Privacy Policy

Last Updated: March 2, 2026

Privacy at a Glance

  • Most of your data stays on your device. All health, fitness, journal, financial, and workout data is stored locally and never uploaded to our servers.
  • We collect only what's necessary. Account data, program progress, squad interactions, and AI coaching conversations are stored in the cloud to power core features.
  • AI coaching sends limited data to OpenAI. Only aggregated summaries — never raw journal text, financial details, or body photos.
  • We never sell your data. Your personal information is not sold or shared for advertising purposes.
  • No cookies or third-party tracking. Protocol 90 is a native mobile app with zero tracking SDKs or analytics cookies.
  • You are in control. You can request access, correction, or deletion of your data at any time.

01 Introduction

AM Studios LLC ("AM Studios," "we," "us," or "our") operates Protocol 90, a mobile application available on iOS and Android (the "App"). Protocol 90 is a 90-day behavioral change and self-improvement program featuring daily missions, fitness training, squad-based social features, AI-powered coaching, journaling, health tracking, and financial planning tools.

This Privacy Policy explains what personal data we collect, how we use and protect it, who we share it with, and what rights you have regarding your data. It applies to all users of the App worldwide.

By creating an account or using Protocol 90, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, we will obtain your explicit consent before collecting or processing the relevant data.

02 Definitions

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Data Controller means the entity that determines the purposes and means of processing personal data. AM Studios LLC is the data controller for data processed through Protocol 90.
  • Data Processor means an entity that processes personal data on behalf of the data controller (e.g., our cloud infrastructure providers).
  • Special Category Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation.
  • Local Data means data stored exclusively on your device that is never transmitted to our servers or any third party.

03 Age Restrictions

3.1 Protocol 90 is intended for users aged 18 years and older. The App contains content related to behavioral self-assessment, including assessment of pornography viewing habits and sexual compulsivity (for male users only), substance and food habits, and other compulsive behaviors. By using the App, you represent and warrant that you are at least 18 years of age.

3.2 We do not knowingly collect personal data from children under the age of 13 in accordance with the U.S. Children's Online Privacy Protection Act ("COPPA"). We do not knowingly collect personal data from anyone under the age of 16 in the European Economic Area, or under the age of 18 in any jurisdiction.

3.3 The App relies on app store age ratings (17+ on the Apple App Store, Mature 17+ or equivalent on Google Play) and user self-declaration to enforce age restrictions. Regardless of app store age ratings, you must be at least 18 years old to use Protocol 90. We do not currently implement independent age verification mechanisms.

3.4 If we learn that we have collected personal data from a person under the age of 18, we will take steps to delete that data as quickly as possible. If you believe a minor has provided us with personal data, please contact us at privacy@amstudios.dev.

04 Data We Collect

The following categories of personal data are collected and stored in our cloud infrastructure (hosted by Supabase in the US-West-2 region):

4.1 Account and Identity Data

  • Email address (via email/password signup, Apple Sign-In, or Google OAuth)
  • First name (user-entered, maximum 20 characters)
  • Gender (male or female)
  • Password (cryptographically hashed — never stored in plaintext)
  • Apple ID identity token (Apple Sign-In authentication flow only)
  • Google OAuth access token and refresh token
  • Unique user identifier (UUID generated by Supabase Auth)

4.2 Profile and Program Data

  • Selected goal (wealth, body, mind, or freedom)
  • Program day (1–90), current phase (detox, fortify, or forge), and cycle number
  • Total XP points and evolution stage
  • Subscription status (free, monthly, annual, or lifetime)
  • Onboarding completion status and timestamp
  • Oath signed status and timestamp
  • Profile avatar photo URL
  • Push notification device token (Expo Push Token)

4.3 Behavioral Assessment Data

  • Vice category scores (0–100) across four categories: lust, sloth, gluttony, and distraction
  • Overall vice score and severity label
  • Individual question answers (17 questions for males, 13 for females) with selected option index and score per answer
  • 10-year behavioral cost projections (hours, life-years, income, dopamine sensitivity)

Sensitive Content Notice: The lust category includes self-assessment of pornography viewing frequency and sexual compulsivity. This applies to male users only; female users skip the lust category entirely.

