Privacy Policy

Last updated: May 1, 2026

ProtocolEngine is operated by Stefan Ojanen. This Privacy Policy describes how we collect, use, and protect your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

Data Controller

Stefan Ojanen, ProtocolEngine. Contact: hello@protocolengine.io

Legal Basis for Processing

We process your data under the following legal bases (GDPR Article 6):

Consent: Newsletter subscription, quiz responses, use of the Evidence Assistant

Contract performance: Account creation, premium subscription delivery

Legitimate interest: Analytics (privacy-focused, no personal data), service improvement, security

Information We Collect

Information you provide: Email address (account or newsletter signup), display name (optional), quiz responses, supplement stack entries, saved protocols, and bookmarks.

Payment data: When you subscribe to Premium, payment is processed by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers.

Evidence Assistant: When you use the Evidence Assistant, your messages are sent to Anthropic (Claude) for processing. Conversations are not stored on our servers. Anthropic processes data under their data processing agreement.

Health condition selections (special category data): You may optionally select health conditions from a predefined list (e.g. diabetes, hypertension, cardiovascular disease) to personalize research content. This constitutes special category health data under GDPR Article 9. We process this data only with your explicit consent (Article 9(2)(a)), given through the dedicated consent flow at the point of selection. This data is used solely to show you relevant research findings and supplement evidence related to your conditions. It is not shared with third parties, used for medical diagnosis, or used to make treatment recommendations. You may view, modify, or delete this data at any time from your account settings (Settings > Health Data). Deletion is immediate and permanent.

Wearable data (special category data): When you connect a wearable provider (Oura Ring, WHOOP, Withings, and others added over time), we receive biometric data from that provider on your behalf. This includes sleep duration and stages, sleep efficiency, heart-rate variability, resting heart rate, readiness/recovery scores, blood pressure, weight, and similar measurements. This is special category health data under GDPR Article 9. We process it only with your explicit consent (Article 9(2)(a)), given through both the provider's OAuth consent screen and your action to connect on ProtocolEngine. See the Wearable Integrations section below for the full data inventory, retention policy, and your controls.

Automatically collected: Privacy-focused analytics via Plausible Analytics. No cookies, no personal data. We collect aggregate page views, referrer, device type, and country-level location only.

We do not: Track you across other websites. Sell your personal data. Use advertising cookies or trackers. Profile you for marketing purposes.

How We Use Your Data

To provide and operate the service (account, saved data, Evidence Assistant, newsletter)

To process payments for Premium subscriptions (via Stripe)

To improve our content and features using aggregate, anonymized analytics

To send the weekly digest newsletter (only with your explicit consent)

Third-Party Processors

We share data with the following processors, each under appropriate data processing agreements:

Supabase (database, authentication) — EU-hosted

Stripe (payment processing) — PCI-DSS compliant

Anthropic (Evidence Assistant processing) — messages are not stored after processing

Vercel (hosting) — edge network

Plausible Analytics (web analytics) — no personal data collected

Google (Calendar integration, optional premium feature) — when you connect Google Calendar, we create recurring events on your behalf. We access only the calendar events write scope. We do not read, store, or analyze your existing calendar events.

Oura Health Oy / Oura, Inc. (wearable integration, optional) — when you connect an Oura Ring, we receive sleep, heart rate, HRV, readiness, and activity data from the Oura API. See Wearable Integrations below.

WHOOP, Inc. (wearable integration, optional) — when you connect WHOOP, we receive recovery, strain, sleep, HRV, resting heart rate, and SpO2 data from the WHOOP API. See Wearable Integrations below.

Withings SA (wearable integration, optional) — when you connect a Withings device, we receive weight, body composition, blood pressure, resting heart rate, sleep summary, and SpO2 data from the Withings API. See Wearable Integrations below.

Wearable Integrations

If you choose to connect a wearable device, we receive biometric data from that provider's API to generate evidence-graded protocol recommendations. Connection is opt-in, free of charge, and can be revoked at any time. ProtocolEngine is not a healthcare provider and wearable data is never used for medical diagnosis or treatment.

What we receive (per provider, scoped to what you authorize):

Oura Ring (Oura Health Oy / Oura, Inc.): sleep stages and duration, heart rate variability (HRV), resting heart rate, sleep efficiency, sleep onset latency, time awake after sleep onset, readiness score, body temperature deviation, blood oxygen, daily steps, and active calories. Source: https://ouraring.com.

