Privacy Policy
Effective: August 16, 2025
Company (Controller): Immortal Company, Inc., 11273 COLINWARD AVE, LAS VEGAS, NV 89135, USA (“Immortal,” “we,” “us,” “our”)
Contact: privacy@protocols.co
This Privacy Policy explains how we collect, use, disclose, and protect information in connection with Protocols, a wellness social app available at protocols.co and our mobile apps (the “Service”).
Important: Protocols is not a medical device and does not provide medical advice. The Service is intended only for individuals located in the United States and aged 13 or older. If you are not in the U.S. or are under 13, do not use the Service.
Not a contract. This Policy is for transparency and compliance; it is not a contract and does not create any legal rights beyond those required by law. For terms governing your relationship with us (including limitations of liability and dispute resolution), please review our Terms of Service.
1) Scope & Eligibility
Applies to protocols.co, our apps, and any features, content, or communications offered by Immortal that link to this Policy.
U.S. only. By using the Service, you represent you are currently located in the United States. If you use the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S. under U.S. law.
Age 13+. We do not knowingly collect personal information from children under 13 (see §15).
2) Notice at Collection (California & similar U.S. state laws)
We collect the categories of personal information below from the sources listed for the purposes described, and retain it for periods aligned with §11 (Data Retention). Examples are illustrative, not exhaustive.
Identifiers
Examples: Phone number for OTP, account handle, IP, device IDs
Sources: You; your device; our service providers
Purposes (see §5): Operate/authenticate; security; debug; analytics; communications
Disclosure (see §7): Service providers; legal; business transfers
Account/Profile
Examples: Name, bio, avatar/cover photo
Sources: You
Purposes: Operate; social features; safety
Disclosure: Public by default (content); service providers
User Content
Examples: Posts, photos, comments, likes, follower graphs
Sources: You
Purposes: Operate; social features; safety/enforcement
Disclosure: Public by default (content); service providers
Wellness Inputs (Sensitive)
Examples: Food, hydration, exercise, supplements, habits, routines
Sources: You
Purposes: Provide/improve features you request
Disclosure: Service providers (on our instructions)
Health Integrations (Sensitive)
Examples: Apple HealthKit categories you authorize
Sources: You; HealthKit (with your permission)
Purposes: Provide/improve features you request
Disclosure: Not used for ads; not sold; limited processors; only shared with your separate consent
Geolocation (Sensitive)
Examples: Precise GPS (if enabled); coarse IP location
Sources: Your device; IP
Purposes: Features like UVI/sunset, safety/abuse controls
Disclosure: Service providers
Contacts Matching
Examples: On-device SHA-256 hashed phone/email for friend-finder
Sources: Your device
Purposes: Friend discovery (opt-in)
Disclosure: Service providers; never plain contacts
Internet/Technical
Examples: App usage events, crash logs, OS/browser info
Sources: Your device; SDKs
Purposes: Operate; security; analytics; diagnostics
Disclosure: Service providers
Communications
Examples: Email/SMS for product updates (opt-in)
Sources: You
Purposes: Transactional messages; marketing with consent
Disclosure: Email/SMS processors
Inferences
Examples: Basic content/feed ranking signals
Sources: Derived by us
Purposes: Improve relevance and product experience
Disclosure: Not for legal or similarly significant decisions
Selling/Sharing: As of the Effective Date, we do not “sell” or “share” personal information (as those terms are defined under CPRA/other U.S. state privacy laws), and we do not use personal information for cross-context behavioral advertising. If that changes, we will update this Policy, honor opt-out preference signals where required, and provide appropriate notices/controls.
3) Information We Collect
We collect information you provide directly, information from your device and activity, and—only with your permission—from integrations (e.g., HealthKit).
Account & Identity. Phone number (for OTP sign-in/security), name, handle, bio, profile/cover photos.
User Content & Social Graph. Posts, photos (e.g., meals/supplements), comments, likes, follower/following relationships. Public by default unless you change settings (§6).
Wellness & Health Inputs (Sensitive). Entries you make about food, hydration, exercise, supplements, goals, habits, routines.
