Last updated: 2026-04-24.

Your health data is yours. We do not sell it, license it, share it with advertisers, or train machine-learning models on it for anyone else's benefit.
Protokol Lab ("we," "us") operates the Protokol Lab service at protokollab.com. Contact for privacy inquiries: [email protected].
Account data — email address, hashed password, account creation timestamp, and plan tier. Optional display preferences (theme, timezone, unit system).
Health and logged data — whatever you choose to record: body weight, measurements, food entries, medication names and doses, injection timestamps, symptoms and 0–10 severity ratings, day notes, and progress photos you upload. You control what is entered; we do not extract data from other apps or devices unless you explicitly authorize sync.
Billing metadata — if you pay for a subscription, our payment processor collects payment-method information. We receive a subscription status, amount, and processor-issued identifiers, but we do not store full credit-card numbers on our servers.
AI chat content — if you use the AI assistant, your chat messages and the relevant portions of your logged data are sent to our AI model provider to generate a response. The provider is contractually restricted from using this content to train public models on your behalf.
Technical data — standard server logs (IP address, user-agent, timestamps, request paths) for operational security and abuse prevention. We may use lightweight first-party analytics to understand aggregate product usage. We do not use third-party ad-tracking pixels.
We do not use your data for advertising or to build profiles for third parties. We do not train publicly available AI models on your logs.
We use a small set of processors, each bound by a contract to use your data only to deliver the service to us:
We do not sell, license, or otherwise transfer your personal data to advertisers, data brokers, or any third party for their independent marketing or analytics purposes.
Protokol Lab uses first-party cookies and browser local storage to keep you signed in, remember your theme and settings, and cache data for offline use. We do not set third-party advertising or cross-site tracking cookies.
Data in transit between your device and our servers is protected by TLS. Account passwords are stored only as salted, one-way hashes (we cannot recover your password; we can only reset it). Data at rest is stored on encrypted cloud infrastructure.
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the appropriate authorities as required by applicable law.
We retain your data for as long as your account is active. When you delete your account, we delete your data from our production systems within a reasonable period and from backups within a longer period aligned to our backup retention cycle. We may retain anonymized or aggregated data, and we may retain limited records as required to comply with law, resolve disputes, or enforce our agreements.
Regardless of jurisdiction, you can:
Residents of certain states (including California, Virginia, Colorado, Connecticut, and Utah) have additional rights under state privacy law, including the right to know what categories of personal data we process and to request deletion. Residents of the European Economic Area and the United Kingdom have rights under GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, and objection. To exercise any of these rights, email [email protected].
Protokol Lab is intended for users 18 and older. We do not knowingly collect personal data from anyone under 13. If we learn we have collected data from a child under 13, we will delete it promptly.
Our servers and processors operate in the United States. If you access the service from outside the United States, your data will be transferred to and processed in the U.S. under standard safeguards including, where applicable, the European Commission's Standard Contractual Clauses.
Protokol Lab is not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Data you log into Protokol Lab is not Protected Health Information under HIPAA and is not subject to HIPAA's safeguards. Where state laws such as the Florida Information Protection Act (FIPA) apply to specific data categories we process, we apply reasonable administrative and technical security measures consistent with those laws.
We may update this Privacy Policy periodically. The "Last updated" date above reflects the current version. For material changes we will notify registered users by email or in-app notice.
Privacy inquiries, data-rights requests, or security concerns: [email protected].