Privacy Policy

Last Updated: June 17, 2026

Protocol Fitness Technologies, Inc. ("Company," "Protocol," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your information when you:

visit our marketing website at protocolcrm.com (the "Site"); and
access or use our software-as-a-service platform and applications — including the Protocol CRM web application and our mobile applications (such as "Start My Protocol") — and the related features, integrations, and services we provide through them (collectively, the "Services").

The Site and the Services are together referred to as the "Offerings." By using any of our Offerings, you accept this Privacy Policy and our Terms of Use, and you consent to our collection, storage, use, and disclosure of your information as described herein. If you do not agree, please do not use our Offerings.

1. Who We Are and Your Data Roles

Protocol provides a platform for fitness, health, and wellness professionals (each a "Professional") to manage their business and serve their own clients (each an "End Client").

For information that Professionals and End Clients submit into the Services to run a Professional's business — such as End Client profiles, training and nutrition plans, appointments, messages, and progress data — the Professional is the controller of that information, and Protocol acts as a processor / service provider that handles it on the Professional's behalf and under their instructions. If you are an End Client and have questions about how your data is used within a Professional's account, please contact that Professional directly; their own privacy policy may also apply.

For information we collect for our own purposes — such as Site visitors, newsletter subscribers, account holders, and our billing relationship with Professionals — Protocol is the controller.

2. Information We Collect

2.1 Information You Provide

On the Site. We collect your email address when you subscribe to our newsletter, and any details you submit through lead, assessment, or contact forms (such as your name, email, and message).

In the Services. When you register for or use the Services, we collect:

Account and profile information — name, email address, password, business name, phone number, profile photo, and similar details.
Billing information — subscription plan and transaction records. Payment card details are collected and processed by our third-party payment processor; we do not store full card numbers.
Content you submit — the information you and your users enter into the Services, which may include client records, scheduling and appointment data, messages, and health, fitness, body-composition, nutrition, and wellness information ("Health & Fitness Data"). You are responsible for having the necessary rights and consents to submit information about other people (such as your End Clients).

2.2 Information Collected Automatically

When you use our Offerings, we automatically collect certain information about your device and your activity, including your IP address, browser type, operating system, device identifiers, referring URLs, pages and screens viewed, features used, time spent, and other usage and diagnostic data. We use cookies and similar technologies to provide, secure, and analyze the Offerings (see Section 8).

On the Site we use Google Analytics, a web analytics service provided by Google, Inc., which uses cookies to help us understand how visitors use the Site. Information generated about your use of the Site may be transmitted to and stored by Google on servers in the United States. You can learn more at policies.google.com/privacy.

2.3 Information From Third-Party Integrations You Connect

The Services let you connect third-party accounts to enable functionality. If you connect such an account, we receive information from that provider as needed to operate the feature you enabled. The most significant example is Google — see Section 4 for exactly what Google data we access and how we use it.

2.4 Device Health Data (Apple Health & Android Health Connect)

Our mobile applications can, at your option, read health and fitness data from Apple Health (on iOS) and Android Health Connect (on Android) so you can see your activity, recovery, and body-composition trends and your Professional can factor them into your coaching. This connection is optional and read-only — it is enabled only after you grant permission on your device's health permission screen, we never write to or modify your device health data, and you can revoke access at any time from Health Connect (Android) or the Settings app (iOS). Depending on your platform and the permissions you grant, we read: steps, active energy (calories) burned, sleep sessions, resting heart rate, heart rate variability (HRV), weight, body fat percentage, and VO2 max.

We use device health data solely to provide these user-facing features. We do not use it for advertising, we never sell it, we share it only with the subprocessors that host the Services on our behalf and with your Professional, and we do not use it to train generalized or non-personalized AI or machine-learning models. Android Health Connect data is handled in accordance with Google's Health Connect permissions requirements, and Apple Health data in accordance with Apple's HealthKit requirements.

