Last updated: April 12, 2026

Privacy Policy

MyProtocolStack is committed to protecting your personal health data. This policy explains what we collect, how we use it, and your rights.

🔒 MyProtocolStack is NOT a HIPAA Covered Entity for its consumer-facing Explorer and Optimizer tiers. This platform is a personal health tracking tool, not a medical service, health plan, or healthcare clearinghouse. Users voluntarily upload their own personal health data for their own personal use — the same model used by Apple Health and MyFitnessPal.

✓ FTC Health Breach Notification Rule — MyProtocolStack complies with the FTC Health Breach Notification Rule (16 CFR Part 318). In the event of a data breach involving your health information, we will notify you within 60 days.

1. Who We Are

MyProtocolStack ("Company," "we," "us," or "our") operates myprotocolstack.com and related services (the "Service"). We provide a personal health protocol tracking platform that allows users to log biomarkers, track peptide and GLP-1 protocols, and analyze trends in their own personal health data.

2. What Data We Collect

2a. Health and Biomarker Data (Sensitive)

When you use our lab tracking features, you may voluntarily upload or manually enter:

Blood biomarker values (IGF-1, ApoB, testosterone, LH, FSH, HbA1c, hs-CRP, CBC, lipid panel, and 40+ additional markers)
Lab report PDFs from Quest Diagnostics, LabCorp, Function Health, Rythm Health, and other providers
Peptide protocol details including compounds, doses, vial inventory, and injection logs
GLP-1 titration schedules and dosing history
Body metrics including weight, energy, sleep quality, and mood

This data is entered voluntarily by you and is used solely to provide the Service to you. We do not sell this data.

2b. Account Data

Email address, password (hashed and never stored in plain text), account preferences, and subscription tier.

2c. Usage Data

Standard web analytics including pages visited, features used, device type, and browser. No health data is included in analytics.

3. How We Use Your Data

To provide core features: lab tracking, StackAI analysis, protocol logging, and calculator tools
To authenticate your account and maintain your session
To process subscription payments through Stripe (billing data only — no health data)
To send transactional emails (account confirmation, password reset) via Resend
To improve the Service based on aggregate, de-identified usage patterns
To comply with legal obligations

We do NOT: Use your health data for advertising, sell your health data to any third party, share your health data with insurers or employers, or use your health data to train AI models without your explicit consent.

4. HIPAA Notice

MyProtocolStack is not a HIPAA Covered Entity for its consumer-facing tiers. We are a consumer software platform where users voluntarily track their own personal health information for personal use.

Practitioner Tier: If you are a licensed healthcare provider using MyProtocolStack to manage patient data, you must contact us at hello@myprotocolstack.com before activating patient management features. A Business Associate Agreement (BAA) is required.

Clinic Tier: All Clinic Tier accounts require a signed Business Associate Agreement before activation. Contact hello@myprotocolstack.com to initiate the BAA process.

5. How We Share Your Data

We share your data only with carefully selected third-party service providers necessary to operate the Service. These providers are contractually bound to protect your data and may only use it to provide services to us — never for their own purposes, advertising, or model training.

Our service providers fall into the following categories: database storage and authentication, cloud hosting and content delivery, AI-assisted analysis (used only for the StackAI feature), payment processing, and transactional email delivery. In each case, only the minimum data necessary to perform the specific service is shared.

No health data is ever shared with advertisers, insurers, employers, data brokers, or any third party for commercial purposes.

A full list of our current service providers, including their names, data processing roles, and applicable data handling terms, is available upon request. To request this list, email hello@myprotocolstack.com with the subject line "Service Provider List Request." We will respond within 10 business days.

6. FTC Health Breach Notification

In compliance with the FTC Health Breach Notification Rule (16 CFR Part 318), if we experience an unauthorized acquisition of your unsecured personal health record information, we will:

Notify you directly by email within 60 days of discovering the breach
Notify the Federal Trade Commission within 60 days of discovery
Notify prominent media outlets if the breach affects 500 or more residents of a single state

Breach notifications will include: a description of what happened, the types of information involved, steps you can take to protect yourself, what we are doing to investigate and prevent future breaches, and how to contact us.

7. Your Rights

Right to Access

Request a complete export of all personal data we hold about you by emailing hello@myprotocolstack.com. We respond within 30 days.

Right to Deletion

Delete your account and all associated data at any time via Account Settings → Delete Account, or email us. Deletion is permanent and completed within 30 days.

Right to Correction

Correct or update any personal data through your account settings at any time.

California Residents (CCPA/CPRA)

California residents have the right to know what personal information is collected, the right to opt out of sale of personal information (we do not sell your data), the right to non-discrimination for exercising privacy rights, and the right to limit use of sensitive personal information. Contact hello@myprotocolstack.com to exercise these rights.

8. Data Security

All data encrypted at rest using AES-256 encryption (Supabase)
All data transmitted over encrypted HTTPS/TLS (Vercel)
Authentication via secure session tokens with automatic expiration
Lab report PDFs processed in memory for AI extraction — not stored in raw form
Access to health data restricted to authenticated account owners only via row-level security
Regular security assessments and dependency updates

9. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we permanently delete your personal health data within 30 days. We may retain de-identified, aggregated data that cannot be linked back to you for service improvement purposes.

10. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect personal information from minors. Contact us immediately at hello@myprotocolstack.com if you believe we have inadvertently collected data from a minor.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email and by posting a notice on our website at least 30 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

Privacy questions, data requests, or security concerns:

hello@myprotocolstack.com
MyProtocolStack | myprotocolstack.com

MyProtocolStack · myprotocolstack.com · hello@myprotocolstack.com
This privacy policy was last updated on April 12, 2026. Not legal advice. Consult a qualified attorney for legal guidance.