Privacy Policy

We at StepsApp respect your privacy. We are glad to tell you more about which data is accessed, how it is used, and which services we use to enhance your StepsApp experience.

Privacy Policy – StepsApp GmbH

Version: 1.0
Last updated: [DATE]

This privacy policy is drafted in accordance with the General Data Protection Regulation (EU 2016/679) and applicable national data protection laws.

1. Data Controller

Company name: StepsApp GmbH
Address: Schuberstraße 6a, 8010 Graz, Austria
Email: info@steps.app
Website: https://steps.app
Support: https://steps.app/en/support/pedometer/ios

2. Scope & Purpose of Processing

Purpose | Data Categories | Legal Basis | Retention Period | Recipients / Transfers
Core app functionality | steps, distance, activity time, weight, height, age, sex, step goal, locale, timezone, language, IDFV, installation_id | Performance of contract | 3 years after last sync | Apple HealthKit (USA), GCP (USA), AWS (USA)
User profiles (default) | username, auto-generated avatar (letters + color) | Performance of contract | 3 years after last sync | Stored on GCP/AWS (USA)
Optional profile features | user-uploaded avatar image, social links (added manually) | Legitimate interest (optional features, user-controlled) | 3 years after last sync | Visible to other users, stored on USA servers
Messaging (direct/group) | chat messages, media files, sender ID, recipient ID, group name, group avatar | Legitimate interest (user-initiated functionality) | 3 years after last sync | Stored on private encrypted GCP buckets
Step import (Apple HealthKit) | step counts and related metrics if import enabled | Performance of contract | Until disabled or account deleted | Local or cloud storage
Analytics | device info, app usage, crash logs, locale, timezone, language | Legitimate interest (service improvement) | 3 years aggregated; 15 days raw logs | Firebase (USA – SCC/DPF), Sentry (USA – SCC), internal servers
Crash/log reporting | device model, OS version, error messages, stack traces | Legitimate interest (bug resolution, improved stability) | 15 days | Sentry (USA – SCC), Google Cloud (USA)
Push notifications & debugging | notification content (encrypted at rest), locale, timezone | Legitimate interest (timely & relevant delivery) | 15 days | Google Cloud (USA)
Advertising | IDFA, IDFV, usage behavior, locale | Legitimate interest (based on user agreement to terms) | 3 years or until opt-out | Google AdMob (USA – SCC/DPF), Meta Ads (USA – SCC/DPF), Gravite (EEA)
In‑App Purchases | anonymized purchase receipts, locale | Performance of contract | 6 years after account closure | RevenueCat (USA – SCC), Superwall (USA)
Leaderboard / Challenges | step counts, username, optional avatar and description | Performance of contract | Until opt-out or deletion | Visible to other users, stored in USA
Newsletter | email address, preferences | Consent | Until withdrawal | Internal mailing system (EEA compliant)

3. Consent & Legal Basis

  • Core functionality is processed under the performance of a contract accepted during account creation.
  • Optional features (profile pictures, social links, messaging) are processed under legitimate interest, with full user control.
  • Step data can be imported from Apple HealthKit or the device pedometer under the performance of contract. Access to Apple HealthKit requires explicit user permission via iOS.
  • Newsletter subscriptions require separate opt-in consent.
  • You may object to processing based on legitimate interest (e.g., analytics, advertising) at any time via in-app settings or by contacting info@steps.app.

4. International Data Transfers & Safeguards

Provider | Purpose | Certified | Transfer Mechanism | Privacy Policy
Google (Firebase, AdMob, Cloud) | Hosting, analytics, ads | ✅ Yes | SCC + EU–U.S. DP Framework (DPF list) | policies.google.com
Meta Ads | Advertising | ✅ Yes | SCC + DPF | facebook.com/privacy/policy
Sentry | Crash reporting | ✅ Yes | Standard Contractual Clauses | sentry.io/privacy
RevenueCat | Subscription management | ✅ Yes | Standard Contractual Clauses | revenuecat.com/privacy
Superwall | Monetization testing | | No PII transfers | superwall.com/privacy
Gravite | Advertising (EEA-hosted) | Not needed | No transfer outside the EEA | gravite.net/data-privacy

All transfers are encrypted. You may request copies of applicable SCCs or DPF certifications by contacting info@steps.app.

5. User Rights

You have the right to:

  1. Access, rectify, erase, or restrict your data
  2. Data portability
  3. Object to processing based on legitimate interest
  4. Withdraw consent at any time
  5. Lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at) or your local supervisory authority

Contact: info@steps.app or via in-app settings.

