Your health data is private
by architecture.
We designed The Living Protocol with the assumption that your health data is your most sensitive personal asset. Every security decision reflects that — not as a compliance checkbox, but as a product principle.
Core security commitments.
SHA-256 Trust Timeline
Every Legacy Vault entry is SHA-256 hashed and timestamped on the server. The hash is stored separately and verified on read. Any tampering produces a hash mismatch that is surfaced immediately.
Server-Side AI Only
All Protocol Coach™ AI calls are made server-side via the Anthropic API. Your health history never leaves TLP's servers in an AI request — the model receives only what is needed, nothing more.
Zero Data Brokering
We do not sell, rent, or share your health data with third parties for advertising, research, or any other commercial purpose. This is not buried in a terms document — it is an architectural constraint.
Self-Hosted Infrastructure
TLP's backend runs on a dedicated Hetzner server in Germany under VaultSpark Studios' direct control. We do not use shared compute where your data could be co-located with other tenants' workloads.
Bring Your Own Key (BYOK)
Premium users can supply their own AES-256-GCM encryption key for Legacy Vault entries. Your key means we cannot decrypt your vault contents even under legal compulsion.
Strict Content Security
TLP's web app enforces a strict Content Security Policy, X-Frame-Options: DENY, HSTS, and Referrer-Policy on every request. No inline scripts, no third-party frames, no tracking pixels.
How the Trust Timeline works.
When you create a Legacy Vault entry, TLP computes a SHA-256 hash of the content, records the hash alongside the timestamp, and stores both in an append-only table. The vault entry itself can never be modified — only new entries can be added.
At any time, you or your heirs can request a verification pass. TLP re-hashes every vault entry and compares against the stored hash. If a single character has changed, the verification fails and the entry is flagged as tampered.
Witness signatures add a second-party hash to the Trust Timeline — the witness signs the entry hash with their own key, producing a dual-signed receipt that requires both parties to collude to falsify.
Honest transparency.
What we collect
- ✓Health and biometric data you explicitly input
- ✓Protocol actions (workouts logged, meals tracked, vault entries created)
- ✓Session data for authentication
- ✓Anonymized performance metrics for system improvement (opt-out available)
What we never do
- ✗Sell or rent your data to third parties
- ✗Use your health data to train AI models
- ✗Share data with advertisers
- ✗Store AI conversation history in a trainable corpus
- ✗Retain data after account deletion (except Legacy Vault per your request)
Legal & compliance.
The Living Protocol™ is operated by VaultSpark Studios LLC. All health data handling is governed by our Privacy Policy and Terms of Service. We are not a covered entity under HIPAA, but we follow privacy-first principles that exceed HIPAA's requirements for non-covered entities.