Privacy Policy
TAP | The Alchemist Protocol
Effective date: May 10, 2026 · Last updated: May 10, 2026
TAP does not sell your data. Ever. Not to advertisers. Not to wellness brands. Not to insurance companies. Not to research institutions. Not to anyone.
The wellness category has been built on data extraction. Companies collect biometric and behavioral data, monetize it through advertising or third-party sales, and treat the user as the product. We chose another path.
TAP collects only what is needed to install your structure — your check-ins, your protocol responses, your metrics. That data lives inside TAP. It serves your discipline. It is never the product.
We may anonymously analyze patterns across the membership to keep the protocol honest — what holds under pressure, what drifts, what needs adjustment. Your name and personal details are never part of that analysis. You may opt out of even this aggregate use.
Your data is yours. Your discipline is yours. Your investment is the membership — that is where the relationship begins and ends.
1. Who we are
TAP | The Alchemist Protocol (“TAP,” “we,” “us”) is a private mastery platform operated by Georges Najjar from Quebec, Canada.
Privacy Officer: Georges Najjar
Contact: privacy@thealchemistprotocol.com — or use our contact form.
Website: thealchemistprotocol.com
Member portal: lab.thealchemistprotocol.com
For privacy-related requests, contact the Privacy Officer at the email above. We will respond within thirty (30) days.
2. What data we collect
We collect the following categories of personal data, only when you choose to provide them:
From the Executive Discipline Score (EDS) assessment
- Name, email address, age
- Behavioral assessment responses (24 questions across Structure, Condition, and Command domains)
- Sleep duration, weekly alcohol consumption, supplement routine
- Optional free-text notes
From the Application form
- Name, email, phone number, city, time zone
- Professional context, prior program experience, drift sources
- Goals, commitment level, schedule
From the Intake form (post-acceptance)
- Detailed health context (training history, dietary patterns, sleep patterns, alcohol/sugar frequency, stress patterns, recovery practices)
- Body metrics (weight, waist measurement, height)
- Supplement and medication use
- Behavioral and cognitive patterns
From your use of the Lab portal (clients only)
- Daily check-in responses (Morning Activation, Mid Day Check-In, Night Lock)
- Weekly review submissions (compliance, drift, wins, friction, adjustments)
- Body metrics over time (weight, waist, sleep, energy)
- Habit assignments and completion logs
- Communication with your operator (support messages)
Account data
- Email address, hashed password, account creation date, login timestamps
Technical data
- IP address, browser type, device type, session timestamps
- Cookies (see our Cookie Notice for details)
3. Why we collect it (lawful basis)
We process your personal data on the following lawful bases:
| Purpose | Lawful basis (GDPR / Quebec Law 25 / PIPEDA) |
|---|---|
| Deliver the EDS assessment and return your results | Consent · Contract performance |
| Process your Application and respond to it | Consent · Pre-contractual measures |
| Deliver the 12-Week Transformation Lab service after acceptance | Contract performance |
| Allow your operator to monitor your protocol and respond | Contract performance |
| Send you transactional emails (invitations, reminders, weekly summaries) | Contract performance |
| Anonymously refine the protocol based on aggregate patterns | Legitimate interest (with right to opt out) |
| Comply with legal obligations (tax, fraud prevention, regulatory) | Legal obligation |
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
4. How we use your data
We use your data for the following specific purposes:
- To deliver the TAP service you applied for and joined
- To allow your assigned operator to review your progress and adjust your protocol
- To send you transactional emails (account, onboarding, weekly summaries, system notifications)
- To analyze anonymized patterns across the membership to refine the protocol — your name and personal details are never part of this analysis, and you may opt out
- To respond to your support requests and questions
- To detect and prevent fraud, abuse, or violations of our Terms of Service
- To comply with applicable laws
We do not use your data for:
- Selling or licensing to third parties
- Advertising (we do not run ads, anywhere, ever)
- Profiling for any purpose outside of your TAP protocol
- Training external AI models or sharing with AI vendors for training purposes
5. Who we share data with (limited)
We share personal data only with the following categories of recipients, and only as necessary for service delivery:
Service providers (data processors who act under our instructions):
- Supabase — database, authentication, file storage (data hosted in United States)
- Vercel — application hosting (data hosted in United States)
- Google Workspace — email delivery (privacy@thealchemistprotocol.com — same address, both forward to operations), Google Calendar (appointment scheduling), Google Apps Script (automated workflows)
We have signed Data Processing Agreements (DPAs) with each of these providers. They process data only on our instructions and may not use it for their own purposes.
Legal recipients: We may disclose personal data when required by law, court order, or to protect the rights, property, or safety of TAP, our members, or others.
No third-party sharing for advertising or sale.
