Last updated: June 13, 2026

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of Your information when You use our Service and tells You about Your privacy rights and how the law protects You.

We use Your personal data to provide and improve our Service. By using our Service, You agree to the collection and use of information in accordance with this Privacy Policy. If You do not agree with this Privacy Policy, please do not use the Service.

California residents should review the section entitled "California Privacy Rights (CCPA/CPRA)." Users in the European Economic Area should review the sections entitled "Legal Bases for Processing (GDPR)" and "European Union (GDPR) Rights."

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

Important: We do not store full payment card numbers or bank account credentials on our own servers. These sensitive financial details are handled directly and securely by our Payment Processors.

Health and Fitness Data

To provide our fitness Challenge features, We collect health and fitness data from Your device, including but not limited to:

This data is collected through integration with Apple HealthKit. We only access health data that You explicitly grant permission for Us to access.

We use industry-standard security measures, including encryption in transit (TLS) and at rest, to protect health and fitness data. Your data is transmitted securely and stored in protected databases.

Important Limitations on Use of Health Data:

We use health and fitness data ONLY to:

You can revoke our access to Your health data at any time through Your device's privacy settings (Settings > Privacy & Security > Health on iOS). If You revoke access, You will no longer be able to participate in Challenges that require fitness tracking.

Important: We rely on Apple HealthKit's aggregated step count and cannot independently verify the accuracy of data reported by Your devices, sensors, or any third-party application that writes to HealthKit. Step counts and activity metrics may vary between devices and tracking methods.

Apple HealthKit Disclosure

Steppa uses Apple HealthKit to read step counts and activity data that You authorize through iOS permissions. We do not write any data to HealthKit. HealthKit data is only used to:

HealthKit data is never used for marketing, advertising, advertising measurement, or data brokerage, and is never used for other use-based data mining unrelated to providing the Service.

HealthKit data is never sold or shared with third parties except service providers acting strictly on our behalf (such as our database provider).

You can revoke HealthKit access at any time in iOS Settings > Privacy & Security > Health > Steppa. Revoking access will prevent You from participating in fitness Challenges.

Financial and Transaction Data

We collect and process financial information related to Your participation in paid Challenges, including:

We retain financial records as required by law, including for tax reporting purposes. For U.S. users, We may be required to report winnings of $600 or more per calendar year to the Internal Revenue Service.

Fraud Prevention and Payment Fingerprinting

To prevent abuse of promotions, multiple-account fraud, and payment fraud, We collect and process:

This data is used solely for fraud prevention, security, and enforcement of our Terms and Conditions. It is not used for marketing or shared with advertisers.

Referral and Invite Information

If You refer a friend or share an invite code, We collect the information needed to operate the referral program, such as the referral code used, the connection between referring and referred Accounts, and the status of any associated Promotional Credits. We use this information solely to administer the referral program and to detect referral abuse. If an invite feature asks You to provide a contact's email address or similar information, We use it only to deliver the invitation and any related reminders, and the recipient may contact support@playsteppa.com to have their information removed.

Notification Tokens and Communication Preferences

If You enable push notifications, We collect Your device push notification token and Your notification preferences to send You transactional and (if You have not opted out) marketing communications about Challenges, results, and other Service-related information. Notification tokens are retained while Your Account is active and deleted when Your Account is deleted or You revoke push permissions.

Community Content and Information Visible to Other Users

The Service includes features that display certain information to other users. Information that may be visible to other participants in a Challenge and, for public Challenges, to other users of the Service includes Your display name, username, profile photo or avatar, and Your Challenge progress and results where the Challenge displays them (for example, on a leaderboard). Information shown to other users can be read, collected, or re-shared by others, and We cannot guarantee that other users will respect its confidentiality. Do not make public any information You consider private. We are not responsible for information You voluntarily disclose to other users of the Service.

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

Cookies and Tracking Technologies

Our website (playsteppa.com) uses only essential cookies necessary for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies on our website.

Our mobile Application does not use cookies but may use similar technologies (such as device identifiers) for authentication, session management, and fraud prevention.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

We do not sell Your Personal Data, and We do not share Your Personal Data with third parties for cross-context behavioral advertising.

Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

Specifically:

Sharing Your Personal Data with Third Parties

We share Your personal data with the following third-party service providers who help Us operate the Service:

These service providers have access to Your Personal Data only to perform specific tasks on our behalf and are obligated to protect Your information and use it only for the purposes We specify. We do not permit our service providers to use Your individual-level health data for their own purposes, including advertising or the training of artificial intelligence models.

