Privacy Policy
Protocol — operated by Ronin Cyber Pty Ltd (ABN 59 677 632 736)
Effective date: 3 June 2026
Ronin Cyber Pty Ltd ("Protocol", "we", "us", "our") respects your privacy. This policy explains
what personal information we collect, how we use and protect it, and your rights. It applies
to the Protocol Body OS mobile app, the getprotocolos.com website and store, and any related services (together, the "Services").
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. The short version
· Your health, fitness, biomarker and genetic data is yours. We process it to give you coaching and insights, nothing else.
· We do not sell your personal information, and we never sell or share health or genetic data for advertising.
· Health data from Apple HealthKit is used only to power features you turn on, and is handled under Apple's HealthKit rules.
· Your data is stored in Australia (AWS, Sydney region) by default.
· You can access, correct, export or delete your data, and withdraw consent, at any time.
2. Who we are and how to contact us
| Entity | Ronin Cyber Pty Ltd |
| ABN | 59 677 632 736 |
| Address | Sydney, NSW, Australia |
| Privacy contact | paul@getprotocolos.com |
| General support | paul@getprotocolos.com |
We are the data controller for the information described here.
3. Information we collect
3.1 Account and profile
Name, email address, password (stored only as a secure hash), and the profile you build during onboarding: sports, focus areas, goals, and biometric baselines.
3.2 Health and fitness data (sensitive information)
With your explicit consent, the app collects and processes:
· Apple HealthKit data you authorise: heart-rate variability (HRV), resting heart rate, sleep stages, activity and similar metrics.
· Journal and training entries you log: supplements, food, training, sauna, cold, breathwork, light exposure, notes.
· Biomarkers you enter from bloodwork (e.g. marker, value, reference range).
· Documents you choose to upload (e.g. lab results).
· Derived metrics we compute from the above, including your daily Protocol Score.
3.3 Genetic data (special-category sensitive information)
If you choose to provide genetic information (e.g. genotype data or DNA-derived insights), we treat it as special-category data subject to separate, explicit consent and stronger controls. Genetic data is never shared with insurers or any third party for underwriting or marketing. This is enforced technically, not just by policy.
3.4 Store and purchase data
If you buy supplements or subscribe, we (and our payment processor) collect order details, shipping address, and contact details. We do not store full card numbers; card data is handled by our PCI-compliant payment processor.
3.5 Technical and usage data
Device type, OS version, app version, crash and diagnostic data (via Sentry), and basic usage analytics, used to keep the Services reliable and secure.
4. How we use your information
We use your information to:
· Provide the core Services: compute your Protocol Score and generate coaching tied to your own numbers.
· Operate the AI coach. Coaching requests are processed server-side only, and prompts contain metrics and patterns, not your name, email or identifiers.
· Fulfil orders, manage subscriptions, and provide support.
· Keep the Services secure, debug issues, and meet legal obligations.
We rely on your consent for health, genetic and other sensitive information, and on the performance of our contract with you for account and order processing. You can withdraw consent at any time.
We do not use your health or genetic data for advertising, and we do not make automated decisions that produce legal or similarly significant effects about you.
5. Apple HealthKit
Where you enable HealthKit, the app reads only the data types you authorise, and writes back only data you ask it to. In line with Apple's requirements:
· HealthKit data is used solely to provide health and fitness features within Protocol.
· We do not use HealthKit data for advertising or marketing.
· We do not sell HealthKit data or disclose it to third parties for their own purposes.
· We do not share HealthKit data with any party who would use it for advertising, data-mining, or similar uses.
· You can revoke HealthKit access at any time in the iOS Health app or Settings.
6. The AI coach
The coaching feature uses an AI model, called only from our secure server-side function after verifying your session. Before any request leaves our environment:
· We strip direct identifiers; prompts carry metrics and patterns, not names, emails or IDs.
· We operate the Claude API under terms intended to provide zero data retention and no use of your data for model training. Processing this data may occur outside Australia for the AI request itself; the underlying records remain stored in Australia.
7. How we protect your information
Security and privacy are built into Protocol, not bolted on:
· Australian data residency by default — stored with Supabase on AWS ap-southeast-2 (Sydney).
· Encryption in transit (TLS 1.3) and at rest (AES-256). Special-category data (including genetic data and AI coaching payloads) receives additional column-level encryption.
· Row-level security so each user can access only their own records, enforced at the database layer.
· On-device protection: authentication tokens stored in the iOS Keychain, an optional biometric (Face ID) gate, and certificate pinning on network calls.
· Audit logging of access to health data, and granular, withdrawable consent recorded per data category.
· Multi-factor authentication available to all users.
No system is perfectly secure, but we hold Protocol to a healthcare-grade standard.
8. When we share information
We share personal information only with:
· Service providers who help us run the Services under contract and confidentiality (e.g. cloud hosting, payment processing, subscription validation, error monitoring, the AI model provider). They may process data only on our instructions.
· Authorities, where required by law.
· A successor entity, in the event of a merger or acquisition, subject to this policy.
We never sell your personal information, and we never share health or genetic data for advertising or with insurers for underwriting.
9. Your rights
Under the Privacy Act and our own commitments, you can:
· Access the personal information we hold about you.
· Correct inaccurate information.
· Export your data in a portable format.
· Delete your account and data. We action erasure within 30 days, except where we must retain limited records by law (e.g. tax records for orders).
· Withdraw consent for any data category, including HealthKit and genetic data.
To exercise any of these, contact paul@getprotocolos.com. We will verify your identity before acting. You can also complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you are not satisfied with our response.
10. Data retention
We keep personal information only as long as needed to provide the Services or meet legal obligations. When you delete your account, we delete or de-identify your personal information within 30 days, other than records we are legally required to keep.
11. Children
Protocol is not intended for anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us information, contact paul@getprotocolos.com.
12. International users and transfers
Protocol is operated from Australia and intended for Australian users at launch. Where data is processed outside Australia (for example, the AI coaching request described in section 6), we take reasonable steps to ensure it is handled consistently with this policy and the APPs.
13. Changes to this policy
We may update this policy. We will post the new version here with a revised effective date and, for material changes, notify you in-app or by email.
14. Not a medical device
Protocol provides general wellness and performance information. It is not a medical device and does not diagnose, treat, cure or prevent any disease. Always consult a qualified healthcare professional before acting on anything in the Services. See our Health & Medical Disclaimer.