How We Handle Your Data

A plain-language summary of our data architecture and compliance posture. Complements our Privacy Policy.

This page exists because health data deserves more than a generic privacy statement. If you are a user wondering what happens to your information, a regulator conducting oversight, or a partner doing due diligence, this is the overview before the detailed documentation.

What We Process

Kulawise processes the following categories of personal data:

  • Identity data: name, email, phone, password
  • Health and wellness data: dietary information, activity, sleep, body metrics
  • Wallet and transaction records: top-ups, withdrawals, subscription payments, payout records
  • Behavioural data: Circle activity, challenge participation, app usage patterns

Health data is classified as sensitive personal data under the Nigeria Data Protection Act. We treat it accordingly.

Our Architecture in Plain Language

Identity and Health Data Are Separated

Identity data (who you are) and health data (what you eat, how you move, how you sleep) are stored in separate database structures with isolated access controls. They are linked only through encrypted reference identifiers.

The practical effect: a compromise of the identity store does not expose health data, and a compromise of the health store does not expose identity data. Reconstructing the link requires credentials to both systems.

Kulawise Does Not Hold User Funds

Wallet balances are processed and held by our licensed payment partners under their applicable regulatory authorizations. Kulawise maintains a closed-loop ledger that mirrors balance state based on confirmed transactions.

This means we operate as a merchant customer of these processors, not as an independent financial institution. Your funds sit under licensed custody at all times. Wallet balances can only be spent within Kulawise or withdrawn back to your verified bank account.

AI Has Restricted Access to Your Data

AI processing for meal plans, food photo analysis, and wellness summaries uses third-party AI providers under agreements that restrict retention and prohibit training on your data.

Who Sees What

We work with the following categories of processors:

  • Cloud hosting: stores encrypted application data, cannot access decrypted health data without our keys
  • Licensed payment partners: process payments, hold wallet funds, see transaction details
  • AI model providers: receive meal and wellness inputs to generate outputs, restricted retention
  • Analytics tools: receive anonymized behavioural events, no identity data
  • Customer support tools: receive only the data necessary to resolve specific support requests

All processors operate under Data Processing Agreements that bind them to our privacy and security standards.

Compliance and Registrations

  • Kulawise is registering with the Nigeria Data Protection Commission as a Data Controller.
  • We will file Compliance Audit Returns (CAR) as we become subject to them under the NDPA and GAID 2025.
  • Our payment infrastructure operates under the licensed authorization of our payment partners, who are regulated by the Central Bank of Nigeria or equivalent authorities in their jurisdictions.
  • Our Data Protection responsibilities are overseen by a designated officer reachable at [email protected].

Our Approach to High-Risk Processing

Under NDPA guidance, certain processing activities qualify as high-risk and require a Data Protection Impact Assessment (DPIA). We are conducting Data Protection Impact Assessments for the following high-risk processing activities:

  • Processing of health data for AI personalization
  • Cross-border transfers of data for AI processing

For each, we are documenting the legal basis, the safeguards in place, and the controls available to users.

What We Do Not Do

  • We do not sell user data.
  • We do not use AI to make high-stakes automated decisions affecting your access to services, financial standing, or insurance eligibility.
  • We do not allow AI providers to retain your data beyond what is necessary to deliver the requested output, or to use your data to train their models.
  • We do not transfer health data to third parties for marketing purposes.
  • We do not pool user funds in Kulawise-controlled bank accounts.

Your Controls

You can manage your data at any time through Settings > Privacy in the app:

  • Withdraw consent for health data processing
  • Disable AI personalization
  • Opt out of analytics
  • Export your data
  • Delete your account

Reviews and Updates

We review this page and our underlying compliance documentation at least annually, and after any material change to our data processing activities. Updates are communicated through our standard policy update channels.

Contact

Last updated: June 2026