Disclosure of Your Personal Data

Law Enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other Legal Requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. Our primary data hosting infrastructure is located in the United States. This information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.

Where We transfer Personal Data of users located in the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision, We rely on appropriate safeguards such as Standard Contractual Clauses with our Service Providers, alongside supplementary technical and organizational measures. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service, including the ability to delete Your Account.

You may update, amend, or delete Your information at any time by contacting Us to request access to, correct, or delete any personal information that You have provided to Us. We will respond to verified requests within the timeframes required by applicable law.

Please note, however, that We may need to retain certain information when We have a legal obligation or lawful basis to do so, including the financial, fraud-prevention, tax, and unclaimed-property records described under "Retention of Your Personal Data."

Security of Your Personal Data

The security of Your Personal Data is important to Us. We implement industry-standard security measures to protect Your information, including:

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Legal Bases for Processing (GDPR)

If You are located in the European Economic Area (EEA), We process Your Personal Data based on the following legal grounds:

Your Privacy Rights

Access and Control

You have the following rights regarding Your Personal Data:

To exercise these rights, contact Us at support@playsteppa.com. We may need to verify Your identity before fulfilling a request. You may also designate an authorized agent to make a request on Your behalf, subject to verification.

California Privacy Rights (CCPA/CPRA)

If You are a California resident, You have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Categories of Personal Information collected in the preceding 12 months: identifiers (name, email, phone, device identifiers, IP address); financial information (transaction history, balances, hashed payment fingerprints; full payment credentials are handled by our Payment Processors); health and fitness data (step counts, activity records); commercial information (Challenge entries, payouts); internet or network activity (Usage Data); geolocation inferred from IP address at a coarse level; and inferences used solely for fraud prevention. We collect these categories from You, Your device, Apple HealthKit, and our Payment Processors, for the business purposes described in "Use of Your Personal Data," and We disclose them to the Service Providers listed in "Sharing Your Personal Data with Third Parties" for business purposes only. We have not sold or shared (for cross-context behavioral advertising) Personal Information in the preceding 12 months.

Global Privacy Control: Because We do not sell or share Personal Data, opt-out preference signals such as Global Privacy Control do not change how We process Your data; if our practices ever change, We will honor such signals as required by law.

To exercise Your California rights, email Us at support@playsteppa.com with "CCPA Request" in the subject line. We will verify and respond to Your request within the timeframes required by law (generally 45 days, extendable once by an additional 45 days with notice).

Other U.S. State Privacy Rights

If You reside in another U.S. state with a comprehensive privacy law (for example, Virginia, Colorado, Connecticut, Texas, or Oregon), You may have similar rights of access, correction, deletion, portability, and the right to appeal a refusal. To exercise these rights or appeal a decision, contact support@playsteppa.com with "Privacy Request" in the subject line.

European Union (GDPR) Rights

If You are located in the European Economic Area (EEA), You have rights under the General Data Protection Regulation (GDPR), including:

You also have the right to lodge a complaint with Your local supervisory authority. To exercise Your GDPR rights, contact Us at support@playsteppa.com.

Data Breach Notification

In the event of a data breach that affects Your Personal Data, We will notify You and any applicable regulators without undue delay, in the manner and within the timeframes required by applicable law. Where notification to You is required, it will describe, to the extent known:

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy, and any recipient will be required to honor commitments at least as protective as those in this Privacy Policy with respect to previously collected Personal Data.

Children's Privacy and Age Restrictions

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18.

Participation in paid Challenges requires users to be at least 18 years old. We rely on user self-attestation of age at registration and may, at our discretion, require additional verification. If You are under 18, You may not use the Service or participate in Challenges.

If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us immediately. If We become aware that We have collected Personal Data from anyone under the age of 18, We will take steps to delete that information and terminate the account.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on our Service prior to the change becoming effective, and We will update the "Last updated" date at the top of this Privacy Policy. Use of information We collect is subject to the Privacy Policy in effect at the time such information is used.

Contact Us

If You have any questions about this Privacy Policy, You can contact Us:

Data Protection Contact

For privacy-related inquiries, data protection matters, or to exercise Your privacy rights, You may contact our Data Protection contact at: support@playsteppa.com

Please include "Privacy Request" or "Data Protection" in Your subject line to ensure prompt handling of Your inquiry.