Privacy Notice

Last updated: 12 April 2026

Who we are

Magic Story Club Limited is the data controller for The Callous Protocol. If you have questions about how we handle your data, contact us at privacy@callousprotocol.com.

What we collect

When you use The Callous Protocol, we collect and process:

  • Account data — email address, phone number, display name, timezone
  • Profile data — date of birth, biological sex, height, activity level, dietary preferences, and other personal context you provide
  • Health and fitness data — weight, meals, workouts, activities, sleep, recovery metrics, and step counts, sourced from connected services or entered manually
  • Coaching conversations — messages exchanged via WhatsApp, including any photos you send for analysis
  • Service credentials — OAuth tokens, API keys, or login credentials for connected third-party services, encrypted at rest using Fernet symmetric encryption

Why we process it and our legal basis

  • To provide the coaching service — calculating targets, tracking progress, generating check-in messages, and detecting patterns. Legal basis: performance of a contract (the service you signed up for).
  • To sync your data from connected services — fetching workouts, meals, weight, and recovery data on a schedule. Legal basis: consent (you choose to connect each service).
  • To improve the service — understanding usage patterns and fixing issues using aggregated, anonymised data. Legal basis: legitimate interest.

LLM providers and international transfers

Your coaching data is sent to large language model providers via OpenRouter to generate coaching messages and analyse your progress. The providers used include:

  • Anthropic (Claude) — generally used for analysis and reasoning
  • xAI (Grok) — generally used for messaging and conversation
  • Google (Gemini) — generally used for analysis and reasoning

These roles are not exclusive — any provider may be used for any part of the service.

These providers, along with Meta (which operates the WhatsApp Business API used to deliver messages), are based in the United States. By using the service, your data is transferred outside the UK/EEA. We rely on the providers' standard contractual clauses and data processing agreements. All LLM API requests are made with data retention and training opt-out where supported. We do not consent to your data being used to train models. However, we cannot guarantee how third-party providers handle data once received — please review their respective privacy policies.

Who we share data with

We do not sell your data to anyone. Your data is only shared with:

  • LLM providers (as described above) to generate coaching content
  • Meta — coaching messages are delivered via the WhatsApp Business API, which is operated by Meta Platforms, Inc.

All infrastructure (servers, databases) is self-hosted. No third-party cloud or hosting providers have access to your data.

Cookies

We use a session cookie to keep you logged in. We may use analytics cookies to understand how the app is used. We do not use third-party advertising or tracking cookies.

How long we keep your data

  • Account and profile data — retained while your account is active, deleted within 30 days of account deletion
  • Health and fitness data — retained while your account is active
  • Coaching conversations — retained while your account is active
  • Analysis reports — daily reports kept 14 days, weekly reports 8 weeks, monthly reports 12 months
  • Service credentials — deleted immediately when you disconnect a service

Your rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time for processing based on consent (e.g. disconnecting a service)

To exercise any of these rights, email privacy@callousprotocol.com.

Automated decision-making

The service uses automated processing to generate coaching messages, calculate nutritional targets, and detect behavioural patterns. These are advisory — no decisions with legal or similarly significant effects are made solely by automated means.

Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk/make-a-complaint