Frequently Asked Questions

With Bowhead you can rest assured your health data is safe and anonymous. By 'safe' we mean only you control your health data, by 'anonymous' we mean if you share your data for research - your personal information is not shared.

Device Image

Privacy, Explained

What kind of encryption do you use?

We use PGP (Pretty Good Privacy) to encrypt data that is stored in the cloud. The app uses AES256 from Smartphone to Internet for the encryption of data. Of course, if your phone is hacked, tampered with, if there are cameras watching your phone or there are keyloggers on your computers we cannot guarantee encryption.

Bowhead uses advanced Web3js and the most advanced encryption possible while limiting the amount of information that is stored. We also make ourselves available to answer any encryption, engineering and general questions directly at Bowhead Support

If I lose my private key or 12 word recovery seed is my data lost forever?

Yes, unfortunately we do not store a copy of your backup or private key.

We recommend users to make one or more backup copies of their 12 word recovery seed.

How should I store my private key or recovery seed to my account?

The safest and only way we recommend is to write down your private key or recovery seed on a piece of paper. Please watch this full video of our security advisor and founder Peter Kroll on the best practices of securing your private key.

Many people have pointed out that if your printer has a virus, it could even relay an image of this to the hacker.

Should I print out, screenshot, or text message my private key to my friends or family?

No, you should write down the 12 word recovery seeds. We do not recommend any other mechanisms for backup.

You can contract a Power of Attorney for Personal Care and include within the 12 word recovery seed. Please note that lawyers/attorneys generally do not have a way to securely store a recovery seed because they will likely scan your documents for electronic archiving.

Can my family, doctor or hospital be the custodian of my private key?

We currently do not offer custodian services. However, similar to how XAPO, provides custodian services for the finance industry we hope to one day work with partners to provide trusted custodian services.

Hospitals and doctor’s offices do not have secure custodian services to protect the 12 word recovery seed or private key. A family member can become a custodian of the 12 word recovery seed using a Power of Attorney for Personal Care.

How is my data selectively shared?

Your data that has been selected to be shared with researchers is shared via smart contracts. This smart contract is available for review here.

Once my anonymous data is shared how is it handled?

We do not associate or store your IP with your encrypted data. When you contribute your data to medical research, we take additional steps to ensure that your data is more anonymized. For example, we only provide your birth month and year, rather than your birthday. Please note that anonymized data being transferred via smart contracts is non-reversible. All anonymized information you previously shared is made available forever.


How is Bowhead’s blockchain technology different from that of a traditional database encryption?

Yes, blockchain’s are notoriously slow and more difficult to implement than a traditional MySQL database. However, we believe that the significant security improvement makes it worthwhile.

At its most basic definition, a blockchain is a distributed ledger database.

A database can also store anonymized data, you don’t need a blockchain for this.

Traditional database technology (SQL/NoSQL) does not guarantee data integrity, data ordering; as well there is no mechanism to prevent back-dating of data or tampering with data. The blockchain technique is used to guarantee two or more copies of the same data arrive at disparate nodes and are stored correctly inside a database which is a technology sub-set of a blockchain system. The database sits under the blockchain it does not replace the blockchain. Databases deal with data-at-rest, blockchains deal with data-in-transit.

Using Ethereum’s smart contracts protocol ensures that only the receiving party (in this case the researchers) see the anonymized data and it is done so without associating IP, email addresses. This is the reason an email address is NOT used to create an account!

A database can also store encrypted data, you don’t need a blockchain for this.

Using a distributed ledger allows users to be sure that their information is actually getting encrypted and they are the only key holders.

Indeed the masternodes and client dapps will have local databases. It should be noted the difference between a database and a system. Traditional databases do not have secure mechanisms that allow them to be openly queried in a way that guarantees data integrity. The system needs to store file-based and state-based information. This data needs to be persisted beyond Bowhead’s central servers. The integrity of that data needs to be verified with hashes. The hashes need to be protected from back-dating the data. Proving the provenance and age of electronic health data is vital to the system.

In a database you can automate actions based on some criteria that you define in advance so you don’t need smart contracts on a blockchain.

This sounds like a distributed ledger database and smart contracts. The positive difference with a distributed ledger is that it is usually easily publicly auditable.

