StepSavvy

Privacy Policy

How StepSavvy collects, uses, and protects your personal and health-related data.

Last Updated: June 16, 2026 · Effective: April 18, 2026

Contents

  1. 1. Introduction
  2. 2. Information We Collect
  3. 3. How We Use Your Information
  4. 4. Data Storage & Security
  5. 5. Data Breach Notification
  6. 6. Third-Party Services
  7. 7. AI-Powered Features & Data Processing
  8. 8. Data Retention
  9. 9. Your Rights
  10. 10. U.S. State Privacy Rights (California & Other States)
  11. 11. European Users (GDPR)
  12. 12. Children's Privacy
  13. 13. Washington State Residents (My Health My Data Act)
  14. 14. Illinois Residents (Biometric Information Privacy Act)
  15. 15. HIPAA & Health Data Disclaimer
  16. 16. Changes to This Policy
  17. 17. Contact Us
Section 1

Introduction

StepSavvy LLC, a Louisiana limited liability company ("StepSavvy," "we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("the App"). StepSavvy LLC is the data controller responsible for your personal data.

StepSavvy is a physical therapy and recovery companion app that uses AI-powered gait analysis, exercise tracking, and personalized recovery plans. Because our App handles health-related data, we take extra care to ensure your information is secure and handled responsibly.

By using StepSavvy, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the App.

Section 2

Information We Collect

We collect the following categories of information to provide and improve the StepSavvy experience:

Account Information

When you create an account, we collect your email address and an encrypted password. You may also authenticate using Apple Sign-In or Google Sign-In, in which case only your email address and name (if you choose to share it) are provided to us by those services. StepSavvy never receives or stores your Apple or Google password. We may also collect your name if you choose to provide it.

Waitlist & Marketing Information

If you sign up for our waitlist or early access list through our website, we collect your email address. We use this solely to notify you about product availability, early access opportunities, and important updates. You can request removal from the waitlist at any time by contacting us.

Health & Recovery Data

To personalize your recovery experience, we collect information about your surgery type, surgery date, recovery phase, and physical therapy progress, including your medical conditions (such as plantar fasciitis or other musculoskeletal conditions), affected side, condition duration, whether conditions were professionally diagnosed or self-reported, and current pain level and rehab phase. We also collect pain scores (0–10) and free-text notes recorded after each exercise session, foot pain location markers with anatomical mapping and severity ratings, and AI-derived biomechanical profiles including your gait pattern type, pronation assessment, foot strike pattern classification (heel/midfoot/forefoot), confidence level, and related reasoning factors. This data further includes exercise completion records, streaks, achievement badges, daily plans, and self-reported condition check-ins.

We also track your usage of AI-powered features (number of Form Check analyses, Foot Photo analyses, gait analyses, and other AI-driven features consumed) to enforce the monthly and free-trial usage caps associated with your subscription tier. This usage data is stored alongside your account information. Current caps are listed in our Terms of Service.

Photos & Videos

Gait Analysis videos. If you use AI Gait Analysis, we access your device camera or photo library with your permission to capture a short side-view walking video. The raw video is uploaded to our secure cloud storage (Supabase media bucket, scoped to your account) so you can replay your results with a skeleton overlay. On your device, we extract individual still frames and pose landmarks from the video; those extracted frames and landmarks are sent to Google's Gemini API for biomechanical interpretation.

Form Check videos. If you use AI Form Check (squats or bench press), the recorded video is uploaded to Google's Gemini API for one-shot analysis along with the on-device biomechanics measurements. Google discards the cloud copy after returning your result; we do not retain your Form Check video on our servers. A local copy stays cached on your device so you can replay your result on the saved-result detail page; the local cache is capped at 30 sessions across all exercises and the oldest are evicted automatically.

Foot Photo Analysis photos. If you use Foot Photo Analysis, the photo you take is uploaded to Google's Gemini API for one-shot classification. Google discards the cloud copy after returning your result; we do not retain the photo on our servers.

You can delete any saved analysis from within the app, and all uploaded media plus cached local copies are removed when you delete your account.

Device & Technical Information

We automatically collect certain technical information including device model, operating system version, app version, and general usage patterns (such as which features you use and how often). This helps us improve app performance and fix issues.