Health Integrations (Sensitive). With your explicit permission, we access only the HealthKit categories you authorize.
Location. With OS permission, precise GPS (for features like local UVI/sunset); we may also infer coarse location from IP.
Contacts (Friend-Finder). Opt-in on-device hashing (SHA-256) of your contacts’ emails/phone numbers; we receive only hashes for matching, not your plain contact list.
Device/Technical. Device and app identifiers, IP, OS/browser details, crash/diagnostic logs, and usage events.
Cookies/SDKs. First-party cookies/SDKs for core functionality, analytics/diagnostics (e.g., Mixpanel, Sentry), infrastructure/communications (e.g., Supabase, AWS, Vercel, Twilio), and payments (e.g., Stripe).
Communications. Email/phone for transactional messages; marketing only with your consent.
We may create de-identified or aggregated data (which is not personal information) and use it for any lawful purpose. We commit to maintaining and not re-identifying de-identified data except to test our de-identification processes.
4) Sources of Information
You (account setup; posts; wellness entries; settings; communications).
Your Device/OS (permissions; sensors; crash/usage telemetry).
Integrations you authorize (e.g., HealthKit).
Service Providers (fraud prevention, security, analytics).
Public/Community Content (content you or others make public).
5) How We Use Information
We use personal information to:
Operate the Service (account creation, authentication, social features).
Provide features you request (e.g., UVI/sunset, health data syncing you authorize).
Maintain safety and integrity (detect, prevent, and respond to spam, abuse, fraud, violations of our Terms or policies).
Debug, monitor, and improve (analytics, diagnostics, performance).
Communicate (transactional messages like OTP codes, service notices; marketing only with your consent—unsubscribe/STOP anytime).
Research & development (including product analytics, quality assurance, and improving algorithms that do not make legal or similarly significant decisions about you).
Comply with law and enforce our rights.
Automated decision-making (clarity)
We do not engage in automated decision-making with legal or similarly significant effects (e.g., credit, employment, housing). We may use ranking/recommendation algorithms for content discovery that do not have such effects.
6) Public Content & Social Visibility
Public by default. Posts, profiles, and other public actions may be viewed, used, reshared, or indexed by others and search engines.
Controls. You can make your account require follower approval; you can delete your public posts at any time, but deletion does not control copies, shares, or indexing by others/third parties.
Caution. Do not post information you would not want to be public.
7) How We Disclose Information
We do not sell or share personal information for cross-context behavioral advertising. We disclose information as described:
Service Providers / Sub-processors. Hosting, storage, analytics, error monitoring, communications, payments, content moderation, and AI infrastructure (e.g., OpenAI, Anthropic) solely to provide the Service on our instructions and subject to confidentiality and security obligations.
AI Features. If you use features that send content to model providers, we instruct vendors to use data only to provide the requested functionality. Where available, we configure vendor settings to disable training on your content. Vendor trust & safety logging may occur. Avoid submitting highly sensitive information in free-text fields.
Legal/Compliance. To comply with law or legal process; to protect users, the public, or our rights, property, and safety; to detect/prevent fraud or security issues.
Business Transfers. As part of a merger, acquisition, financing, or sale of assets, in which case data may transfer subject to this Policy’s protections or successor equivalent protections.
Public Content. Content you make public is, by definition, visible to others and may be reshared.
With Your Consent. Where you direct us to share (e.g., exporting your data to a third party).
Contacts Matching. We receive only contact hashes, used solely for friend discovery; we do not use them for advertising.
Payments. Stripe processes payments; we don’t store full card numbers.
8) Health Integrations (Apple HealthKit)
If you connect HealthKit:
We access only data types you explicitly authorize and use them solely to provide or improve app features you request.
We do not use HealthKit data for advertising or marketing and do not sell HealthKit data.
We will not disclose HealthKit data to third parties except (a) to service providers acting on our behalf to provide Service functionality under strict confidentiality, or (b) with your separate, express consent.
You can revoke access at any time in your device’s Health settings; controls in our app may also be available.
9) Your Choices & Controls
Location. Enable/disable precise location in your device settings at any time.