6. Data Retention

  • Last interaction = the last time steps were synced to the server.
  • User data is retained for up to 3 years due to common reactivation patterns (e.g., New Year's resolutions).
  • Crash logs, analytics logs, and push data are retained for up to 15 days.

7. Security Measures

  • Data in transit and at rest is encrypted.
  • Passwords are hashed and salted using Argon2 (RFC 9106).
  • Text content in chat messages is encrypted with AES-GCM.
  • Media files are stored in private, encrypted GCS buckets (time-limited access tokens).
    • Group files are only accessible by group members.
    • Users can delete sent files by deleting messages in the chat.
    • If a user deletes a chat, the sent files are still kept, as the other user might want to keep the chat.

8. Children

This app is not intended for users under 16 in the EU or 13 elsewhere.
If you are not over the applicable age, DO NOT DOWNLOAD OR USE THE SERVICES.

9. Cookies & Tracking

Type | Purpose | Providers
Analytics | App performance & behavior | Firebase, Sentry, internal
Advertising | Personalized targeting | Google AdMob, Meta Ads
Attribution | Campaign performance | Gravite
Device IDs | User profiling | Apple IDFV, IDFA, installation_id

On iOS, we use Apple's ATT prompt:
"Allow StepsApp to track your activity across other companies' apps and websites?"

Users can deny tracking at any time via iOS privacy settings or by contacting us at info@steps.app.

You may also disable analytics and crash reporting in the app under:
Settings > Privacy Policy > Crash Logs / Usage Statistics / Personalized Ads
Additionally, you may disable personalized tracking at the operating system level:
iOS > Settings > Privacy & Security > Tracking

A full list of third-party SDKs and processors includes:

Service | Purpose | Location
Firebase | Analytics, crash logging, cloud backend | USA – SCC/DPF
Sentry | Crash reporting | USA – SCC
Google Cloud | Infrastructure, notification delivery | USA – SCC/DPF
AWS | Infrastructure hosting | USA – SCC
AdMob | Advertising | USA – SCC/DPF
Meta Ads | Advertising | USA – SCC/DPF
Gravite | Advertising | EEA (no transfer)
RevenueCat | In-app purchases & subscription handling | USA – SCC
Superwall | Paywall & monetization A/B testing | USA

Users may disable analytics and crash reporting in-app (Settings → Privacy Policy) and can also opt out at the operating system level:
iOS → Settings → Privacy & Security → Tracking

10. Profiling & Minimisation

We use behavioral data to generate rankings in leaderboards and challenges and to send motivational notifications. This profiling is based on our legitimate interest and does not result in decisions with legal or similarly significant effects.

Users can disable leaderboard/challenge functionality under Settings → My Profile, and notifications can be managed more granularly under Settings → My Profile → Notifications.

A Legitimate Interests Assessment confirms this processing is balanced and respectful of user rights. A copy is available on request at info@steps.app.

11. Other Apps by StepsApp GmbH

Some of our applications may differ in how data is used and processed. Below are additional providers and the differences in comparison to StepsApp for other StepsApp GmbH apps:

CalApp

Purpose: Provide personalized nutritional feedback using OpenAI.

Shared Data: user input (e.g., meals), age, gender, weight, language
Legal Basis: Performance of contract
Retention: Up to 30 days (API inputs retained for abuse monitoring)
Recipient / Transfer: OpenAI (USA – SCC)

Provider | Purpose | Certified | Transfer Mechanism | Privacy Policy
OpenAI | Nutritional analysis/assistant | ✅ Yes | SCC + EU–U.S. DPF | openai.com/privacy

Notes:

  • OpenAI retains API data for up to 30 days for abuse monitoring, after which it is deleted.
  • Users interact directly; no automated decisions are made.
  • Transfers are encrypted and protected under SCCs.

12. Contacts & Representatives

  • No Data Protection Officer (DPO) is required.
  • Contact info@steps.app for privacy-related inquiries.

13. Policy Versioning & Changes

  • Version: 1.0
  • Last Updated: [DATE]
  • Significant updates will be announced in-app and on our website.
  • Previous versions are available upon request via info@steps.app.

StepsApp Pedometer App - Pedometer and Calorie Counter

More than 20 million users already use StepsApp.
StepsApp turns your phone into a simple and attractive pedometer.
Just put your phone in your pocket and go.