Introduction
StepSavvy LLC, a Louisiana limited liability company ("StepSavvy," "we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("the App"). StepSavvy LLC is the data controller responsible for your personal data.
StepSavvy is a physical therapy and recovery companion app that uses AI-powered gait analysis, exercise tracking, and personalized recovery plans. Because our App handles health-related data, we take extra care to ensure your information is secure and handled responsibly.
By using StepSavvy, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the App.
Information We Collect
We collect the following categories of information to provide and improve the StepSavvy experience:
Account Information
When you create an account, we collect your email address and an encrypted password. You may also authenticate using Apple Sign-In or Google Sign-In, in which case only your email address and name (if you choose to share it) are provided to us by those services. StepSavvy never receives or stores your Apple or Google password. We may also collect your name if you choose to provide it.
Waitlist & Marketing Information
If you sign up for our waitlist or early access list through our website, we collect your email address. We use this solely to notify you about product availability, early access opportunities, and important updates. You can request removal from the waitlist at any time by contacting us.
Health & Recovery Data
To personalize your recovery experience, we collect information about your surgery type, surgery date, recovery phase, and physical therapy progress, including your medical conditions (such as plantar fasciitis or other musculoskeletal conditions), affected side, condition duration, whether conditions were professionally diagnosed or self-reported, and current pain level and rehab phase. We also collect pain scores (0–10) and free-text notes recorded after each exercise session, foot pain location markers with anatomical mapping and severity ratings, and AI-derived biomechanical profiles including your gait pattern type, pronation assessment, foot strike pattern classification (heel/midfoot/forefoot), confidence level, and related reasoning factors. This data further includes exercise completion records, streaks, achievement badges, daily plans, and self-reported condition check-ins.
We also track your usage of AI-powered features (number of Form Check analyses, Foot Photo analyses, gait analyses, and other AI-driven features consumed) to enforce the monthly and free-trial usage caps associated with your subscription tier. This usage data is stored alongside your account information. Current caps are listed in our Terms of Service.
Photos & Videos
Gait Analysis videos. If you use AI Gait Analysis, we access your device camera or photo library with your permission to capture a short side-view walking video. The raw video is uploaded to our secure cloud storage (Supabase media bucket, scoped to your account) so you can replay your results with a skeleton overlay. On your device, we extract individual still frames and pose landmarks from the video; those extracted frames and landmarks are sent to Google's Gemini API for biomechanical interpretation.
Form Check videos. If you use AI Form Check (squats or bench press), the recorded video is uploaded to Google's Gemini API for one-shot analysis along with the on-device biomechanics measurements. Google discards the cloud copy after returning your result; we do not retain your Form Check video on our servers. A local copy stays cached on your device so you can replay your result on the saved-result detail page; the local cache is capped at 30 sessions across all exercises and the oldest are evicted automatically.
Foot Photo Analysis photos. If you use Foot Photo Analysis, the photo you take is uploaded to Google's Gemini API for one-shot classification. Google discards the cloud copy after returning your result; we do not retain the photo on our servers.
You can delete any saved analysis from within the app, and all uploaded media plus cached local copies are removed when you delete your account.
Device & Technical Information
We automatically collect certain technical information including device model, operating system version, app version, and general usage patterns (such as which features you use and how often). This helps us improve app performance and fix issues.
We also collect product interaction data including which features you use, exercise completion patterns, shoe closet interactions, badge and achievement unlocks, and general app usage patterns. This helps us improve the app experience and tailor features to your needs.
Crash & Diagnostic Data
We use crash reporting services to collect error logs, stack traces, and diagnostic data when the App encounters problems. This data does not include your personal health information and is used solely to identify and fix bugs.
Apple Health Data
Note: Apple Health integration is not active in the current version of StepSavvy and will be available in a future update. When enabled, we will only request read access to walking and running distance data to track shoe mileage. Apple Health data will never be used for advertising, sold to data brokers, or shared with third parties for marketing purposes.
Shoe & Footwear Data
If you use the shoe closet feature, we collect information about your shoes including brand, model, category, fit ratings, comfort assessments, pain areas associated with specific shoes, usage frequency, and cumulative mileage (which may be imported from Apple Health with your permission in a future update). This data is used to track shoe wear, provide replacement recommendations, and personalize shoe suggestions based on your gait analysis. Note: Apple Health mileage import is not active in the current version of StepSavvy and will be available in a future update.