We also collect product interaction data including which features you use, exercise completion patterns, shoe closet interactions, badge and achievement unlocks, and general app usage patterns. This helps us improve the app experience and tailor features to your needs.

Crash & Diagnostic Data

We use crash reporting services to collect error logs, stack traces, and diagnostic data when the App encounters problems. This data does not include your personal health information and is used solely to identify and fix bugs.

Apple Health Data

Apple Health (read-only, optional): If you tap “Connect Apple Health” in the Closet, StepSavvy requests read-only access to your walking and running distance (DistanceWalkingRunning) so we can attribute mileage to a shoe you choose and track shoe wear. We only read this single distance metric; we never write any data to Apple Health, never store it in iCloud, and never use it for advertising, sell it to data brokers, or share it with third parties for marketing. Connecting Apple Health is entirely optional and the app works fully without it.

Shoe & Footwear Data

If you use the shoe closet feature, we collect information about your shoes including brand, model, category, fit ratings, comfort assessments, pain areas associated with specific shoes, usage frequency, and cumulative mileage (which may be imported from Apple Health with your permission). This data is used to track shoe wear, provide replacement recommendations, and personalize shoe suggestions based on your gait analysis.

Biometric-Style Data (Pose Landmarks, Gait & Pronation Signature, Foot Photos)

When you use our AI gait analysis feature, Google MediaPipe BlazePose runs on your device to extract 33 body landmark positions from each frame of your walking video. These pose landmarks are used exclusively to compute biomechanical measurements (joint angles, cadence, foot strike pattern) and to generate gait analysis results.

The gait and pronation “signature” that the App infers from your walking video, and the back-of-foot photographs used by Foot Photo Analysis, may likewise be treated as biometric identifiers under these laws. They receive the same protections described here and in our Illinois (BIPA) section — consent before collection, a limited and disclosed purpose, no use for identification or profit, no sale, and deletion on request.

Because some U.S. state laws (including Illinois’ Biometric Information Privacy Act and Texas’ Capture or Use of Biometric Identifier Act) may classify pose landmarks as biometric identifiers, we disclose the following: (a) Purpose: pose landmarks are used solely for on-device biomechanical analysis and AI gait interpretation, never for identification, surveillance, advertising, or profit; (b) Sharing: pose landmarks are shared only with Google (via the Gemini API) for biomechanical interpretation, as described in Section 7, and are stored with our cloud infrastructure provider (Supabase) to display your history; (c) Retention schedule: pose landmarks are retained for as long as your account is active so you can view your gait history. Upon account deletion or your written deletion request, pose landmarks are permanently removed from active systems within 30 days and from backup systems within an additional 6 months, whichever is sooner; (d) Consent: collection and sharing occur only with your affirmative consent, which you provide when you first use the AI gait analysis feature and may revoke at any time in Profile > Data & Privacy.

What we do NOT collect: We do not collect precise GPS location data, contacts, call logs, browsing history, or financial information. We do not sell your personal information to third parties.

We do not track you across apps or websites. StepSavvy does not use any advertising identifiers, analytics SDKs, or cross-app/cross-website tracking technologies. We do not link your StepSavvy data with data collected by other apps or websites owned by other companies. Because of this, we do not present the iOS App Tracking Transparency prompt.

Section 3

How We Use Your Information

We use the information we collect for the following purposes:

We process your data based on your consent (provided when you create an account and use specific features), our legitimate interest in providing and improving the service, and where necessary to comply with legal requirements.

Section 4

Data Storage & Security

Your data is stored securely using Supabase, a trusted cloud database and backend-as-a-service provider. We implement multiple layers of security to protect your information:

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.

Section 5

Data Breach Notification

In the event of a data breach that compromises your personal or health data, we will notify affected users within 72 hours via the email address associated with your account, in accordance with applicable data breach notification laws, including the FTC Health Breach Notification Rule (16 CFR Part 318). We will also post a notice within the app and take immediate steps to mitigate any potential harm.

Section 6

Third-Party Services

StepSavvy uses the following third-party services to operate and improve the App. Each service has its own privacy policy governing the data it processes:

All third-party service providers are contractually required to provide data protection standards equivalent to or exceeding those described in this Privacy Policy.

