Introduction
StepSavvy LLC, a Louisiana limited liability company ("StepSavvy," "we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("the App"). StepSavvy LLC is the data controller responsible for your personal data.
StepSavvy is a physical therapy and recovery companion app that uses AI-powered gait analysis, exercise tracking, and personalized recovery plans. Because our App handles health-related data, we take extra care to ensure your information is secure and handled responsibly.
By using StepSavvy, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the App.
Information We Collect
We collect the following categories of information to provide and improve the StepSavvy experience:
Account Information
When you create an account, we collect your email address and an encrypted password. You may also authenticate using Apple Sign-In or Google Sign-In, in which case only your email address and name (if you choose to share it) are provided to us by those services. StepSavvy never receives or stores your Apple or Google password. We may also collect your name if you choose to provide it.
Waitlist & Marketing Information
If you sign up for our waitlist or early access list through our website, we collect your email address. We use this solely to notify you about product availability, early access opportunities, and important updates. You can request removal from the waitlist at any time by contacting us.
Health & Recovery Data
To personalize your recovery experience, we collect information about your surgery type, surgery date, recovery phase, and physical therapy progress, including your medical conditions (such as plantar fasciitis or other musculoskeletal conditions), affected side, condition duration, whether conditions were professionally diagnosed or self-reported, and current pain level and rehab phase. We also collect pain scores (0–10) and free-text notes recorded after each exercise session, foot pain location markers with anatomical mapping and severity ratings, and AI-derived biomechanical profiles including your gait pattern type, pronation assessment, foot strike pattern classification (heel/midfoot/forefoot), confidence level, and related reasoning factors. This data further includes exercise completion records, streaks, achievement badges, daily plans, and self-reported condition check-ins.
We also track your usage of AI-powered features (number of Form Check analyses, Foot Photo analyses, gait analyses, and other AI-driven features consumed) to enforce the monthly and free-trial usage caps associated with your subscription tier. This usage data is stored alongside your account information. Current caps are listed in our Terms of Service.
Photos & Videos
Gait Analysis videos. If you use AI Gait Analysis, we access your device camera or photo library with your permission to capture a short side-view walking video. The raw video is uploaded to our secure cloud storage (Supabase media bucket, scoped to your account) so you can replay your results with a skeleton overlay. On your device, we extract individual still frames and pose landmarks from the video; those extracted frames and landmarks are sent to Google's Gemini API for biomechanical interpretation.
Form Check videos. If you use AI Form Check (squats or bench press), the recorded video is uploaded to Google's Gemini API for one-shot analysis along with the on-device biomechanics measurements. Google discards the cloud copy after returning your result; we do not retain your Form Check video on our servers. A local copy stays cached on your device so you can replay your result on the saved-result detail page; the local cache is capped at 30 sessions across all exercises and the oldest are evicted automatically.
Foot Photo Analysis photos. If you use Foot Photo Analysis, the photo you take is uploaded to Google's Gemini API for one-shot classification. Google discards the cloud copy after returning your result; we do not retain the photo on our servers.
You can delete any saved analysis from within the app, and all uploaded media plus cached local copies are removed when you delete your account.
Device & Technical Information
We automatically collect certain technical information including device model, operating system version, app version, and general usage patterns (such as which features you use and how often). This helps us improve app performance and fix issues.
We also collect product interaction data including which features you use, exercise completion patterns, shoe closet interactions, badge and achievement unlocks, and general app usage patterns. This helps us improve the app experience and tailor features to your needs.
Crash & Diagnostic Data
We use crash reporting services to collect error logs, stack traces, and diagnostic data when the App encounters problems. This data does not include your personal health information and is used solely to identify and fix bugs.
Apple Health Data
Apple Health (read-only, optional): If you tap “Connect Apple Health” in the Closet, StepSavvy requests read-only access to your walking and running distance (DistanceWalkingRunning) so we can attribute mileage to a shoe you choose and track shoe wear. We only read this single distance metric; we never write any data to Apple Health, never store it in iCloud, and never use it for advertising, sell it to data brokers, or share it with third parties for marketing. Connecting Apple Health is entirely optional and the app works fully without it.
Shoe & Footwear Data
If you use the shoe closet feature, we collect information about your shoes including brand, model, category, fit ratings, comfort assessments, pain areas associated with specific shoes, usage frequency, and cumulative mileage (which may be imported from Apple Health with your permission). This data is used to track shoe wear, provide replacement recommendations, and personalize shoe suggestions based on your gait analysis.