6. Where your data is stored
Your data is primarily stored on servers located in the United States, operated by our service providers (Supabase, Vercel, Google).
If you are located in the European Union, United Kingdom, Canada, or another jurisdiction with data protection laws, your data is transferred to and processed in the United States.
We rely on the following safeguards for international transfers:
- For EU/UK transfers: Standard Contractual Clauses (SCCs) signed with our US-based service providers
- For Canadian transfers (PIPEDA): Comparable level of protection through contractual safeguards
- For Quebec (Law 25): Privacy Impact Assessment performed; transfers occur only where the receiving jurisdiction provides adequate protection
If you have questions about international transfers, contact the Privacy Officer.
7. How long we keep your data
We retain personal data only as long as necessary for the purposes described above:
| Data category | Retention period |
|---|---|
| EDS submissions (anonymous prospects) | 24 months from submission, then deleted |
| Application data (declined applicants) | 12 months from decision, then deleted |
| Active client data (lab portal) | Duration of membership + 24 months for service continuity and historical reference |
| Inactive client data (membership ended) | 24 months after end of membership, then deleted unless legally required to retain |
| Transactional records (invoices, payments) | 7 years (Quebec / Canadian tax law requirement) |
| Support messages | 24 months from last message |
| Login / session logs | 12 months |
After the retention period, data is deleted or fully anonymized. Anonymized aggregate data may be retained indefinitely for protocol improvement purposes.
You may request earlier deletion at any time (see Section 8).
8. Your rights
You have the following rights over your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your data (subject to legal retention requirements)
- Portability — request your data in a machine-readable format
- Objection — object to processing based on legitimate interests (including the anonymized aggregate analysis)
- Restriction — request restriction of processing in certain circumstances
- Withdraw consent — for processing based on consent, withdraw at any time
- Lodge a complaint — with your local data protection authority (see Section 13 for jurisdiction-specific notices)
To exercise any right, contact the Privacy Officer at privacy@thealchemistprotocol.com with your request and the email address associated with your TAP account. Or use our contact form. We will respond within thirty (30) days. Most requests are handled in much less time.
9. Security
We implement industry-standard security measures to protect your data:
- All data transmitted between you and TAP is encrypted via HTTPS/TLS
- Database access is protected by Row Level Security (RLS) policies that limit access by role
- Passwords are hashed using bcrypt
- Access to your operator-side data is restricted to authenticated operator/admin accounts
- We maintain audit logs of administrative access
- Our service providers (Supabase, Vercel, Google) maintain SOC 2 / ISO 27001 / equivalent security certifications
No system is completely secure. In the unlikely event of a data breach affecting your personal data, we will notify you and applicable regulators within the timeframes required by law (72 hours for GDPR-applicable breaches, without unreasonable delay for affected users).
10. Children
TAP is intended for adults aged 18 and older. We do not knowingly collect personal data from children under 18. If you become aware that a child has provided personal data to us, please contact the Privacy Officer and we will delete it.
11. Cookies
We use a limited set of cookies to operate the service. See our separate Cookie Notice for details. Cookie consent is requested on your first visit if you are in the EU, UK, or other jurisdictions requiring it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do:
- Material changes will be notified by email at least thirty (30) days in advance
- The “Last updated” date at the top will reflect the most recent change
- Previous versions are available on request from the Privacy Officer
Continued use of TAP after a change constitutes acceptance of the updated policy.
13. Jurisdiction-specific notices
For users in the European Economic Area (EEA) and United Kingdom
You have rights under the General Data Protection Regulation (GDPR) and UK GDPR. The lawful bases for our processing are described in Section 3. You may lodge a complaint with your national data protection authority. For EEA: see edpb.europa.eu/about-edpb/board/members_en. For UK: Information Commissioner's Office (ICO) at ico.org.uk.
For users in Canada
You have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). You may lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
For users in Quebec
You have additional rights under Quebec Law 25 (An Act respecting the protection of personal information in the private sector). You may lodge a complaint with the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
For users in California
You have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Specifically: the right to know what personal information is collected, the right to delete, the right to opt out of sale (we do not sell data — there is no sale to opt out of), the right to non-discrimination. To exercise rights, contact the Privacy Officer.
For users in other US states with privacy laws (Virginia, Colorado, Connecticut, Utah, etc.)
Comparable rights apply. Contact the Privacy Officer to exercise them.
14. Contact
Questions, concerns, or requests:
TAP | The Alchemist Protocol
Privacy Officer: Georges Najjar
Email: privacy@thealchemistprotocol.com
Website: thealchemistprotocol.com
Or use our contact form.
We respond within thirty (30) days. Most requests are handled in much less.
End of Privacy Policy.