Privacy Policy

Last updated: May 9, 2026 · Applies to all Protocolly users worldwide.

1. Introduction

Protocolly One (“Protocolly”, “we”, “us”, or “our”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at protocolly.one and any related services (collectively, the “Service”).

This policy applies to all users worldwide, including residents of the European Union and EEA (GDPR), United Kingdom (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), Mexico (LFPDPPP), and all other jurisdictions.

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.

If you have questions about this policy, contact us at hello@protocolly.one.

2. Information We Collect

We collect the following categories of information:

Account Information
Email address, password (hashed and never stored in plain text), organization name, and role within your organization.
Usage Data
Pages visited, features used, time spent on the platform, browser type, device information, and IP address (anonymized after 30 days).
Content Data
Text descriptions you submit to generate SOPs, the SOPs and documentation generated, and any edits or annotations you make. You are responsible for ensuring this content does not include sensitive personal data of third parties without a lawful basis.
Payment Information
Subscription and billing data processed exclusively by Stripe (PCI DSS Level 1 certified). Protocolly never stores, processes, or has access to your full credit card number, CVV, or banking details.
Communications
Any messages you send to our support or sales team, including email correspondence.

We do not knowingly collect biometric data, health or medical information, government identification numbers, racial or ethnic origin, or any other special categories of sensitive personal data as defined under GDPR Article 9.

3. How We Use Your Information

We use your information exclusively for the following purposes:

  • To provide, operate, maintain, and improve the Service.
  • To process your AI generation requests and deliver results.
  • To manage your subscription, process payments, and issue invoices.
  • To send transactional communications (account confirmations, invoices, security alerts, and service updates).
  • To analyze anonymized and aggregated usage patterns to improve the Service.
  • To detect, prevent, investigate, and address technical issues, fraud, and security threats.
  • To comply with applicable legal obligations and respond to lawful requests from public authorities.
  • To enforce our Terms of Service and protect the rights, property, and safety of the Company, our users, and third parties.

WE DO NOT SELL YOUR PERSONAL DATA TO ANY THIRD PARTY. WE DO NOT USE YOUR CONTENT TO TRAIN AI MODELS WITHOUT YOUR EXPLICIT WRITTEN CONSENT. WE DO NOT USE YOUR DATA FOR ADVERTISING OR BEHAVIORAL PROFILING PURPOSES.

5. Data Sharing and Third-Party Sub-processors

We share your data only with the following carefully selected sub-processors under appropriate contractual protections:

Database & Authentication (Supabase)
Stores account data, SOPs, and generated content with AES-256 encryption at rest and TLS 1.3 in transit.
AI Processing Provider (Groq)
Processes text you submit for SOP generation. Your input is transmitted securely and is not retained by the AI provider beyond the duration of the individual API request.
Payment Processor (Stripe)
Processes all subscription and billing transactions. Stripe is PCI DSS Level 1 certified. Protocolly does not receive or store your full payment card details.
Hosting & Edge Network (Vercel)
Application hosting, serverless function execution, and global content delivery.
Analytics (Google Analytics)
Anonymized and aggregated usage analytics. IP addresses are anonymized. You may opt out via account settings.

WE DO NOT SHARE YOUR DATA WITH ADVERTISERS, DATA BROKERS, OR ANY THIRD PARTY FOR MARKETING OR COMMERCIAL PURPOSES. THE COMPANY IS NOT RESPONSIBLE FOR THE INDEPENDENT PRIVACY PRACTICES OR SECURITY INCIDENTS OF THIRD-PARTY SUB-PROCESSORS BEYOND THE CONTRACTUAL OBLIGATIONS THOSE PROCESSORS HAVE AGREED TO WITH US.

6. International Data Transfers

Protocolly operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States. For transfers from the EEA, UK, or Switzerland to the US or other third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as updated from time to time, or other appropriate safeguards as permitted under applicable data protection law.

By using the Service from outside the United States, you consent to the transfer of your information to the United States and other countries which may have different data protection rules than those of your country.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service.

  • Account data is retained for the duration of your subscription plus 12 months after termination.
  • Generated SOPs and content are retained as long as your account exists. You may delete individual documents at any time.
  • Payment records are retained for 7 years to comply with tax and accounting regulations.
  • Upon account deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
  • Anonymized and aggregated analytics data may be retained indefinitely as it cannot be linked to any individual.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data, subject to legal retention obligations.
Right to Data Portability
Receive your data in a structured, machine-readable format (JSON or CSV).
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Restrict Processing
Request that we limit processing of your data in certain circumstances.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting prior processing.
CCPA Rights (California Residents)
Right to know what personal information is collected, right to delete, right to opt out of sale (we do not sell data), and right to non-discrimination for exercising your rights.
LFPDPPP Rights (Mexican Residents)
Rights of access, rectification, cancellation, and opposition (ARCO rights) as provided under Mexican federal privacy law.

To exercise any of these rights, contact hello@protocolly.one. We respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA), extendable by an additional 30 days with notice where legally permitted.

EU and UK users have the right to lodge a complaint with their local Data Protection Authority (DPA) if they believe their rights have been violated.

9. Security

We implement enterprise-grade security measures:

  • TLS 1.3 encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Row-Level Security (RLS) policies ensuring strict data isolation between organizations.
  • Regular security assessments and vulnerability monitoring.
  • Incident response procedures with 72-hour breach notification to relevant supervisory authorities (GDPR Article 33 compliant).

NOTWITHSTANDING THE FOREGOING, NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS 100% SECURE. WHILE WE STRIVE TO USE COMMERCIALLY ACCEPTABLE MEANS TO PROTECT YOUR PERSONAL DATA, WE CANNOT GUARANTEE ABSOLUTE SECURITY. IN THE EVENT OF A DATA BREACH THAT RESULTS FROM FACTORS OUTSIDE OF OUR REASONABLE CONTROL, THE COMPANY’S LIABILITY SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND AS SET FORTH IN OUR TERMS OF SERVICE.

10. Cookies and Tracking Technologies

We use the following types of cookies and similar tracking technologies:

Essential Cookies
Required for authentication, session management, and core platform functionality. These cannot be disabled without impacting your ability to use the Service.
Analytics Cookies
Anonymized and aggregated usage data to help us understand how users interact with the Service. You may opt out via your account settings.

We do not use third-party advertising cookies, cross-site tracking technologies, or sell cookie-derived data to any third party.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has used our Service, please contact hello@protocolly.one and we will promptly delete such information.

12. Limitation of Liability for Privacy Incidents

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY’S TOTAL LIABILITY FOR ANY CLAIM ARISING FROM OR RELATED TO A DATA BREACH, UNAUTHORIZED ACCESS, OR ANY OTHER PRIVACY INCIDENT SHALL NOT EXCEED THE TOTAL AMOUNT PAID BY YOU TO THE COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE INCIDENT. THIS LIMITATION APPLIES EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTHING IN THIS SECTION LIMITS THE COMPANY’S OBLIGATIONS UNDER APPLICABLE DATA PROTECTION LAW WITH RESPECT TO BREACH NOTIFICATION.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email at least 14 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact

For privacy-related inquiries:

Protocolly One

Privacy & Legal: hello@protocolly.one

Support: support@protocolly.one

EU and UK users have the right to lodge a complaint with their local Data Protection Authority (DPA). We aim to respond to all privacy inquiries within 5 business days.