LEGAL

Privacy Policy

Last updated: 10/07/2026 · Effective: 10/07/2026

This Privacy Policy explains how Naman Sharma (trading as "Protocol", and referred to in this policy as "Protocol", "we", "us" or "our") collects, uses, discloses and protects your personal information when you use the Protocol mobile application, the Protocol website at protocol-ai.net, and any related services (together, the "Service").

Protocol is an injury-recovery accountability and coaching tool. To do its job it necessarily handles information about your health. We treat that information as sensitive and have written this policy to be specific about what we collect, where it goes, and what control you have over it.

Please read this policy together with our Terms of Use. By creating an account and using the Service you confirm you have read and understood this policy.


1. Who is responsible for your information

The data controller — the person who decides how and why your information is processed — is Naman Sharma, an individual operating as a sole trader in Australia under the name "Protocol".

Privacy contact: privacy@protocol-ai.net

If you are in the European Economic Area ("EEA") or the United Kingdom, the relevant terms in Section 17 apply to you. If you are in Australia, the United States or India, the corresponding country/state sections in Section 17 also apply.


2. A plain-language summary

This is a summary only. The detail that legally governs is in the sections below.

What we collectExamplesWhyWho it goes to outside Protocol
Account & identityEmail, password, your first nameTo create and secure your accountClerk (authentication)
Health & recovery informationYour injury, injury date, pain scores, swelling notes, exercise adherence, check-ins, recovery plan, things you tell the coachTo run your recovery plan and personalise coachingOpenAI (to generate coaching responses); Supabase (storage)
Coaching preferencesYour recovery goal, your stated coaching-style preference, a reminder cue (a note about your own routine)To frame coaching and time reminders the way you asked forOpenAI (as part of your recovery context); Supabase (storage)
Recovery-outcome data (opt-in only)A short pain/function scale and self-reported re-injury, anchored to your recovery dayTo improve Protocol and, in anonymised form, for potential future research — only if you separately consentSupabase (storage); shared or analysed only in anonymised, aggregated form
Uploaded clinical documentsPhotos or PDFs of discharge summaries, scan reports, physio notes, and the text extracted from themTo turn clinical context into your plan's restrictions and timelineOpenAI (to read the document via vision OCR); Supabase (storage)
Conversations with the coachEverything you type to the Protocol coachTo answer you and maintain recovery continuityOpenAI (to generate replies); Supabase (storage)
Device & technicalApp version, device type, IP address, crash/diagnostic signalsTo keep the app working and secureOur hosting provider

We do not sell your personal information. We do not use advertising networks. We do not run third-party analytics or behavioural-tracking SDKs in the app. Your health information is shared only with the infrastructure providers listed in Section 7, and only to operate the Service.


3. Information we collect

3.1 Information you give us

Account and identity information. When you sign up we collect your email address and a password, and basic details you provide during onboarding. Your password is handled by our authentication provider (Clerk) and is not visible to us in plain text.

Onboarding and health information. During onboarding and ongoing use you provide information about your physical condition, including:

Coaching preferences. During onboarding you also choose:

Uploaded clinical documents. You may upload photographs or PDF files of clinical documents — for example a discharge summary, an imaging or scan report, or notes from your physiotherapist or doctor. We store the file you upload, and we extract the text from it so the coach can use the clinical context. These documents commonly contain health information about you and may contain identifiers placed there by a third party (such as a clinic).

Conversations with the coach. The Service is built around an ongoing coaching conversation. We retain the messages you send and the responses generated, because recovery coaching depends on continuity — the coach's value comes from remembering your trajectory across days and weeks.

3.2 Information we collect automatically

We deliberately keep this minimal. We do not embed third-party analytics, advertising or behavioural-tracking SDKs. We collect:

3.3 Information from third parties

3.4 Health information is "sensitive"

Information about your injury, symptoms, pain, treatment and recovery is health information, which is treated as sensitive information under the Australian Privacy Act and as a special category of personal data under the EU/UK GDPR. We collect and use it only with your consent and only to provide the Service, as described in this policy. You can withdraw consent at any time (see Section 12), though doing so will usually mean we can no longer provide the Service to you.

