1. Information We Collect
Health Profile Information
When you complete the Protocol health quiz, we collect information you voluntarily provide, including your age range, biological sex, health goals, existing medical conditions, current supplement use, activity level, and dietary preferences. This information is used solely to generate your personalized health recommendations.
Usage Data
We collect data about how you interact with the Service, including which recommendations you view, challenges you complete, features you use, and time spent on each section. This helps us improve Protocol's recommendations and user experience.
Device & Browser Information
We automatically collect certain technical information when you visit Protocol, including your IP address, browser type and version, operating system, referring URLs, pages visited, and timestamps. This data is collected in aggregate and is not linked to your identity.
Cookies & Analytics
We use cookies and similar tracking technologies to analyze usage patterns. Specifically:
- Google Analytics 4 (GA4): Anonymized usage analytics (page views, session duration, referral sources). IP anonymization is enabled.
- Facebook/Meta Pixel: Aggregated conversion tracking for advertising measurement. We do not share individual health data with Meta.
- Functional cookies: Required for core site functionality (session state, preferences).
You may opt out of analytics tracking at any time. See “Your Rights” below.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Generate personalized recommendations: Your health profile data is used to match evidence-based interventions from our research database to your specific goals and circumstances.
- Improve our recommendation engine: Aggregate, de-identified usage patterns help us understand which interventions are most effective and which areas need improvement. Individual health data is never used for model training without explicit consent.
- Communicate product updates: If you provide your email address, we may send you relevant updates about Protocol, new research findings, or product changes. You may unsubscribe at any time.
- Aggregate, de-identified research: We may use anonymized, aggregate data to publish research about health optimization trends. No individual user data is ever shared with third parties for research purposes.
- Legal compliance and safety: We may use your information to comply with applicable laws, respond to legal requests, or protect the safety of our users and the public.
3. Health Data Protections
Our core commitment:
We do not sell personal health data. Ever. Full stop.
- Encryption: All health information you provide is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. This applies to data in our database and any backups.
- Data separation: Health profile data is stored separately from personally identifiable information (name, email). This means that even in the unlikely event of a data breach, health data cannot be trivially linked to a specific individual.
- No data sales: We do not sell, rent, license, or otherwise transfer your personal health information to third parties for their own use.
- No health-targeted advertising: We do not use your health profile information to target you with advertisements, nor do we share it with advertising platforms for targeting purposes.
- Regulatory compliance: We comply with applicable health data privacy regulations and are committed to meeting HIPAA standards for health information handling as the Service grows.
4. Third-Party Services
Protocol uses trusted third-party services to operate. Each has its own privacy policy and data handling practices:
Our primary database and authentication provider. Data is hosted in US-based data centers with enterprise-grade security.
View Supabase Privacy Policy
Our web hosting and content delivery provider. Handles server-side rendering and edge caching.
View Vercel Privacy Policy
Anonymized page view and session analytics. IP anonymization is enabled. Does not receive health profile data.
View Google Analytics 4 Privacy Policy
Aggregate conversion tracking only. Health profile data is never shared. You can opt out via Facebook Ad Preferences.
View Meta Pixel Privacy Policy
When paid features are launched, Stripe will handle all payment processing. Protocol never stores full credit card numbers.
View Stripe Privacy Policy
5. Data Retention & Deletion
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Health profile data: retained until you request deletion or close your account
- Usage analytics: retained for 26 months (Google Analytics default) in aggregate form
- Server logs: automatically purged after 90 days
- De-identified research data: may be retained indefinitely in anonymized form
Request Data Deletion
You can request deletion of all your personal data at any time. We will process your request within 30 days and confirm once complete.
[email protected]
6. Your Rights
Depending on your location, you may have the following rights regarding your personal information. To exercise any of these rights, contact us at [email protected].
Access
Request a copy of the personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Deletion
Request deletion of your personal data ("right to be forgotten").
Portability
Request your data in a machine-readable format.
Opt out of analytics
Disable GA4 and Meta Pixel tracking at any time.
Restrict processing
Ask us to limit how we use your data in certain circumstances.
California Residents — CCPA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:
- The right to know what personal information we collect, use, share, or sell
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
- The right to correct inaccurate personal information
To submit a CCPA request, email [email protected] with “CCPA Request” in the subject line.
7. Children's Privacy
Protocol is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected] and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify registered users by email at least 30 days before the changes take effect
- For significant changes, we will display a prominent notice on the Protocol homepage
Continued use of Protocol after the effective date of any changes constitutes your acceptance of the updated policy.
9. Contact
For privacy-related questions, requests, or concerns, please contact us:
We will respond to all legitimate privacy requests within 30 days.