Privacy Policy
We at StepsApp respect your privacy. We are glad to tell you more about which data is accessed, how it is used, and which services we use to enhance your StepsApp experience.
Privacy Policy – StepsApp GmbH
Version: 1.0
Last updated: [DATE]
This privacy policy is drafted in accordance with the General Data Protection Regulation (EU 2016/679) and applicable national data protection laws.
1. Data Controller
Company name: StepsApp GmbH
Address: Schuberstraße 6a, 8010 Graz, Austria
Email: info@steps.app
Website: https://steps.app
Support: https://steps.app/en/support/pedometer/ios
2. Scope & Purpose of Processing
| Purpose | Data Categories | Legal Basis | Retention Period | Recipients / Transfers |
|---|---|---|---|---|
| Core app functionality | steps, distance, activity time, weight, height, age, sex, step goal, locale, timezone, language, IDFV, installation_id | Performance of contract | 3 years after last sync | Apple HealthKit (USA), GCP (USA), AWS (USA) |
| User profiles (default) | username, auto-generated avatar (letters + color) | Performance of contract | 3 years after last sync | Stored on GCP/AWS (USA) |
| Optional profile features | user-uploaded avatar image, social links (added manually) | Legitimate interest (optional features, user-controlled) | 3 years after last sync | Visible to other users, stored on USA servers |
| Messaging (direct/group) | chat messages, media files, sender ID, recipient ID, group name, group avatar | Legitimate interest (user-initiated functionality) | 3 years after last sync | Stored on private encrypted GCP buckets |
| Step import (Apple HealthKit) | step counts and related metrics if import enabled | Performance of contract | Until disabled or account deleted | Local or cloud storage |
| Analytics | device info, app usage, crash logs, locale, timezone, language | Legitimate interest (service improvement) | 3 years aggregated; 15 days raw logs | Firebase (USA – SCC/DPF), Sentry (USA – SCC), internal servers |
| Crash/log reporting | device model, OS version, error messages, stack traces | Legitimate interest (bug resolution, improved stability) | 15 days | Sentry (USA – SCC), Google Cloud (USA) |
| Push notifications & debugging | notification content (encrypted at rest), locale, timezone | Legitimate interest (timely & relevant delivery) | 15 days | Google Cloud (USA) |
| Advertising | IDFA, IDFV, usage behavior, locale | Legitimate interest (based on user agreement to terms) | 3 years or until opt-out | Google AdMob (USA – SCC/DPF), Meta Ads (USA – SCC/DPF), Gravite (EEA) |
| In‑App Purchases | anonymized purchase receipts, locale | Performance of contract | 6 years after account closure | RevenueCat (USA – SCC), Superwall (USA) |
| Leaderboard / Challenges | step counts, username, optional avatar and description | Performance of contract | Until opt-out or deletion | Visible to other users, stored in USA |
| Newsletter | email address, preferences | Consent | Until withdrawal | Internal mailing system (EEA compliant) |
3. Consent & Legal Basis
- Core functionality is processed under the performance of a contract accepted during account creation.
- Optional features (profile pictures, social links, messaging) are processed under legitimate interest, with full user control.
- Step data can be imported from Apple HealthKit or the device pedometer under the performance of contract. Access to Apple HealthKit requires explicit user permission via iOS.
- Newsletter subscriptions require separate opt-in consent.
- You may object to processing based on legitimate interest (e.g., analytics, advertising) at any time via in-app settings or by contacting info@steps.app.
4. International Data Transfers & Safeguards
| Provider | Purpose | Certified | Transfer Mechanism | Privacy Policy |
|---|---|---|---|---|
| Google (Firebase, AdMob, Cloud) | Hosting, analytics, ads | ✅ Yes | SCC + EU–U.S. DP Framework (DPF list) | policies.google.com |
| Meta Ads | Advertising | ✅ Yes | SCC + DPF | facebook.com/privacy/policy |
| Sentry | Crash reporting | ✅ Yes | Standard Contractual Clauses | sentry.io/privacy |
| RevenueCat | Subscription management | ✅ Yes | Standard Contractual Clauses | revenuecat.com/privacy |
| Superwall | Monetization testing | – | No PII transfers | superwall.com/privacy |
| Gravite | Advertising (EEA-hosted) | Not needed | No transfer outside the EEA | gravite.net/data-privacy |
All transfers are encrypted. You may request copies of applicable SCCs or DPF certifications by contacting info@steps.app.
