Privacy Policy

Shy is operated by Shyshark Wellness, a division of Shyshark Digital (Pty) Ltd, a company registered in the Republic of South Africa (Reg. No. 2024/706458/07, VAT No. 4160323491), with its registered address at Loch Venus Road, Cape Town, 7979, South Africa (“we”, “us”). For the personal information described in this policy, we act as the responsible party under the South African Protection of Personal Information Act, 2013 (POPIA), and as the data controller under the EU GDPR and UK GDPR for users located in the EU and UK.

Privacy queries and POPIA Information Officer: privacy@shyshark.co.za.

• We do not sell your data. We never have, and we will not.
• We do not share your data with third parties except the named processors required to run the service for you (listed below).
• You control your data. You can export or delete it from Settings at any time.

• Account data: email address, hashed password, display name, sign-in method (email or Google).
• Profile data: optional details you choose to provide (e.g. date of birth, sex, height, weight) to improve metric interpretation.
• Provider data: activity, sleep, recovery, and readiness data we receive from Strava, Oura, and any other provider you connect, using OAuth tokens you authorise.
• Derived data: normalised metrics, trends, and summaries we compute from your provider data.
• AI conversations: the questions you submit to the AI feature and the responses generated, plus the data summary used to ground each response.
• Reports: the date ranges, inputs, and generated outputs of reports you create.
• Technical data: IP address, device, browser, and usage logs needed to keep the service secure and reliable.

Most provider data is health information, which is “special personal information” under POPIA (s. 26) and a special category of personal data under GDPR (Art. 9). We process it only with your explicit, opt-in consent, given when you connect a provider.

• Provide the service: show your dashboard, generate reports, answer AI questions. Lawful basis: performance of our contract with you (POPIA s. 11(1)(b); GDPR Art. 6(1)(b)). Health information: your explicit consent (POPIA s. 27(1)(a); GDPR Art. 9(2)(a)).
• Account management and security: authenticate sign-ins, prevent fraud, comply with legal obligations. Lawful basis: contract and legitimate interests (POPIA s. 11(1)(d) and (f); GDPR Art. 6(1)(b), 6(1)(f)), and legal obligation (POPIA s. 11(1)(c); GDPR Art. 6(1)(c)).
• Service improvement: aggregate, anonymised analytics on how features are used. Lawful basis: legitimate interests (POPIA s. 11(1)(f); GDPR Art. 6(1)(f)). We do not use your health information for this.
• Communication: service emails (e.g. password reset, security alerts). Marketing emails only with separate opt-in consent.

We use a small set of vetted processors to operate the service. Each is bound by a data processing agreement that limits use of your data to instructions we give them.

• Supabase: database, authentication, and storage. Your account, profile, provider, derived, and AI data live here under row-level security.
• Vercel: application hosting and edge network.
• OpenAI and/or Anthropic: AI model providers used to answer questions and generate reports. See Section 6.
• Strava, Oura (and any provider you choose to connect): sources of provider data, accessed under OAuth.
• Email provider: transactional email (e.g. Postmark or equivalent).

We do not share your data with advertisers, data brokers, or any third party for their own marketing.

When you use the Ask AI feature or generate a report, the relevant slice of your data plus your prompt is sent to OpenAI and/or Anthropic to compute a response. This is necessary to provide the feature and is covered by your acceptance of these terms and your explicit consent at sign-up.

Once a request leaves our systems, the AI provider processes it under their own data handling terms and our processing agreement with them. We choose providers that contract not to train their public models on your inputs, but we do not control their internal operations and cannot guarantee the behaviour of their systems beyond what is contractually committed. If you do not want your data sent to AI providers, do not use the Ask AI or report generation features.

Some of our processors are based in the United States, the European Union, or other countries outside South Africa. Under POPIA s. 72, we transfer personal information outside South Africa only where the recipient is bound by laws, binding corporate rules, or contractual obligations that uphold principles substantially similar to POPIA, or where the data subject has consented.

For users in the EU or UK, where data is transferred outside the EEA or UK we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and additional safeguards where appropriate.

• Encryption in transit (TLS) and at rest.
• Row-level security so each user can read or write only their own records.
• OAuth tokens for providers are stored server-side and are never exposed to the client.
• Principle of least privilege for staff access, with audit logs.

No system is perfectly secure. If we discover a security compromise affecting your personal information, we will notify the South African Information Regulator and any other competent regulator (such as the UK ICO or relevant EU supervisory authority) as required, and notify you without undue delay where the compromise is likely to result in a high risk to your rights.

See our Data Retention Policy for full retention periods by data category.

Under POPIA (and GDPR where it applies to you), you have the right to:

• Access the personal information we hold about you, and ask who it has been shared with.
• Correct inaccurate or incomplete information.
• Have your information deleted (the “right to be forgotten” under GDPR; right to deletion under POPIA s. 24).
• Restrict or object to certain processing.
• Receive your data in a portable, machine-readable format and transfer it to another controller (GDPR right to data portability).
• Withdraw consent at any time, without affecting the lawfulness of processing already carried out.
• Lodge a complaint with the South African Information Regulator (inforegulator.org.za), the UK Information Commissioner’s Office (ico.org.uk), or your local EU data protection authority.

You can exercise most rights directly from Settings, or by emailing privacy@shyshark.co.za. We respond within the timelines required by law (within one month under GDPR; within a reasonable time under POPIA).

We use only cookies that are strictly necessary to keep you signed in and to keep the service secure. We do not use advertising or tracking cookies. If we add optional analytics in future, we will ask for your consent first.

Shy is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.

We will notify you of material changes by email or in-product before they take effect. The latest version is always at shy.shyshark.co.za/privacy.

Shyshark Digital (Pty) Ltd, Loch Venus Road, Cape Town, 7979, South Africa. Privacy queries: privacy@shyshark.co.za.