We must guarantee that every node has the same state and that actions can eventually be triggered without the permission or availability of Bowheads central servers. Let’s note the difference between automation and third party researchers triggering actions in the system. An external third-party cannot automate actions inside Bowheads traditional databases. We must expose the system in an open network and the best way to do this is with a blockchain-based system.

How do you store data on the blockchain? Isn’t it slow and expensive?

The keys are not stored on the blockchain, it just stores health data record reference to IPFS, timestamps and the accounts progress (level, cycles completed and badges). The keys are stored in the DAPP that are created with the 12 words

Isn’t blockchain just a sales pitch or buzzword?

Please refer to the whitepapers by Satoshi Nakamoto on the Bitcoin Protocol and Ian Grigg on Triple Entry Accounting. We use the word blockchain to mean a system which guarantees the ledger distributed to more than one node on an open network have cryptographic data integrity. Smart contracts and distributed ledgers and cryptography are very real and very relevant for health data.

Do you use Hyperledger or Ethereum?

We use Ethereum’s smart contracts protocol, it is currently a private blockchain that we hope to further decentralize.

How is your network “zero trust”?

The user owns and controls the private keys to their encrypted information. To further Bowhead’s system of zero trust we intend to release our code open source – for further verification.

Can I see the smart contracts? Are the smart contracts upgradeable? How do I know you can’t just change them? What if you guys just update the smart contracts?

Yes, please see the smart contracts here. Each time we generate a new smart contract, the address changes and the transactions reflect that mutation, then it can be easily audited from our block explorer. Bowhead is the steward of the system and will update and respond to failures and bugs in whatever way is best for all participants in the system. Any changes to smart contracts will be auditable on the blockchain.

Can we audit your code?

Yes, we welcome any external audits on our smart contracts and infrastructure. Please contact us.

Is there a blockchain explorer where I can see the transactions?

Yes, please go here

How big is the blockchain now and how big will it reach in the full potential?

Our blockchain is currently 5 nodes on the main net, 3 on the test net but as we described above the data storage occurs on IPFS, which is a storage solution which is intended to operate in a distributed manner. We selected that storage solution because we would eventually like trusted parties and (exploring) public to be able to host without having an impact on the security of the data. As we’ve described this process of decentralization of storage is an evolution due to the nature and sensitivity of data.

Is Bowhead using Ethereum? Didn’t cryptokitties prove that it can’t handle data?

Bowhead’s smart contracts and blockchain is not used as a storage mechanism, that is DAPP’s job. As mentioned the files with big data footprints will be hashed into the blockchain and stored in full encrypted on IPFS.

Bowhead is using a code-fork of the Ethereum Protocol with a new genesis block. The researchers who participate in the system have an incentive to run masternodes and they will already have significant ability to store data because they are in the business of processing Big Data.

What permissions are requested from the users phone?

We request permission for the internet, access network state, vibrate, wake lock, receive boot completed, foreground service. We don’t request contact list, images or storage.

How does the end user know for sure that his IP address or other metadata is not being sent out with each transaction he does?

We do not associate IP or metadata with any exposed health data. We do use metadata in order to understand where the user is and see if a researcher’s query is appropriately linked. However, this only happens if the user has opted in to contribute their anonymized health data to research.

Anonymized Health Token

How do we know you are not selling things to companies? How do we know this will work?

Bowhead’s purpose is to provide a secure platform for storing health data and contributing to medical research through the sale of anonymized health data for those users that opt-in.

To verify that the system or company exists we welcome you to download our apps available for download today, as well as to see the frequency of app updates we have made since we launched version .01. We are building something difficult and arranged a dynamic team of engineers, doctors and researchers to get there.

Bowhead’s token sale in 2017 was not available to US or Canadian users. However, users in Canada and the US may use the application to store their health data and at their option contribute their anonymized health data to research. Our health data system complies with HIPAA and Health Canada standards.

How do you make sure that the users are not cheating?

The use of the Bowhead blockchain eliminates many forms of timing based attacks like bulk data inputs. We know WHEN data is input, we know the data was not changed later. Some information requested of users is subjective and it’s value will be judged accordingly. However, some information is of the nature that it’s cheaper for a human to perform honestly than to cheat the system with some robotic drone technology. As we discover cheaters we will strive to close down those holes. For example, there is no practical way to fake that an unrooted cell phone is traveling a certain GPS route with step-tracking and periodic answering of a captcha challenge while walking the route.

