About This Policy
This Consumer Health Data Privacy Policy is a standalone disclosure required by the Washington My Health My Data Act (RCW 19.373), Nevada Senate Bill 370, and the Connecticut Data Privacy Act. It describes how StepSavvy LLC ("StepSavvy," "we," "us," or "our") collects, uses, shares, and protects consumer health data. The App is currently distributed through an Apple App Store developer account held by Mahin Acharya, who operates the App on behalf of StepSavvy LLC pending transfer of that account to the LLC; references to "StepSavvy," "we," "us," or "our" include StepSavvy LLC and Mr. Acharya acting in that capacity.
This policy is separate from and supplements our general Privacy Policy. Where this policy addresses consumer health data specifically, its terms govern.
This policy applies to all consumers whose health data we collect, regardless of residency, and provides the rights and disclosures required under applicable state consumer health data laws.
This policy addresses data privacy only. StepSavvy is not a medical device and has not been evaluated by the U.S. Food and Drug Administration; for the full medical and regulatory disclaimers, see Sections 3 and 4 of our Terms of Service.
Effective Date: April 18, 2026 · Last Updated: June 16, 2026. The June 16, 2026 update reflects the addition of the AI Form Check and Foot Photo Analysis data flows, the biometric retention schedule, the expanded AI sharing-consent scope, and the minors disclosure.
Categories of Consumer Health Data We Collect
We collect the following categories of consumer health data, as defined under RCW 19.373.010:
Surgical & Medical History
Surgery type, surgery date, recovery phase
Chronic Health Conditions
Plantar fasciitis, Achilles tendinopathy, shin splints, and other foot, ankle, knee, and lower-extremity conditions
Pain Data
Body region, pain intensity (1–10 scale), pain type (sharp, burning, achy, throbbing, tingling, stiffness), body side (left, right, both)
Gait Analysis Data
Short walking videos you record in-app. The raw video file is uploaded to our secure cloud storage (Supabase) so you can replay your results with a skeleton overlay. On your device, we also extract biomechanical measurements (33 pose landmarks per frame, joint angles, cadence, foot strike pattern) and individual still frames; those extracted frames and landmarks are what we transmit to our AI analysis provider for interpretation.
Form Check Data
Short side-view videos of squat or bench press exercises that you record in-app, plus on-device biomechanics measurements (joint angles, range of motion, lockout completion, tempo) computed from those videos. The video plus measurements are sent to our AI analysis provider for one-shot analysis; the cloud copy is discarded after the result is returned. A local copy of the video and pose data is cached on your device for replay (capped at 30 sessions, oldest evicted).
Foot Photo Data
A back-of-foot photo you take in-app for foot type and arch description. The photo is sent to our AI analysis provider for one-shot classification; the cloud copy is discarded after the result is returned. We do not retain the photo on our servers.
Exercise & Physical Therapy Data
Exercise completion, adherence rates, daily plan progress
Recovery Metrics
Pain trends over time, recovery milestones, phase progression
Purposes for Collection and Use
We collect and use consumer health data for the following purposes:
- Generating personalized physical therapy recovery plans based on your surgery type and health conditions
- Providing AI-powered Gait Analysis and biomechanical feedback
- Providing AI Form Check — squat and bench press video analysis with form score, per-rep observations, and coaching cues
- Providing Foot Photo Analysis — descriptive foot type and arch classification from a back-of-foot photo
- Tracking pain patterns and monitoring recovery progress over time
- Generating recovery reports that you may choose to share with your healthcare providers
- Maintaining app functionality, security, and technical diagnostics
- Sending recovery-related communications, including welcome emails and weekly activity summaries
Categories of Sources
We collect consumer health data from the following categories of sources:
- Directly from you: Information you provide during onboarding (surgery type, conditions) and daily app use (pain logs, exercise completion)
- From your device — Gait Analysis: Short walking videos you record in-app. The video is uploaded to our secure cloud storage so the app can replay your results with a skeleton overlay. Individual still frames and pose landmarks extracted from the video are separately transmitted to our AI analysis provider for interpretation.
