Privacy Policy
Effective date: [DATE TBD BY COUNSEL] · Last updated: April 24, 2026
Youth Protocol, Inc. ("Youth Protocol," "we," "us") respects your privacy. This Privacy Policy describes what we collect, how we use it, and the choices you have.
This Policy does not govern Protected Health Information (PHI) handled under HIPAA. For PHI, see our Notice of Privacy Practices.
1. Information we collect
Information you give us directly
- Account information: name, email, phone, password, date of birth, address
- Medical intake information: skin type, concerns, goals, lifestyle, medical history, current medications, pregnancy status
- Payment information: card details (processed by Stripe — we do not store full card numbers)
- Communications: messages to clinicians, customer support, product feedback
- Photos: optional progress photos you choose to upload to your clinician file
Information we collect automatically
- Device type, browser, operating system, IP address
- Pages visited, time on site, click patterns
- Cookies and similar technologies (see Cookies below)
Information from third parties
- Payment processors (Stripe) confirm transaction success
- Shipping carriers (USPS, UPS) confirm delivery status
- Analytics providers (Google Analytics, Meta) help us understand site use
2. How we use information
- Deliver your telehealth service (route intake to clinicians, dispense medications)
- Process payments and manage subscriptions
- Communicate with you about orders, clinical check-ins, and account
- Improve our products and services
- Detect fraud, enforce our Terms, and comply with law
- Send marketing communications only where you have opted in (see Your Choices)
3. How we share information
We share information only in these circumstances:
- With your clinician(s): Your intake, messages, and medical history are shared with US-licensed clinicians we contract with to provide you care
- With our compounding pharmacy: Your prescription, shipping address, and relevant clinical information is shared with a 503A licensed pharmacy to fulfill your order
- With service providers: Payment processors, hosting providers, analytics tools, and customer-support platforms. These providers are contractually obligated to protect your data
- For legal reasons: When required by law, subpoena, court order, or to protect safety
- In a business transfer: If Youth Protocol is acquired or merges, your data may transfer as part of that transaction (you'll be notified)
We do not sell your personal information. We do not share your medical information with advertisers.
4. Data retention
We retain your account information for as long as your account is active, plus up to 7 years after account closure to comply with medical record retention requirements. Marketing preferences and site analytics data are retained per category-specific schedules (typically 2 years for marketing, 26 months for analytics).
5. Your choices
Depending on your state, you may have rights to access, correct, delete, or receive a copy of your personal information. California residents have additional rights under the CCPA/CPRA. Virginia, Colorado, Utah, Connecticut, and other state residents have rights under their respective privacy laws. To exercise these rights, email privacy@protocolo.co or write to the address below.
You can also:
- Unsubscribe from marketing emails via the link in any email
- Stop SMS messages by replying STOP to any message
- Disable cookies in your browser (may affect site functionality)
- Toggle off your subscription and request account deletion from your account
6. Cookies and tracking
We use cookies and similar technologies for:
- Essential cookies: keeping you logged in, processing checkout
- Analytics cookies: understanding how visitors use the site (Google Analytics, Meta Pixel)
- Advertising cookies: measuring ad performance and showing relevant ads (Meta, Google Ads)
You can manage non-essential cookies in our cookie banner or your browser settings.
7. Security
We use industry-standard encryption, access controls, and monitoring to protect your information. However, no system is 100% secure. If you believe your account has been compromised, contact us immediately at security@protocolo.co.
8. Children
Youth Protocol is not intended for anyone under 18. We do not knowingly collect information from children under 18. If you believe we have, please contact us and we'll delete it promptly.
9. International users
Youth Protocol is operated in the United States. If you access our services from outside the US, you consent to transfer of your information to the US, which may have different data protection laws than your country.
10. Changes to this Policy
We may update this Privacy Policy. When we do, we'll update the "Last updated" date at the top. Material changes will be communicated by email or in-app notification at least 30 days before taking effect.
11. Contact us
Questions or concerns? Contact us at:
Youth Protocol, Inc.
Privacy Office
[STREET ADDRESS TBD]
[CITY, STATE, ZIP]
privacy@protocolo.co
This Privacy Policy is a first-draft template for Youth Protocol, Inc. It has not been reviewed by legal counsel and must not be published in its current form. Specific state-law disclosures (CCPA/CPRA, VCDPA, CPA, UCPA, CTDPA), cookie consent banners, and the HIPAA Notice of Privacy Practices are separate documents that also require review.