3.5 Recovery-outcome data (optional — separate opt-in consent)

Separately from the Service itself, you can choose to share recovery-outcome data: a short pain and function scale, and whether you experienced a re-injury, each recorded against your recovery day. This is health information and is sensitive in the same way as the rest of your recovery data (Section 3.4). It works like this:


4. How we use your information

We use your information to:

  1. Create and secure your account and authenticate you.
  2. Run your recovery plan — generate, propose, activate and revise the plan that anchors your recovery, track adherence, and surface your Day-N progress, streak and pain trends.
  3. Provide AI coaching — send the relevant parts of your conversation and recovery context to our AI provider so it can generate a response, and maintain a rolling summary of your history so the coach stays consistent over time (see Section 6). This includes framing the coaching around the recovery goal and coaching-style preference you chose, and timing reminders to the reminder cue you gave us.
  4. Translate clinical documents — read uploaded reports and convert them into the restrictions, timeline and red-flag awareness that shape your plan.
  5. Operate, maintain and improve the Service — fix faults, prevent abuse and fraud, and keep the app secure and reliable.
  6. Communicate with you about the Service, including in-app reminders you have enabled and essential service or security notices.
  7. Improve Protocol and support potential future research using recovery-outcome data — only if you have given the separate opt-in consent described in Section 3.5, and only in anonymised, aggregated form for any research use.
  8. Comply with our legal obligations and enforce our Terms of Use.

We do not use your personal information to train third-party AI models for the benefit of those providers, to build advertising profiles, or to sell to data brokers.

4.1 Legal bases (EEA/UK users)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

PurposeLegal basis
Creating your account; providing the core Service you asked forPerformance of a contract (Art. 6(1)(b))
Processing your health information (injury, symptoms, plan, uploaded reports, coach conversations)Your explicit consent (Art. 9(2)(a)), on the contractual basis above
Collecting and analysing recovery-outcome data to improve Protocol and for potential future research (Section 3.5)Your explicit, separate opt-in consent (Art. 9(2)(a)), withdrawable at any time
Security, fraud and abuse prevention, fault diagnosisOur legitimate interests in operating a safe and reliable Service (Art. 6(1)(f))
Service and security communicationsPerformance of a contract / legitimate interests
Meeting legal obligationsLegal obligation (Art. 6(1)(c))

You may withdraw your consent to health-data processing at any time. Withdrawal does not affect processing carried out before withdrawal, and will generally mean we can no longer provide the Service.


5. The Service is not a medical service

Protocol is an accountability and translation tool, not a medical device, and not a substitute for professional medical advice, diagnosis or treatment. We do not use your information to make a medical diagnosis or to provide a medical service. How the Service handles your information does not create a clinician–patient relationship. The full medical disclaimer is in our Terms of Use and is shown to you in-app before you begin.


6. How AI providers process your information

This section matters more than any other, so we have set it out separately.

The Protocol coach is powered by large-language-model and vision services provided by OpenAI. To generate a coaching reply, or to read a clinical document you upload, the relevant content is transmitted to OpenAI for processing. In practice this means:

We use OpenAI through its API, not its consumer products. Under OpenAI's API data-handling terms, content submitted through the API is not used by OpenAI to train its models, and is retained by OpenAI only transiently for the purpose of providing the service and monitoring for abuse, before deletion. OpenAI acts as our processor/subprocessor and is contractually restricted to processing the data to provide the service to us, under data-processing terms that impose confidentiality and security obligations — protection consistent with, and no less protective than, what this policy describes.

We ask for your permission in the app first. In the Protocol app for iOS, before you can use the coach — and before any of your content is transmitted to OpenAI — the app shows you a consent screen that explains what is sent and who it is sent to, and asks for your explicit agreement. We record that consent, and when you gave it, against your account. If you do not agree, the coach and document upload remain unavailable, because they cannot function without this processing.

OpenAI is located in the United States. Sending your information to OpenAI therefore involves an international transfer of your personal information (see Section 8).

If you do not want your information processed by OpenAI in this way, do not agree on the consent screen and do not use the coach or upload clinical documents — but note that these are core to the Service.


7. Who we share your information with

We share your information only with the service providers (subprocessors) that we rely on to operate the Service, and only to the extent needed for them to perform their function. Each is bound by contract to protect your information and use it only on our instructions.

ProviderFunctionWhat it receivesLocation
OpenAIAI coaching responses; vision OCR of uploaded documentsCoach conversations and recovery context; images/text of uploaded clinical documents (health information)United States
SupabaseDatabase and file storageAll account, health, plan, conversation and uploaded-document data, at restSingapore
ClerkAuthenticationEmail, password, account identifiersUnited States
Fly.ioApplication hostingRequests to the Service, including IP address and request content in transitSydney, Australia
AppleApp distributionOperates the App Store through which the app is downloaded and manages your Apple Account relationship; we do not share your recovery or health data with ApplePer Apple's policies

We may also disclose your information:

We do not currently share your information with your healthcare providers. Your recovery data is yours; the Service is designed around patient-owned data. If we introduce features that let you share data with a clinician or clinic in future, we will update this policy and obtain any consent the law requires before doing so.

