Last Updated: March 4, 2026
1. Introduction
Welcome to Stepster. This Privacy Policy explains how Mobixo AI ("we," "us," or "our") collects, uses, protects, and shares your personal information when you use the Stepster mobile application ("App").
We are committed to protecting your privacy and complying with applicable data protection regulations, including GDPR (General Data Protection Regulation) and KVKK (Turkish Personal Data Protection Law).
Key Privacy Principles
- Your health data is stored securely and never sold to third parties
- You control what data you share and can delete it at any time
- We use industry-standard encryption to protect your information
- We comply with GDPR, KVKK, and health data protection regulations
2. Information We Collect
Health and Fitness Data
With your explicit permission, we collect and process the following health-related information:
- Step Count: Daily step data from Apple Health (HealthKit)
- Calorie Data: Food intake and exercise calorie information you manually enter or upload
- Food Photos: Images of food you upload for AI calorie analysis
- Exercise Data: Workout information and activity logs
- Body Metrics: Weight, height, and other health metrics you optionally provide
Account Information
- Email Address: For account creation and communication
- Name: Optional, for personalization
- Profile Photo: Optional user avatar
Usage Data
- App Activity: Features used, session duration, interaction patterns
- Device Information: iOS version, device model, app version
- Analytics: Crash reports, performance metrics, feature usage statistics
Payment Information
- Subscription Data: Purchase records, subscription status (processed by Apple)
- Note: We do not store your payment card details. All payments are securely processed through Apple's App Store.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Step Tracking | Step count from HealthKit | Your explicit consent |
| Calorie Analysis | Food photos, manual entries | Performance of service |
| AI Features | Food images, text input | Performance of service |
| Subscription Management | Purchase records, email | Contractual necessity |
| Customer Support | Email, usage data | Legitimate interest |
| App Improvement | Analytics, crash reports | Legitimate interest |
4. Third-Party Services
Services We Use
Apple Health (HealthKit): We integrate with Apple Health to read step count data. Your health data is stored locally on your device and synced with our servers only with your permission.
Firebase (Google): We use Firebase for authentication, analytics, and cloud storage. Firebase complies with GDPR and provides data processing agreements.
OpenAI API: Food photos and text descriptions are securely transmitted to OpenAI's API for calorie analysis and health coaching. See the "AI-Powered Features" section below for full details.
Apple App Store: Subscription payments are processed through Apple's secure payment system. We receive only purchase confirmation data, not your payment details.
AI-Powered Features & Data Sharing Disclosure
Stepster uses artificial intelligence (AI) powered by OpenAI to provide the following features. Before any data is sent to OpenAI, the app will ask for your explicit consent through an in-app dialog.
What Data Is Shared With OpenAI
- Calorie AI Analysis: Food descriptions (text you type) and food photos you upload are sent to OpenAI GPT-4o-mini for nutritional analysis
- Health Coach: Your name, age, gender, BMI, daily step count, and calorie data are sent to OpenAI to provide personalized health coaching advice
Who Processes Your Data: Your data is processed by OpenAI (OpenAI, L.L.C.) through our secure Firebase Cloud Functions servers. Data is transmitted using encrypted connections (TLS/SSL).
Purpose: The sole purpose of sharing this data is to provide AI-powered nutritional analysis and personalized health coaching within the app.
What Is NOT Shared: Your email address, phone number, account credentials, payment information, or any other personally identifiable account information is never sent to OpenAI.
Your Consent: You will be asked to provide consent before any data is sent to OpenAI. You can decline and continue using the app without AI features. If you previously declined, you will be asked again the next time you try to use an AI feature.
Data Retention by OpenAI: According to OpenAI's data usage policy, data sent through the API is not used to train their models and is retained for a maximum of 30 days for abuse monitoring purposes before being deleted.
Data Sharing
We do NOT sell, rent, or share your personal information with third parties for marketing purposes. We only share data with:
- Service Providers: Companies that help us operate the App (Firebase, OpenAI) under strict data protection agreements
- Legal Requirements: When required by law or to protect our legal rights
- Business Transfers: In the event of a merger or acquisition (you will be notified)
5. Data Security
Security Measures
- Encryption: All data transmission uses TLS/SSL encryption
- Secure Storage: Data is stored on Google Cloud Platform with industry-standard security
- Access Control: Strict access controls limit who can view your data
- Regular Audits: We conduct regular security assessments
- Data Minimization: We collect only necessary information
Important: While we implement robust security measures, no internet transmission is 100% secure. Please use a strong password and keep your device secure.
6. Your Rights (GDPR & KVKK)
You Have the Right To:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Data Portability: Receive your data in a machine-readable format
- Objection: Object to data processing for specific purposes
- Withdraw Consent: Revoke consent for data processing at any time
How to Exercise Your Rights
To exercise any of these rights, please contact us at support@mobixo.ai
We will respond to your request within 30 days as required by GDPR and KVKK.
Account Deletion
You can delete your account and all associated data at any time:
- Open the Stepster app
- Go to Settings - Account
- Tap "Delete Account"
- Confirm deletion
Note: This action is permanent and cannot be undone. All your health data, progress, and subscription information will be permanently deleted.
7. Data Retention
- Active Accounts: We retain your data as long as your account is active
- Deleted Accounts: Data is permanently deleted within 30 days of account deletion
- Legal Requirements: Some data may be retained longer if required by law (e.g., payment records for tax purposes)
- Analytics: Anonymized usage data may be retained for statistical purposes
8. Children's Privacy
Stepster is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (where Firebase and OpenAI servers are located). We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with all service providers
- Compliance with GDPR requirements for international transfers
10. Cookies and Tracking
The App does not use traditional web cookies. However, we use similar technologies for:
- Firebase Analytics: To understand app usage and improve features
- Crash Reporting: To identify and fix technical issues
- Session Management: To keep you logged in
You can disable analytics in Settings - Privacy - Analytics, though this may limit some functionality.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the new policy in the App
- Updating the "Last Updated" date
- Sending an email notification for significant changes
Your continued use of the App after changes become effective constitutes acceptance of the revised policy.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt-out of sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your rights
13. Contact Us & Data Controller
Data Controller: Mobixo AI
Address: Istanbul, Turkey
For privacy questions or to exercise your rights:
support@mobixo.ai
We respond to all privacy requests within 30 days.