Biometric-Style Data (Pose Landmarks, Gait & Pronation Signature, Foot Photos)
When you use our AI gait analysis feature, Google MediaPipe BlazePose runs on your device to extract 33 body landmark positions from each frame of your walking video. These pose landmarks are used exclusively to compute biomechanical measurements (joint angles, cadence, foot strike pattern) and to generate gait analysis results.
The gait and pronation “signature” that the App infers from your walking video, and the back-of-foot photographs used by Foot Photo Analysis, may likewise be treated as biometric identifiers under these laws. They receive the same protections described here and in our Illinois (BIPA) section — consent before collection, a limited and disclosed purpose, no use for identification or profit, no sale, and deletion on request.
Because some U.S. state laws (including Illinois’ Biometric Information Privacy Act and Texas’ Capture or Use of Biometric Identifier Act) may classify pose landmarks as biometric identifiers, we disclose the following: (a) Purpose: pose landmarks are used solely for on-device biomechanical analysis and AI gait interpretation, never for identification, surveillance, advertising, or profit; (b) Sharing: pose landmarks are shared only with Google (via the Gemini API) for biomechanical interpretation, as described in Section 7, and are stored with our cloud infrastructure provider (Supabase) to display your history; (c) Retention schedule: pose landmarks are retained for as long as your account is active so you can view your gait history. Upon account deletion or your written deletion request, pose landmarks are permanently removed from active systems within 30 days and from backup systems within an additional 6 months, whichever is sooner; (d) Consent: collection and sharing occur only with your affirmative consent, which you provide when you first use the AI gait analysis feature and may revoke at any time in Profile > Data & Privacy.
What we do NOT collect: We do not collect precise GPS location data, contacts, call logs, browsing history, or financial information. We do not sell your personal information to third parties.
We do not track you across apps or websites. StepSavvy does not use any advertising identifiers, analytics SDKs, or cross-app/cross-website tracking technologies. We do not link your StepSavvy data with data collected by other apps or websites owned by other companies. Because of this, we do not present the iOS App Tracking Transparency prompt.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve the StepSavvy service
- To create and manage your account and authenticate your identity
- To generate personalized physical therapy exercise plans based on your surgery type and recovery phase
- To track your exercise progress, streaks, and achievements
- To provide AI-powered Gait Analysis, Form Check, and Foot Photo Analysis from your submitted videos and photos
- To send transactional emails such as welcome messages, password reset codes, and weekly recovery summaries
- To send exercise reminders and motivational notifications (with your permission)
- To diagnose technical problems and improve app stability using crash reports
- To analyze aggregate usage patterns and improve the App experience
- To comply with legal obligations and enforce our Terms of Service
We process your data based on your consent (provided when you create an account and use specific features), our legitimate interest in providing and improving the service, and where necessary to comply with legal requirements.
Data Storage & Security
Your data is stored securely using Supabase, a trusted cloud database and backend-as-a-service provider. We implement multiple layers of security to protect your information:
- Encryption in transit: All data transmitted between the App and our servers is encrypted using HTTPS/TLS protocols
- Encryption at rest: Your data is encrypted at rest on our database servers
- Row-Level Security (RLS): Database-level access controls ensure that each user can only access their own data
- Secure authentication: Passwords are hashed using industry-standard algorithms and are never stored in plain text
- Secure media storage: Photos and videos uploaded for gait analysis are stored in access-controlled cloud storage buckets
- Regular monitoring: We conduct ongoing security monitoring and apply updates to protect against emerging threats
While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.
Data Breach Notification
In the event of a data breach that compromises your personal or health data, we will notify affected users within 72 hours via the email address associated with your account, in accordance with applicable data breach notification laws, including the FTC Health Breach Notification Rule (16 CFR Part 318). We will also post a notice within the app and take immediate steps to mitigate any potential harm.
Third-Party Services
StepSavvy uses the following third-party services to operate and improve the App. Each service has its own privacy policy governing the data it processes:
All third-party service providers are contractually required to provide data protection standards equivalent to or exceeding those described in this Privacy Policy.
Supabase (Backend & Database)
We use Supabase for user authentication, database storage, file storage, and serverless functions. Supabase stores your account information, health data, exercise records, and uploaded media. Data is hosted in secure, SOC 2 compliant data centers.