3. How We Use Your Information

We use the information we collect to:

provide, operate, maintain, secure, and improve the Offerings and their features;
create and manage your account, authenticate you, and provide customer support;
process subscriptions, payments, and other transactions;
synchronize and display your appointments, availability, and calendars where you have enabled an integration (see Section 4);
send you service-related communications, and — where you have subscribed — our newsletter and product updates (each marketing email includes an unsubscribe option);
analyze usage to understand trends and improve performance and user experience;
detect, prevent, and address fraud, abuse, security incidents, and technical issues; and
comply with legal obligations and enforce our agreements.

We do not use your Health & Fitness Data, or data received from third-party integrations, to train generalized or non-personalized artificial intelligence or machine-learning models.

4. Google API Services — Limited Use

Some features of the Services let you connect your Google account to enable functionality such as calendar synchronization and availability ("free/busy") checks for appointment scheduling.

When you connect your Google account, we ask your permission (via Google OAuth) to access specific Google data. Depending on the features you enable, this may include:

your Google account email address and basic profile information, to identify your account and sign you in; and
your Google Calendar data — including the ability to view, create, edit, and delete events on calendars you select, view your free/busy availability, and view the list of calendars in your account.

We use this Google data solely to provide and improve the user-facing features you have enabled — for example, to write your Protocol appointments to your Google Calendar, keep them in sync, and block times when you are already busy. We store the access and refresh tokens needed to maintain the connection, together with the minimum calendar information required to operate these features.

Protocol's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not use Google user data for advertising, we do not sell Google user data, we do not transfer it except as necessary to provide or improve these user-facing features (or for security purposes, to comply with applicable law, or as you direct), and we do not use Google user data to train generalized or non-personalized AI or machine-learning models.

You can disconnect your Google account at any time from within the Services, and you can review or revoke Protocol's access from your Google Account at myaccount.google.com/permissions. Revoking access stops future synchronization; events already written to your calendar are not automatically removed.

5. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties for their marketing purposes. We share information only as follows:

Service providers / subprocessors — vendors who help us operate the Offerings, such as cloud hosting and infrastructure, payment processing, email delivery, analytics, and customer support providers. They may access information only as necessary to perform services for us and are bound by confidentiality obligations.
At your direction — third-party services you choose to connect (such as Google), and information you choose to share within the Services.
Within a Professional's account — information submitted into a Professional's account is accessible to that Professional and the users they authorize.
Legal and safety — when required by law or legal process, or to protect the rights, property, or safety of Protocol, our users, or others.
Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Privacy Policy.

6. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Offerings, and thereafter as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. When information is no longer needed, we delete or de-identify it. Information held on behalf of a Professional is retained and deleted according to that Professional's instructions and their agreement with us.

7. How We Protect Your Information

We implement reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and secure the Offerings, remember your preferences, and analyze traffic. You can control cookies through your browser settings and, on the Site, through our cookie consent tool. Disabling cookies may affect your experience. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

9. Your Rights and Choices

Access, correction, and deletion — you may access, update, or delete your account information within the Services, or by contacting us. If you are an End Client, direct such requests to the Professional who controls your data; we will assist that Professional as their processor.
Connected accounts — you can disconnect integrations within the Services and revoke Google access at myaccount.google.com/permissions (see Section 4).
Marketing — unsubscribe from our newsletter at any time via the link in any marketing email.
Cookies — manage preferences as described in Section 8.
Regional rights — depending on where you live (for example, under the GDPR or the CCPA/CPRA), you may have additional rights, such as to access, correct, delete, port, or restrict processing of your personal information, and to lodge a complaint with a regulator. To exercise these rights, contact us using the details in Section 13.

10. International Data Transfers

We are based in the United States and may process and store information in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers of personal information.

11. Children's Privacy

Our Offerings are not directed to children. The Services are intended for users who are at least 18 years old, and the Site is not directed to anyone under 13. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us at [email protected] and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a prominent notice on the Site or within the Services, or by email. We encourage you to review this Privacy Policy periodically. The "Last Updated" date above reflects the most recent revision.

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Protocol Fitness Technologies, Inc.
2261 Market Street, STE 46132
San Francisco, CA 94114
Email: [email protected]
Phone: (650) 761-7360