Last updated: June 13, 2026
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of Your information when You use our Service and tells You about Your privacy rights and how the law protects You.
We use Your personal data to provide and improve our Service. By using our Service, You agree to the collection and use of information in accordance with this Privacy Policy. If You do not agree with this Privacy Policy, please do not use the Service.
California residents should review the section entitled "California Privacy Rights (CCPA/CPRA)." Users in the European Economic Area should review the sections entitled "Legal Bases for Processing (GDPR)" and "European Union (GDPR) Rights."
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Application refers to Steppa, the software program provided by the Company.
- Challenge means a fitness challenge offered through the Service in which Your tracked activity (such as step counts and distances) is used to verify completion and determine results. A Challenge may require an entry fee and may award winnings.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this Privacy Policy) refers to Steppa LLC, 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States.
- Country refers to: Delaware, United States.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Health Data means health and fitness information collected through Apple HealthKit or generated by Your participation in Challenges, including step counts, distances, activity records, and inferences derived from them.
- Payment Processors refers to Whop, Mercury, and PayPal, the Service Providers that process Challenge payments and payouts on our behalf as described under "Sharing Your Personal Data with Third Parties."
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Application.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Payment information (processed by Whop — We do not store full card numbers on our servers)
- Bank account information for payouts. U.S. payouts are processed by Mercury via U.S. ACH bank transfer; You enter Your bank account details in the Application and We do not store full bank account credentials on our servers. PayPal payouts are processed by PayPal; to send a payout We share with PayPal the recipient email address You provide and the payout amount, and We store only that saved payout email and PayPal's payout references (not Your PayPal login or financial credentials). International payouts are processed by Whop via Whop's payout-method network; You enter Your identity-verification and payout-destination details directly on Whop's hosted onboarding pages, and We store only the Whop sub-merchant identifier and the chosen payout-method reference returned to Us by Whop (not Your underlying bank, wallet, or crypto-wallet credentials).
- Identity verification information (processed by a third-party identity verification provider, where verification is requested)
- Tax identification information (as required by law for users approaching reporting thresholds)
- Usage Data
Important: We do not store full payment card numbers or bank account credentials on our own servers. These sensitive financial details are handled directly and securely by our Payment Processors.
Health and Fitness Data
To provide our fitness Challenge features, We collect health and fitness data from Your device, including but not limited to:
- Step counts
- Walking and running distances
- Activity data and timestamps
- Hourly breakdowns and source-attribution metadata for fraud-prevention and audit purposes
- Device and sensor information that the underlying health platform reports alongside step data
This data is collected through integration with Apple HealthKit. We only access health data that You explicitly grant permission for Us to access.
We use industry-standard security measures, including encryption in transit (TLS) and at rest, to protect health and fitness data. Your data is transmitted securely and stored in protected databases.
Important Limitations on Use of Health Data:
- We do NOT use HealthKit data for advertising, marketing, advertising measurement, or data sales
- We do NOT use HealthKit data for tracking as defined under Apple's App Tracking Transparency framework
- We do NOT share health data with advertisers or data brokers
- We do NOT use health data to build advertising or user profiles
- Health data is NEVER sold to third parties
- We do NOT disclose Your individual-level health data to third parties for the training of artificial intelligence models
- We do NOT use Your health data for medical diagnosis or treatment
We use health and fitness data ONLY to:
- Operate and manage fitness Challenges
- Verify Challenge completion and calculate results
- Display Your personal statistics and progress within the App
- Detect and prevent fraudulent activity
You can revoke our access to Your health data at any time through Your device's privacy settings (Settings > Privacy & Security > Health on iOS). If You revoke access, You will no longer be able to participate in Challenges that require fitness tracking.
Important: We rely on Apple HealthKit's aggregated step count and cannot independently verify the accuracy of data reported by Your devices, sensors, or any third-party application that writes to HealthKit. Step counts and activity metrics may vary between devices and tracking methods.
Apple HealthKit Disclosure
Steppa uses Apple HealthKit to read step counts and activity data that You authorize through iOS permissions. We do not write any data to HealthKit. HealthKit data is only used to:
- Operate fitness Challenges
- Verify Challenge completion and calculate results
- Detect fraud and prevent manipulation
- Display Your activity statistics inside the App
HealthKit data is never used for marketing, advertising, advertising measurement, or data brokerage, and is never used for other use-based data mining unrelated to providing the Service.
HealthKit data is never sold or shared with third parties except service providers acting strictly on our behalf (such as our database provider).
