LEGAL
Privacy Policy
This Privacy Policy explains how Naman Sharma (trading as "Protocol", and referred to in this policy as "Protocol", "we", "us" or "our") collects, uses, discloses and protects your personal information when you use the Protocol mobile application, the Protocol website at protocol-ai.net, and any related services (together, the "Service").
Protocol is an injury-recovery accountability and coaching tool. To do its job it necessarily handles information about your health. We treat that information as sensitive and have written this policy to be specific about what we collect, where it goes, and what control you have over it.
Please read this policy together with our Terms of Use. By creating an account and using the Service you confirm you have read and understood this policy.
1. Who is responsible for your information
The data controller — the person who decides how and why your information is processed — is Naman Sharma, an individual operating as a sole trader in Australia under the name "Protocol".
Privacy contact: privacy@protocol-ai.net
If you are in the European Economic Area ("EEA") or the United Kingdom, the relevant terms in Section 17 apply to you. If you are in Australia, the United States or India, the corresponding country/state sections in Section 17 also apply.
2. A plain-language summary
This is a summary only. The detail that legally governs is in the sections below.
| What we collect | Examples | Why | Who it goes to outside Protocol |
|---|---|---|---|
| Account & identity | Email, password, your first name | To create and secure your account | Clerk (authentication) |
| Health & recovery information | Your injury, injury date, pain scores, swelling notes, exercise adherence, check-ins, recovery plan, things you tell the coach | To run your recovery plan and personalise coaching | OpenAI (to generate coaching responses); Supabase (storage) |
| Coaching preferences | Your recovery goal, your stated coaching-style preference, a reminder cue (a note about your own routine) | To frame coaching and time reminders the way you asked for | OpenAI (as part of your recovery context); Supabase (storage) |
| Recovery-outcome data (opt-in only) | A short pain/function scale and self-reported re-injury, anchored to your recovery day | To improve Protocol and, in anonymised form, for potential future research — only if you separately consent | Supabase (storage); shared or analysed only in anonymised, aggregated form |
| Uploaded clinical documents | Photos or PDFs of discharge summaries, scan reports, physio notes, and the text extracted from them | To turn clinical context into your plan's restrictions and timeline | OpenAI (to read the document via vision OCR); Supabase (storage) |
| Conversations with the coach | Everything you type to the Protocol coach | To answer you and maintain recovery continuity | OpenAI (to generate replies); Supabase (storage) |
| Device & technical | App version, device type, IP address, crash/diagnostic signals | To keep the app working and secure | Our hosting provider |
We do not sell your personal information. We do not use advertising networks. We do not run third-party analytics or behavioural-tracking SDKs in the app. Your health information is shared only with the infrastructure providers listed in Section 7, and only to operate the Service.
3. Information we collect
3.1 Information you give us
Account and identity information. When you sign up we collect your email address and a password, and basic details you provide during onboarding. Your password is handled by our authentication provider (Clerk) and is not visible to us in plain text.
Onboarding and health information. During onboarding and ongoing use you provide information about your physical condition, including:
- a description of your injury and the date it occurred (which drives the "Day N since injury" anchoring throughout the app);
- pain scores and how they change over time;
- swelling, symptoms, and how you are responding to activity;
- your exercise and recovery-plan adherence (which exercises you complete and when);
- daily check-ins and the resulting streak and trend data;
- barriers, goals, and the activities, sports, hobbies and work demands that matter to you;
- your recovery goal — what "recovered" means to you (for example returning to sport, everyday function, staying injury-free, or reducing day-to-day pain);
- anything else you choose to tell the Protocol coach.
Coaching preferences. During onboarding you also choose:
- a coaching-style preference — how you would like the coach to talk to you (for example pushed and challenged, encouraged, kept steady, or given the reasons and the data). This is a stated preference you pick from a short list so the coach can match your register. It is not a psychological, personality or clinical assessment, and we do not use it to assess or profile your mental state;
- an optional reminder cue — a short note about your own routine (for example "after my morning coffee") used only to time your check-in and exercise reminders.