Biometric-Style Data (Pose Landmarks)
When you use our AI gait analysis feature, Google MediaPipe BlazePose runs on your device to extract 33 body landmark positions from each frame of your walking video. These pose landmarks are used exclusively to compute biomechanical measurements (joint angles, cadence, foot strike pattern) and to generate gait analysis results.
Because some U.S. state laws (including Illinois’ Biometric Information Privacy Act and Texas’ Capture or Use of Biometric Identifier Act) may classify pose landmarks as biometric identifiers, we disclose the following: (a) Purpose: pose landmarks are used solely for on-device biomechanical analysis and AI gait interpretation, never for identification, surveillance, advertising, or profit; (b) Sharing: pose landmarks are shared only with Google (via the Gemini API) for biomechanical interpretation, as described in Section 7, and are stored with our cloud infrastructure provider (Supabase) to display your history; (c) Retention schedule: pose landmarks are retained for as long as your account is active so you can view your gait history. Upon account deletion or your written deletion request, pose landmarks are permanently removed from active systems within 30 days and from backup systems within an additional 6 months, whichever is sooner; (d) Consent: collection and sharing occur only with your affirmative consent, which you provide when you first use the AI gait analysis feature and may revoke at any time in Profile > Data & Privacy.
What we do NOT collect: We do not collect precise GPS location data, contacts, call logs, browsing history, or financial information. We do not sell your personal information to third parties.
We do not track you across apps or websites. StepSavvy does not use any advertising identifiers, analytics SDKs, or cross-app/cross-website tracking technologies. We do not link your StepSavvy data with data collected by other apps or websites owned by other companies. Because of this, we do not present the iOS App Tracking Transparency prompt.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve the StepSavvy service
- To create and manage your account and authenticate your identity
- To generate personalized physical therapy exercise plans based on your surgery type and recovery phase
- To track your exercise progress, streaks, and achievements
- To provide AI-powered Gait Analysis, Form Check, and Foot Photo Analysis from your submitted videos and photos
- To send transactional emails such as welcome messages, password reset codes, and weekly recovery summaries
- To send exercise reminders and motivational notifications (with your permission)
- To diagnose technical problems and improve app stability using crash reports
- To analyze aggregate usage patterns and improve the App experience
- To comply with legal obligations and enforce our Terms of Service
We process your data based on your consent (provided when you create an account and use specific features), our legitimate interest in providing and improving the service, and where necessary to comply with legal requirements.
Data Storage & Security
Your data is stored securely using Supabase, a trusted cloud database and backend-as-a-service provider. We implement multiple layers of security to protect your information:
- Encryption in transit: All data transmitted between the App and our servers is encrypted using HTTPS/TLS protocols
- Encryption at rest: Your data is encrypted at rest on our database servers
- Row-Level Security (RLS): Database-level access controls ensure that each user can only access their own data
- Secure authentication: Passwords are hashed using industry-standard algorithms and are never stored in plain text
- Secure media storage: Photos and videos uploaded for gait analysis are stored in access-controlled cloud storage buckets
- Regular monitoring: We conduct ongoing security monitoring and apply updates to protect against emerging threats
While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.
Data Breach Notification
In the event of a data breach that compromises your personal or health data, we will notify affected users within 72 hours via the email address associated with your account, in accordance with applicable data breach notification laws, including the FTC Health Breach Notification Rule (16 CFR Part 318). We will also post a notice within the app and take immediate steps to mitigate any potential harm.
Third-Party Services
StepSavvy uses the following third-party services to operate and improve the App. Each service has its own privacy policy governing the data it processes:
All third-party service providers are contractually required to provide data protection standards equivalent to or exceeding those described in this Privacy Policy.
Supabase (Backend & Database)
We use Supabase for user authentication, database storage, file storage, and serverless functions. Supabase stores your account information, health data, exercise records, and uploaded media. Data is hosted in secure, SOC 2 compliant data centers.
Sentry (Crash Reporting)
We use Sentry to collect crash reports and diagnostic data when the App experiences errors. Sentry receives device information, error logs, and stack traces. It does not receive your health data, exercise records, or personal photos.
Google (Gemini API)
We use Google's Gemini API as a third-party data processor to power several core features of StepSavvy. Two models are used:
- Gemini 3 Flash Preview: gait video interpretation, personalized exercise recommendations with dosing, shoe compatibility scoring and categorization, recovery report narratives, and exercise/recommendation explanations.
- Gemini 3.1 Pro Preview: AI Form Check (squat and bench press video analysis with extended reasoning) and Foot Photo Analysis (foot type and arch classification from a photo).