Sentry (Crash Reporting)
We use Sentry to collect crash reports and diagnostic data when the App experiences errors. Sentry receives device information, error logs, and stack traces. It does not receive your health data, exercise records, or personal photos.
Google (Gemini API)
We use Google's Gemini API as a third-party data processor to power several core features of StepSavvy. Two models are used:
- Gemini 3 Flash Preview: gait video interpretation, personalized exercise recommendations with dosing, shoe compatibility scoring and categorization, recovery report narratives, and exercise/recommendation explanations.
- Gemini 3.1 Pro Preview: AI Form Check (squat and bench press video analysis with extended reasoning) and Foot Photo Analysis (foot type and arch classification from a photo).
Google does not use submitted prompts, media, or responses to train AI models when processing through the paid Gemini API tier. Submitted media is used only for the one-shot analysis that returns your result. Your name, email, and account credentials are never sent to Google through this integration. For details on what data is shared and how it is handled, see Section 7. Google's processing of this data is governed by the Gemini API Additional Terms of Service and the Google Privacy Policy.
Google MediaPipe (On-Device Pose Estimation)
We use Google's MediaPipe BlazePose technology to detect body landmarks from gait analysis and Form Check videos. This processing runs entirely on your device — the on-device pose pass itself does not send video to Google. MediaPipe extracts 33 body landmark positions per video frame, which are used to compute biomechanical measurements (joint angles, hip and knee mechanics, foot strike, lockout completion, etc.). Pose landmarks for Gait Analysis are stored in your StepSavvy account for displaying results and skeleton overlays; pose landmarks for Form Check are cached locally on your device for replay (LRU 30 sessions) but not stored in our cloud.
Apple (Sign in with Apple)
We support Apple's Sign in with Apple flow as an optional sign-in method. When you choose this option, Apple issues a privacy-preserving identity token containing your Apple ID or Apple's private relay email address, which we use to create or sign in to your StepSavvy account. If you delete your StepSavvy account, we also revoke Apple's refresh token on your behalf so the sign-in link is cleanly severed. Apple does not receive any health data from StepSavvy. Apple's handling of your sign-in data is governed by Apple's Sign in with Apple privacy notice.
Apple Health: With your permission, StepSavvy reads your walking and running distance from Apple Health (read-only) to attribute mileage to a shoe you choose for wear tracking. We never write to Apple Health, never store this data in iCloud, never share it with third parties, and never use it for advertising or marketing. You can enable this from the Closet tab and revoke access at any time in iOS Settings > Privacy & Security > Health.
Google (Sign in with Google)
We support Google Sign-In as an optional sign-in method. When you choose this option, Google issues an identity token containing your Google account email, which we use to create or sign in to your StepSavvy account. No health data, pain data, or recovery data is sent to Google. Google's handling of your sign-in data is governed by the Google Privacy Policy.
Resend (Email Delivery)
We use Resend to send transactional emails including welcome messages, password reset codes, and weekly recovery summaries. Resend receives your email address solely for the purpose of delivering these communications.
Serper (Google Search API)
We use Serper to look up shoe brand and model information for product categorization. Only shoe brand and model names are sent — no health data, personal information, or account details are shared with this provider. Serper's privacy policy is available at serper.dev/privacy.
RevenueCat (Subscription Management)
We use RevenueCat to manage in-app subscriptions and purchase transactions. RevenueCat receives an anonymous customer ID and your Apple IAP transaction metadata (subscription status, product ID, billing dates). No health data is shared with RevenueCat. RevenueCat's privacy policy is available at revenuecat.com/privacy.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
AI-Powered Features & Data Processing
StepSavvy uses multiple AI technologies to deliver intelligent, personalized features within the App. This section explains what AI-powered features we offer, what data is shared with each provider, and how that data is handled.