WHOOP (WHOOP, Inc.): recovery score, strain score, sleep stages and duration, sleep efficiency, HRV, resting heart rate, blood oxygen, and respiratory rate. Source: https://www.whoop.com.

Withings (Withings SA): body weight, body fat percentage, systolic and diastolic blood pressure, resting heart rate, sleep summary (duration, stages, efficiency, latency, time awake), and blood oxygen. Source: https://www.withings.com.

We do not receive raw continuous heart-rate streams, GPS location, workout details beyond aggregate metrics, or any data outside the OAuth scopes you authorize at connection.

How we use wearable data:

Compute per-user baseline trends over the previous 90 days for each metric.

Detect signals (e.g. low 7-day HRV, fragmented sleep, elevated blood pressure, wake-time drift) and surface evidence-graded protocol recommendations linked to peer-reviewed research.

Re-anchor your daily schedule to your actual wake time, only when you explicitly accept that recommendation.

What we never do with wearable data:

We never sell, rent, lease, or trade wearable data to anyone.

We do not use wearable data for advertising, retargeting, or marketing profiling.

We do not combine wearable data with third-party datasets for any purpose other than the protocol recommendations described above.

We do not transfer wearable data to data brokers, insurers, or employers.

We do not use wearable data to make automated decisions that produce legal effects (GDPR Article 22).

We do not use wearable data to train machine-learning or generative-AI models.

Storage and retention:

Daily aggregated summaries (one row per metric per day) are retained for the lifetime of your account or until you delete them.

Raw provider payloads (the original webhook bodies) are pruned after 7 days; only the aggregated daily summaries remain.

OAuth tokens are encrypted at rest using AES-256-GCM. The encryption key is held outside the database.

All wearable tables enforce row-level security: only you can read your own data via the application's authenticated APIs.

Your control:

Disconnect any provider at Settings > Connected Wearables. Disconnecting revokes the OAuth token at the provider where supported, removes our webhook subscription, and (at your choice) immediately deletes all readings collected from that provider.

Export all wearable data as JSON via the export action on the Connections page. The export contains daily summaries, raw payloads still within the 7-day window, your connection metadata (with tokens redacted), and your generated recommendations.

Delete all wearable readings while keeping the connection in place via the same page.

Deleting your ProtocolEngine account permanently removes all wearable data within 30 days.

Source attribution and provider terms:

Oura data is provided under the Oura API Agreement. Oura's privacy notice: https://ouraring.com/privacy-policy.

WHOOP data is provided under the WHOOP Developer Terms of Use. WHOOP's privacy policy: https://www.whoop.com/legal/privacy.

Withings data is provided under the Withings Public API Terms. Withings's privacy policy: https://www.withings.com/us/en/legal/privacy-policy.

Security incidents:

If we identify an actual or reasonably suspected breach of wearable data, we will notify the affected users and the originating provider(s) without undue delay and in any case within 72 hours of becoming aware, in accordance with GDPR Article 33 and the providers' developer terms.

Data Storage and Retention

Your data is stored in Supabase (hosted in the EU). We use encryption at rest and in transit. Data is retained for as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days. Newsletter subscription data is deleted upon unsubscribe.

Cookies

ProtocolEngine uses only essential cookies required for authentication (session tokens). We do not use advertising, tracking, or third-party cookies. Plausible Analytics is fully cookieless.

Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of access (Article 15): Request a copy of all personal data we hold about you. Use the data export feature in your account settings.

Right to rectification (Article 16): Correct inaccurate personal data via your account settings.

Right to erasure (Article 17): Delete your account and all associated data via account settings.

Right to restrict processing (Article 18): Request that we limit how we use your data.

Right to data portability (Article 20): Download your data in a structured, machine-readable format (JSON) via account settings.

Right to object (Article 21): Object to processing based on legitimate interest.

Right to withdraw consent: Withdraw consent at any time (e.g., unsubscribe from newsletter). This does not affect prior processing.

Right to lodge a complaint: You may file a complaint with your local data protection authority.

Automated Decision-Making

ProtocolEngine does not use automated decision-making or profiling that produces legal effects. Evidence scores are calculated algorithmically from published research and are the same for all users.

Children

ProtocolEngine is not directed at children under 16. We do not knowingly collect data from minors.

Changes to This Policy

We may update this policy. Material changes will be communicated via the website. Continued use after changes constitutes acceptance.

Contact

For all privacy inquiries, data requests, or complaints: hello@protocolengine.io