Protocolby Sonder

Privacy Policy

Effective date: March 20, 2026

Sonder Wellness, LLC (“Protocol by Sonder,” “we,” “us,” or “our”) operates the website at protocolbysonder.com and related services. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

1. Information We Collect

Account Information

When you create an account, we collect your email address. We use passwordless authentication (magic links), so we do not store passwords.

Performance Assessment (Quiz)

When you complete our Performance Assessment, we collect your name, email address, quiz answers, and calculated results (performance scores, bottleneck analysis, and qualification data including your role, past investment in health, and timeline).

Intake Assessment

If you proceed to our intake process, we collect detailed health information including:

  • Contact details (name, email, phone, age, sex)
  • Health goals and priorities
  • Medical history, symptoms, and triggers
  • Symptom ratings across digestive, energy, hormonal, cognitive, and immune categories
  • Environmental exposures
  • Lifestyle factors (sleep, nutrition, stimulants, exercise)
  • Genetic and family health history
  • Current supplement and medication stack
  • Stress and adherence information
  • Uploaded documents (lab work, genetic reports, practitioner notes, food sensitivity panels, hormone panels, gut microbiome tests)

Payment Information

Payments are processed entirely by Stripe. We receive your name and email address upon successful payment. We never see, process, or store your credit card number, CVV, or billing address — that information is handled directly by Stripe under their own privacy policy.

Wearable and Health App Data

If you connect a wearable device or health app (such as Oura Ring, Eight Sleep, or MyFitnessPal), we access health data directly from each provider’s API using credentials you authorize. This may include:

  • Sleep data (duration, stages, quality scores)
  • Activity and readiness data
  • Heart rate and heart rate variability (HRV)
  • Body metrics (temperature, readiness scores)
  • Nutrition data (calories, macros)

Wearable data is fetched on demand directly from each provider’s API and is not permanently stored in our database. We store encrypted authentication tokens and connection status. For services that require account credentials (such as Eight Sleep), your password is encrypted at rest and used solely to maintain your data connection.

Protocol Usage Data

When you use your personalized protocol dashboard, we record daily task completions to track your progress.

2. How We Use Your Information

  • Deliver our services: Design your personalized protocol, generate your configuration overview, and provide your performance dashboard.
  • Communicate with you: Send your assessment results, protocol updates, onboarding emails, and service-related notifications.
  • Process payments: Fulfill purchases and manage your account.
  • Improve our services: Understand aggregate patterns to improve our assessment, protocols, and user experience.
  • Coordinate care: Share relevant health information with our partnered licensed physicians and providers when your protocol requires prescribed compounds or diagnostics.

3. Third-Party Services

We share data with the following service providers, each operating under their own privacy policies:

  • Supabase — Database, authentication, and file storage. Your data is stored in Supabase’s US infrastructure.
  • Klaviyo — Email communications. Receives your email, first name, assessment results, and purchase events to deliver relevant email sequences.
  • Stripe — Payment processing. Handles all payment card data directly.
  • Oura — Sleep, HRV, readiness, and temperature data via their official API (OAuth 2.0).
  • Eight Sleep — Sleep tracking and bed metrics via their API.
  • MyFitnessPal — Nutrition and calorie tracking (when available).
  • Calendly — Consultation scheduling. When you book a call, Calendly processes your booking information under their own privacy policy.
  • Vercel — Website hosting and deployment.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Cookies and Local Storage

We use essential cookies only for authentication session management (provided by Supabase). We do not use analytics cookies, advertising cookies, or third-party tracking scripts.

Your intake form data is temporarily saved in your browser’s local storage so you can resume where you left off. This data is cleared after submission.

5. Health Data

We recognize that much of the information we collect is sensitive health data. We treat all health-related information — including symptoms, medical history, genetic data, wearable metrics, and lab results — with the highest level of care.

  • Health data is used exclusively for designing and delivering your personalized protocol.
  • Access to health data is restricted to authorized team members involved in your care.
  • Any prescriptions or compounds provided through our service are prescribed by a licensed physician and compounded by a licensed pharmacy.
  • We do not share your health data with advertisers, data brokers, or any party unrelated to your care.

6. Data Retention

We retain your personal and health data for as long as your account is active or as needed to provide our services. If you request deletion, we will remove your data within 30 days, except where retention is required by law or for legitimate business purposes (such as maintaining records of completed protocols for continuity of care).

7. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate information.
  • Delete your account and associated data.
  • Disconnect any linked wearable or health app at any time from your dashboard.
  • Unsubscribe from marketing emails via the link in any email.

To exercise any of these rights, contact us at team@protocolbysonder.com.

8. Data Security

We implement industry-standard security measures including encrypted data transmission (TLS/SSL), secure authentication, and access controls. Our infrastructure providers (Supabase, Vercel, Stripe) maintain SOC 2 compliance and additional security certifications.

9. Children’s Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of our services after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Sonder Wellness, LLC
Email: team@protocolbysonder.com
Website: protocolbysonder.com