AI-powered features. The following AI services power StepSavvy's capabilities:
- AI Gait Analysis: Google's Gemini API interprets your biomechanical measurements to explain what your gait numbers mean, including left-vs-right analysis and foot strike pattern classification
- AI Form Check: Google's Gemini Pro analyzes a side-view video of squats or bench press, paired with on-device biomechanics measurements, to produce a 0–100 form score with rep-by-rep observations and coaching cues
- Foot Photo Analysis: Google's Gemini Pro analyzes a back-of-foot photo to describe foot type and arch pattern, and to surface related shoe styles and movements people often explore for that pattern (educational, descriptive only — not a diagnosis)
- Personalized exercise recommendations with dosing: Based on your gait analysis results, Gemini recommends up to 3 specific exercises with frequency guidance (e.g., "once a day, 3-4 times a week"). These are wellness suggestions, not medical prescriptions
- On-device pose estimation: Google's MediaPipe BlazePose runs entirely on your device to detect body landmarks from gait and Form Check videos. The on-device pose pass itself does not send video to Google
- Shoe compatibility scoring: AI evaluates your footwear relative to your gait profile and condition to provide compatibility insights
- Recovery insights: AI processes your pain tracking data and recovery history to offer personalized recovery guidance
What data is shared with Google's Gemini API. When you use AI-powered features, the following data may be sent to Google for processing:
Gait Video Frames
Video frames captured during gait analysis are temporarily transmitted for processing. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.
Condition & Surgery Information
Your condition type, surgery details, and recovery phase are anonymized before being sent for analysis. No directly identifying information (such as your name or email) is included.
Pain Tracking Data
Pain scores, pain location markers, and session notes are shared to generate accurate recovery recommendations. This data is not linked to your identity when transmitted.
Shoe Photos
Photos of your shoes submitted for categorization and compatibility scoring are processed by Google's Gemini API. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.
Form Check Videos
When you run a Form Check, the recorded squat or bench-press video is sent to Google's Gemini API along with on-device biomechanics measurements (joint angles, range of motion, tempo). The video is used only for the one-shot analysis that returns your form score and coaching cues; the cloud copy is discarded after processing. We do not retain Form Check videos on our servers; the local copy on your device is cached for replay (capped at 30 sessions, oldest evicted) and removed when you delete your account.
Foot Photos
When you run Foot Photo Analysis, the back-of-foot photo you take is sent to Google's Gemini API for one-shot foot-type and arch classification. The cloud copy is discarded after processing. We do not retain the photo on our servers.
How Google handles your data. Google processes your data subject to the following safeguards:
- No training on your data: Data is processed via Google's paid Gemini API. Google does not use prompts or responses submitted through the paid Gemini API to improve their products or train AI models
- Limited retention: For paid Gemini API requests, Google logs prompts and responses for a limited period solely to detect and prevent abuse and to meet legal or regulatory obligations
- Secure transmission: All data is transmitted to Google securely via encrypted HTTPS connections
- Google's privacy practices: Google's handling of data submitted through the Gemini API is governed by the Gemini API Additional Terms of Service and the Google Privacy Policy
- Equivalent protection: We require that all third-party data processors, including Google, provide the same or equivalent level of data protection as StepSavvy. Google's enterprise-grade security infrastructure, encryption standards, and privacy commitments meet or exceed the protections we apply to your data within our own systems.
Your consent matters. StepSavvy asks for your explicit consent before any data is shared with AI services. You are prompted to consent when you first use an AI-powered feature. You can revoke this consent at any time by navigating to your Profile settings within the App. Revoking consent will disable AI-powered features but will not affect your ability to use other parts of StepSavvy.
Data Retention
We retain your personal data for as long as your account is active and as needed to provide you with the StepSavvy service. Specifically:
- Account data: Retained while your account is active
- Health and exercise data: Retained while your account is active to support your ongoing recovery tracking, and in any event no longer than 36 months after your last login or in-app interaction, after which it is deleted or anonymized unless you remain active or the law requires longer retention
- Photos and analysis results: Retained while your account is active unless you delete them individually
- Crash and diagnostic data: Retained for up to 90 days for debugging purposes
If you delete your account, we will delete or anonymize your personal data from our active systems within 30 days, and from our routine encrypted backups within an additional 6 months (after which those backups are overwritten on a rolling basis), except where we are required by law to retain certain information for longer periods.
Please note that data previously transmitted to our third-party service providers (such as crash reports sent to Sentry, images processed by our AI analysis provider, or emails sent via Resend) is subject to those providers' respective data retention policies and may not be immediately deletable upon account deletion. We encourage you to review the privacy policies of our third-party providers listed in this policy.
