Last updated: May 13, 2026
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of Your information when You use our Service and tells You about Your privacy rights and how the law protects You.
We use Your personal data to provide and improve our Service. By using our Service, You agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Application refers to Steppa, the software program provided by the Company.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Steppa LLC, 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States.
- Country refers to: Delaware, United States.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Application.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Payment information (processed by Whop — We do not store full card numbers on our servers)
- Bank account information for payouts (processed by Mercury — We do not store full bank account credentials on our servers)
- Identity verification information (processed by a third-party identity verification provider, where verification is requested)
- Tax identification information (as required by law for users approaching reporting thresholds)
- Usage Data
Important: We do not store full payment card numbers or bank account credentials on our own servers. These sensitive financial details are handled directly and securely by our Payment Processors.
Health and Fitness Data
To provide our fitness Challenge features, We collect health and fitness data from Your device, including but not limited to:
- Step counts
- Walking and running distances
- Activity data and timestamps
- Hourly breakdowns and source-attribution metadata for fraud-prevention and audit purposes
- Device and sensor information that the underlying health platform reports alongside step data
This data is collected through integration with Apple HealthKit. We only access health data that You explicitly grant permission for Us to access.
We use industry-standard security measures, including encryption in transit (TLS) and at rest, to protect health and fitness data. Your data is transmitted securely and stored in protected databases.
Important Limitations on Use of Health Data:
- We do NOT use HealthKit data for advertising, marketing, or data sales
- We do NOT share health data with advertisers or data brokers
- We do NOT use health data to build advertising or user profiles
- Health data is NEVER sold to third parties
- We do NOT use Your health data for medical diagnosis or treatment
We use health and fitness data ONLY to:
- Operate and manage fitness Challenges
- Verify Challenge completion and calculate results
- Display Your personal statistics and progress within the App
- Detect and prevent fraudulent activity
You can revoke our access to Your health data at any time through Your device's privacy settings (Settings > Privacy & Security > Health on iOS). If You revoke access, You will no longer be able to participate in Challenges that require fitness tracking.
Important: We rely on Apple HealthKit's aggregated step count and cannot independently verify the accuracy of data reported by Your devices, sensors, or any third-party application that writes to HealthKit. Step counts and activity metrics may vary between devices and tracking methods.
Apple HealthKit Disclosure
Steppa uses Apple HealthKit to read step counts and activity data that You authorize through iOS permissions. We do not write any data to HealthKit. HealthKit data is only used to:
- Operate fitness Challenges
- Verify Challenge completion and calculate results
- Detect fraud and prevent manipulation
- Display Your activity statistics inside the App
HealthKit data is never used for marketing, advertising, or data brokerage.
HealthKit data is never sold or shared with third parties except service providers acting strictly on our behalf (such as our database provider).
You can revoke HealthKit access at any time in iOS Settings > Privacy & Security > Health > Steppa. Revoking access will prevent You from participating in fitness Challenges.
Financial and Transaction Data
We collect and process financial information related to Your participation in paid Challenges, including:
- Challenge entry fees paid
- Winnings and payouts received
- Transaction history
- Cash Balance and Promotional Credit balances
- Payout requests and bank account routing details (handled by Mercury)
We retain financial records as required by law, including for tax reporting purposes. For U.S. users, We may be required to report winnings of $600 or more per calendar year to the Internal Revenue Service.
Fraud Prevention and Payment Fingerprinting
To prevent abuse of promotions, multiple-account fraud, and payment fraud, We collect and process:
- A hashed fingerprint of Your payment method (for example, a one-way hash of card brand and last four digits) provided to Us by Whop. We use this hashed value to detect duplicate or coordinated accounts. We cannot reconstruct Your full payment details from this hash.
- A log of bonus eligibility checks, fraud signals evaluated, and the outcome of those checks. This log may include the email address used, hashed payment fingerprint, device signals, and timestamps.
- Device signals such as device model, operating system version, application version, and IP address.
This data is used solely for fraud prevention, security, and enforcement of our Terms and Conditions. It is not used for marketing or shared with advertisers.
Notification Tokens and Communication Preferences
If You enable push notifications, We collect Your device push notification token and Your notification preferences to send You transactional and (if You have not opted out) marketing communications about Challenges, results, and other Service-related information. Notification tokens are retained while Your Account is active and deleted when Your Account is deleted or You revoke push permissions.
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Cookies and Tracking Technologies
Our website (playsteppa.com) uses only essential cookies necessary for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies on our website.
Our mobile Application does not use cookies but may use similar technologies (such as device identifiers) for authentication, session management, and fraud prevention.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service.
- To operate Challenges: to track Your progress in fitness Challenges, verify completion, calculate winnings, and distribute prizes.
- To process payments: to handle Challenge entry fees, process payouts, and maintain financial records.
- For identity verification: to verify Your identity where required by law or by our payment partners for receiving payouts above certain thresholds.
- To contact You: by email, push notifications, or other forms of electronic communication regarding Challenge updates, results, payouts, security alerts, or other Service-related information.
- To prevent fraud: to detect and prevent cheating, manipulation of fitness data, multi-account abuse, payment fraud, and other fraudulent activity.
- For tax compliance: to fulfill our legal obligations to report winnings and maintain financial records.
- To provide You with news, special offers and general information about Challenges and features unless You have opted not to receive such information.
- To manage Your requests: to attend to and manage Your requests to Us.
- For analytics and improvement: to analyze how the Service is used and to improve our features and user experience.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
Specifically:
- Health and fitness data: Retained while Your Account is active and for up to 3 years after Account closure for dispute resolution, fraud prevention, and historical Challenge verification. You can request earlier deletion at any time, subject to legal exceptions.
