Privacy Policy

1. Who We Are & What Data We Collect

The Protocol ("we", "us", "our") is a nutrition coaching platform operated by The Protocol by Angel Dev SAS, based in Morocco. We are committed to protecting the privacy of our users in accordance with Morocco's Law 09-08 (CNDP) and the principles of the EU General Data Protection Regulation (GDPR).

We collect the following types of personal data:

• Account information: Full name, email address, display name, phone number (optional), and password (encrypted)
• Body metrics: Height, weight, birth date, sex, activity level, and fitness goals (provided during onboarding)
• Nutrition data: Meal logs, food entries, custom recipes, macro targets, and AI chat conversations
• Progress data: Weight entries, body measurements, and trend analytics
• Payment data: Plan selections, billing cycle, currency preference, payment receipts (uploaded files), and transaction status
• Communication data: Coach-client messages, support inquiries, and notification preferences
• Technical data: IP address, browser type, device information, and usage patterns collected automatically

2. How We Use Your Data

We use your personal data for the following purposes:

• Personalized nutrition: To calculate your macro targets, generate meal suggestions, provide AI-powered nutrition advice, and track your progress over time
• Account management: To create and manage your account, process subscription payments, and communicate about your account status
• Coaching services: To connect you with assigned coaches and facilitate coach-client communication
• Platform improvement: To analyze usage patterns (in aggregate), fix bugs, and improve features
• Communication: To send transactional emails (payment confirmations, subscription reminders, password resets) and optional marketing communications (only with your consent)
• Legal compliance: To comply with applicable laws and regulations, and to protect our legal rights

3. Data Storage

Your data is stored securely using Supabase, a managed database platform. Our primary database servers are located in West Europe (London, UK). Uploaded files (payment receipts, profile avatars) are stored in Supabase Storage with access controls.

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/HTTPS), encrypted database connections, row-level security policies, and role-based access controls.

4. Data Sharing

We do not sell, rent, or trade your personal data to any third party.

Your data may be shared in the following limited circumstances:

• Coaches: If you are assigned to a coach, they can see your profile information, meal logs, progress data, and messages relevant to your coaching relationship. Coaches cannot see other users' data.
• Gym owners: If you are a member of a gym on our platform, the gym owner can see your name, subscription status, and assigned coach. They cannot see your meal logs or body metrics.
• Admin team: Our platform administrators can access your data for support purposes, payment processing, and account management.
• Service providers: We use Resend for transactional emails and Groq for AI-powered features. These providers process data in accordance with their own privacy policies and our data processing agreements.
• Legal requirements: We may disclose your data if required by law, court order, or governmental authority.

5. Cookies & Tracking

The Platform uses essential cookies to maintain your authentication session and remember your preferences (language, currency). We do not use advertising cookies or third-party tracking pixels. Our cookie consent banner allows you to accept or decline non-essential cookies.

6. Your Rights

Under Morocco's Law 09-08 and GDPR principles, you have the following rights regarding your personal data:

• Right of access: You can request a copy of all personal data we hold about you
• Right of correction: You can request correction of inaccurate or incomplete data
• Right of deletion: You can request deletion of your personal data ("right to be forgotten")
• Right of objection: You can object to the processing of your data for specific purposes
• Right of restriction: You can request that we restrict processing of your data
• Right of portability: You can request your data in a structured, machine-readable format

To exercise any of these rights, please email us at support@alprotocol.com. We will respond to your request within 30 days.

7. Data Retention

We retain your personal data for as long as your account is active. If you close your account or request deletion, we will delete or anonymize your personal data within 30 days, except for data we are required to retain for legal, accounting, or regulatory purposes. Payment records and transaction history may be retained for up to 12 months after account closure for legal and financial compliance.

8. Children

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@alprotocol.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email or a prominent notice on the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.

10. Contact

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at:

support@alprotocol.com

The Protocol by Angel Dev SAS, Casablanca, Morocco

© 2026 Angel Dev · The Protocol. All rights reserved.