Uploaded clinical documents. You may upload photographs or PDF files of clinical documents — for example a discharge summary, an imaging or scan report, or notes from your physiotherapist or doctor. We store the file you upload, and we extract the text from it so the coach can use the clinical context. These documents commonly contain health information about you and may contain identifiers placed there by a third party (such as a clinic).
Conversations with the coach. The Service is built around an ongoing coaching conversation. We retain the messages you send and the responses generated, because recovery coaching depends on continuity — the coach's value comes from remembering your trajectory across days and weeks.
3.2 Information we collect automatically
We deliberately keep this minimal. We do not embed third-party analytics, advertising or behavioural-tracking SDKs. We collect:
- Technical and diagnostic data necessary to operate the Service: app version, device and operating-system type, and IP address (which our infrastructure providers process to route and secure requests);
- Limited crash and error diagnostics to identify and fix faults.
3.3 Information from third parties
- Authentication provider (Clerk). Clerk confirms your identity at sign-in and provides us with the account identifiers needed to associate your data with you.
3.4 Health information is "sensitive"
Information about your injury, symptoms, pain, treatment and recovery is health information, which is treated as sensitive information under the Australian Privacy Act and as a special category of personal data under the EU/UK GDPR. We collect and use it only with your consent and only to provide the Service, as described in this policy. You can withdraw consent at any time (see Section 12), though doing so will usually mean we can no longer provide the Service to you.
3.5 Recovery-outcome data (optional — separate opt-in consent)
Separately from the Service itself, you can choose to share recovery-outcome data: a short pain and function scale, and whether you experienced a re-injury, each recorded against your recovery day. This is health information and is sensitive in the same way as the rest of your recovery data (Section 3.4). It works like this:
- It is opt-in. We collect recovery-outcome data only if you give an explicit, separate consent in the app. It is not required to use the Service, and nothing about your coaching changes if you decline.
- What it is used for. To improve Protocol, and — in anonymised, aggregated form only — for potential future research into recovery outcomes. We do not share outcome data in a form that identifies you.
- You can withdraw at any time in the app or by emailing privacy@protocol-ai.net. Withdrawal stops us collecting new outcome data and using your outcome data in new analyses; anonymised aggregates already produced cannot be traced back to you and are not affected.
- Retention. Your outcome data is stored with your account and is deleted or irreversibly de-identified with the rest of your data when you delete your account (Section 9).
4. How we use your information
We use your information to:
- Create and secure your account and authenticate you.
- Run your recovery plan — generate, propose, activate and revise the plan that anchors your recovery, track adherence, and surface your Day-N progress, streak and pain trends.
- Provide AI coaching — send the relevant parts of your conversation and recovery context to our AI provider so it can generate a response, and maintain a rolling summary of your history so the coach stays consistent over time (see Section 6). This includes framing the coaching around the recovery goal and coaching-style preference you chose, and timing reminders to the reminder cue you gave us.
- Translate clinical documents — read uploaded reports and convert them into the restrictions, timeline and red-flag awareness that shape your plan.
- Operate, maintain and improve the Service — fix faults, prevent abuse and fraud, and keep the app secure and reliable.
- Communicate with you about the Service, including in-app reminders you have enabled and essential service or security notices.
- Improve Protocol and support potential future research using recovery-outcome data — only if you have given the separate opt-in consent described in Section 3.5, and only in anonymised, aggregated form for any research use.
- Comply with our legal obligations and enforce our Terms of Use.
We do not use your personal information to train third-party AI models for the benefit of those providers, to build advertising profiles, or to sell to data brokers.
4.1 Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Creating your account; providing the core Service you asked for | Performance of a contract (Art. 6(1)(b)) |
| Processing your health information (injury, symptoms, plan, uploaded reports, coach conversations) | Your explicit consent (Art. 9(2)(a)), on the contractual basis above |
| Collecting and analysing recovery-outcome data to improve Protocol and for potential future research (Section 3.5) | Your explicit, separate opt-in consent (Art. 9(2)(a)), withdrawable at any time |
| Security, fraud and abuse prevention, fault diagnosis | Our legitimate interests in operating a safe and reliable Service (Art. 6(1)(f)) |
| Service and security communications | Performance of a contract / legitimate interests |
| Meeting legal obligations | Legal obligation (Art. 6(1)(c)) |
You may withdraw your consent to health-data processing at any time. Withdrawal does not affect processing carried out before withdrawal, and will generally mean we can no longer provide the Service.
