Privacy Policy
Effective: 2026-06-16 · Operator: Stoneveil Holdings LLC · Contact: support@44protocol.com
This policy explains what data 44 Protocol collects, why, where it's stored, how long, and your rights. We try to write it plainly — if anything is unclear, write to support@44protocol.com and we'll clarify.
We do not sell your data. Ever.
What we collect
Account data: email address, password (hashed), optional display name, and the timestamps of your account events (signup, walkthrough completion, etc.).
Profile data: weight, sex, and other settings you enter to use the register.
Protocol data: the compounds in your stack, your pulses, reconstitution mL, notes, titration phase, and snapshots of past protocols you create.
Lab data: lab values you choose to enter (manually or via CSV paste). We do not retrieve labs from external providers.
Behavioural analytics: page views, feature usage, and event timestamps via PostHog (self-hosted EU region). Used for product improvement, not advertising.
Diagnostic logs: error reports via Sentry. May include browser, OS, and the page where the error occurred. Stack traces do not include your stack content.
Payment data: we do not see or store card details. Stripe processes payment and returns to us only the subscription status, customer ID, and plan.
Why we collect it
To run the Service, to compute your protocol, to surface safety reminders, to support you when you write in, to detect and fix bugs, and to understand which features are useful so we can build more of them. That's it.
Where it lives
Application data: Supabase (Postgres) in US region. Row-level security ensures users can only read and write their own rows.
Hosting: Vercel (US edge network). TLS-only. HSTS preload-eligible. Strict CSP.
Analytics: PostHog. Diagnostics: Sentry.
Payment: Stripe (PCI-DSS Level 1 certified).
How long we keep it
Account, profile, stack, and lab data are kept while your account is active. If you delete your account, we remove that data within 7 days from active systems and within 30 days from backups.
Stripe customer records and billing history are retained per Stripe's own retention policy (typically 7 years for tax and audit purposes).
Diagnostic logs (Sentry) are retained 90 days. Analytics (PostHog) are retained 12 months for raw events, indefinitely in aggregate.
Your rights
You can:
- Access: request a copy of the data we hold on you.
- Correct: update your profile, stack, and labs directly in the app; email us for anything not editable.
- Delete: email support@44protocol.com from the account email to request deletion.
- Export: request a machine-readable export of your data.
- Opt out of analytics: email us and we'll exclude your account from analytics collection.
If you're in the EU/UK, you have additional rights under GDPR. If you're in California, you have additional rights under CCPA/CPRA. Email us to exercise any of them.
Children
The Service is for users 18 and older. We do not knowingly collect data from anyone under 18. If we learn we have, we delete it.
Security
Passwords are hashed (Argon2id via Supabase Auth). Connections are TLS-only. Database rows are protected by row-level security. The application uses a strict Content Security Policy, HSTS, and X-Frame-Options DENY. We do not store payment card details.
No system is perfectly secure. If you discover a vulnerability, please write to support@44protocol.com with the subject "Security disclosure".
Changes to this policy
We may update this policy. The effective date at the top will change. Material changes will be announced in the app and on the changelog.
Contact
Stoneveil Holdings LLC · Phoenix, Arizona · support@44protocol.com