Contacts. Friend-finder is opt-in; revoke in device/app settings.
Health Integrations. Grant/revoke categories (e.g., in Apple Health).
Marketing. Emails: use the unsubscribe link. SMS: text STOP to cancel, HELP for help. Message/data rates may apply; frequency varies; consent not required as a condition of purchase or use.
Public Content. Delete your posts at any time (copies/shares/search caches may persist).
Account Deletion & Data Requests. See §12.
10) Cookies, SDKs & Do Not Track
We use cookies and SDKs for core functionality, analytics (e.g., Mixpanel), diagnostics/error monitoring (e.g., Sentry), infrastructure (e.g., Supabase, AWS, Vercel), communications (e.g., Twilio), and payments (e.g., Stripe). You can control cookies in your browser and manage app permissions at the OS level.
Do Not Track/Global Privacy Control. Many browsers offer DNT/GPC. Because we do not sell or share personal information for cross-context behavioral advertising, these signals currently do not change our advertising practices. If we later engage in activities that require honoring recognized opt-out signals, we will do so as required by law.
11) Data Retention
We retain personal information only as long as necessary for the purposes in §5, to comply with legal obligations, resolve disputes, enforce terms, and maintain security. Examples (not promises):
Account & Content. Kept while your account is active; if you request deletion and we verify the request, we aim to delete active copies within 30 days.
Logs/Backups. Security/diagnostic logs and backups persist for a limited period consistent with operational needs and are purged on a routine schedule.
Legal Holds. If we are obligated to preserve information (e.g., for litigation), we will retain only what is necessary for as long as required.
Deletion from our active systems does not automatically remove content from others’ devices or third-party caches/archives.
12) Security
We use technical and organizational measures to protect information, including TLS in transit, encryption at rest provided by our cloud platforms, role-based access controls, least-privilege access, and routine monitoring. No system is 100% secure. Please report security concerns to privacy@protocols.co. We do not currently operate a public bug bounty.
13) Your U.S. Privacy Rights & Appeals
Depending on your state, you may have rights to access, delete, correct, and obtain a portable copy of personal information, and to limit certain uses of sensitive information.
How to submit. Email privacy@protocols.co from your account email (or include your account phone number) and specify the request type (access, deletion, correction, portability).
Verification. We may verify requests via one-time code to your account phone number or by other reasonable methods. If you use an authorized agent, we may require proof of authorization and also verify you directly.
Timing. We aim to respond within 45 days (or as required by law), and may extend once where permitted.
Appeal. If we deny your request, you may appeal by replying to our decision email with “Appeal” in the subject. If your appeal is denied, you may contact your state attorney general.
California (CPRA) Notice. We state above our categories, purposes, sources, and disclosures (§2). We do not sell or share personal information as defined by CPRA, and we do not use or disclose sensitive personal information for purposes requiring a Right to Limit. We do not offer financial incentives for personal information. You may still exercise access/deletion/correction/portability rights as described.
14) International Data Transfers
Data is hosted and processed in the United States (e.g., U.S. regions of Supabase/AWS). The Service is intended only for U.S. users.
15) Children & Teens
Under 13. We do not knowingly collect personal information from children under 13. If we learn we have, we will delete it.
Ages 13–15. We do not sell or share personal information for cross-context behavioral advertising.
We do not offer teen-specific features.
16) Third-Party Links & Services
Links to third-party websites or services are provided for convenience. Their privacy practices are governed by their own policies; we are not responsible for their content, security, or practices.
17) Changes to This Policy
We may update this Policy from time to time. The current version will be available in-app and at protocols.co. For material changes, we may provide additional notice (e.g., in-app banner, website notice, email, or SMS).
18) Contact Us
Email: privacy@protocols.co
Postal: Immortal Company, Inc., 11273 COLINWARD AVE, LAS VEGAS, NV 89135, USA
Short Disclaimers
No medical advice or HIPAA coverage. We are not a healthcare provider or covered entity; the Service is not a medical device or a substitute for professional medical advice.
Policy is not a contract. Nothing here limits your rights under applicable law.