4.4 Social and Squad Data

  • Squad membership details (squad name, role, join date)
  • Real-time chat messages (text content)
  • Chat photos (uploaded to cloud storage, visible to all squad members)
  • Activity feed events (mission completions, workout completions, streaks, evolution stage-ups, join events)
  • Leaderboard ranking (XP-based)

4.5 AI Coaching Data

  • Full conversation message history with the AI coach
  • Selected coaching mode (Mission Brief, Vice Intel, SITREP, Training, Accountability, Mindset, or Wealth Ops)
  • AI-generated conversation titles and summaries

4.6 Gamification and Progression Data

  • XP ledger (every XP award with source, amount, and timestamp)
  • Streak data (current streak, longest streak, streak history)
  • Black Box milestone rewards (earned and claimed status)

4.7 Device and Technical Data

  • Device type and platform (iOS or Android)
  • Push notification permission status
  • Expo Push Token (device identifier for notifications)

05 Data Stored Locally on Your Device

The following data categories are stored exclusively in on-device local storage (AsyncStorage and/or device filesystem) and are never transmitted to any server:

Health and Fitness

  • Nutrition and meal logs, calorie and macro tracking
  • Body weight and measurements
  • Body progress photos (front, side, back)
  • Sleep logs (bedtime, wake time, quality, notes)
  • Cold exposure sessions
  • Fasting protocols and duration
  • Deep work focus sessions
  • Breathing exercise sessions
  • Water intake tracking

Mental Health and Journaling

  • Free-text journal entries
  • Mood ratings (1–5 scale)
  • Journal tags (victory, struggle, insight, etc.)
  • Attached journal photos

Financial Data

  • Income, expenses, and budget entries
  • Investment and debt records
  • Savings goals and net worth snapshots
  • Currency preferences

Workout Data

  • Fitness profile and preferences
  • Workout plans and exercises
  • Active session logs (set-by-set tracking)
  • Templates and training splits
  • Cardio sessions
  • Book reading progress

Important: Only aggregated, anonymized summaries of some local data (such as weekly calorie averages, workout counts, mood trends, and budget adherence percentages) are sent to OpenAI when you actively use the AI coaching feature. Raw journal text, raw financial details, and body photos are never sent to any server.

06 How We Use Your Data

We use the personal data we collect for the following purposes:

  • 6.1 Providing Core App Functionality: Creating and managing your account, tracking your 90-day program progress, delivering daily missions, processing gamification and XP awards, and managing subscription access.
  • 6.2 Social Features: Enabling squad membership, real-time chat, activity feeds, and leaderboard rankings.
  • 6.3 AI-Powered Coaching: Delivering personalized AI coaching by sending your conversation history and aggregated context data to OpenAI's models for response generation.
  • 6.4 Behavioral Assessment: Generating vice category scores and behavioral cost projections to personalize your program experience.
  • 6.5 Push Notifications: Sending locally scheduled reminders and notifications (with your permission).
  • 6.6 Subscription Management: Processing in-app purchases and managing subscription entitlements through RevenueCat.
  • 6.7 Security and Fraud Prevention: Protecting accounts, enforcing Row Level Security policies, and preventing unauthorized access.
  • 6.8 Service Improvement: Understanding how features are used to improve the App (using only aggregated, non-identifying data).

