Legal

Privacy Policy

Last updated: April 23, 2026 · Applies to all Protocolly users worldwide.

1. Introduction

Protocolly Technologies ("Protocolly", "we", "us", or "our") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at protocolly.one and any related services. This policy applies to all users worldwide, including residents of the European Union (GDPR), California (CCPA), Brazil (LGPD), and all other jurisdictions. If you have questions about this policy, contact us at hello@protocolly.one.

2. Information We Collect

We collect the following categories of information:

Account Information: Email address, password (hashed and never stored in plain text), organization name, and role within your organization.
Usage Data: Pages visited, features used, time spent on the platform, browser type, device information, and IP address (anonymized after 30 days).
Content Data: Text descriptions you submit to generate SOPs, the SOPs and documentation generated, and any edits or annotations you make.
Payment Information: We use Stripe as our payment processor. Protocolly never stores your full credit card number.

We do not collect biometric data, health information, or any other sensitive categories of personal data.

3. How We Use Your Information

We use your information for the following purposes:

— To provide, operate, and maintain the Service.
— To process your AI generation requests and return results.
— To manage your subscription and process payments.
— To send transactional emails (account confirmations, invoices, security alerts).
— To analyze usage patterns and improve the Service.
— To detect, prevent, and address technical issues and security threats.
— To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your content to train AI models without explicit written consent.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

Contract Performance: Processing necessary to provide the Service you subscribed to (Article 6(1)(b) GDPR).
Legitimate Interests: Analytics, security monitoring, and service improvement (Article 6(1)(f) GDPR).
Legal Obligation: Compliance with applicable laws and regulatory requirements (Article 6(1)(c) GDPR).
Consent: For marketing communications and optional analytics. You may withdraw consent at any time.

5. Data Sharing and Third Parties

We share your data only with the following trusted service providers:

Supabase (Database & Authentication): Your account data and generated SOPs are stored in Supabase's PostgreSQL infrastructure with encryption at rest.
Groq (AI Processing): Text you submit for SOP generation is sent to Groq's API. Groq does not retain submitted data beyond the duration of the request.
Stripe (Payment Processing): Subscription and billing information. Stripe is PCI DSS Level 1 certified.
Vercel (Hosting & Edge Network): Application hosting and content delivery.

We do not share your data with advertisers, data brokers, or any third party for marketing purposes.

6. International Data Transfers

Protocolly operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States. For transfers from the EEA, UK, or Switzerland to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers involving other jurisdictions, we implement appropriate safeguards as required by applicable law.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Account data is retained for the duration of your subscription plus 12 months after termination. Generated SOPs and content are retained as long as your account exists. You may delete individual documents at any time. Payment records are retained for 7 years to comply with tax and accounting regulations. Upon account deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Your Rights

Depending on your jurisdiction, you have the following rights:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data.
Right to Data Portability: Receive your data in JSON or CSV format.
Right to Object: Object to processing based on legitimate interests.
CCPA Rights (California): Right to know, delete, and opt-out of sale (we do not sell data).

To exercise any of these rights, contact hello@protocolly.one. We respond within 30 days (GDPR) or 45 days (CCPA).

9. Security

We implement enterprise-grade security measures:

— TLS 1.3 encryption for all data in transit.
— AES-256 encryption for data at rest.
— Row-Level Security (RLS) policies ensuring strict data isolation between organizations.
— Regular security audits and vulnerability assessments.
— Incident response procedures with 72-hour breach notification (GDPR compliant).

10. Cookies and Tracking

We use the following types of cookies:

Essential Cookies: Required for authentication and session management. These cannot be disabled.
Analytics Cookies: Anonymized and aggregated. You may opt out via account settings.

We do not use third-party advertising cookies or cross-site tracking technologies.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has used our Service, please contact hello@protocolly.one.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email at least 14 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact

For privacy-related inquiries:

Privacy Team: hello@protocolly.one
Legal: hello@protocolly.one
Support: support@protocolly.one

For EU users, you have the right to lodge a complaint with your local Data Protection Authority (DPA). We aim to respond to all privacy inquiries within 5 business days.