Google does not use submitted prompts, media, or responses to train AI models when processing through the paid Gemini API tier. Submitted media is used only for the one-shot analysis that returns your result. Your name, email, and account credentials are never sent to Google through this integration. For details on what data is shared and how it is handled, see Section 7. Google's processing of this data is governed by the Gemini API Additional Terms of Service and the Google Privacy Policy.
Google MediaPipe (On-Device Pose Estimation)
We use Google's MediaPipe BlazePose technology to detect body landmarks from gait analysis and Form Check videos. This processing runs entirely on your device — the on-device pose pass itself does not send video to Google. MediaPipe extracts 33 body landmark positions per video frame, which are used to compute biomechanical measurements (joint angles, hip and knee mechanics, foot strike, lockout completion, etc.). Pose landmarks for Gait Analysis are stored in your StepSavvy account for displaying results and skeleton overlays; pose landmarks for Form Check are cached locally on your device for replay (LRU 30 sessions) but not stored in our cloud.
Apple (Sign in with Apple)
We support Apple's Sign in with Apple flow as an optional sign-in method. When you choose this option, Apple issues a privacy-preserving identity token containing your Apple ID or Apple's private relay email address, which we use to create or sign in to your StepSavvy account. If you delete your StepSavvy account, we also revoke Apple's refresh token on your behalf so the sign-in link is cleanly severed. Apple does not receive any health data from StepSavvy. Apple's handling of your sign-in data is governed by Apple's Sign in with Apple privacy notice.
Apple Health: HealthKit integration is not active in the current version of StepSavvy. If we add it in a future update, we will only request read access to walking and running distance data to track shoe mileage, and this policy will be updated before the feature ships.
Google (Sign in with Google)
We support Google Sign-In as an optional sign-in method. When you choose this option, Google issues an identity token containing your Google account email, which we use to create or sign in to your StepSavvy account. No health data, pain data, or recovery data is sent to Google. Google's handling of your sign-in data is governed by the Google Privacy Policy.
Resend (Email Delivery)
We use Resend to send transactional emails including welcome messages, password reset codes, and weekly recovery summaries. Resend receives your email address solely for the purpose of delivering these communications.
Serper (Google Search API)
We use Serper to look up shoe brand and model information for product categorization. Only shoe brand and model names are sent — no health data, personal information, or account details are shared with this provider. Serper's privacy policy is available at serper.dev/privacy.
RevenueCat (Subscription Management)
We use RevenueCat to manage in-app subscriptions and purchase transactions. RevenueCat receives an anonymous customer ID and your Apple IAP transaction metadata (subscription status, product ID, billing dates). No health data is shared with RevenueCat. RevenueCat's privacy policy is available at revenuecat.com/privacy.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
AI-Powered Features & Data Processing
StepSavvy uses multiple AI technologies to deliver intelligent, personalized features within the App. This section explains what AI-powered features we offer, what data is shared with each provider, and how that data is handled.
AI-powered features. The following AI services power StepSavvy's capabilities:
- AI Gait Analysis: Google's Gemini API interprets your biomechanical measurements to explain what your gait numbers mean, including left-vs-right analysis and foot strike pattern classification
- AI Form Check: Google's Gemini Pro analyzes a side-view video of squats or bench press, paired with on-device biomechanics measurements, to produce a 0–100 form score with rep-by-rep observations and coaching cues
- Foot Photo Analysis: Google's Gemini Pro analyzes a back-of-foot photo to describe foot type and arch pattern, and to surface related shoe styles and movements people often explore for that pattern (educational, descriptive only — not a diagnosis)
- Personalized exercise recommendations with dosing: Based on your gait analysis results, Gemini recommends up to 3 specific exercises with frequency guidance (e.g., "once a day, 3-4 times a week"). These are wellness suggestions, not medical prescriptions
- On-device pose estimation: Google's MediaPipe BlazePose runs entirely on your device to detect body landmarks from gait and Form Check videos. The on-device pose pass itself does not send video to Google
- Shoe compatibility scoring: AI evaluates your footwear relative to your gait profile and condition to provide compatibility insights
- Recovery insights: AI processes your pain tracking data and recovery history to offer personalized recovery guidance
What data is shared with Google's Gemini API. When you use AI-powered features, the following data may be sent to Google for processing:
Gait Video Frames
Video frames captured during gait analysis are temporarily transmitted for processing. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.
Condition & Surgery Information
Your condition type, surgery details, and recovery phase are anonymized before being sent for analysis. No directly identifying information (such as your name or email) is included.