We may retain anonymized, de-identified, or aggregated data that cannot be used to identify you, even after account deletion. This data may be used to improve our services and for statistical analysis.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to Access: You can request a copy of the personal data we hold about you
- Right to Correction: You can request that we correct any inaccurate or incomplete data
- Right to Deletion: You can delete your personal data at any time from within the app at Profile > Delete Account, or by contacting us directly
- Right to Data Portability: You can request a copy, in a structured, commonly used, machine-readable format (such as JSON), of the personal data you provided that we process by automated means on the basis of your consent or our contract with you — including your account profile, health and recovery entries, pain logs, and your gait, Form Check, and foot-analysis results. Email us and we will respond within 30 days.
- Right to Withdraw Consent: Where we process your data on the basis of consent, you can withdraw that consent at any time — for AI processing, in the app at Profile > Data & Privacy; for any other consent-based processing, by emailing us — without deleting your account. Withdrawal does not affect the lawfulness of processing carried out before you withdrew, and you may also delete your account at any time.
- Right to Restrict Processing: In certain circumstances, you can request that we limit how we process your data
- Right to Opt Out of Notifications: You can disable push notifications at any time through your device settings
- Right to Revoke Permissions: You can revoke camera, photo library, and notification permissions at any time through your device settings
To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.
U.S. State Privacy Rights
Depending on your state of residence, you may have additional rights over your personal information under your state’s privacy law. We honor the rights described below regardless of which state you live in; the request methods are the same for everyone.
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), provides you with the following rights regarding your personal information:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you, subject to CPRA verification requirements (Cal. Civ. Code §1798.106)
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
- Right to Opt-Out of Sale or Sharing: We do not “sell” or “share” your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including for purposes of cross-context behavioral advertising. If this ever changes, we will provide a conspicuous “Do Not Sell or Share My Personal Information” mechanism
- Right to Limit Use of Sensitive Personal Information: Under the CPRA, you have the right to limit our use and disclosure of your Sensitive Personal Information (including health-related information) to what is reasonably necessary to provide the services you have requested. Because we process your health data solely for the core purposes you have consented to (personalized exercise plans, gait analysis, recovery tracking), no additional limitation is typically necessary. You may exercise this right directly in the app by revoking AI data consent at Profile > Data & Privacy — which stops your health data from being shared with our AI provider — or by contacting us at stepsavvy.app@gmail.com to request further restrictions
- Right to Use an Authorized Agent: You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof that you authorized them to act for you, and we may still verify your own identity before completing the request.
- Automated Decision-Making: We do not use your personal information to make solely automated decisions that produce legal or similarly significant effects about you. Our AI features generate informational insights only and a human is never replaced in any decision about your account; you may opt out of AI processing at any time by revoking AI consent in Profile > Data & Privacy.
Notice at Collection. In the preceding 12 months we have collected the following categories of personal information. We have not “sold” or “shared” (for cross-context behavioral advertising) any personal information.
- Identifiers (email, name, account ID) — collected from you and from Apple/Google sign-in; used to create and secure your account; disclosed to our hosting processor (Supabase).
- Sensitive Personal Information — health (gait, pain, surgery, foot-assessment, exercise, and pose data) — collected from you and your device; used to provide the App’s analysis and recovery features; disclosed to our hosting (Supabase) and AI (Google Gemini) processors.
- Audio/visual information (walking and exercise videos, foot photos) — collected from your device camera or library; used for AI analysis; disclosed to Supabase and Google Gemini (the AI provider discards its copy after processing).
- Commercial information (subscription and purchase status) — collected from Apple and RevenueCat; used to manage your subscription; disclosed to RevenueCat and Apple.
- Internet or other electronic network activity (in-app interactions, crash and diagnostic data, IP address, and device identifiers) — collected automatically from your device; used for app functionality, security, and debugging; disclosed to our analytics and crash-reporting processor (Sentry).
To submit a CCPA request, contact us at stepsavvy.app@gmail.com. We may need to verify your identity before processing your request.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana & Other States
If you are a resident of a state with a comprehensive consumer privacy law — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states as their laws take effect — you have the right to:
- Access / Know: confirm whether we process your personal data and obtain a copy of it.
- Correct: correct inaccuracies in your personal data.
- Delete: delete personal data we hold about you.
- Portability: obtain a copy of your data in a portable, machine-readable format.