5. The Service is not a medical service
Protocol is an accountability and translation tool, not a medical device, and not a substitute for professional medical advice, diagnosis or treatment. We do not use your information to make a medical diagnosis or to provide a medical service. How the Service handles your information does not create a clinician–patient relationship. The full medical disclaimer is in our Terms of Use and is shown to you in-app before you begin.
6. How AI providers process your information
This section matters more than any other, so we have set it out separately.
The Protocol coach is powered by large-language-model and vision services provided by OpenAI. To generate a coaching reply, or to read a clinical document you upload, the relevant content is transmitted to OpenAI for processing. In practice this means:
- Your coach conversations and the relevant parts of your recovery context (which contain health information) are sent to OpenAI so it can generate the coach's response and maintain a continuity summary. Your recovery context includes your check-in details (pain scores and swelling notes), your injury and injury date, your recovery day and plan, and your stated coaching preferences.
- Clinical documents you upload that are images, or PDFs without a readable text layer, are sent to OpenAI's vision model so the text can be extracted. This means the image of your clinical document is transmitted to OpenAI.
We use OpenAI through its API, not its consumer products. Under OpenAI's API data-handling terms, content submitted through the API is not used by OpenAI to train its models, and is retained by OpenAI only transiently for the purpose of providing the service and monitoring for abuse, before deletion. OpenAI acts as our processor/subprocessor and is contractually restricted to processing the data to provide the service to us, under data-processing terms that impose confidentiality and security obligations — protection consistent with, and no less protective than, what this policy describes.
We ask for your permission in the app first. In the Protocol app for iOS, before you can use the coach — and before any of your content is transmitted to OpenAI — the app shows you a consent screen that explains what is sent and who it is sent to, and asks for your explicit agreement. We record that consent, and when you gave it, against your account. If you do not agree, the coach and document upload remain unavailable, because they cannot function without this processing.
OpenAI is located in the United States. Sending your information to OpenAI therefore involves an international transfer of your personal information (see Section 8).
If you do not want your information processed by OpenAI in this way, do not agree on the consent screen and do not use the coach or upload clinical documents — but note that these are core to the Service.
7. Who we share your information with
We share your information only with the service providers (subprocessors) that we rely on to operate the Service, and only to the extent needed for them to perform their function. Each is bound by contract to protect your information and use it only on our instructions.
| Provider | Function | What it receives | Location |
|---|---|---|---|
| OpenAI | AI coaching responses; vision OCR of uploaded documents | Coach conversations and recovery context; images/text of uploaded clinical documents (health information) | United States |
| Supabase | Database and file storage | All account, health, plan, conversation and uploaded-document data, at rest | Singapore |
| Clerk | Authentication | Email, password, account identifiers | United States |
| Fly.io | Application hosting | Requests to the Service, including IP address and request content in transit | Sydney, Australia |
| Apple | App distribution | Operates the App Store through which the app is downloaded and manages your Apple Account relationship; we do not share your recovery or health data with Apple | Per Apple's policies |
We may also disclose your information:
- to comply with the law — where required by a valid legal request, court order, or regulator, or to establish, exercise or defend legal claims;
- to prevent harm — where we reasonably believe disclosure is necessary to protect the safety of any person, or to prevent fraud or abuse;
- in a business transfer — if Protocol is involved in a merger, acquisition, financing or sale of assets, your information may be transferred as part of that transaction, subject to this policy. We will notify you of any such change in control of your personal information.
We do not currently share your information with your healthcare providers. Your recovery data is yours; the Service is designed around patient-owned data. If we introduce features that let you share data with a clinician or clinic in future, we will update this policy and obtain any consent the law requires before doing so.
