Protokol is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights — in plain language.
We collect information you provide directly to us when you create an account, use our services, or contact us for support.
Account information: Name, work email address, company name, and job title when you register.
Usage data: Actions taken within the platform — documents created, approved, or exported; vault files uploaded; team members invited. This data is used to provide the service and improve the product.
Document content: Text and metadata of C&Q documents you create or upload. This content is stored securely and used solely to provide you with the service. We do not use your document content to train AI models.
Technical data: IP address, browser type, device identifiers, and usage logs collected automatically when you access the service.
We use the information we collect to:
- Provide, maintain, and improve the Protokol platform - Process transactions and send related information - Send technical notices, security alerts, and support messages - Respond to your comments and questions - Monitor and analyse usage patterns to improve performance - Detect, investigate, and prevent fraudulent transactions and other illegal activity - Comply with legal obligations
We do not sell your personal information to third parties. We do not use your pharmaceutical document content for any purpose other than delivering the service to you.
Storage location: Data is stored on servers operated by Supabase (PostgreSQL) and Vercel, located in the European Union and United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses.
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Document content is hashed at the time of approval to ensure integrity.
Access controls: Role-based access control is enforced at the application layer. Staff access to production data is logged and restricted to authorised personnel only.
Retention: Account data is retained for the duration of your subscription and for 90 days after termination, after which it is deleted or anonymised. Audit logs are retained for 7 years to support regulatory compliance obligations.
Audit trail: Every document modification, approval event, and electronic signature is recorded in an append-only audit log. This log cannot be altered or deleted by platform users.
We use the following sub-processors to deliver the service:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and file storage | EU / US |
| Vercel | Application hosting | EU / US |
| Clerk | Authentication and user management | US |
| Anthropic | AI document generation | US |
| Voyage AI | Document embeddings | US |
| Resend | Transactional email | US |
| Stripe | Payment processing | US |
| Sentry | Error monitoring | US |
Each sub-processor is subject to a data processing agreement. A full list of sub-processors is available on request by emailing hello@withprotokol.com.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection law:
Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate personal data.
Erasure: Request deletion of your personal data, subject to our legal retention obligations.
Restriction: Request that we restrict processing of your personal data in certain circumstances.
Portability: Request a structured, machine-readable export of your data.
Objection: Object to processing of your personal data for direct marketing purposes.
To exercise any of these rights, email hello@withprotokol.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Email: hello@withprotokol.com Subject line: Privacy Enquiry
We take privacy seriously and will respond to all enquiries within 5 business days.