Privacy Policy
Effective date: 27 April 2026
Introduction
This Privacy Policy explains how StepScroll ("we", "us", or "our") collects, uses, stores, and shares personal data when you use our iOS mobile application (the "App") and related services (together, the "Services"). We are committed to protecting your privacy and complying with applicable data protection laws, including the UK GDPR, the EU GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
By using the Services, you acknowledge that you have read this Privacy Policy. If you do not agree, please do not use the Services.
Data controller
The data controller responsible for your personal data is the operator of StepScroll, contactable at contact@stepscroll.dev. For EU/UK matters, you may reach our privacy contact at the same address.
Data we collect
We collect only what is reasonably necessary to provide and improve the Services, comply with law, and keep your account secure.
Health and activity data (Apple HealthKit)
With your explicit permission, the App may read step count and related activity metrics from Apple HealthKit on your device. HealthKit data is used solely to operate core App features (for example, converting steps into screen time allowances). We do not use HealthKit data for advertising, sale, or data brokering. HealthKit data is accessed in read-only form as permitted by Apple's HealthKit guidelines.
Account and authentication data (Supabase)
If you create an account, we process authentication identifiers such as your email address and/or Apple Sign In tokens/identifiers as processed by Supabase, our authentication provider. We may also process security logs related to sign-in events (for example, timestamps and device metadata necessary to secure accounts).
Subscription and billing data (RevenueCat)
Subscription status, trial eligibility, renewal dates, purchase receipts, and related transaction metadata may be processed by RevenueCat on our behalf to manage in-app purchases and entitlements. We do not receive your full payment card details from RevenueCat; payments are handled by Apple.
Product analytics (PostHog)
We use PostHog to understand how the App is used in aggregate (for example, funnels, feature adoption, crash diagnostics where enabled). Analytics are configured to emphasise privacy-preserving practices and to avoid collecting sensitive HealthKit fields as analytics events. Where possible, analytics events are pseudonymous and minimised.
Push notification tokens
If you opt in to notifications, Apple provides a device push token so we can deliver messages such as trial reminders and daily prompts. You may disable notifications at any time in iOS settings.
Support communications
If you contact us, we will process your email content and metadata needed to respond.
How we use personal data
- To provide, operate, and secure the App and its features.
- To authenticate users, manage sessions, and prevent fraud or misuse.
- To validate subscriptions, trials, renewals, cancellations, and refunds in line with platform rules.
- To send transactional and service messages, including push notifications you have consented to (such as trial ending reminders and daily reminders).
- To improve reliability and usability through analytics and diagnostics.
- To comply with legal obligations and enforce our Terms of Service.
Legal bases (UK & EU)
Where UK GDPR / EU GDPR applies, we rely on one or more of the following:
- Contract: processing necessary to provide the Services you request (for example, account creation, subscription management).
- Consent: where required (for example, HealthKit access, certain analytics or marketing communications if ever offered).
- Legitimate interests: securing the Services, preventing abuse, improving performance, and understanding aggregate usage, balanced against your rights.
- Legal obligation: where we must retain or disclose information to comply with law.
Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including legal, accounting, and reporting requirements. Health and activity metrics are primarily processed on your device; where copies exist in our systems, they are retained according to operational need and then deleted or anonymised where feasible. Aggregated statistics may be retained without identifying you.
International transfers
Our service providers may process data in the United Kingdom, the European Economic Area, the United States, and other countries. Where data is transferred from the UK/EEA to countries not deemed adequate, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where required.
Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. No method of transmission over the internet is completely secure; you use the Services at your own risk to the extent permitted by law.
Your rights (UK & EU)
Subject to conditions and exemptions in applicable law, you may have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erase data ("right to be forgotten") in certain cases.
- Restrict processing in certain cases.
- Object to processing based on legitimate interests.
- Obtain data portability for data you provided, where processing is automated and based on consent or contract.
- Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing).
- Lodge a complaint with a supervisory authority.
To exercise these rights, contact contact@stepscroll.dev. We may need to verify your identity before responding.
California privacy rights (CCPA/CPRA)
If you are a California resident, you may have rights to know, access, delete, and correct personal information, and to opt out of certain sharing (including "sale" or "sharing" as defined by law). We do not knowingly sell or share personal information for cross-context behavioural advertising as part of the App's core operation as described here. You may designate an authorised agent where permitted by law.
You can contact us at contact@stepscroll.dev to submit a request. We will not discriminate against you for exercising your privacy rights.
Children
The Services are not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to delete it.
Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version in the App and/or on https://stepscroll.dev and update the effective date. Where changes are material and consent is required by law, we will seek consent as appropriate.
Contact
Questions about this Privacy Policy or your data: contact@stepscroll.dev