. We don't train any machine-learning models on your data without explicit consent.
- You can export or permanently delete everything at any time from your account settings.
What we collect
Account data: email address, sign-in timestamps, approximate IP (for rate limiting and security), user agent.
Location: you choose this during onboarding. We only need city-level coordinates to fetch local pollen and weather forecasts from Open-Meteo. You can enter a city name manually instead of sharing device geolocation.
Health data: symptoms you log, severity ratings, medications you record, optional notes. If you connect a third-party service (for example, Oura Ring) in the Pro tier, we also collect the data that service provides.
Usage: aggregate, anonymous page-view counts via a privacy-respecting analytics tool. No cookies, no tracking across sites.
How we store it
Each HayReady account has its own isolated database file. Your health data cannot be returned by a query that was meant for another user — by design, not by promise. Databases live on our server in Sydney, Australia, behind Cloudflare's network.
Backups are encrypted and retained for 30 days, then deleted.
What we don't do
- We don't sell or rent your data to advertisers, data brokers, insurers, or anyone else.
- We don't share identifiable data with third parties except the specific services needed to run HayReady (email delivery, payment processing — listed below).
- We don't use your data to train machine-learning models for general purposes. If we ever build aggregate, anonymous research features, we'll ask first.
Third parties
- Cloudflare — content delivery, DDoS protection, DNS. May briefly see request metadata.
- Open-Meteo — free public weather and pollen API. We send your coordinates only, no identifying info.
- SendGrid — delivers sign-in links and account emails. Sees your email address.
- Stripe (Pro tier only) — handles payment. We never see your card details.
- Oura (Pro tier, optional) — if you connect your ring, we exchange tokens with Oura's API.
Your rights
- Access & export: one click in account settings gives you a JSON file of everything we hold on you.
- Deletion: one click permanently wipes your account and your per-user database, and removes you from backups on the next daily run.
- Correction: you can edit or delete any log entry yourself.
- Questions: email [email protected].
Security
Sign-in uses one-time magic links — there are no passwords to steal. Sessions are HttpOnly cookies over HTTPS only. All traffic between your device and our server is encrypted. The server is hardened (fail2ban, key-only SSH, firewall), but no system is perfectly secure — if you notice something wrong, email [email protected].
This is not medical advice
HayReady helps you track and forecast allergy symptoms. It is not a medical device and does not diagnose or treat any condition. Don't use it to replace a doctor or allergist. Call your doctor (or emergency services) for urgent symptoms.
Kids
HayReady is intended for people 16 and over. If you're a parent logging on behalf of a child, that's fine — just know we don't have separate child-specific protections yet.
Jurisdiction
HayReady is operated from New Zealand. We aim to comply with the New Zealand Privacy Act 2020, the Health Information Privacy Code 2020, and — where applicable — the EU GDPR. If there's a conflict between these rules and this page, the rules win.
Changes to this policy
If we change anything material, we'll email you before the change takes effect. Older versions of this policy are kept on request.