We implement several anti-fraud practices to prevent this. From device specific to the way the rewards are granted. Of course, users could always fake self-reported data but we try to build a valuable app that helps real users track their data instead of users simply creating accounts to tap into rewards.

We are constantly analyzing the data looking for fraudulent patterns, also one of the reasons we keep the reward low and only after the user completes other activities, like tracking more than one headache we give them the full reward.

The mobile platforms have secure systems that prevent tampering with hardware (GPS, step-counters, etc). The Android platform will inform us if the user has rooted his device which could compromise the hardware inputs and allow cheating. Users with rooted devices will not be able to use the Bowhead client.

What prevents a user from creating fake identities to get the reward? If the identity is verified then the user is not anonymous anymore?

There are several strategies, for example, homomorphic encryption which allows you to run deep learning models without ever exposing the unencrypted information.

The user can create more than one identity (sybils) if they have more than one cell phone or they’ve built their own client app to interact with the blockchain directly. Rewards will be based on human labour which cannot be faked. Metadata that indicates robotic usage will disqualify a user from rewards


In the whitepaper it states that the token holders will receive rewards based on the research data that is transferred as well as receive rewards for being a masternode on the network? How can this work if the value of the token is hard to calculate?

This is a long term project and we understand that at the moment there are no masternodes and the architecture may be defined as centralized. However, our future development plan is to allow people and organizations to contribute their computer’s processing power, storage and bandwidth to become nodes in exchange for AHT token rewards. Our current focus has been to develop the smart contracts for health data, develop the application and now the researchers dashboard. Our next step will be to further decentralize the system.

At the onset of the network, since the AHT tokens value may be difficult to calculate initially, we will first reward users with a defined consideration; for example a 5, 10, 20 EURO card for their anonymized health data contributions.

Once the network fees and rewards model is proven we will look to automate additional functions such as sending and receiving of AHT, and allowing people to convert to other rewards. Of course, for this we will need to comply with local jurisdictions and follow proper protocol when compensating patients.

How are your nodes hosted?

We currently host our nodes on AWS, however, in the future we will be onboarding nodes to further decentralize our network.

Can I add a credit card and purchase from the store?

At the moment you cannot add a credit card to the Bowhead store. However, in the future we would like to be able to provide accredited at-home testing kits, genomic kits and other health/wellness products in a marketplace where people can use their tokens, credit card and other payment methods to purchase from the store.

We understand that this may be problematic for some users who do not want to have their shipping addresses held by a 3rd party and we will provide as many options as possible (for example gift card links) where no shipping address will be associated, relatable and stored by Bowhead’s system.

We understand that when you order an item, you need a physical shipping address. We are currently using Shopify to manage those marketplace items, however, none of your encrypted health data is stored on Shopify.

We are not asking nor validating the users name with respect to the medical data they store. The user is able to deploy any and all privacy technologies available to them. Including but not limited to, VPN, prepaid nameless credit cards, cryptocurrency tokens (AHT), mail forwarding services that legally allow pseudonyms to be used.

How can an AI system monitor information that is encrypted?

It’s called homomorphic encryption, and there is a growing open source group actively contributing to its proliferation.


Why is the thread locked on when discussing the bounty community?

Bowhead always reserved the right during the tokensale to modify the bounty based on tokens sold. Bowhead sold 3.2M out of 40M tokens (from the original token supply model), and adjusted the token model pro rata based on the tokens sold. Bowhead mentioned that the bounty users would receive 1% of the total tokens issued. We believe anything else would have been unfair to those who purchased tokens.

The system changed from Waves to Ethereum and now you are launching your own private blockchain?

We initially launched on Waves because the development team at Waves mentioned that their smart contract infrastructure would be ready in 2017. In 2018, when our 1st version of the Bowhead app was ready the smart contracts from Waves were not ready. We decided to move to Ethereum and begin to develop on the platform, however, we quickly realized that microtransactions were a roadblock and if we were going to indeed track all healthy habits and allow people around the world to use the application – the GAS price on Ethereum would be limiting, and eventually we launched our own Bowhead blockchain based on Ethereum.

We did look at Hyperledger but decided to use Ethereum’s smart contract tools because we felt the development community was more active.