Pain Tracking Data
Pain scores, pain location markers, and session notes are shared to generate accurate recovery recommendations. This data is not linked to your identity when transmitted.
Shoe Photos
Photos of your shoes submitted for categorization and compatibility scoring are processed by Google's Gemini API. Google does not use submitted prompts or responses to train AI models on the paid Gemini API.
Form Check Videos
When you run a Form Check, the recorded squat or bench-press video is sent to Google's Gemini API along with on-device biomechanics measurements (joint angles, range of motion, tempo). The video is used only for the one-shot analysis that returns your form score and coaching cues; the cloud copy is discarded after processing. We do not retain Form Check videos on our servers; the local copy on your device is cached for replay (capped at 30 sessions, oldest evicted) and removed when you delete your account.
Foot Photos
When you run Foot Photo Analysis, the back-of-foot photo you take is sent to Google's Gemini API for one-shot foot-type and arch classification. The cloud copy is discarded after processing. We do not retain the photo on our servers.
How Google handles your data. Google processes your data subject to the following safeguards:
- No training on your data: Data is processed via Google's paid Gemini API. Google does not use prompts or responses submitted through the paid Gemini API to improve their products or train AI models
- Limited retention: For paid Gemini API requests, Google logs prompts and responses for a limited period solely to detect and prevent abuse and to meet legal or regulatory obligations
- Secure transmission: All data is transmitted to Google securely via encrypted HTTPS connections
- Google's privacy practices: Google's handling of data submitted through the Gemini API is governed by the Gemini API Additional Terms of Service and the Google Privacy Policy
- Equivalent protection: We require that all third-party data processors, including Google, provide the same or equivalent level of data protection as StepSavvy. Google's enterprise-grade security infrastructure, encryption standards, and privacy commitments meet or exceed the protections we apply to your data within our own systems.
Your consent matters. StepSavvy asks for your explicit consent before any data is shared with AI services. You are prompted to consent when you first use an AI-powered feature. You can revoke this consent at any time by navigating to your Profile settings within the App. Revoking consent will disable AI-powered features but will not affect your ability to use other parts of StepSavvy.
Data Retention
We retain your personal data for as long as your account is active and as needed to provide you with the StepSavvy service. Specifically:
- Account data: Retained while your account is active
- Health and exercise data: Retained while your account is active to support your ongoing recovery tracking
- Photos and analysis results: Retained while your account is active unless you delete them individually
- Crash and diagnostic data: Retained for up to 90 days for debugging purposes
If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain certain information for longer periods.
Please note that data previously transmitted to our third-party service providers (such as crash reports sent to Sentry, images processed by our AI analysis provider, or emails sent via Resend) is subject to those providers' respective data retention policies and may not be immediately deletable upon account deletion. We encourage you to review the privacy policies of our third-party providers listed in this policy.
We may retain anonymized, de-identified, or aggregated data that cannot be used to identify you, even after account deletion. This data may be used to improve our services and for statistical analysis.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to Access: You can request a copy of the personal data we hold about you
- Right to Correction: You can request that we correct any inaccurate or incomplete data
- Right to Deletion: You can request that we delete your personal data by deleting your account or contacting us directly
- Right to Data Portability: You can email us to request a copy of your account data in a structured, machine-readable format (such as JSON). We respond within 30 days.
- Right to Withdraw Consent: You can withdraw your consent for data processing at any time by deleting your account
- Right to Restrict Processing: In certain circumstances, you can request that we limit how we process your data
- Right to Opt Out of Notifications: You can disable push notifications at any time through your device settings
- Right to Revoke Permissions: You can revoke camera, photo library, and notification permissions at any time through your device settings
To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.
California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
- Right to Opt-Out of Sale or Sharing: We do not “sell” or “share” your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including for purposes of cross-context behavioral advertising. If this ever changes, we will provide a conspicuous “Do Not Sell or Share My Personal Information” mechanism
- Right to Limit Use of Sensitive Personal Information: Under the CPRA, you have the right to limit our use and disclosure of your Sensitive Personal Information (including health-related information) to what is reasonably necessary to provide the services you have requested. Because we process your health data solely for the core purposes you have consented to (personalized exercise plans, gait analysis, recovery tracking), no additional limitation is typically necessary. You may contact us at any time to request further restrictions
To submit a CCPA request, contact us at stepsavvy.app@gmail.com. We may need to verify your identity before processing your request.
European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis for Processing: We process your personal data based on: (a) your consent when you create an account and use our services, (b) the performance of our contract with you to provide the StepSavvy service, and (c) our legitimate interests in improving our service and ensuring security.
