Privacy Policy for Steppa
Last Updated: December 16th, 2025
Steppa ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use the Steppa mobile application (the "App").
By using Steppa, you agree to the collection and use of information in accordance with this policy.
Information We Collect
Account Information
When you create an account, we collect:
- Email address (required for account creation and authentication)
- Username (required, visible to other users)
- User ID (Firebase UID - automatically generated unique identifier for your account)
- Account creation timestamp
After account creation, you may optionally provide:
- Avatar image or gradient colors
- Step goals (daily, weekly, monthly, yearly targets)
- Email verification status
Health Data (iOS)
Steppa accesses the following health data from Apple HealthKit:
- Step counts (hourly and daily data)
- Distance walking/running (hourly and daily data)
We only READ data from HealthKit - we do not write data back to HealthKit. The original health data remains in Apple's HealthKit database. We sync aggregated daily step totals from HealthKit to our servers for rankings and statistics.
You can revoke HealthKit permissions at any time in iOS Settings. The app will continue to function with reduced functionality if permissions are revoked.
Step Data
We collect and store:
- Daily step counts (aggregated daily totals)
- Step history (historical daily records)
- Step statistics (daily, weekly, monthly, yearly totals, all-time totals, daily averages)
This data is synced from HealthKit (iOS) or device motion sensors (Android) to our servers for rankings and cross-device access.
Rankings Data
Steppa features competitive rankings that are public by default. All user accounts appear in rankings unless set to private.
Rankings display:
- Username
- Avatar (if set)
- Step counts for selected time period
- Rank position
Rankings are calculated and updated hourly. You can set your account to private in Profile Settings to opt out of all rankings (world rankings and group rankings). Privacy changes take effect after the next rankings update cycle.
Groups Data
If you participate in groups, we collect:
- Group membership information (role, join date, activity status)
- Group invitations (sender, recipient, status, expiration)
Public groups are visible to all authenticated users. Private groups are only visible to active members.
Device Information
We collect device information for error tracking and app functionality:
- Device type and model
- Operating system version
- App version
- Device ID (for account security)
Location Information
Our error monitoring service (Sentry) automatically collects coarse location data (city and state) derived from your IP address for debugging purposes. We do not collect precise location data (GPS coordinates) or use location data for any purpose other than error tracking and debugging.
Analytics and Error Tracking
We use two monitoring systems:
1. Sentry (Error Monitoring)
- Error messages and stack traces
- Device information
- Operation breadcrumbs
- Performance metrics
- Coarse location data (city, state) derived from IP address
- Sentry assigns anonymous user IDs that do not match your Firebase account and cannot be used to identify you
2. Custom Analytics
- User actions (tab navigation, feature usage)
- Function calls (for performance monitoring)
- Feature interactions
- We track only: event type, identifier (button/screen/function names), app version
- We do NOT track user IDs or email addresses
How We Use Your Information
We use the information we collect to:
- Provide step tracking and statistics
- Calculate and display rankings and competitions
- Enable group features and competitions
- Authenticate your account and manage your profile
- Sync your data across devices
- Monitor app performance and fix bugs
- Improve the app experience
Data Storage
Your data is stored in:
- Firebase (Google Cloud): User accounts, step data, rankings, groups
- Apple HealthKit (iOS): Original health data remains in Apple's HealthKit database
- Sentry: Error logs and performance data (30-day retention)
- Local device: Cached data and preferences
Data Sharing
Public Data
The following information is visible to all authenticated users:
- World rankings: Username, avatar, step counts, rank position
- Public group information: Group name, description, member count, group rankings
You can opt out of rankings by setting your account to private.
Group Data
- Public groups: Rankings visible to all authenticated users (even non-members)
- Private groups: Rankings only visible to active members
Third-Party Services
We use the following third-party services:
- Firebase/Google Cloud: Hosts user data, step data, and rankings (subject to Google Cloud privacy policies)
- Sentry: Receives error logs and performance data (subject to Sentry privacy policy)
- Apple HealthKit: Health data stored in Apple's HealthKit database (subject to Apple's privacy policies)
We do not sell your data to third parties.
Your Rights and Choices
Privacy Controls
- You can set your account to private in Profile Settings to exclude yourself from all rankings
- You can control your avatar visibility
- Your username is always visible (required for account identification)
Data Access
You can:
- View all your personal data through the app
- Access your step history and statistics
- View your group memberships
- See your ranking positions
Data Deletion
You can delete your account at any time. Account deletion will remove:
- User profile data
- Step data
- Group memberships
- Rankings data
Some data may be retained in backups for a limited period as required by law or for business purposes.
HealthKit Permissions
You can revoke HealthKit permissions at any time in iOS Settings. You can re-grant permissions at any time.
Data Security
We implement security measures to protect your information:
- Firebase Authentication for secure user accounts
- Data encrypted in transit and at rest via Firebase
- Firestore security rules restrict data access
- Device-based account locking for security
Children's Privacy
Steppa is not intended for users under 13 years of age. We do not knowingly collect data from children under 13. If we become aware that we have collected data from a child under 13, we will delete that data.
Changes to This Privacy Policy
We may update this Privacy Policy periodically.
Continued use of the app after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us through the app's support section.