Privacy Policy

Dekode (Pty) Ltd ("Dekode", "we", "us", or "our") operates the Step Up mobile application and website at thestepupchallenge.com (together, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.

We are committed to protecting your privacy in accordance with the Protection of Personal Information Act, 2013 (POPIA) and other applicable data protection laws.

1. Information We Collect

1.1 Account Information

When you sign in with Google, Apple, or email, we receive the account details needed to create and identify your Step Up account. This may include your name, email address, and Google profile photo. Apple may provide your name and email only on the first successful sign-in.

1.2 Health & Fitness Data

With your explicit permission, Step Up reads step count data from Apple Health (iOS) or Health Connect (Android). We collect:

• Daily step counts and the dates they were recorded
• Step count history for the duration of your active challenges

We do not access heart rate, sleep, weight, nutrition, or any other health categories. Step data is synced to our servers solely to track progress in challenges you have joined.

1.3 Device Information

We collect a stable device identifier to associate step submissions with a specific device. This helps us detect anomalies and maintain the integrity of challenge results. We do not collect your device's advertising identifier.

1.4 Usage & Analytics Data

We use PostHog to understand how the app is used. This includes events such as screens visited, features used, and performance metrics. Analytics data is associated with your account to help us improve the experience.

1.5 Crash & Error Reports

We use Sentry to collect crash reports and error logs. These may include device model, operating system version, and stack traces. Crash reports help us identify and fix bugs.

1.6 Push Notification Tokens

If you enable push notifications, we store a Firebase Cloud Messaging (FCM) token linked to your account. This token is removed when you sign out.

2. How We Use Your Information

We use your information to:

• Create and maintain your account
• Track step progress and display leaderboards in challenges you join
• Send push notifications about challenge activity (if enabled)
• Detect and prevent cheating or manipulation of step data
• Analyse usage patterns to improve the app
• Diagnose technical issues and fix bugs
• Communicate service updates or respond to support requests

3. Legal Basis for Processing (POPIA)

We process your personal information on the following grounds:

• Consent — You give explicit consent when you grant health data access and when you sign in with Google or Apple.
• Contract — Processing is necessary to provide the Service you signed up for (tracking steps in challenges).
• Legitimate interest — We have a legitimate interest in preventing fraud, improving the app, and ensuring service reliability.

4. Data Sharing

We do not sell your personal information. We share data only with the following service providers who process it on our behalf:

• Google Firebase — Authentication, database, cloud functions, and push notifications
• PostHog — Product analytics
• Sentry — Error and crash reporting

Your step counts and display name are visible to other participants in challenges you join. This is a core part of how the Service works.

5. Data Retention

We retain your account data and step history for as long as your account is active. If you request account deletion, we will remove your personal information within 30 days, except where we are required by law to retain it.

Aggregated, anonymised data (such as total steps across all users) may be retained indefinitely for analytical purposes.

6. Data Security

We use industry-standard measures to protect your data, including encrypted connections (TLS), Firebase security rules, and server-side authentication. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

Under POPIA and applicable law, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Object to processing based on legitimate interest
• Withdraw consent at any time (e.g., revoke health data access in your device settings)
• Lodge a complaint with the Information Regulator (South Africa)

To exercise any of these rights, contact us at privacy@thestepupchallenge.com.

8. Children

Step Up is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

9. International Transfers

Our service providers (Google, PostHog, Sentry) may process data outside of South Africa. Where this occurs, we ensure that appropriate safeguards are in place as required by POPIA Section 72.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

• Email: privacy@thestepupchallenge.com
• Entity: Dekode (Pty) Ltd, South Africa