← Protocol

Privacy Policy

Protocol — stayonprotocol.com

Effective Date: March 10, 2026

Version: 1.0

What this means in plain English

Protocol collects health data from your wearables (like Oura Ring and WHOOP) and other sources you connect, then shows you a unified dashboard with scores, trends, and AI-powered coaching. Your data is yours. We use it to run the service for you. We send some of it to OpenAI's API to power the AI coach, but OpenAI does not use your data to train its models. We do not sell your data. We do not share it with advertisers. If you delete your account, we delete your data. This policy explains exactly what we collect, why, and how you can control it.

1. Who We Are

Protocol is operated by Protocol LLC (“Protocol,” “we,” “us,” or “our”), a limited liability company organized under the laws of the State of Michigan, United States. Protocol is a consumer wellness application. Protocol is not a medical device, not a healthcare provider, and not a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”).

For privacy-related inquiries, contact us at: privacy@stayonprotocol.com

2. Data We Collect

2.1 Data Summary Table

Data TypeSourcePurposeRetentionShared With
Name, email addressGoogle OAuth (Supabase Auth)Account creation, authentication, communicationsDuration of account + 30 days after deletion requestSupabase (infrastructure)
Sleep data (duration, stages, efficiency, HRV, resting heart rate)Oura Ring API, WHOOP APIDashboard display, daily scorecards, AI coaching, trend analysisDuration of account; refreshed per source API requirementsOpenAI (AI coaching), Supabase (storage)
Readiness and recovery scoresOura Ring API, WHOOP APIDashboard display, daily scorecards, AI coachingDuration of account; refreshed per source API requirementsOpenAI (AI coaching), Supabase (storage)
Activity data (steps, calories, active energy)Oura Ring API, WHOOP API, Apple HealthKitDashboard display, goal tracking, AI coachingDuration of accountOpenAI (AI coaching), Supabase (storage)
Workout data (sessions, duration, type)WHOOP API, Apple HealthKit, Protocol FitDashboard display, workout tracking, AI coachingDuration of accountOpenAI (AI coaching), Supabase (storage)
Body composition (weight, body fat %, BMI)Apple HealthKit, manual entryDashboard display, trend analysis, AI coachingDuration of accountOpenAI (AI coaching), Supabase (storage)
Self-reported data (hydration, supplements, workout notes)User manual entryDashboard display, goal tracking, AI coachingDuration of accountOpenAI (AI coaching), Supabase (storage)
AI coaching conversation historyUser interactions with AI coachConversational context, coaching continuityDuration of accountOpenAI (AI coaching), Supabase (storage)
App usage data (page views, errors, sessions)Automatic collectionService improvement, error diagnosisDuration of accountVercel (hosting), Cloudflare (CDN)
OAuth tokens (access, refresh)Oura, WHOOP, Apple HealthKitMaintain authorized connections to data sourcesDuration of connection; revoked upon disconnection or account deletionStored encrypted in Supabase; not shared

2.2 Categories of Data

Identity Data. Your name and email address, collected through Google OAuth sign-in via Supabase Auth.

Health and Fitness Data. Sleep metrics, readiness and recovery scores, activity data, workout data, heart rate variability, resting heart rate, and body composition data. This data is collected from connected wearable devices and apps through their respective APIs:

  • Oura Ring API (OAuth2; scopes: daily_sleep, daily_readiness, daily_activity, heartrate, personal_info)
  • WHOOP API (OAuth2; scopes: read:sleep, read:recovery, read:workout, read:cycles, read:profile)
  • Apple HealthKit (read-only on iOS via HealthKit SDK)
  • Protocol Fit (connected workout app using shared Supabase infrastructure)

Self-Reported Data. Hydration logs, supplement check-offs, manual weight entries, and workout notes that you enter directly.

AI Coaching Data. Your questions to the AI coach and the AI-generated responses, stored to maintain conversational context.

Usage Data. Page views, errors, and session data collected automatically. We do not collect advertising identifiers. We do not perform cross-site tracking.

Connection Credentials. OAuth access and refresh tokens for connected third-party services, stored in encrypted form.

2.3 Health Data Sensitivity

We recognize that health and fitness data is sensitive. We treat all health-related data collected through Protocol with heightened care. We collect and process this data only with your explicit consent, granted when you connect a data source or enter information into the app, and only as necessary to provide the Protocol service to you.

3. How We Use Your Data

We use your data for the following purposes:

  • Displaying your health metrics on your personal dashboard
  • Generating daily scorecards scored against goals you define
  • Powering the AI coach with your health data context so it can answer your questions, surface insights, and provide personalized recommendations (see Section 4)
  • Computing trends and insights across your connected data sources over time
  • Delivering proactive insights such as morning briefs and goal tracking notifications
  • Diagnosing errors and improving the service using aggregated, de-identified usage data
  • Communicating with you about your account, service updates, and material changes to these terms

In-App Product Suggestions. Protocol may use your health data to surface contextually relevant suggestions for health products, supplements, devices, or services within the app. For example, if your HRV trends suggest poor recovery, Protocol might suggest a magnesium supplement. These suggestions are generated by Protocol's own systems. Your personal data is not shared with any product manufacturer, advertiser, or other third party in connection with these suggestions. You will always be able to distinguish suggestions from your personal health data.

4. AI Processing Disclosure

Protocol's AI coaching feature is powered by the OpenAI API (currently using the GPT-4 model family). When you interact with the AI coach, your health data and conversation history are sent to OpenAI's API to generate responses.

What this means for your data:

  • OpenAI processes your data as a sub-processor acting on our instructions.
  • We use OpenAI's API endpoint with zero data retention enabled. OpenAI does not use data submitted through its API to train or improve its models.
  • Your data is transmitted to OpenAI over encrypted channels (HTTPS/TLS).
  • OpenAI's data usage policies for API customers are described at openai.com/policies/api-data-usage-policies.