Supabase (Backend & Database)

We use Supabase for user authentication, database storage, file storage, and serverless functions. Supabase stores your account information, health data, exercise records, and uploaded media. Data is hosted in secure, SOC 2 compliant data centers.

Sentry (Crash Reporting)

We use Sentry to collect crash reports and diagnostic data when the App experiences errors. Sentry receives device information, error logs, and stack traces. It does not receive your health data, exercise records, or personal photos.

Google (Gemini API)

We use Google's Gemini API as a third-party data processor to power several core features of StepSavvy. Two models are used:

  • Gemini 3 Flash Preview: gait video interpretation, personalized exercise recommendations with dosing, shoe compatibility scoring and categorization, recovery report narratives, and exercise/recommendation explanations.
  • Gemini 3.1 Pro Preview: AI Form Check (squat and bench press video analysis with extended reasoning) and Foot Photo Analysis (foot type and arch classification from a photo).

Google does not use submitted prompts, media, or responses to train AI models when processing through the paid Gemini API tier. Submitted media is used only for the one-shot analysis that returns your result. Your name, email, and account credentials are never sent to Google through this integration. For details on what data is shared and how it is handled, see Section 7. Google's processing of this data is governed by the Gemini API Additional Terms of Service and the Google Privacy Policy.

Google MediaPipe (On-Device Pose Estimation)

We use Google's MediaPipe BlazePose technology to detect body landmarks from gait analysis and Form Check videos. This processing runs entirely on your device — the on-device pose pass itself does not send video to Google. MediaPipe extracts 33 body landmark positions per video frame, which are used to compute biomechanical measurements (joint angles, hip and knee mechanics, foot strike, lockout completion, etc.). Pose landmarks for Gait Analysis are stored in your StepSavvy account for displaying results and skeleton overlays; pose landmarks for Form Check are cached locally on your device for replay (LRU 30 sessions) but not stored in our cloud.

Apple (Sign in with Apple)

We support Apple's Sign in with Apple flow as an optional sign-in method. When you choose this option, Apple issues a privacy-preserving identity token containing your Apple ID or Apple's private relay email address, which we use to create or sign in to your StepSavvy account. If you delete your StepSavvy account, we also revoke Apple's refresh token on your behalf so the sign-in link is cleanly severed. Apple does not receive any health data from StepSavvy. Apple's handling of your sign-in data is governed by Apple's Sign in with Apple privacy notice.

Apple Health: With your permission, StepSavvy reads your walking and running distance from Apple Health (read-only) to attribute mileage to a shoe you choose for wear tracking. We never write to Apple Health, never store this data in iCloud, never share it with third parties, and never use it for advertising or marketing. You can enable this from the Closet tab and revoke access at any time in iOS Settings > Privacy & Security > Health.

Google (Sign in with Google)

We support Google Sign-In as an optional sign-in method. When you choose this option, Google issues an identity token containing your Google account email, which we use to create or sign in to your StepSavvy account. No health data, pain data, or recovery data is sent to Google. Google's handling of your sign-in data is governed by the Google Privacy Policy.

Resend (Email Delivery)

We use Resend to send transactional emails including welcome messages, password reset codes, and weekly recovery summaries. Resend receives your email address solely for the purpose of delivering these communications.

Serper (Google Search API)

We use Serper to look up shoe brand and model information for product categorization. Only shoe brand and model names are sent — no health data, personal information, or account details are shared with this provider. Serper's privacy policy is available at serper.dev/privacy.

RevenueCat (Subscription Management)

We use RevenueCat to manage in-app subscriptions and purchase transactions. RevenueCat receives an anonymous customer ID and your Apple IAP transaction metadata (subscription status, product ID, billing dates). No health data is shared with RevenueCat. RevenueCat's privacy policy is available at revenuecat.com/privacy.

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

Section 7

AI-Powered Features & Data Processing

StepSavvy uses multiple AI technologies to deliver intelligent, personalized features within the App. This section explains what AI-powered features we offer, what data is shared with each provider, and how that data is handled.

AI-powered features. The following AI services power StepSavvy's capabilities:

What data is shared with Google's Gemini API. When you use AI-powered features, the following data may be sent to Google for processing:

Gait Video Frames

Video frames captured during gait analysis are temporarily transmitted for processing. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.