- From your device — Form Check: Short side-view videos of squats or bench press. The video plus on-device biomechanics measurements are transmitted to our AI analysis provider for one-shot analysis; the cloud copy is discarded after the result returns. A local copy is cached on your device for replay only.
- From your device — Foot Photo Analysis: A back-of-foot photo you take in-app. The photo is transmitted to our AI analysis provider for one-shot classification; the cloud copy is discarded after the result returns.
- Automated collection: Crash and error logs from error monitoring services, which may incidentally include app state information
Third Parties and Affiliates
The following third parties receive consumer health data from StepSavvy:
| Third Party | Category | Purpose | Data Received |
|---|---|---|---|
| Google LLC (Gemini API — Flash) | AI Analysis Processor | Gait interpretation, exercise recommendations with dosing, shoe compatibility, recovery report narratives. Google does not use submitted data to train AI models on the paid Gemini API. | Still frames extracted from walking videos, pose landmarks, pain context, biomechanical data, foot strike classification |
| Google LLC (Gemini API — Pro) | AI Analysis Processor | AI Form Check video analysis (squat / bench press) and Foot Photo classification. Google does not use submitted data to train AI models on the paid Gemini API and discards submitted media after returning the result. | Form Check videos plus on-device biomechanics measurements; foot photos for foot type / arch description |
| Google LLC (MediaPipe) | On-Device Processing | Body landmark detection from gait and Form Check videos. Runs entirely on the user’s device — the on-device pose pass itself does not send data to Google. | None (on-device only) |
| Functional Software Inc. (Sentry) | Error Monitoring Processor | Crash diagnostics | Technical error data only |
| Supabase Inc. | Cloud Infrastructure | Data storage and authentication | All consumer health data |
| Resend Inc. | Email Service | Recovery communications | Email address only (no health data in emails) |
| Serper (Google Search API) | Product Lookup Service | Receives shoe brand/model names for product lookup. No health data shared. | Shoe brand/model names only (no health data) |
| Google LLC (Sign in with Google) | Identity Provider | Optional Google Sign-In. When you choose this option, Google issues an identity token verifying your email; no health data is sent to Google. | Google account email only (no health data) |
| Apple Inc. (Sign in with Apple) | Identity Provider | Optional Sign in with Apple. Apple issues an identity token and, if you delete your account, we revoke your Apple refresh token so you can re-authorize StepSavvy in the future. | Apple ID / private relay email (no health data) |
| RevenueCat Inc. | Subscription Processor | Manages subscription entitlements. Receives an anonymous RevenueCat customer ID and your Apple IAP transaction metadata. No health data is sent to RevenueCat. | Anonymous subscription metadata only (no health data) |
StepSavvy has no corporate affiliates. We are an independently operated company with no parent company, subsidiaries, or affiliated entities that receive consumer health data.
Your Rights
Under applicable consumer health data privacy laws, you have the following rights:
- Right to Confirm: You may request confirmation of whether we collect, share, or sell your consumer health data.
- Right to Access: You may request a copy of the consumer health data we have collected about you.
- Right to a Third-Party List: You may request a list of all third parties and affiliates, including contact information, with whom we have shared your consumer health data during the prior 12 months.
- Right to Withdraw Consent: You may withdraw your consent to the collection and sharing of your consumer health data at any time.
- Right to Delete: You may request that we delete your consumer health data. Upon receiving a verified deletion request, we will delete your data from active systems within 30 days and from backup systems within an additional 6 months. We will direct all third parties who received your data to delete it as well.
How to Exercise Your Rights
Email: stepsavvy.app@gmail.com
In-app: Profile > Data & Privacy
We will respond to verified requests within 30 days, free of charge, up to twice per calendar year. We will not discriminate against you for exercising any of these rights.