5. User Rights
You have the right to:
- Access, rectify, erase, or restrict your data
- Data portability
- Object to processing based on legitimate interest
- Withdraw consent at any time
- Lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at) or your local supervisory authority
Contact: info@steps.app or via in-app settings.
6. Data Retention
- Last interaction = the last time steps were synced to the server.
- User data is retained for up to 3 years due to common reactivation patterns (e.g., New Year's resolutions).
- Crash logs, analytics logs, and push data are retained for up to 15 days.
7. Security Measures
- Data in transit and at rest is encrypted.
- Passwords are hashed and salted using Argon2 (RFC 9106).
- Text content in chat messages is encrypted with AES-GCM.
- Media files are stored in private, encrypted GCS buckets (time-limited access tokens).
- Group files are only accessible by group members.
- Users can delete sent files by deleting messages in the chat.
- In case a user deletes a chat, the sent files are still kept as the other user might want to keep the chat.
8. Children
This app is not intended for users under 16 in the EU or 13 elsewhere.
If you are not over the applicable age, DO NOT DOWNLOAD OR USE THE SERVICES.
9. Cookies & Tracking
| Type | Purpose | Providers |
|---|---|---|
| Analytics | App performance & behavior | Firebase, Sentry, internal |
| Advertising | Personalized targeting | Google AdMob, Meta Ads |
| Attribution | Campaign performance | Gravite |
| Device IDs | User profiling | Apple IDFV, IDFA, installation_id |
On iOS, we use Apple's ATT prompt:
"Allow StepsApp to track your activity across other companies' apps and websites?"
Users can deny tracking at any time via iOS privacy settings or contact us at info@steps.app.
You may also disable analytics and crash reporting in the app under:
Settings > Privacy Policy > Crash Logs / Usage Statistics / Personalized Ads
Additionally, you may disable personalized tracking at the operating system level:
iOS > Settings > Privacy & Security > Tracking
A full list of third-party SDKs and processors includes:
| Service | Purpose | Location |
|---|---|---|
| Firebase | Analytics, crash logging, cloud backend | USA – SCC/DPF |
| Sentry | Crash reporting | USA – SCC |
| Google Cloud | Infrastructure, notification delivery | USA – SCC/DPF |
| AWS | Infrastructure hosting | USA – SCC |
| AdMob | Advertising | USA – SCC/DPF |
| Meta Ads | Advertising | USA – SCC/DPF |
| Gravite | Advertising | EEA (no transfer) |
| RevenueCat | In-app purchases & subscription handling | USA – SCC |
| Superwall | Paywall & monetization A/B testing | USA |
Users may disable analytics and crash reporting in-app (Settings → Privacy Policy) and can also opt out at the operating system level:
iOS → Settings → Privacy & Security → Tracking
10. Profiling & Minimisation
We use behavioral data to generate rankings in leaderboard and challenges and to send motivational notifications. This profiling is based on our legitimate interest and does not result in decisions with legal or similarly significant effects.
Users can disable leaderboard/challenge functionality under Settings → My Profile, and notifications can be managed more granularly under Settings → My Profile → Notifications.
A Legitimate Interests Assessment confirms this processing is balanced and respectful of user rights. A copy is available on request at info@steps.app.
11. Other Apps by StepsApp GmbH
Some of our applications may differ in how data is used and processed. Below are additional providers and the differences in comparison to StepsApp for other StepsApp GmbH apps:
CalApp
Purpose: Provide personalized nutritional feedback using OpenAI.
Shared Data: user input (e.g., meals), age, gender, weight, language
Legal Basis: Performance of contract
Retention: Up to 30 days (API inputs retained for abuse monitoring)
Recipient / Transfer: OpenAI (USA – SCC)
| Provider | Purpose | Certified | Transfer Mechanism | Privacy Policy |
|---|---|---|---|---|
| OpenAI | Nutritional analysis/assistant | ✅ Yes | SCC + EU–U.S. DPF | openai.com/privacy |
Notes:
- OpenAI retains API data for up to 30 days for abuse monitoring, after which it is deleted.
- Users interact directly; no automated decisions are made.
- Transfers are encrypted and protected under SCCs.
12. Contacts & Representatives
- No Data Protection Officer (DPO) is required.
- Contact info@steps.app for privacy-related inquiries.
13. Policy Versioning & Changes
- Version: 1.0
- Last Updated: [DATE]
- Significant updates will be announced in-app and on our website.
- Previous versions are available upon request via info@steps.app.