Condition & Surgery Information

Your condition type, surgery details, and recovery phase are anonymized before being sent for analysis. No directly identifying information (such as your name or email) is included.

Pain Tracking Data

Pain scores, pain location markers, and session notes are shared to generate accurate recovery recommendations. This data is not linked to your identity when transmitted.

Shoe Photos

Photos of your shoes submitted for categorization and compatibility scoring are processed by Google's Gemini API. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.

Form Check Videos

When you run a Form Check, the recorded squat or bench-press video is sent to Google's Gemini API along with on-device biomechanics measurements (joint angles, range of motion, tempo). The video is used only for the one-shot analysis that returns your form score and coaching cues; the cloud copy is discarded after processing. We do not retain Form Check videos on our servers; the local copy on your device is cached for replay (capped at 30 sessions, oldest evicted) and removed when you delete your account.

Foot Photos

When you run Foot Photo Analysis, the back-of-foot photo you take is sent to Google's Gemini API for one-shot foot-type and arch classification. The cloud copy is discarded after processing. We do not retain the photo on our servers.

How Google handles your data. Google processes your data subject to the following safeguards:

Your consent matters. StepSavvy asks for your explicit consent before any data is shared with AI services. You are prompted to consent when you first use an AI-powered feature. You can revoke this consent at any time by navigating to your Profile settings within the App. Revoking consent will disable AI-powered features but will not affect your ability to use other parts of StepSavvy.

Section 8

Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with the StepSavvy service. Specifically:

If you delete your account, we will delete or anonymize your personal data from our active systems within 30 days, and from our routine encrypted backups within an additional 6 months (after which those backups are overwritten on a rolling basis), except where we are required by law to retain certain information for longer periods.

Please note that data previously transmitted to our third-party service providers (such as crash reports sent to Sentry, images processed by our AI analysis provider, or emails sent via Resend) is subject to those providers' respective data retention policies and may not be immediately deletable upon account deletion. We encourage you to review the privacy policies of our third-party providers listed in this policy.

We may retain anonymized, de-identified, or aggregated data that cannot be used to identify you, even after account deletion. This data may be used to improve our services and for statistical analysis.

Section 9

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.

Section 10

U.S. State Privacy Rights

Depending on your state of residence, you may have additional rights over your personal information under your state’s privacy law. We honor the rights described below regardless of which state you live in; the request methods are the same for everyone.

California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), provides you with the following rights regarding your personal information:

Notice at Collection. In the preceding 12 months we have collected the following categories of personal information. We have not “sold” or “shared” (for cross-context behavioral advertising) any personal information.

To submit a CCPA request, contact us at stepsavvy.app@gmail.com. We may need to verify your identity before processing your request.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana & Other States

If you are a resident of a state with a comprehensive consumer privacy law — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states as their laws take effect — you have the right to:

Sensitive data consent. Your health and biometric data is “sensitive data” under these laws. We process it only with your consent, as described in this Policy and our Consumer Health Data Privacy Policy.

How to exercise these rights and to appeal. Email us at stepsavvy.app@gmail.com to make a request; we will respond within the time required by your state’s law (generally 45 days). If we decline your request, you may appeal by replying to our decision; if we deny your appeal, your state law may allow you to contact your state Attorney General. Where your state requires it (e.g., Virginia, Colorado, Connecticut, Texas, Montana), this appeal process is available to you.

Nevada

Nevada residents have the right under Nevada law (including SB 370, governing consumer health data, and NRS 603A) to direct a covered business not to sell certain personal or consumer health data. StepSavvy does not sell your personal data or consumer health data, so this prohibition is already met. To submit a verified request or ask a question, email stepsavvy.app@gmail.com; Nevada consumer-health rights are enforced by the Nevada Attorney General. See also our Consumer Health Data Privacy Policy.

Section 11

European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Section 12

Children's Privacy

StepSavvy requires all users to be at least 16 years of age. We do not knowingly collect personal information from individuals under the age of 16. In compliance with the Children's Online Privacy Protection Act (COPPA), we also do not knowingly collect personal information from children under the age of 13.

If you are under 16, please do not use the app or provide any personal information. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at stepsavvy.app@gmail.com, and we will take steps to delete such information promptly.

