1. Introduction

Step.co Technology Inc. ("Step.co," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Services").

2. Information We Collect

We collect information in the following categories:

• Personal Information – name, email address, postal address, payment tokens (handled by our payment processors), and other contact details.
• Fitness Data – workouts, goals, preferences, and progress you log within the Services.
• Device Information – IP address, browser type, operating system, device identifiers.
• Usage Data – pages or classes viewed, clicks, session time, preferences, error logs.
• Aggregated/Anonymous Data – statistical insights that do not identify you.

3. Legal Bases for Processing

We rely on the following lawful bases under applicable data‑protection laws:

• Contract: processing necessary to deliver the Services you request.
• Consent: for optional features such as marketing emails or community‑sharing.
• Legitimate Interests: improving and securing our platform in a way that does not outweigh your privacy rights.
• Legal Obligations: complying with tax, accounting, and regulatory requirements.

4. How We Use Your Information

• To create and manage your account and provide the Services.
• To personalise content, class recommendations, and notifications through automated decision‑making.
• To process payments and manage subscriptions.
• To communicate with you about class updates, promotions, or policy changes.
• To detect, investigate, and prevent fraud or security incidents.
• To conduct analytics that help us understand usage trends and improve functionality.
• To comply with our legal and contractual obligations.

5. Data Sharing & International Transfers

We do not sell your personal information. We may share data with:

• Service Providers: cloud hosting (AWS), analytics (Mixpanel, Google Analytics), email, and payment processors (Stripe). Each provider is bound by contract to protect your data and process it only on our instructions.
• Legal Authorities: where required to comply with law or protect rights, property, or safety.
• Business Transfers: in connection with a merger, acquisition, or sale of assets.

Because some providers operate outside Canada, your information may be transferred and processed internationally. We rely on standard contractual clauses and comparable safeguards to protect your data in such cases.

6. Cookies & Tracking Technologies

We and our partners use cookies, SDKs, and similar technologies to recognise your device, remember preferences, and measure the effectiveness of campaigns. Where required by law, we will request your consent before setting non‑essential cookies. You can manage cookie preferences at any time in the "Cookie Settings" link in the site footer.

7. Your Rights & Choices

You may exercise the following rights, subject to legal limits:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase data ("right to be forgotten").
• Restrict or object to certain processing.
• Data portability – receive a machine‑readable copy of your data.
• Withdraw consent at any time where processing is based on consent.
• Request human review of automated decisions that significantly affect you.

To submit a request, email policy@step.co or use the in‑app privacy request form. We will respond within 30 days.

8. Data Retention

We keep data only as long as necessary:

• Fitness Data – stored while your account is active or until you delete it.
• Subscription & Transaction Records – 7 years for tax and audit purposes.
• Marketing Consent Logs – maintained until you unsubscribe plus 2 years.

9. Security

We employ administrative, technical, and physical safeguards including end‑to‑end encryption, role‑based access controls, and regular security audits. No system is impenetrable, so we encourage you to use strong, unique passwords and enable any offered multi‑factor authentication.

10. Children's Privacy

Our Services are not directed to children under 13 and we do not knowingly collect personal data from them. If you are a parent or guardian and believe your child has provided us data without consent, please contact us and we will delete it promptly. Users aged 13–17 may use the Services only with parent or guardian supervision.

11. Contact Us

Step.co Technology Inc.
240 1st Street E,
North Vancouver, BC V7L 1B3, Canada
Privacy Officer: policy@step.co

© 2025 Step.co Technology Inc.