We disclose this processing to you because your health data leaves Protocol's infrastructure when sent to OpenAI for coaching responses. By using the AI coaching feature, you consent to this processing.

5. Third-Party Data Processors

We use the following third-party service providers to operate Protocol:

ProcessorRoleData Location
SupabaseDatabase, authentication, row-level securityUS-East
OpenAIAI coaching (health data sent to generate responses)United States
VercelHosting and edge functionsGlobal CDN
CloudflareCDN, DNS, DDoS protectionGlobal CDN

We require each processor to handle your data in accordance with this Privacy Policy and applicable law.

Third-party data source providers. Oura, WHOOP, and Apple may collect usage data related to your use of their APIs and platforms. Oura may collect data related to Protocol's use of the Oura API and may use such data for any business purpose, including providing enhancements to the Oura platform or developer support. For details on how these companies handle your data, please review their respective privacy policies.

6. Data Sharing

We do not sell your personal data.

We do not share your personal data with advertisers or data brokers. We share your data only in the following circumstances:

  • With service providers listed in Section 5, solely to operate the Protocol service
  • When required by law, in response to a valid legal process such as a subpoena, court order, or regulatory request
  • With your consent, if we ever seek to share your data in a manner not described in this policy, we will obtain your prior consent
  • In a business transfer, if Protocol is acquired, merges with another company, or sells substantially all of its assets, your data may be transferred as part of that transaction. We will notify you and any applicable API partners (including Oura) before any such transfer and provide you the opportunity to delete your account.

7. Aggregated and De-Identified Data

We may create aggregated, de-identified datasets from user data for the purpose of internal product improvement, such as understanding general usage patterns or improving scoring algorithms. “De-identified” means data from which all direct and indirect personal identifiers have been permanently removed, such that the data cannot reasonably be used to identify any individual. We do not attempt to re-identify de-identified data. De-identified data is used only internally and is not sold, licensed, or shared with third parties.

8. Data Retention

We retain your personal data for as long as your account is active. Health data from connected sources is refreshed in accordance with the applicable source API's caching and retention requirements.

Upon account deletion or disconnection of a data source:

  • We will delete your personal data within 30 days of your request.
  • We will revoke all connected OAuth tokens.
  • We will purge AI coaching conversation history associated with your account.
  • Aggregated, de-identified data that cannot be used to identify you may be retained.

If a user revokes authorization for a connected data source (for example, disconnecting Oura or WHOOP), we will stop accessing new data from that source and will delete the data obtained from that source associated with your account.

9. Data Security

We implement administrative, technical, and physical safeguards designed to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Row-level security in our database (Supabase)
  • Encrypted storage of OAuth tokens
  • Access controls limiting employee access to personal data

No system is perfectly secure. We cannot guarantee absolute security, but we are committed to maintaining commercially reasonable protections appropriate to the sensitivity of health data.

Breach Notification. In the event of a data breach affecting your personal data, we will notify affected users in accordance with applicable law (including within 72 hours where required). We will also notify affected API partners as required by our agreements with them (within 24 hours for Oura; without undue delay for WHOOP).

10. Your Rights and Choices

10.1 All Users

Regardless of where you live, you can:

  • Access your data by viewing it in the Protocol app or by contacting us at privacy@stayonprotocol.com
  • Correct your data by updating it in the app or by contacting us
  • Delete your data by deleting your account in the app or by contacting us. Deletion will be completed within 30 days.
  • Disconnect data sources at any time through the app settings
  • Opt out of AI coaching by not using the AI coaching feature. (Health data is only sent to OpenAI when you use the AI coach.)

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know. You may request the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete. You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct. You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

To exercise these rights, contact us at privacy@stayonprotocol.com. We will verify your identity before fulfilling your request.

Categories of personal information collected (for CCPA purposes): Identifiers (name, email); health information (sleep, activity, recovery, body composition); internet or electronic network activity information (usage data); inferences drawn from the above (AI coaching insights, scores).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

10.3 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland:

  • Lawful Basis. We process your personal data on the basis of: (a) your explicit consent, provided when you create an account and connect data sources; and (b) the necessity of processing to perform the service you have requested (Article 6(1)(a) and (b) GDPR). For health data (a special category), we rely on your explicit consent (Article 9(2)(a) GDPR).
  • Data Controller. The data controller is Protocol LLC, Michigan, United States.
  • Your Rights. You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. You also have the right to withdraw consent at any time. To exercise these rights, contact privacy@stayonprotocol.com.
  • Data Transfers. Protocol is a US-based service. Your data is stored and processed in the United States. By using Protocol, you consent to the transfer of your data to the United States.
  • Supervisory Authority. You have the right to lodge a complaint with your local data protection supervisory authority.
  • Data Protection Agreements. If full GDPR compliance requires a separate Data Processing Agreement for your use case, please contact us.

Note on independent controller status: With respect to data received from Oura, Protocol and Oura each act as independent data controllers. Neither party processes personal data received under the Oura API Agreement as joint controllers. Each party is independently responsible for complying with its obligations as a controller under applicable data protection law.

11. Children's Privacy

Protocol is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at privacy@stayonprotocol.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by email (to the address associated with your account) and through an in-app notification. Non-material changes (such as formatting or clarification) may be made without advance notice. The “Effective Date” at the top of this policy will always reflect the most recent version. Your continued use of Protocol after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

For questions, requests, or complaints regarding this Privacy Policy or your personal data:

Email: privacy@stayonprotocol.com

Website: stayonprotocol.com

Terms of ServiceProtocol