- Opt out: opt out of any “sale” of personal data, targeted (cross-context behavioral) advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects. StepSavvy does not sell personal data, does not engage in targeted advertising, and does not use profiling to make such decisions, so there is nothing for you to opt out of today; if this ever changes, we will provide a clear opt-out mechanism.
Sensitive data consent. Your health and biometric data is “sensitive data” under these laws. We process it only with your consent, as described in this Policy and our Consumer Health Data Privacy Policy.
How to exercise these rights and to appeal. Email us at stepsavvy.app@gmail.com to make a request; we will respond within the time required by your state’s law (generally 45 days). If we decline your request, you may appeal by replying to our decision; if we deny your appeal, your state law may allow you to contact your state Attorney General. Where your state requires it (e.g., Virginia, Colorado, Connecticut, Texas, Montana), this appeal process is available to you.
Nevada
Nevada residents have the right under Nevada law (including SB 370, governing consumer health data, and NRS 603A) to direct a covered business not to sell certain personal or consumer health data. StepSavvy does not sell your personal data or consumer health data, so this prohibition is already met. To submit a verified request or ask a question, email stepsavvy.app@gmail.com; Nevada consumer-health rights are enforced by the Nevada Attorney General. See also our Consumer Health Data Privacy Policy.
European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis for Processing: We process your personal data on the following bases: (a) your consent (Article 6(1)(a)), which you give when you create an account and enable specific features; (b) the performance of our contract with you (Article 6(1)(b)) to provide the StepSavvy service you request; and (c) our legitimate interests (Article 6(1)(f)) in securing and improving the service. Because your gait, pain, surgery, condition, foot-assessment, and pose-landmark data are “special category” data concerning health within the meaning of Article 9 GDPR, we process all such health data on the basis of your explicit consent under Article 9(2)(a). You give that explicit consent at the point you provide the data — when you enter your conditions, surgery, and pain information to set up and use your recovery profile, and, before any health data is sent to our AI provider, through the in-app AI consent dialog. You may withdraw consent at any time (for AI processing, at Profile > Data & Privacy; for other consent-based health processing, by emailing us) without deleting your account; withdrawing AI consent disables the AI features, and withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Data Transfers: If you access StepSavvy from the European Economic Area, the United Kingdom, or Switzerland, your personal data — including, where applicable, health-related data — is transferred to and processed in the United States by our processors, including Supabase (cloud database and storage), Google (AI processing via the Gemini API), Sentry (crash and diagnostic reporting), RevenueCat (subscription management), Resend (transactional email), and Serper (shoe product lookup). For all such transfers, whether or not health data is involved, we rely on the European Commission’s Standard Contractual Clauses (together with the UK International Data Transfer Addendum and the Swiss addendum where applicable), the EU–US Data Privacy Framework where a recipient is certified, and other appropriate safeguards. You may request a copy of the relevant transfer safeguards by emailing stepsavvy.app@gmail.com.
- Additional Rights: In addition to the rights listed in Section 9, you have the right to: lodge a complaint with your local data protection authority, request restriction of processing, and object to processing based on legitimate interests.
- Automated Decision-Making (Article 22): We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Our AI features (gait classification, foot-type and pronation profiling, and the Form Check score) constitute profiling for informational and wellness purposes only and do not make consequential automated decisions about you; you can withdraw AI consent at any time to stop this profiling.
- Children (Article 8): Because StepSavvy requires all users to be at least 16, we do not rely on parental consent under Article 8; our minimum age meets or exceeds the digital-consent age set by every EU/EEA member state (which ranges from 13 to 16).
- Data Controller & Contact: The data controller is StepSavvy LLC, 201 Rue Beauregard STE 202, Lafayette, LA 70508, USA. For GDPR or UK GDPR inquiries, email stepsavvy.app@gmail.com. We are established in the United States; where we are required to designate a representative under Article 27 of the EU or UK GDPR, we will appoint one and publish their contact details in this Policy.
Children's Privacy
StepSavvy requires all users to be at least 16 years of age. We do not knowingly collect personal information from individuals under the age of 16. In compliance with the Children's Online Privacy Protection Act (COPPA), we also do not knowingly collect personal information from children under the age of 13.
If you are under 16, please do not use the app or provide any personal information. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at stepsavvy.app@gmail.com, and we will take steps to delete such information promptly.
If we become aware that we have inadvertently collected personal data from an individual under 16, we will delete that information as quickly as possible.
