Legal

Privacy Policy

App: Stepper  ·  Developer: Daniel Ryman  ·  Last updated: February 2026

1. Overview

This Privacy Policy explains what data Stepper collects, how it is used, and your rights. By using Stepper you agree to this policy.

This policy covers users worldwide, including those protected by the UK GDPR, EU GDPR, and the California Consumer Privacy Act (CCPA).

2. Data We Collect

2.1 Health & Fitness Data (HealthKit)

Stepper reads the following data from Apple HealthKit with your explicit permission:

• Step count and daily step history
• Walking and running distance
• Workout sessions (walking, running, hiking) including duration, distance, route, heart rate, and calories
• Active energy burned, exercise minutes, and stand hours (activity rings)
• Weight entries
• Cardio fitness (VO2 max)

This data never leaves your device except as described in section 3. It is not sold or shared with advertisers.

2.2 Account Information

If you choose to sign in with Apple:

• Your display name (as provided by Apple)
• A unique user identifier (anonymised by Apple)
• Profile photo (if you add one within the app)

Sign-in is optional. Most features work without an account.

2.3 Social & Activity Data

If you use the Friends and Challenges features, the following is stored on our servers:

• Your display name and profile photo
• Step counts synced daily for the friends leaderboard
• Friend connections (who you are friends with)
• Friend challenge records (goal, start/end dates, progress)

2.4 Location Data

Stepper accesses your location only in the following cases:

• Territory feature: your GPS route while the recording screen is active, to colour in map tiles
• Workout routes: GPS data recorded during tracked workouts (stored in HealthKit)
• Challenge map picker: one-time reverse geocoding to name a destination

Location is not tracked in the background except during an active workout or territory recording session.

2.5 Screen Time Data (Focus Mode)

The Focus Mode feature uses Apple's FamilyControls framework. App selections made in Focus Mode are stored using opaque system tokens and never leave your device. Stepper cannot read which specific apps you have selected — only the iOS system can interpret those tokens. No app selection data is sent to our servers.

2.6 Push Notification Token

If you grant notification permission, your APNs device token is stored on our servers solely to deliver social notifications (friend requests, challenge updates). It is never used for marketing.

2.7 Diagnostics & Crash Reports (Sentry)

Stepper uses Sentry for crash reporting and stability monitoring. This may include:

• Crash stack traces
• Anonymous breadcrumb events (e.g. "workout started", "goal changed") — no health values are included
• Device type and iOS version

Sentry data is processed by Functional Software, Inc. under their Privacy Policy.

2.8 Purchase Information (RevenueCat)

Stepper uses RevenueCat to manage the Stepper Pro subscription. RevenueCat receives:

• A pseudonymous user identifier
• Purchase and subscription status (from the App Store receipt)

RevenueCat does not receive your name, email, or health data. See their Privacy Policy.

3. How We Use Your Data

Data	Purpose
HealthKit data	Display your stats, streaks, achievements, and widget
Account info	Identify you on the social leaderboard
Social data	Friends list, challenges, leaderboard
Location	Territory map, workout route display
Push token	Deliver social and reminder notifications
Diagnostics	Fix crashes and improve stability
Purchase info	Unlock Stepper Pro features

We do not use your data for advertising, profiling, or any purpose beyond operating the app.

4. Data Storage & Security

Data	Stored
HealthKit data	On your device (Apple's HealthKit store)
Screen Time / Focus Mode selections	On your device only
Social data, push tokens	Supabase (EU region)
Crash reports	Sentry (EU region)
Purchase status	RevenueCat (United States)
App settings, streak, goals	On your device (UserDefaults)

All server communication uses TLS. Supabase enforces Row Level Security so users can only access their own data and data shared with friends.

5. International Data Transfers

Some of our third-party processors are based outside your country. Where personal data is transferred internationally, we rely on appropriate safeguards:

• Supabase — data stored in the EU; subject to EU GDPR adequacy provisions
• RevenueCat — based in the United States; transfers covered by Standard Contractual Clauses (SCCs)
• Sentry — data stored in the EU; subject to EU GDPR adequacy provisions

6. Third-Party Services

Service	Purpose	Privacy Policy
Apple HealthKit	Health data	apple.com/privacy
Apple Sign In	Authentication	apple.com/privacy
Apple Screen Time	Focus Mode app blocking	apple.com/privacy
Supabase	Social features backend	supabase.com/privacy
RevenueCat	Subscription management	revenuecat.com/privacy
Sentry	Crash reporting	sentry.io/privacy

7. Data Retention

• Social profile & activity data: retained while your account is active. You can delete your account at any time from Settings → Account → Delete Account, which permanently removes all social data from our servers.
• Push tokens: deleted when you delete your account or sign out.
• Crash reports: retained by Sentry for 90 days.
• HealthKit data: managed entirely by Apple on your device.

8. Your Rights

UK & EU Users (UK GDPR / EU GDPR)

You have the right to:

• Access the personal data we hold about you
• Rectification of inaccurate data
• Erasure ("right to be forgotten") — delete your account in Settings
• Restriction of processing
• Data portability
• Object to processing

To exercise these rights, email support@stepper.fit. We will respond within 30 days.

UK users may lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

EU users may lodge a complaint with your local Data Protection Authority (DPA).

California Users (CCPA)

California residents have the right to:

• Know what personal information is collected and how it is used
• Delete personal information we hold about you
• Opt out of the sale of personal information — we do not sell personal information to third parties
• Non-discrimination for exercising your privacy rights

To make a CCPA request, email support@stepper.fit with the subject line "CCPA Request". We will respond within 45 days.

9. Children's Privacy

Stepper is not directed at children. The minimum age to use the social features is 13 (or 16 in countries where EU GDPR applies a higher age of digital consent). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via an in-app notice. Continued use of the app after changes constitutes acceptance.

11. Contact

Daniel Ryman
Email: support@stepper.fit