If we become aware that we have inadvertently collected personal data from an individual under 16, we will delete that information as quickly as possible.

Section 13

Washington State Residents (My Health My Data Act)

StepSavvy collects "consumer health data" as defined under Washington's My Health My Data Act (RCW 19.373), including surgery information, pain data, exercise completion records, and gait analysis results.

This data is collected only with your consent, provided when you create an account and use specific features within the App.

Our commitments regarding your consumer health data:

Your rights under the My Health My Data Act:

To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.

Section 14

Illinois Residents (Biometric Information Privacy Act)

If you are an Illinois resident, you have additional rights under the Illinois Biometric Information Privacy Act, 740 ILCS 14/ (“BIPA”), with respect to any data that may qualify as a “biometric identifier” or “biometric information” under that statute.

As described in Section 2, StepSavvy’s AI gait analysis feature extracts pose landmarks (33 body landmark positions per video frame) from walking videos you record in-app. This extraction occurs on your device using Google MediaPipe BlazePose. While pose landmarks are used solely to compute biomechanical measurements and are not used to identify individuals, some interpretations of BIPA may treat them as biometric identifiers.

Consent. We collect and share pose landmark data only after obtaining your written affirmative consent, presented as an in-app consent modal the first time you use an AI-powered feature. This consent discloses: (a) the specific data being collected, (b) the purpose for collection, (c) the third parties receiving the data, and (d) how long the data will be retained.

Purpose. Pose landmarks are used exclusively for on-device biomechanical analysis and for AI-powered gait interpretation through Google’s Gemini API. They are never used for identification, surveillance, employment decisions, advertising, or profit.

Retention Schedule. Pose landmarks are retained for the duration of your active account so you can view your gait history. Upon (i) account deletion, (ii) your written deletion request, or (iii) the date on which the initial purpose for collection has been satisfied — whichever occurs first — pose landmarks are permanently deleted from our active systems within 30 days and from backup systems within an additional 6 months, but no later than 3 years following your last interaction with StepSavvy.

Disclosure. Pose landmarks are shared only with Google (for biomechanical interpretation via the Gemini API) and Supabase (for secure cloud storage so you can view your history). They are never sold, leased, traded, or otherwise disclosed for advertising, marketing, or profit.

Gait/Pronation Signature & Foot Photographs. We treat the gait or pronation pattern inferred from your walking videos and the back-of-foot photographs used by Foot Photo Analysis for foot-type classification as covered by the protections in this Section — affirmative consent before collection, a limited and disclosed purpose, no use for identification or profit, no sale, and deletion on request — to the extent a court or regulator construes them as biometric identifiers. Like pose landmarks, these are collected and shared with Google’s Gemini API only after your in-app consent and solely to generate your result; the cloud copy is discarded after processing, and any associated results stored in your account are deleted on the schedule described above.

Exercising Your BIPA Rights. To request deletion of your pose landmark data, revoke consent, or obtain a copy of this retention schedule, contact us at stepsavvy.app@gmail.com or use the in-app controls at Profile > Data & Privacy. We will respond within 30 days.

Section 15

HIPAA & Health Data Disclaimer

StepSavvy is not a HIPAA-covered entity. While we implement strong security measures to protect your health-related information, StepSavvy is a general wellness application and is not subject to the Health Insurance Portability and Accountability Act (HIPAA). Your health and recovery data is protected through encryption, row-level security policies, and strict access controls as described in our Data Storage & Security section. If you have concerns about how your health information is handled, please contact us at stepsavvy.app@gmail.com.

Section 16

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

We encourage you to review this Privacy Policy periodically. Your continued use of StepSavvy after any changes indicates your acceptance of the updated policy.

Section 17

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

StepSavvy LLC

201 Rue Beauregard STE 202, Lafayette, LA 70508

stepsavvy.app@gmail.com

We aim to respond to all privacy-related inquiries within 30 days.

Accessibility. We want StepSavvy to be usable by everyone, including people recovering from injury or surgery. We aim to follow recognized accessibility best practices (WCAG 2.1 AA as a goal). If you have difficulty accessing any part of the app or these policies, or need an accommodation, email us at stepsavvy.app@gmail.com and we will work with you.