07 Legal Bases for Processing (GDPR Article 6)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis, we process your personal data on the following grounds:

  • 7.1 Performance of a Contract (Article 6(1)(b)): Processing necessary to provide the App's core services you signed up for, including account creation, program progression, daily missions, squad features, gamification, and subscription management.
  • 7.2 Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent. This applies to: AI coaching (sending data to OpenAI), behavioral assessment (including sensitive lust category questions), health and fitness data tracking, and push notification delivery. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • 7.3 Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided these are not overridden by your fundamental rights. This applies to: application security, fraud prevention, enforcing our terms of service, and aggregated service improvement analytics.

08 Special Category Data (GDPR Article 9)

Protocol 90 processes certain categories of data that may qualify as special category data under GDPR Article 9:

  • 8.1 Health Data: Body measurements, nutrition logs, sleep records, fitness tracking, and related health metrics. This data is stored locally on your device and is not transmitted to our servers. Aggregated health summaries sent to OpenAI during AI coaching sessions also constitute health data processing.
  • 8.2 Data Concerning Sex Life: The lust vice category assessment for male users includes self-assessment of pornography viewing frequency and sexual compulsivity. This data is stored in our cloud database as numerical scores and individual answer selections.
  • 8.3 Data Revealing Philosophical Beliefs: The App's 90-day behavioral change program, including its oath ceremony and discipline framework, may constitute processing of data revealing philosophical beliefs.

We process special category data under GDPR Article 9(2)(a) — explicit consent. Before collecting any special category data, we obtain your explicit, informed consent through clear in-app consent flows. You may withdraw this consent at any time by contacting us at privacy@amstudios.dev or by deleting your account.

09 Third-Party Service Providers

We share personal data with the following third-party service providers, each acting as a data processor on our behalf:

9.1 Supabase (Backend Infrastructure)

Purpose: Database hosting, user authentication, file storage, and server-side edge functions.

Data Shared: All cloud-stored data (account, profile, assessment, social, AI conversations, progression data), user-uploaded images (profile avatars, squad chat photos), and authentication session tokens.

Hosting Region: US-West-2 (Oregon, United States).

9.2 OpenAI (AI Model Provider)

Purpose: Powering AI coaching conversations, workout plan generation, and mission content enhancement.

Data Shared: Conversation message history; user context including name, gender, goal, program progress, vice scores; aggregated health summaries (fitness level, calorie/protein averages, sleep quality, weight trends, cold exposure progress, deep work minutes, fasting data, mood trends, journal tag frequency); aggregated financial summaries (no-spend streak, budget adherence, total debt, savings rate, net worth trend); squad info (name, member count, rank); and book reading progress.

Data NOT Shared: Raw journal entries, raw financial transaction details, body progress photos, and body measurement specifics are never sent to OpenAI.

Routing: All data is sent to OpenAI via server-side edge functions. User devices never communicate directly with OpenAI.

9.3 RevenueCat (Subscription Management)

Purpose: Processing in-app purchases and managing subscription entitlements.

Data Shared: User UUID (as appUserID), purchase receipts, transaction data, device platform information, and subscription/entitlement status.

9.4 Expo (Push Notification Service)

Purpose: Delivering push notifications to your device.

Data Shared: Expo Push Token (device identifier). Currently used only for locally scheduled notifications — no server-initiated push messages are sent.

9.5 Apple and Google (Authentication)

Purpose: Identity verification during Apple Sign-In and Google OAuth flows. Only identity/access tokens are exchanged during authentication. No ongoing data sharing occurs after initial sign-in.

10 AI-Powered Features

10.1 Protocol 90's AI coaching feature is powered by OpenAI's language models. When you use AI coaching, your conversation messages along with aggregated user context are sent to OpenAI's API for response generation.

10.2 AI conversations may be processed by OpenAI in accordance with their data processing terms. We use OpenAI's API, which is subject to OpenAI's enterprise data handling policies.

10.3 AI coaching is provided for informational and motivational purposes only. It does not constitute:

  • Medical or health advice
  • Financial or investment advice
  • Psychological, psychiatric, or therapeutic counseling
  • Professional fitness or nutritional guidance

Always consult qualified professionals for medical, financial, or mental health concerns.