We do not sell or rent your personal information, and we do not share it for cross-context behavioural advertising.
8. International data transfers
We are based in Australia, and our application hosting is in Sydney. However, some of our service providers are located outside Australia and outside your country of residence:
- OpenAI and Clerk are located in the United States;
- our database and file-storage provider, Supabase, stores your information at rest in Singapore.
This means your information — including, in OpenAI's and Supabase's case, health information — is transferred to and processed in the United States and Singapore as described in this policy.
Where we transfer personal information out of the EEA or the UK, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), or another lawful transfer mechanism.
If you are in Australia, by using the Service and providing your health information you consent to its disclosure to overseas recipients (including in the United States and Singapore) as described in this policy. Where Australian Privacy Principle 8 applies and that consent is not relied upon, we take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles.
9. How long we keep your information
We keep your personal information for as long as your account is active and for as long as needed to provide the Service. Specifically:
- Account, health, plan and conversation data is retained while your account exists, because recovery coaching depends on a continuous longitudinal record.
- Recovery-outcome data (if you opted in — Section 3.5) is retained while your account exists and is deleted or irreversibly de-identified with the rest of your data when you delete your account. If you withdraw your outcomes consent earlier, we stop collecting it and stop using it in new analyses.
- Uploaded clinical documents are retained while your account exists, unless you delete them.
- When you delete your account (see Section 13), we delete or irreversibly de-identify your personal information from our active systems within 30 days of completing the deletion, except where we are required to retain certain records to meet a legal obligation, resolve disputes, or enforce our agreements.
- Information transmitted to OpenAI for processing is subject to OpenAI's own transient retention and deletion, as described in Section 6.
- Routine backups may persist for a limited period after deletion from active systems and are overwritten on our normal backup cycle.
10. How we protect your information
We take the security of your health information seriously and apply measures appropriate to its sensitivity, including:
- Encryption in transit — all communication between the app and our Service is protected with TLS.
- Encryption at rest — data stored with our database and storage provider is encrypted at rest.
- Authentication and access scoping — access to the Service requires an authenticated session, and our systems are designed so that every request is scoped to the data of the authenticated user. The mobile and web apps never access the database directly; all access goes through our authenticated backend.
- Restricted credentials — privileged database credentials are held only on our backend systems, never in the app.
- Least-privilege access — access to production systems is limited to those who need it to operate the Service.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in serious harm or meets a notification threshold under applicable law, we will notify you and the relevant regulator as required (for example, under the Australian Notifiable Data Breaches scheme, Articles 33–34 of the GDPR, or the U.S. Federal Trade Commission's Health Breach Notification Rule).
11. Reminders and notifications
If you enable reminders, the app will deliver local notifications on your device to prompt your check-ins and exercises. You can turn these off at any time in your device settings. We do not currently send remote push notifications.
12. Your rights and choices
Depending on where you live, you have some or all of the following rights over your personal information. Country- and state-specific detail is in Section 17.
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct information that is inaccurate or out of date. You can edit much of your profile directly in the app.
- Deletion / erasure — ask us to delete your account and personal information (see Section 13).
- Portability — request an export of the information you have provided, in a structured, commonly used, machine-readable format.
- Withdraw consent — withdraw your consent to our processing of your health information at any time. The optional recovery-outcomes consent (Section 3.5) can be withdrawn on its own, in the app or by email, without affecting the rest of the Service.
- Object / restrict — object to or ask us to restrict certain processing.
- Complain — lodge a complaint with us and with your data-protection regulator.
To exercise any of these rights, contact us at privacy@protocol-ai.net. We will verify your identity before acting on your request and will respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.
13. Deleting your account
You can delete your account at any time in the app's Settings, or by emailing privacy@protocol-ai.net. When you delete your account we delete or irreversibly de-identify your personal information — including your conversations, recovery data and uploaded documents — from our active systems within 30 days, subject to the limited exceptions in Section 9. Deleting the app from your device does not, by itself, delete your account or your data from our systems.