You can revoke HealthKit access at any time in iOS Settings > Privacy & Security > Health > Steppa. Revoking access will prevent You from participating in fitness Challenges.
Financial and Transaction Data
We collect and process financial information related to Your participation in paid Challenges, including:
- Challenge entry fees paid
- Winnings and payouts received
- Transaction history
- Cash Balance and Promotional Credit balances
- Payout requests, bank account routing details (handled by Mercury), and the PayPal recipient email used for PayPal payouts (handled by PayPal)
We retain financial records as required by law, including for tax reporting purposes. For U.S. users, We may be required to report winnings of $600 or more per calendar year to the Internal Revenue Service.
Fraud Prevention and Payment Fingerprinting
To prevent abuse of promotions, multiple-account fraud, and payment fraud, We collect and process:
- A hashed fingerprint of Your payment method (for example, a one-way hash of the card brand and last four digits) provided to Us by Whop. We use this hashed value to detect duplicate or coordinated accounts. The fingerprint is derived from partial card details only; Your full card number is never an input to it, so neither We nor anyone who obtains the hash can reconstruct Your full payment details from it.
- A log of bonus eligibility checks, fraud signals evaluated, and the outcome of those checks. This log may include the email address used, hashed payment fingerprint, device signals, and timestamps.
- Device signals such as device model, operating system version, application version, and IP address.
This data is used solely for fraud prevention, security, and enforcement of our Terms and Conditions. It is not used for marketing or shared with advertisers.
Referral and Invite Information
If You refer a friend or share an invite code, We collect the information needed to operate the referral program, such as the referral code used, the connection between referring and referred Accounts, and the status of any associated Promotional Credits. We use this information solely to administer the referral program and to detect referral abuse. If an invite feature asks You to provide a contact's email address or similar information, We use it only to deliver the invitation and any related reminders, and the recipient may contact support@playsteppa.com to have their information removed.
Notification Tokens and Communication Preferences
If You enable push notifications, We collect Your device push notification token and Your notification preferences to send You transactional and (if You have not opted out) marketing communications about Challenges, results, and other Service-related information. Notification tokens are retained while Your Account is active and deleted when Your Account is deleted or You revoke push permissions.
Community Content and Information Visible to Other Users
The Service includes features that display certain information to other users. Information that may be visible to other participants in a Challenge and, for public Challenges, to other users of the Service includes Your display name, username, profile photo or avatar, and Your Challenge progress and results where the Challenge displays them (for example, on a leaderboard). Information shown to other users can be read, collected, or re-shared by others, and We cannot guarantee that other users will respect its confidentiality. Do not make public any information You consider private. We are not responsible for information You voluntarily disclose to other users of the Service.
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Cookies and Tracking Technologies
Our website (playsteppa.com) uses only essential cookies necessary for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies on our website.
Our mobile Application does not use cookies but may use similar technologies (such as device identifiers) for authentication, session management, and fraud prevention.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service.
- To operate Challenges: to track Your progress in fitness Challenges, verify completion, calculate winnings, and distribute prizes.
- To process payments: to handle Challenge entry fees, process payouts, and maintain financial records.
- For identity verification: to verify Your identity where required by law or by our payment partners for receiving payouts above certain thresholds.
- To contact You: by email, push notifications, or other forms of electronic communication regarding Challenge updates, results, payouts, security alerts, or other Service-related information.
- To prevent fraud: to detect and prevent cheating, manipulation of fitness data, multi-account abuse, payment fraud, and other fraudulent activity.
- For tax compliance: to fulfill our legal obligations to report winnings and maintain financial records.
- To administer promotions: to operate referral programs, welcome bonuses, and other promotional offers, and to award any associated credits or prizes.
- To provide You with news, special offers and general information about Challenges and features unless You have opted not to receive such information.
- To manage Your requests: to attend and manage Your requests to Us.
- For analytics and improvement: to analyze how the Service is used and to improve our features and user experience, using aggregated or de-identified information wherever practical.
We do not sell Your Personal Data, and We do not share Your Personal Data with third parties for cross-context behavioral advertising.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
Specifically:
- Health and fitness data: Retained while Your Account is active and for up to 3 years after Account closure for dispute resolution, fraud prevention, and historical Challenge verification. You can request earlier deletion at any time, subject to legal exceptions.
- Financial records and transaction history: Retained for at least 7 years to comply with tax laws and financial regulations.
- Account information: Retained while Your Account is active and for up to 3 years after Account closure to comply with legal obligations and resolve disputes.