- Financial records and transaction history: Retained for at least 7 years to comply with tax laws and financial regulations.
- Account information: Retained while Your Account is active and for up to 3 years after Account closure to comply with legal obligations and resolve disputes.
- Fraud-prevention records (including hashed payment fingerprints and bonus eligibility logs): Retained for up to 7 years to detect repeat abuse and to investigate disputes.
- Notification tokens: Retained while Your Account is active and deleted on Account closure or revocation of push permissions.
Sharing Your Personal Data with Third Parties
We share Your personal data with the following third-party service providers who help Us operate the Service:
- Whop: Payment processing for Challenge entry fees. Whop processes Your payment information and provides Us with hashed payment fingerprints used for fraud prevention. See Whop's Privacy Policy for details on how they handle Your data.
- Mercury: Banking and ACH payouts. Mercury processes Your bank account routing details to deliver payouts of Cash Balance.
- Identity verification providers: Where We require You to verify Your identity (for example, to enable payouts above certain thresholds), We may share Your information with a third-party identity verification provider.
- Supabase: Database and backend infrastructure. Supabase stores Your account information, Challenge data, and fitness activity records. Our primary data hosting region is in the United States.
- Expo: Push notification delivery and mobile app infrastructure.
- Apple HealthKit: Health and fitness data source. We access only the data You explicitly permit through Your device's privacy settings.
These service providers have access to Your Personal Data only to perform specific tasks on our behalf and are obligated to protect Your information and use it only for the purposes We specify.
Disclosure of Your Personal Data
Law Enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other Legal Requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. Our primary data hosting infrastructure is located in the United States. This information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.
Delete Your Personal Data
You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.
Our Service may give You the ability to delete certain information about You from within the Service, including the ability to delete Your Account.
You may update, amend, or delete Your information at any time by contacting Us to request access to, correct, or delete any personal information that You have provided to Us.
Please note, however, that We may need to retain certain information when We have a legal obligation or lawful basis to do so, including the financial, fraud-prevention, and tax records described under "Retention of Your Personal Data."
Security of Your Personal Data
The security of Your Personal Data is important to Us. We implement industry-standard security measures to protect Your information, including:
- Encryption in transit using TLS/SSL protocols
- Encryption at rest for sensitive data stored in our databases
- Access controls and authentication mechanisms
- Regular security assessments and updates
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Legal Bases for Processing (GDPR)
If You are located in the European Economic Area (EEA), We process Your Personal Data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service, operate Challenges, process payments, and distribute winnings.
- Legal Obligation: Processing required to comply with tax reporting requirements, KYC/AML regulations, and financial record-keeping laws.
- Legitimate Interest: Processing for fraud prevention, security, analytics, and Service improvement, where our interests are not overridden by Your data protection rights.
- Consent: Processing health and fitness data, sending marketing communications, and delivering push notifications (You may withdraw consent at any time).
Your Privacy Rights
Access and Control
You have the following rights regarding Your Personal Data:
- Right to Access: You can request a copy of the Personal Data We hold about You.
- Right to Correction: You can request that We correct inaccurate or incomplete Personal Data.
- Right to Deletion: You can request deletion of Your Personal Data, subject to legal retention requirements for financial, tax, and fraud-prevention records.
- Right to Data Portability: You can request a copy of Your data in a machine-readable format.
- Right to Withdraw Consent: You can withdraw consent for Us to process Your health data, though this may prevent You from participating in Challenges.
To exercise these rights, contact Us at support@playsteppa.com.
California Privacy Rights (CCPA)
If You are a California resident, You have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to know what Personal Data We collect, use, disclose, and sell (We do not sell Personal Data).
- Right to Delete: You have the right to request deletion of Your Personal Data, subject to certain exceptions.
- Right to Non-Discrimination: You have the right not to be discriminated against for exercising Your privacy rights.
- Right to Opt-Out: You have the right to opt out of the sale of Personal Data (We do not sell Personal Data).
To exercise Your CCPA rights, email Us at support@playsteppa.com with "CCPA Request" in the subject line.
European Union (GDPR) Rights
If You are located in the European Economic Area (EEA), You have rights under the General Data Protection Regulation (GDPR), including:
- Right to access Your Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
To exercise Your GDPR rights, contact Us at support@playsteppa.com.
Data Breach Notification
In the event of a data breach that affects Your Personal Data, We will notify You via email within 72 hours of becoming aware of the breach, or as required by applicable law. The notification will include:
- The nature of the breach
- The types of data affected
- Steps We are taking to address the breach
- Recommended actions You should take to protect Your information
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Children's Privacy and Age Restrictions
Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18.
Participation in paid Challenges requires users to be at least 18 years old. We rely on user self-attestation of age at registration and may, at our discretion, require additional verification. If You are under 18, You may not use the Service or participate in Challenges.
If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us immediately. If We become aware that We have collected Personal Data from anyone under the age of 18, We will take steps to delete that information and terminate the account.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on our Service prior to the change becoming effective, and We will update the "Last updated" date at the top of this Privacy Policy.
Contact Us
If You have any questions about this Privacy Policy, You can contact Us:
- By email: support@playsteppa.com
- By phone: +1 (302) 464-8865
Data Protection Contact
For privacy-related inquiries, data protection matters, or to exercise Your privacy rights, You may contact our Data Protection contact at: support@playsteppa.com
Please include "Privacy Request" or "Data Protection" in Your subject line to ensure prompt handling of Your inquiry.