14. Children's privacy
The Service is intended for users aged 18 and over and is not directed to children. We do not knowingly collect personal information from anyone under that age. If you believe a child has provided us with personal information, contact us at privacy@protocol-ai.net and we will delete it. If we introduce a pathway for younger users (for example, with verified parental or guardian consent), we will update this policy accordingly.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app or by email before the changes take effect. Your continued use of the Service after the changes take effect means you accept the updated policy.
16. Contacting us and making a complaint
For any privacy question or request, or to make a complaint, contact us at:
Naman Sharma, trading as "Protocol" Privacy contact: privacy@protocol-ai.net
If you are not satisfied with our response, you may also complain to your data-protection authority — see Section 17 for the relevant regulator in your region.
17. Region-specific terms
17.1 Australia
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- Your health information is sensitive information under the Act. We collect it only with your consent and only as reasonably necessary to provide the Service (APP 3).
- Recovery-outcome data (Section 3.5) is also health information and therefore sensitive information. We collect it only with your separate, express opt-in consent, which you can withdraw at any time. Your coaching-style preference is a stated preference about how you want to be coached — we do not collect or infer psychological or clinical assessments from it.
- We disclose your information to overseas recipients (including OpenAI and Clerk in the United States, and Supabase in Singapore) as described in Sections 6–8. By providing your health information you consent to those overseas disclosures (APP 8).
- You may request access to and correction of your personal information (APPs 12–13) by contacting us.
- If you are not satisfied with how we have handled a privacy matter, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
- We will notify you and the OAIC of eligible data breaches as required by the Notifiable Data Breaches scheme.
17.2 European Economic Area and United Kingdom
We process personal data in accordance with the EU GDPR and the UK GDPR.
- Our legal bases are set out in Section 4.1. We process your health data on the basis of your explicit consent (Art. 9(2)(a)).
- You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent at any time (Section 12).
- We transfer personal data to the United States and Singapore using Standard Contractual Clauses (and the UK Addendum) or another valid transfer mechanism (Section 8).
- You have the right to lodge a complaint with your supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk. In the EEA it is the authority in your country of residence.
17.3 United States
The United States has no single, federal consumer-privacy law that covers a service like ours. Instead, your rights depend on the state you live in. We extend the core rights described in Section 12 to all our US users, with the additional provisions below.
HIPAA. Protocol is a consumer recovery and accountability tool. We are not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the health information you provide to us is not "protected health information" governed by HIPAA. It is consumer health information, governed by applicable U.S. state privacy laws and by the Federal Trade Commission Act. If in future Protocol contracts directly with a clinic, health plan or other HIPAA-covered entity to handle information on its behalf, HIPAA obligations and a Business Associate Agreement may apply, and we will update this policy before doing so.
California (CCPA/CPRA). If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the rights to know, access, delete, and correct your personal information, and to opt out of its "sale" or "sharing".
- In the preceding 12 months we have collected the categories of personal information described in Section 3, including health information, which is treated as sensitive personal information.
- We do not "sell" or "share" your personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes beyond providing the Service.
- You may exercise your rights by contacting us at privacy@protocol-ai.net. We will not discriminate against you for doing so. You may use an authorised agent, and we will verify requests as the law requires.
Other US states. If you are a resident of another state with a comprehensive consumer-privacy law — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon and Montana, among a growing number of others — you generally have rights to access, correct, delete and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Because we do not sell your data, do not use it for targeted advertising, and process your health data only to provide the Service with your consent, several of these rights apply to us only in limited ways — but you may exercise any of them by contacting us at privacy@protocol-ai.net. Many of these laws treat health information as "sensitive data" that requires your consent, which we obtain.
17.4 India
We handle personal data of users in India in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act).
- We process your personal data (including health data) on the basis of your consent, for the specified purpose of providing the Service.
- You have the right to access and correct your personal data, to withdraw consent, to seek erasure, and to grievance redressal.
- For any grievance, contact our grievance point of contact at privacy@protocol-ai.net.
This policy is published at protocol-ai.net/privacy and is incorporated into the Protocol Terms of Use.