- Fraud-prevention records (including hashed payment fingerprints and bonus eligibility logs): Retained for up to 7 years to detect repeat abuse and to investigate disputes.
- Notification tokens: Retained while Your Account is active and deleted on Account closure or revocation of push permissions.
- Unwithdrawn balances: Records relating to any Cash Balance not withdrawn at Account closure are retained as long as necessary to administer the balance, including to comply with applicable unclaimed-property and escheatment laws.
Sharing Your Personal Data with Third Parties
We share Your personal data with the following third-party service providers who help Us operate the Service:
- Whop: Payment processing for Challenge entry fees, and processing of international payouts via Whop's payout-method network. Whop processes Your payment information, provides Us with hashed payment fingerprints used for fraud prevention, and (for international payouts) collects the identity-verification and payout-destination information You provide directly on Whop's hosted onboarding pages. See Whop's Privacy Policy for details on how they handle Your data.
- Mercury: Banking and U.S. ACH payouts. Mercury processes the bank account routing details of U.S. users to deliver automated payouts of Cash Balance. International users receive payouts via PayPal or Whop instead and Mercury does not receive their information.
- PayPal: Payouts to a PayPal account. When You cash out to PayPal, We share the recipient email address You provide and the payout amount with PayPal so it can deliver the funds. We do not receive or store Your PayPal login or financial credentials. See PayPal's Privacy Policy for details on how they handle Your data.
- Identity verification providers: Where We require You to verify Your identity (for example, to enable payouts above certain thresholds), We may share Your information with a third-party identity verification provider.
- Supabase: Authentication and account sign-in services.
- DigitalOcean: Database and backend infrastructure. Our managed database stores Your account information, Challenge data, and fitness activity records. Our primary data hosting region is in the United States.
- Expo: Push notification delivery and mobile app infrastructure.
- Apple HealthKit: Source of health and fitness data. HealthKit is a data source, not a recipient of Your data: We only read the data You explicitly permit through Your device's privacy settings, and We do not write or send any data to HealthKit.
These service providers have access to Your Personal Data only to perform specific tasks on our behalf and are obligated to protect Your information and use it only for the purposes We specify. We do not permit our service providers to use Your individual-level health data for their own purposes, including advertising or the training of artificial intelligence models.
Disclosure of Your Personal Data
Law Enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other Legal Requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. Our primary data hosting infrastructure is located in the United States. This information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.
Where We transfer Personal Data of users located in the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision, We rely on appropriate safeguards such as Standard Contractual Clauses with our Service Providers, alongside supplementary technical and organizational measures. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy.
Delete Your Personal Data
You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.
Our Service may give You the ability to delete certain information about You from within the Service, including the ability to delete Your Account.
You may update, amend, or delete Your information at any time by contacting Us to request access to, correct, or delete any personal information that You have provided to Us. We will respond to verified requests within the timeframes required by applicable law.
Please note, however, that We may need to retain certain information when We have a legal obligation or lawful basis to do so, including the financial, fraud-prevention, tax, and unclaimed-property records described under "Retention of Your Personal Data."
Security of Your Personal Data
The security of Your Personal Data is important to Us. We implement industry-standard security measures to protect Your information, including:
- Encryption in transit using TLS
- Encryption at rest for sensitive data stored in our databases
- Access controls and authentication mechanisms, with access to personal information limited to personnel who need it to perform their roles
- Regular security assessments and updates
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Legal Bases for Processing (GDPR)
If You are located in the European Economic Area (EEA), We process Your Personal Data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service, operate Challenges, process payments, and distribute winnings.
- Legal Obligation: Processing required to comply with tax reporting requirements, KYC/AML regulations, and financial record-keeping laws.
- Legitimate Interest: Processing for fraud prevention, security, analytics, and Service improvement, where our interests are not overridden by Your data protection rights.
- Consent: Processing health and fitness data, sending marketing communications, and delivering push notifications (You may withdraw consent at any time).
Your Privacy Rights
Access and Control
You have the following rights regarding Your Personal Data:
- Right to Access: You can request a copy of the Personal Data We hold about You.
- Right to Correction: You can request that We correct inaccurate or incomplete Personal Data.
- Right to Deletion: You can request deletion of Your Personal Data, subject to legal retention requirements for financial, tax, fraud-prevention, and unclaimed-property records.
- Right to Data Portability: You can request a copy of Your data in a machine-readable format.
- Right to Withdraw Consent: You can withdraw consent for Us to process Your health data, though this may prevent You from participating in Challenges.