- Data Transfers: Your data is stored on servers in the United States via Supabase. We rely on standard contractual clauses and other appropriate safeguards for international data transfers.
- Additional Rights: In addition to the rights listed in Section 9, you have the right to: lodge a complaint with your local data protection authority, request restriction of processing, and object to processing based on legitimate interests.
- Data Protection Contact: For GDPR-related inquiries, contact us at stepsavvy.app@gmail.com.
Children's Privacy
StepSavvy requires all users to be at least 16 years of age. We do not knowingly collect personal information from individuals under the age of 16. In compliance with the Children's Online Privacy Protection Act (COPPA), we also do not knowingly collect personal information from children under the age of 13.
If you are under 16, please do not use the app or provide any personal information. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at stepsavvy.app@gmail.com, and we will take steps to delete such information promptly.
If we become aware that we have inadvertently collected personal data from an individual under 16, we will delete that information as quickly as possible.
Washington State Residents (My Health My Data Act)
StepSavvy collects "consumer health data" as defined under Washington's My Health My Data Act (RCW 19.373), including surgery information, pain data, exercise completion records, and gait analysis results.
This data is collected only with your consent, provided when you create an account and use specific features within the App.
Our commitments regarding your consumer health data:
- We do not sell consumer health data.
- We do not share consumer health data for advertising purposes.
Your rights under the My Health My Data Act:
- Access: You have the right to access your health data.
- Deletion: You have the right to delete your health data.
- Withdraw Consent: You may withdraw consent for health data collection at any time by deleting your account.
To exercise any of these rights, please contact us at stepsavvy.app@gmail.com. We will respond to your request within 30 days.
Illinois Residents (Biometric Information Privacy Act)
If you are an Illinois resident, you have additional rights under the Illinois Biometric Information Privacy Act, 740 ILCS 14/ (“BIPA”), with respect to any data that may qualify as a “biometric identifier” or “biometric information” under that statute.
As described in Section 2, StepSavvy’s AI gait analysis feature extracts pose landmarks (33 body landmark positions per video frame) from walking videos you record in-app. This extraction occurs on your device using Google MediaPipe BlazePose. While pose landmarks are used solely to compute biomechanical measurements and are not used to identify individuals, some interpretations of BIPA may treat them as biometric identifiers.
Consent. We collect and share pose landmark data only after obtaining your written affirmative consent, presented as an in-app consent modal the first time you use an AI-powered feature. This consent discloses: (a) the specific data being collected, (b) the purpose for collection, (c) the third parties receiving the data, and (d) how long the data will be retained.
Purpose. Pose landmarks are used exclusively for on-device biomechanical analysis and for AI-powered gait interpretation through Google’s Gemini API. They are never used for identification, surveillance, employment decisions, advertising, or profit.
Retention Schedule. Pose landmarks are retained for the duration of your active account so you can view your gait history. Upon (i) account deletion, (ii) your written deletion request, or (iii) the date on which the initial purpose for collection has been satisfied — whichever occurs first — pose landmarks are permanently deleted from our active systems within 30 days and from backup systems within an additional 6 months, but no later than 3 years following your last interaction with StepSavvy.
Disclosure. Pose landmarks are shared only with Google (for biomechanical interpretation via the Gemini API) and Supabase (for secure cloud storage so you can view your history). They are never sold, leased, traded, or otherwise disclosed for advertising, marketing, or profit.
Exercising Your BIPA Rights. To request deletion of your pose landmark data, revoke consent, or obtain a copy of this retention schedule, contact us at stepsavvy.app@gmail.com or use the in-app controls at Profile > Data & Privacy. We will respond within 30 days.
HIPAA & Health Data Disclaimer
StepSavvy is not a HIPAA-covered entity. While we implement strong security measures to protect your health-related information, StepSavvy is a general wellness application and is not subject to the Health Insurance Portability and Accountability Act (HIPAA). Your health and recovery data is protected through encryption, row-level security policies, and strict access controls as described in our Data Storage & Security section. If you have concerns about how your health information is handled, please contact us at stepsavvy.app@gmail.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you through the App or via email for significant changes
- Provide a summary of what has changed when practical
We encourage you to review this Privacy Policy periodically. Your continued use of StepSavvy after any changes indicates your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
StepSavvy LLC
201 Rue Beauregard STE 202, Lafayette, LA 70508
stepsavvy.app@gmail.com
We aim to respond to all privacy-related inquiries within 30 days.