● GlobalProto · Privacy

Privacy Policy.

How Proto handles the data your body writes.

Effective July 6, 2026 · Huxley Technologies, Inc.

Who we are

Proto is an iOS and Apple Watch application published by Huxley Technologies, Inc. ("Proto," "we," "us"). Proto is a biomarker wallet: it reads your bloodwork and health data, keeps it encrypted on your device, and builds a daily protocol around what your body needs.

This policy explains what data Proto collects, how Proto uses it, where it is stored, who it is shared with, and how you control it.

Data we handle

Proto handles the following categories of user data:

Proto does not collect precise geolocation, contacts, photos, microphone data, or camera data.

Apple HealthKit

Proto reads the following HealthKit categories, with your explicit authorization through the iOS permission dialog: Heart Rate Variability (SDNN), Resting Heart Rate, Sleep Analysis, Workouts, Active Energy Burned, and Step Count. Proto does not write to HealthKit under any category and does not modify or delete any HealthKit record.

HealthKit samples are read directly onto your device and do not leave the device as part of normal operation. Samples are stored in Proto's on-device biomarker wallet, encrypted at rest with AES-256-GCM using a device-local key, and are used locally to render the biomarker wallet display, sort menu recommendations, and generate protocols. Proto's servers do not receive raw HealthKit samples.

Proto transmits aggregate, anonymized telemetry derived from HealthKit-informed app usage, for example, counts of protocol generations or feature engagement events, for the sole purpose of product reliability and usage analytics. This telemetry does not include raw HealthKit values, per-sample timestamps, or any identifier that could be used to reconstruct an individual HealthKit record. No raw HealthKit sample is transmitted off device under any circumstance.

You can revoke Proto's access to HealthKit at any time through iOS Settings → Privacy & Security → Health → Proto, and by toggling off individual data categories or revoking access entirely. Revocation takes effect immediately. Proto stops reading new samples and existing on-device samples are removed from the wallet on the next app launch.

Proto does not use HealthKit data for advertising, does not sell or share HealthKit data with data brokers, and does not use HealthKit data for cross-app or cross-site tracking. This is consistent with Apple's HealthKit usage requirements under Guideline 5.1.1 and Section 3.3.7 of the Apple Developer Program License Agreement.

WHOOP

Proto connects to WHOOP using OAuth 2.0 in read-only mode. Proto requests the following scopes: recovery, sleep, HRV, resting heart rate, and strain. Proto does not request write access to any WHOOP resource.

When you authorize the connection, WHOOP issues an access token that Proto stores in the iOS Keychain. This token is never transmitted from your device to Proto's servers. Proto's client uses it only to make authenticated calls directly to WHOOP's API on your behalf. Proto's servers receive and store the data returned by those calls, not the token itself.

Proto stores: recovery percentage, sleep performance score, HRV, resting heart rate, strain values, and their associated timestamps. Proto does not store your WHOOP account credentials, biometric journal entries, coach or team notes, or any WHOOP data outside the scopes listed above.

You can revoke this connection at any time from within Proto under Settings → Data Sources → WHOOP → Disconnect, or directly from WHOOP's developer and third-party app settings. Revocation immediately stops future data pulls. Previously stored data is deleted from Proto's servers upon revocation.

Function Health

Proto connects to Function Health using OAuth 2.0 in read-only mode, scoped to biomarker panel results. Proto does not request write access and does not request any scope beyond biomarker results.

The access token issued by Function Health is stored in the iOS Keychain and is used only by the Proto client to make authenticated calls directly to Function Health's API on your behalf.

Proto stores: biomarker name, LOINC code where available, numeric value, unit, reference range, and observation date for each panel result you authorize. Proto does not store physician notes, insurance information, appointment metadata, or any lab value not included in the authorized biomarker panel.

You can revoke this connection at any time from within Proto under Settings → Data Sources → Function Health → Disconnect. Revocation immediately stops future data pulls. Previously stored data is deleted from Proto's servers upon revocation.

MyChart

Proto connects to MyChart through SMART on FHIR as a patient-facing application. The connection is read-only, does not request offline_access, and requires you to re-authenticate each session. Proto reads only the observation resources you authorize during each session and does not store your MyChart credentials.

You can revoke Proto's MyChart access at any time from within MyChart under Manage My Account → Apps and Devices.

AI processing

All AI inference used for biomarker interpretation, protocol generation, and menu sorting runs on Cloudflare Workers AI, a first-party inference service that Proto operates directly. Cloudflare Workers AI executes open-weight models inside Cloudflare's edge infrastructure under Proto's direct configuration and control. No inference step in Proto is delegated to, brokered through, or supplemented by any third-party AI vendor.

Proto does not transmit user data to OpenAI, Anthropic, Google, Meta, Mistral, or any other third-party large language model or AI provider. No user data is sent outside Cloudflare's infrastructure for the purpose of AI inference at any point in Proto's current architecture.

Proto does not use user data to train any AI model, whether operated by Proto or by a third party. Data submitted for inference is used only to generate the immediate response returned to the requesting user.

The inputs sent to Cloudflare Workers AI are limited to anonymized biomarker values and derived recovery metrics, for example, an HRV trend value or a recovery score. Proto does not include personally identifiable information, including name, email address, physical address, phone number, or date of birth, in any payload sent to the AI inference layer.

Outputs of AI inference, including interpretation text and ranking scores, are returned to the requesting user's device for display and are not retained by Proto or by Cloudflare for model training or improvement purposes.

If Proto's architecture changes such that any third-party AI or LLM provider would process user data, Proto will update this policy, notify users in advance, and obtain affirmative consent before any user data is transmitted to that third-party provider.

Storage and encryption

On-device data is encrypted with AES-256-GCM using a device-local key held in the iOS Keychain. Server-side records are encrypted at rest with AES-256-GCM at the application layer before they reach the database, with the master key held in a Cloudflare Worker secret. All data in transit is protected with TLS 1.3.

Sharing

Proto does not sell your data. Proto does not share your data with advertisers or data brokers. Proto does not use your data for cross-app or cross-site tracking. Service providers Proto uses to operate the product, such as Cloudflare for infrastructure and inference, act as data processors under contract and only process data on Proto's instructions.

Retention and deletion

You can delete your account and data at any time from within Proto under Settings → Account → Delete Account. On deletion, all local data is purged immediately, all OAuth tokens are revoked, and server-side records are removed within 30 days. You may also email ryan@globalproto.com to request deletion.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or port your data, and to object to or restrict processing. To exercise these rights, email ryan@globalproto.com. Proto will respond within 30 days.

Children

Proto is not directed to children under 13 and does not knowingly collect personal information from children under 13.

Changes

Proto will post any material changes to this policy on this page and update the effective date. For changes that expand how Proto processes your data, Proto will provide advance notice and, where required, obtain your consent.

Contact

Huxley Technologies, Inc.
ryan@globalproto.com