Washington State Residents (My Health My Data Act)
StepSavvy collects "consumer health data" as defined under Washington's My Health My Data Act (RCW 19.373), including surgery information, pain data, exercise completion records, and gait analysis results.
This data is collected only with your consent, provided when you create an account and use specific features within the App.
Our commitments regarding your consumer health data:
- We do not sell consumer health data.
- We do not share consumer health data for advertising purposes.
Your rights under the My Health My Data Act:
- Access: You have the right to access your health data.
- Deletion: You have the right to delete your health data.
- Withdraw Consent: You may withdraw your consent at any time in the app at Profile > Data & Privacy (for AI processing) or by emailing us, without deleting your account. You may also delete your account at any time.
To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.
Illinois Residents (Biometric Information Privacy Act)
If you are an Illinois resident, you have additional rights under the Illinois Biometric Information Privacy Act, 740 ILCS 14/ (“BIPA”), with respect to any data that may qualify as a “biometric identifier” or “biometric information” under that statute.
As described in Section 2, StepSavvy’s AI gait analysis feature extracts pose landmarks (33 body landmark positions per video frame) from walking videos you record in-app. This extraction occurs on your device using Google MediaPipe BlazePose. While pose landmarks are used solely to compute biomechanical measurements and are not used to identify individuals, some interpretations of BIPA may treat them as biometric identifiers.
Consent. We collect and share pose landmark data only after obtaining your written affirmative consent, presented as an in-app consent modal the first time you use an AI-powered feature. This consent discloses: (a) the specific data being collected, (b) the purpose for collection, (c) the third parties receiving the data, and (d) how long the data will be retained.
Purpose. Pose landmarks are used exclusively for on-device biomechanical analysis and for AI-powered gait interpretation through Google’s Gemini API. They are never used for identification, surveillance, employment decisions, advertising, or profit.
Retention Schedule. Pose landmarks are retained for the duration of your active account so you can view your gait history. Upon (i) account deletion, (ii) your written deletion request, or (iii) the date on which the initial purpose for collection has been satisfied — whichever occurs first — pose landmarks are permanently deleted from our active systems within 30 days and from backup systems within an additional 6 months, but no later than 3 years following your last interaction with StepSavvy.
Disclosure. Pose landmarks are shared only with Google (for biomechanical interpretation via the Gemini API) and Supabase (for secure cloud storage so you can view your history). They are never sold, leased, traded, or otherwise disclosed for advertising, marketing, or profit.
Gait/Pronation Signature & Foot Photographs. We treat the gait or pronation pattern inferred from your walking videos and the back-of-foot photographs used by Foot Photo Analysis for foot-type classification as covered by the protections in this Section — affirmative consent before collection, a limited and disclosed purpose, no use for identification or profit, no sale, and deletion on request — to the extent a court or regulator construes them as biometric identifiers. Like pose landmarks, these are collected and shared with Google’s Gemini API only after your in-app consent and solely to generate your result; the cloud copy is discarded after processing, and any associated results stored in your account are deleted on the schedule described above.
Exercising Your BIPA Rights. To request deletion of your pose landmark data, revoke consent, or obtain a copy of this retention schedule, contact us at stepsavvy.app@gmail.com or use the in-app controls at Profile > Data & Privacy. We will respond within 30 days.
HIPAA & Health Data Disclaimer
StepSavvy is not a HIPAA-covered entity. While we implement strong security measures to protect your health-related information, StepSavvy is a general wellness application and is not subject to the Health Insurance Portability and Accountability Act (HIPAA). Your health and recovery data is protected through encryption, row-level security policies, and strict access controls as described in our Data Storage & Security section. If you have concerns about how your health information is handled, please contact us at stepsavvy.app@gmail.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you through the App or via email for significant changes
- Provide a summary of what has changed when practical
We encourage you to review this Privacy Policy periodically. Your continued use of StepSavvy after any changes indicates your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
StepSavvy LLC
201 Rue Beauregard STE 202, Lafayette, LA 70508
stepsavvy.app@gmail.comWe aim to respond to all privacy-related inquiries within 30 days.
Accessibility. We want StepSavvy to be usable by everyone, including people recovering from injury or surgery. We aim to follow recognized accessibility best practices (WCAG 2.1 AA as a goal). If you have difficulty accessing any part of the app or these policies, or need an accommodation, email us at stepsavvy.app@gmail.com and we will work with you.