Right to Appeal: If we deny your request, you may appeal by contacting us at stepsavvy.app@gmail.com. If you are unsatisfied with the outcome of an appeal, you may file a complaint with the Washington State Attorney General, the Connecticut Attorney General, or the Nevada Attorney General, as applicable.
Consent
We obtain your consent to collect, use, and share consumer health data as follows:
- Collection consent: Obtained when you voluntarily enter health information into the app (such as surgery type, conditions, and pain data); your act of entering this information to set up and use the recovery features is your affirmative consent to our collection and use of it for those features.
- Sharing consent: Obtained separately, before any health data is shared with our AI analysis provider, through an in-app consent modal presented the first time you use any AI feature that uploads health data — Gait Analysis, AI Form Check, or Foot Photo Analysis.
We do not sell consumer health data and therefore do not require sale authorization.
Your consent must be freely given, specific, informed, and unambiguous. We will never collect consumer health data without valid consent or a permissible legal basis.
Withdrawing Consent: You may withdraw your consent at any time by navigating to Profile > Data & Privacy within the app, or by emailing stepsavvy.app@gmail.com, without deleting your account. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
Children and Minors. StepSavvy requires all users to be at least 16 years old. We do not knowingly collect consumer health data from anyone under 16, and, consistent with the U.S. Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If we learn that we have collected consumer health data from someone under 16, we delete it promptly. If you believe a minor has provided us data, contact us at stepsavvy.app@gmail.com.
Geofencing
StepSavvy does not use geofencing technology in any form. We do not use GPS, cell tower data, Wi-Fi signals, Bluetooth beacons, or any other location technology to establish virtual boundaries around health care facilities, mental health facilities, reproductive health clinics, or any other physical locations.
This disclosure is made in compliance with RCW 19.373.080, which prohibits the use of geofencing around health care facilities for the purpose of collecting consumer health data.
Data Security
We implement administrative, technical, and physical security measures appropriate to the sensitivity of consumer health data, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest on our infrastructure provider's servers
- Access controls and authentication mechanisms to limit data access to authorized personnel
- Regular security reviews of our systems and practices
All third-party processors who receive consumer health data are contractually required to maintain appropriate security measures consistent with industry standards.
Data Retention
We retain your consumer health data only for as long as your account is active or as needed to provide you with our services.
Upon account deletion or a verified deletion request, your consumer health data is removed from active systems within 30 days and from backup systems within 6 months.
Biometric-Style Data Retention Schedule. Pose landmarks extracted from walking videos (which some jurisdictions may classify as biometric identifiers under laws such as Illinois’ Biometric Information Privacy Act) are retained for the duration of your active account so you can view your gait history. Upon account deletion, a verified deletion request, or the date on which the purpose for collection has been satisfied — whichever occurs first — pose landmarks are permanently deleted from active systems within 30 days and from backup systems within 6 months, but in no event later than 3 years following your last interaction with StepSavvy. This schedule, and the same consent, limited-purpose, and no-sale protections, also apply to any other data that may be construed as a biometric identifier — including the gait or pronation pattern inferred from your walking videos and the back-of-foot photographs used for foot-type classification — which are sent to Google’s Gemini API only to generate your result and whose cloud copy is discarded after processing.
You may request deletion of your consumer health data at any time by contacting us at stepsavvy.app@gmail.com, or through the in-app privacy settings.
Changes to This Policy
If we make material changes to this Consumer Health Data Privacy Policy, we will notify you before those changes take effect. Material changes include, but are not limited to, new categories of consumer health data collected, new purposes for collection, or new third parties with whom data is shared.
If we collect new categories of consumer health data or use existing data for materially different purposes, we will update this policy and obtain your affirmative consent before proceeding.
Contact Us
If you have questions about this Consumer Health Data Privacy Policy or wish to exercise your rights, please contact us:
StepSavvy LLC
Consumer Health Data Privacy Inquiries
stepsavvy.app@gmail.com
201 Rue Beauregard STE 202
Lafayette, LA 70508
Website: stepsavvy.app
We respond to verified requests within 30 days.