To exercise these rights, contact Us at support@playsteppa.com. We may need to verify Your identity before fulfilling a request. You may also designate an authorized agent to make a request on Your behalf, subject to verification.
California Privacy Rights (CCPA/CPRA)
If You are a California resident, You have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: You have the right to request information about the categories and specific pieces of Personal Data We have collected about You, the categories of sources, the business purposes for collection, and the categories of third parties with whom We disclose it.
- Right to Delete: You have the right to request deletion of Your Personal Data, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate Personal Data.
- Right to Opt Out of Sale or Sharing: We do not sell Personal Data and We do not share Personal Data for cross-context behavioral advertising. If that ever changes, We will update this Policy and provide the required opt-out mechanisms first.
- Right to Limit Use of Sensitive Personal Information: Some information We collect, such as health and fitness data, account log-in credentials, and government identifiers collected for tax or identity verification, is "sensitive personal information" under California law. We use sensitive personal information only for the purposes permitted by California law, such as providing the Service You request, verifying results, preventing fraud and security incidents, and complying with legal obligations. We do not use or disclose sensitive personal information for purposes beyond these, so the Right to Limit does not currently apply to our processing.
- Right to Non-Discrimination: You have the right not to be discriminated against for exercising Your privacy rights.
Categories of Personal Information collected in the preceding 12 months: identifiers (name, email, phone, device identifiers, IP address); financial information (transaction history, balances, hashed payment fingerprints; full payment credentials are handled by our Payment Processors); health and fitness data (step counts, activity records); commercial information (Challenge entries, payouts); internet or network activity (Usage Data); geolocation inferred from IP address at a coarse level; and inferences used solely for fraud prevention. We collect these categories from You, Your device, Apple HealthKit, and our Payment Processors, for the business purposes described in "Use of Your Personal Data," and We disclose them to the Service Providers listed in "Sharing Your Personal Data with Third Parties" for business purposes only. We have not sold or shared (for cross-context behavioral advertising) Personal Information in the preceding 12 months.
Global Privacy Control: Because We do not sell or share Personal Data, opt-out preference signals such as Global Privacy Control do not change how We process Your data; if our practices ever change, We will honor such signals as required by law.
To exercise Your California rights, email Us at support@playsteppa.com with "CCPA Request" in the subject line. We will verify and respond to Your request within the timeframes required by law (generally 45 days, extendable once by an additional 45 days with notice).
Other U.S. State Privacy Rights
If You reside in another U.S. state with a comprehensive privacy law (for example, Virginia, Colorado, Connecticut, Texas, or Oregon), You may have similar rights of access, correction, deletion, portability, and the right to appeal a refusal. To exercise these rights or appeal a decision, contact support@playsteppa.com with "Privacy Request" in the subject line.
European Union (GDPR) Rights
If You are located in the European Economic Area (EEA), You have rights under the General Data Protection Regulation (GDPR), including:
- Right to access Your Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
You also have the right to lodge a complaint with Your local supervisory authority. To exercise Your GDPR rights, contact Us at support@playsteppa.com.
Data Breach Notification
In the event of a data breach that affects Your Personal Data, We will notify You and any applicable regulators without undue delay, in the manner and within the timeframes required by applicable law. Where notification to You is required, it will describe, to the extent known:
- The nature of the breach
- The types of data affected
- Steps We are taking to address the breach
- Recommended actions You should take to protect Your information
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy, and any recipient will be required to honor commitments at least as protective as those in this Privacy Policy with respect to previously collected Personal Data.
Children's Privacy and Age Restrictions
Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18.
Participation in paid Challenges requires users to be at least 18 years old. We rely on user self-attestation of age at registration and may, at our discretion, require additional verification. If You are under 18, You may not use the Service or participate in Challenges.
If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us immediately. If We become aware that We have collected Personal Data from anyone under the age of 18, We will take steps to delete that information and terminate the account.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy.
Before a change becomes effective, We will also let You know via email and/or a prominent notice on our Service. Use of information We collect is subject to the Privacy Policy in effect at the time such information is used.
Contact Us
If You have any questions about this Privacy Policy, You can contact Us:
- By email: support@playsteppa.com
- By phone: +1 (302) 464-8865
Data Protection Contact
For privacy-related inquiries, data protection matters, or to exercise Your privacy rights, You may contact our Data Protection contact at: support@playsteppa.com
Please include "Privacy Request" or "Data Protection" in Your subject line to ensure prompt handling of Your inquiry.