10.4 You may stop using AI coaching at any time. You may request deletion of your AI conversation history by contacting us or deleting your account.

11 International Data Transfers

11.1 AM Studios LLC is based in the United States. If you are accessing Protocol 90 from outside the United States, your personal data will be transferred to and processed in the United States through our service providers (Supabase, OpenAI, RevenueCat, and Expo).

11.2 For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework (DPF): Where our service providers are certified under the DPF, we rely on this framework for lawful data transfers.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use European Commission-approved Standard Contractual Clauses to ensure adequate protection for transferred data.
  • Supplementary Measures: We implement additional technical and organizational measures as needed, including encryption in transit and at rest.

11.3 For transfers from Brazil, we comply with LGPD requirements, relying on Standard Contractual Clauses or other mechanisms approved by Brazil's National Data Protection Authority (ANPD).

11.4 For transfers from Canada, we comply with PIPEDA requirements and ensure that our service providers maintain comparable levels of data protection.

12 Data Retention

12.1 Active Accounts: We retain your cloud-stored personal data for as long as your account remains active and as necessary to provide you with the App's services.

12.2 Account Deletion: When you request account deletion, we will delete or anonymize your cloud-stored personal data within 30 calendar days. This includes all account data, profile data, assessment data, squad data, AI conversation history, and progression data stored in our Supabase database.

12.3 Local Device Data: Data stored locally on your device is retained until you uninstall the App or manually clear the App's data through your device settings. We have no ability to remotely access or delete locally stored data.

12.4 Backup and Residual Copies: Some data may persist in encrypted backups for up to 90 days after deletion before being permanently removed through routine backup rotation.

12.5 Legal Obligations: We may retain certain data beyond the periods described above where required by applicable law, such as for tax, accounting, or legal compliance purposes.

12.6 RevenueCat: Transaction and subscription data shared with RevenueCat is retained according to RevenueCat's own data retention policies. Upon account deletion, we will disassociate your user ID from RevenueCat records.

13 Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • 13.1 Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols.
  • 13.2 Encrypted Storage: Cloud-stored data is encrypted at rest within Supabase's infrastructure.
  • 13.3 Row Level Security (RLS): All database tables are protected by Row Level Security policies, ensuring that each authenticated user can only access their own data.
  • 13.4 Password Security: User passwords are cryptographically hashed using industry-standard algorithms. Plaintext passwords are never stored.
  • 13.5 JWT Authentication: All API requests are authenticated using JSON Web Tokens with appropriate expiration periods.
  • 13.6 Image Processing: User-uploaded images are compressed and resized before upload to minimize data exposure.
  • 13.7 Server-Side Processing: Sensitive operations (such as AI API calls to OpenAI) are handled through server-side edge functions, ensuring that API keys and sensitive processing logic are never exposed to client devices.

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

14 Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR and UK GDPR:

  • 14.1 Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • 14.2 Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data. You may update your name and profile information directly within the App.
  • 14.3 Right to Erasure (Article 17): You have the right to request deletion of your personal data ("right to be forgotten") where: the data is no longer necessary for its original purpose; you withdraw consent; you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed.
  • 14.4 Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of contested data.
  • 14.5 Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit it to another controller.
  • 14.6 Right to Object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • 14.7 Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • 14.8 Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (Data Protection Authority) if you believe your data protection rights have been violated.

To exercise any of these rights, contact us at privacy@amstudios.dev. We will respond within 30 days (or within the timeframe required by applicable law).

15 Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • 15.1 Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • 15.2 Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions, security).
  • 15.3 Right to Correct: You have the right to request correction of inaccurate personal information.
  • 15.4 Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. AM Studios does not sell or share your personal information as defined under the CCPA/CPRA. We do not exchange personal data for monetary or other valuable consideration, nor do we share it for cross-context behavioral advertising purposes.
  • 15.5 Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information to purposes necessary for providing the services. We only use sensitive personal information (including health data and data concerning sex life) to provide the features you request.
  • 15.6 Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Do Not Sell or Share My Personal Information: AM Studios does not sell or share your personal information. No opt-out action is required, but you may contact us at privacy@amstudios.dev with any questions or concerns.

