Privacy Policy
Last updated: May 24, 2026 · Effective: May 17, 2026
This Privacy Policy describes how Step Friend ("the App", "we", "us", "our") collects, uses, stores and protects your information when you use our mobile application available on the App Store and Google Play.
Step Friend is operated by Alejandro Sánchez from Mexico. If you have questions about this policy, you can reach us at [email protected].
1. Information we collect
1.1 Information you provide
When you create an account, we collect:
- Email address (required to register)
- Username / display name (chosen by you)
- Password (stored as a bcrypt hash — never in plain text)
- Time zone (to correctly display dates and statistics)
This data is provided voluntarily by the user and is the minimum necessary to operate the service.
1.2 Health and physical activity information
With your explicit permission, the App reads data from:
- Apple HealthKit (iOS): steps, heart rate, workouts (walking, running, cycling, strength, etc.)
- Google Health Connect (Android): the same types of data
Important:
- The App only reads this data. It never writes to HealthKit or Health Connect.
- Health data is never shared with third parties for advertising purposes.
- You can revoke this permission at any time from your device settings.
1.3 App usage information
For the game to work, we store:
- Your daily steps and imported workouts
- Your level progress, streak, and virtual coins
- Skins, outfits and items purchased or equipped on your axolotl
- Your Pro subscription status (if applicable)
- Your daily step goal (and its history when you change it)
1.4 Payment and subscription information
The App offers monthly and yearly Pro subscriptions. Payments are processed through:
- Apple In-App Purchase (iOS)
- Google Play Billing (Android)
- RevenueCat (the subscription processor we use to manage entitlements)
We never receive or store your payment information (card number, CVV, etc.). Apple and Google handle that directly. From RevenueCat we only receive your entitlement status (active / cancelled / expired).
1.5 Technical information
Automatically, we log:
- Device type and operating system (for support)
- App version
- Errors and crashes (to fix bugs)
We do not use advertising tracking cookies and we do not track your location.
1.6 Optional coaching questionnaire
The App may offer an optional questionnaire so you can request information about our personal coaching service (a separate service operated by Alejandro Sánchez, not part of the App's core functionality). Completing it is entirely voluntary — you do not need to fill it out to use the App.
If you choose to complete it, we collect the information you provide, which may include:
- Full name
- Phone number
- Email address
- Instagram username
- Age
- Your current fitness goals and what you find most challenging (free text)
- Your budget and level of commitment for coaching
We use this information solely to contact you and follow up about personal coaching, outside the App. We do not use it for advertising and we do not sell or rent it to third parties. You can request deletion of your responses at any time by writing to [email protected].
These responses are stored on our own backend server (hosted on Railway — see Section 4) and are not shared with third-party advertising or marketing services.
2. How we use your information
We use the collected data exclusively to:
- Operate the App — save your progress, display your axolotl with its outfits, calculate rewards based on your steps.
- Sync across devices — so that if you reinstall the App or switch phones, you don't lose your progress.
- Process subscriptions — verify that your Pro subscription is active.
- Send you transactional emails — email verification, password recovery, receipts. We do not send marketing unless you explicitly request it.
- Improve the App — aggregate usage analysis to understand what works and what doesn't.
We do not use your health data for:
- Advertising
- Analysis of individual people
- Sharing with insurers, employers or third parties
3. How we store your information
3.1 Local storage
Most of your data lives locally on your device inside a SQLite database encrypted by the operating system. This includes your steps, progress, coins, and inventory.
3.2 Server storage
For cross-device sync, a copy of your progress is backed up on our backend server, hosted on Railway (a cloud infrastructure provider). The server only receives snapshots when a specific event occurs (purchase, customization, level-up, streak record) — we never poll continuously or track your activity in real time.
If you choose to use the App without creating an account (guest mode), no data leaves your device.
4. Sharing information with third parties
We share strictly necessary information with the following providers:
| Provider | Purpose | Data shared |
|---|---|---|
| Railway | Backend hosting | Your account data, synced progress, and coaching questionnaire responses (if you submit them) |
| Resend | Sending transactional emails | Your email + message content (verification code, etc.) |
| RevenueCat | Subscription management | User ID + entitlement status |
| Apple / Google | IAP payment processing | Whatever you enter on their purchase screen |
We do not sell or rent your information to anyone. Nor do we share it with advertisers.
If we integrate other providers in the future, we will update this policy and notify you.
5. Your rights
You have the right to:
- Access your data — You can view your profile information inside the App.
- Correct your data — You can edit your username, display name and time zone from your profile.
- Delete your account — You can request deletion of your account by emailing [email protected]. We will process the request within a maximum of 30 days.
- Export your data — You can request a copy of your data by contacting us.
- Revoke health permissions — You can disable access to HealthKit/Health Connect from your device settings at any time.
To exercise any of these rights, write to us at [email protected].
6. Children's privacy
Step Friend is not directed to children under 13. If you are under 13, you must not use the App or provide personal information.
If we discover that we have collected information from a child under 13 without verifiable parental consent, we will delete it immediately.
If you are a parent/guardian and believe your child provided us information, contact us at [email protected].
7. Security
We implement reasonable technical measures to protect your information:
- Passwords hashed with bcrypt
- Authentication tokens with expiration (JWT)
- Encrypted HTTPS connections between the App and the server
- Restricted access to the server database
However, no system is 100% secure. If you detect a security issue, report it to [email protected].
8. Data retention
- Active account: we retain your data while your account is active.
- Deleted account: upon deletion request, we erase your data from the server within 30 days (except minimal records required by tax or fraud-prevention law, kept for up to 5 years).
- Health data: deleted together with your account. We do not keep it separately.
9. Changes to this policy
We may update this policy occasionally. If we make significant changes:
- We will notify you within the App
- We will send an email to your registered address
- The "Last updated" date in the header will reflect the change
Continued use of the App after an update constitutes acceptance of the new policy.
10. Governing law
This policy is governed by the laws of the United Mexican States. Any dispute related to it will be resolved in the competent courts of Mexico City.
If you are a resident of the European Economic Area (EEA), the United Kingdom or California (USA), you may have additional rights under the GDPR, UK GDPR or CCPA respectively. To exercise them, contact us.
11. Contact
If you have questions, comments or complaints about this policy:
This policy applies only to the Step Friend application available on the App Store and Google Play. It does not apply to third-party websites or services linked from the App.