Protocol Health

Consumer Health Data

Consumer Health Data Privacy Policy

Effective date: June 14, 2026

This Consumer Health Data Privacy Policy describes how Protocol Health Ltd. (“Protocol Health,” “we,” “us,” or “our”) collects, uses, shares, and protects consumer health data. It is provided to comply with the Washington My Health My Data Act, Nevada Senate Bill 370, and the Connecticut Data Privacy Act, and applies to all users of the Service.


1. Scope and what “consumer health data” means

“Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. This policy governs the consumer health data that Protocol Health collects through its intake process.

This policy applies to consumers in Washington and any person whose consumer health data is collected in Washington, to Nevada residents, and to Connecticut residents, and we extend its protections to all users of the Service.

2. Categories of consumer health data we collect, and sources

We collect the following categories of consumer health data:

  • self-reported health goals, conditions, symptoms, and wellness objectives;
  • self-reported lifestyle and regimen information (for example, diet, activity, and current supplement or compound use);
  • health-related inferences and derived data, including the generated protocol, which is derived from the information you provide.

Sources. We collect this data directly from you when you complete intake. Derived consumer health data is generated by us from the information you provide.

3. Purposes for collecting and using consumer health data

We collect and use consumer health data to:

  • generate your personalized educational protocol;
  • create and operate your account;
  • process your one-time payment;
  • send you transactional email related to your protocol; and
  • maintain the security and integrity of the Service.

We do not use consumer health data for any purpose beyond those stated above without obtaining your additional consent.

4. Categories of consumer health data we share, and recipients

We share consumer health data only with service providers that process it on our behalf and only as necessary to provide the Service you request. The categories of data shared are the self-reported and derived consumer health data described in Section 2. The specific recipients are:

  • Anthropic, PBC — receives your intake information to generate your protocol using the Claude AI model;
  • Neon — database / storage of your data;
  • Google Cloud — hosting of the Service (Cloud Run);
  • Clerk — account authentication;
  • Stripe — payment processing; and
  • Resend — transactional email delivery.

We do not have affiliates with which we share consumer health data. These recipients act as our processors and are not permitted to use your consumer health data for their own purposes.

5. Your consent to collect

Before we collect your consumer health data, we obtain your affirmative opt-in consent. During intake, you must check a clear, separate consent box agreeing to our collection and processing of the health information you enter. We record that consent. You may decline, but we cannot generate a protocol without the information needed to do so.

6. Your consent to share

We share your consumer health data with the recipients listed in Section 4 only to the extent it is necessary to provide the protocol you have requested. We do not share consumer health data for any other purpose. If we ever sought to share your consumer health data beyond what is necessary to provide the Service, we would first obtain your separate, distinct consent to do so.

7. We do not sell consumer health data

Protocol Health does not sell your consumer health data. We will not sell your consumer health data unless we first obtain your separate, written, and valid authorization that meets the requirements of applicable law, which you would have the right to revoke.

8. Your rights

You have the right to:

  • confirm and access the consumer health data we have collected about you;
  • withdraw your consent to our collection and sharing of your consumer health data; and
  • delete your consumer health data, including by having us direct our processors to delete it.

9. How to exercise your rights

To confirm, access, withdraw consent for, or delete your consumer health data, email us at support@myprotocol.health. We will verify your request using the information associated with your account and respond within 45 days, which may be extended once where reasonably necessary. When you request deletion, we will delete your consumer health data from our records and notify our processors to do the same.

10. How we protect consumer health data

We protect consumer health data using reasonable administrative, technical, and physical safeguards appropriate to its sensitivity, and we restrict access to those who need it to carry out the purposes described in this policy.

11. No geofencing

We do not use a geofence to establish a virtual boundary around any health-care facility, and we do not use geofencing to identify or track consumers, to collect consumer health data, or to send notifications or advertisements related to consumer health data.

12. Data retention

We retain consumer health data only for as long as necessary to provide and make available your protocol and to meet related legal and record-keeping obligations, after which we delete or de-identify it.

13. Who we are and how to contact us

This policy is published by Protocol Health Ltd., the entity responsible for the consumer health data described here. You can reach us at:

Protocol Health Ltd.
30 North Gould Street, Ste N, Sheridan, WY 82801, United States
support@myprotocol.health