We do not sell or rent your personal information, and we do not share it for cross-context behavioural advertising.


8. International data transfers

We are based in Australia, and our application hosting is in Sydney. However, some of our service providers are located outside Australia and outside your country of residence:

This means your information — including, in OpenAI's and Supabase's case, health information — is transferred to and processed in the United States and Singapore as described in this policy.

Where we transfer personal information out of the EEA or the UK, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), or another lawful transfer mechanism.

If you are in Australia, by using the Service and providing your health information you consent to its disclosure to overseas recipients (including in the United States and Singapore) as described in this policy. Where Australian Privacy Principle 8 applies and that consent is not relied upon, we take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles.


9. How long we keep your information

We keep your personal information for as long as your account is active and for as long as needed to provide the Service. Specifically:


10. How we protect your information

We take the security of your health information seriously and apply measures appropriate to its sensitivity, including:

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in serious harm or meets a notification threshold under applicable law, we will notify you and the relevant regulator as required (for example, under the Australian Notifiable Data Breaches scheme, Articles 33–34 of the GDPR, or the U.S. Federal Trade Commission's Health Breach Notification Rule).


11. Reminders and notifications

If you enable reminders, the app will deliver local notifications on your device to prompt your check-ins and exercises. You can turn these off at any time in your device settings. We do not currently send remote push notifications.


12. Your rights and choices

Depending on where you live, you have some or all of the following rights over your personal information. Country- and state-specific detail is in Section 17.

To exercise any of these rights, contact us at privacy@protocol-ai.net. We will verify your identity before acting on your request and will respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.


13. Deleting your account

You can delete your account at any time in the app's Settings, or by emailing privacy@protocol-ai.net. When you delete your account we delete or irreversibly de-identify your personal information — including your conversations, recovery data and uploaded documents — from our active systems within 30 days, subject to the limited exceptions in Section 9. Deleting the app from your device does not, by itself, delete your account or your data from our systems.


14. Children's privacy

The Service is intended for users aged 18 and over and is not directed to children. We do not knowingly collect personal information from anyone under that age. If you believe a child has provided us with personal information, contact us at privacy@protocol-ai.net and we will delete it. If we introduce a pathway for younger users (for example, with verified parental or guardian consent), we will update this policy accordingly.


15. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app or by email before the changes take effect. Your continued use of the Service after the changes take effect means you accept the updated policy.


16. Contacting us and making a complaint

For any privacy question or request, or to make a complaint, contact us at:

Naman Sharma, trading as "Protocol" Privacy contact: privacy@protocol-ai.net

If you are not satisfied with our response, you may also complain to your data-protection authority — see Section 17 for the relevant regulator in your region.


17. Region-specific terms

17.1 Australia

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

17.2 European Economic Area and United Kingdom

We process personal data in accordance with the EU GDPR and the UK GDPR.

17.3 United States

The United States has no single, federal consumer-privacy law that covers a service like ours. Instead, your rights depend on the state you live in. We extend the core rights described in Section 12 to all our US users, with the additional provisions below.

HIPAA. Protocol is a consumer recovery and accountability tool. We are not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the health information you provide to us is not "protected health information" governed by HIPAA. It is consumer health information, governed by applicable U.S. state privacy laws and by the Federal Trade Commission Act. If in future Protocol contracts directly with a clinic, health plan or other HIPAA-covered entity to handle information on its behalf, HIPAA obligations and a Business Associate Agreement may apply, and we will update this policy before doing so.

California (CCPA/CPRA). If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the rights to know, access, delete, and correct your personal information, and to opt out of its "sale" or "sharing".

Other US states. If you are a resident of another state with a comprehensive consumer-privacy law — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon and Montana, among a growing number of others — you generally have rights to access, correct, delete and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Because we do not sell your data, do not use it for targeted advertising, and process your health data only to provide the Service with your consent, several of these rights apply to us only in limited ways — but you may exercise any of them by contacting us at privacy@protocol-ai.net. Many of these laws treat health information as "sensitive data" that requires your consent, which we obtain.

17.4 India

We handle personal data of users in India in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act).


This policy is published at protocol-ai.net/privacy and is incorporated into the Protocol Terms of Use.