To exercise your CCPA/CPRA rights, contact us at privacy@amstudios.dev. We will verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf.

16 Additional Regional Rights

16.1 Brazil (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with rights similar to those under the GDPR, including the rights to: confirmation of data processing, access to your data, correction of incomplete or inaccurate data, anonymization or deletion of unnecessary data, data portability, information about shared data, information about consent withdrawal, and the right to petition the National Data Protection Authority (ANPD). To exercise these rights, contact us at privacy@amstudios.dev.

16.2 Canada (PIPEDA)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides you with the right to: access your personal information held by us, challenge its accuracy, and withdraw consent for its collection, use, or disclosure. We will act on your request within 30 days. You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.

17 Cookies and Tracking Technologies

17.1 Protocol 90 is a native mobile application. We do not use cookies, web beacons, pixel tags, or similar browser-based tracking technologies.

17.2 We do not integrate any third-party analytics SDKs, advertising SDKs, or tracking frameworks into the App.

17.3 We do not engage in cross-app tracking, behavioral advertising, or user profiling for advertising purposes.

17.4 The only device identifier we collect is the Expo Push Token, used solely for delivering push notifications you have opted into.

18 Push Notifications

18.1 Protocol 90 uses locally scheduled push notifications to deliver reminders (such as daily mission reminders, workout prompts, and program milestones). These notifications are scheduled on your device and do not require server communication.

18.2 No server-initiated push messages are currently sent to user devices.

18.3 You can disable push notifications at any time through your device's system settings (Settings > Notifications > Protocol 90 on iOS; Settings > Apps > Protocol 90 > Notifications on Android).

19 Account Deletion

19.1 You may request full deletion of your account and associated cloud-stored data at any time by contacting us at privacy@amstudios.dev or through the account settings within the App.

19.2 Upon receiving a valid deletion request, we will:

  • Delete all cloud-stored personal data from our Supabase database (account data, profile data, assessment data, squad data, AI conversation history, and progression data) within 30 calendar days.
  • Remove user-uploaded images (profile avatars, squad chat photos) from cloud storage.
  • Disassociate your user ID from RevenueCat subscription records.
  • Invalidate all active authentication sessions.

19.3 Data stored locally on your device (health data, journal entries, financial data, workout logs, etc.) will remain on your device until you uninstall the App or manually clear the App's data. We cannot remotely access or delete locally stored data.

19.4 If you have an active paid subscription, account deletion does not automatically cancel your subscription. Please cancel your subscription through the Apple App Store or Google Play Store before requesting account deletion.

20 Data Breach Notification

20.1 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
  • Provide clear information about the nature of the breach, the likely consequences, the measures taken to address the breach, and recommendations for you to mitigate potential harm.

20.2 We will also comply with data breach notification requirements under CCPA/CPRA, LGPD, PIPEDA, and any other applicable data protection laws.

21 Changes to This Privacy Policy

21.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Notify you through in-app notifications or other appropriate means before the changes take effect.
  • Where required by law, obtain your consent to material changes in how we process your personal data.

21.2 We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

22 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Controller

AM Studios LLC

Mailing Address

30 N Gould St Ste R
Sheridan, WY 82801
United States

Privacy Inquiries

privacy@amstudios.dev

For data protection inquiries from the European Economic Area or United Kingdom, you may also contact us at the email address above. If we are required to appoint a Data Protection Officer or EU/UK representative under applicable law, their contact details will be published here and communicated to you.

We aim to respond to all legitimate inquiries within 30 days. If your request is particularly complex or you have made multiple requests, we may need up to 60 days, in which case we will notify you and explain the reason for the extension.