United Arab Emirates

Privacy Policy

Last updated: May 2026

Please read this Privacy Policy carefully before using the STEPPI platform. By creating a STEPPI account, you confirm that you have read and understood this policy and, where consent is required, that you freely give your consent as described below.

1. Who We Are

STEPPI DMCC ("STEPPI", "we", "us", "our") operates the STEPPI fitness and wellness platform, including the STEPPI mobile application and website at www.steppi.com. STEPPI is a Free Zone Company registered in the Dubai Multi Commodities Centre (DMCC), United Arab Emirates.

For the purposes of UAE data protection law, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL") and its implementing regulations, STEPPI DMCC acts as the data controller in respect of personal data collected from users in the UAE. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring processing is carried out lawfully and in accordance with this Privacy Policy and the UAE PDPL.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at privacy@steppi.com.

2. What Personal Data We Collect

We collect the following categories of personal data when you use the STEPPI platform:

2.1 Account Registration Data

When you create a STEPPI account, we collect: email address; mobile phone number; date of birth (to verify minimum age of 13 years); country of residence (country-level only — we do not collect precise GPS location); device information (device type, operating system, and device identifiers); mobile network and area code.

2.2 Profile Data

Upon activating your account, you may optionally provide: age, height, weight, and gender (used to personalise activity metrics); nationality; profile photograph. You are not required to provide this information to use the core STEPPI service.

2.3 Health and Fitness Activity Data (Sensitive Personal Data)

We collect the following activity metrics: steps (the number of steps you take each day); distance (the distance you travel during physical activity); active minutes (time spent in moderate to vigorous physical activity); calories (estimated calories burned during activity).

We do not collect heart rate, sleep data, blood oxygen, BMI, or any other health metric beyond those listed above.

2.4 Wearable Device and Integration Data

You may choose to connect STEPPI to a wearable device or third-party health application. This is entirely optional and requires your active consent within the app. We currently support: Apple HealthKit (iOS); Google Health Connect (Android); Google Fit; Fitbit; Garmin Connect.

2.5 Communications Data

When you contact us or interact with STEPPI communications, we may collect: the content of messages you send to us; email open and click data (via Mailchimp); push notification interaction data (via Twilio).

2.6 Technical and Usage Data

When you use the STEPPI platform or visit our website, we automatically collect: browser type and version; operating system; device type and identifiers; pages visited and features used; time and duration of sessions; crash and diagnostic data. We use Google Analytics to collect website usage data.

2.7 Data We Do Not Collect

STEPPI does not collect: precise GPS location or real-time location tracking; heart rate, blood oxygen, sleep data, or BMI; financial or payment card data; sensitive personal data beyond the health and fitness activity data described in section 2.3 above.

3. How We Use Your Data and Our Lawful Basis

Under the UAE PDPL, we must have a lawful basis for processing your personal data. For sensitive personal data (health and fitness data), we must obtain your explicit consent. The following table sets out our processing purposes and the basis for each:

4. Health and Fitness Data — Your Explicit Consent

Under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), data relating to your physical health — including fitness and activity data — is classified as Sensitive Personal Data requiring explicit consent.

4.1 What You Are Consenting To

When you create a STEPPI account and accept this Privacy Policy, you give your explicit consent to STEPPI processing your health and fitness activity data for: tracking and displaying your daily steps, distance, active minutes and calories within the STEPPI app; calculating your progress towards personal and challenge-based fitness goals; participating in individual and team fitness challenges; and generating your activity history and progress reports.

If you participate in a corporate wellness programme through STEPPI, you will be asked to give separate, explicit consent to your employer being able to view your individual activity data.

4.2 Freely Given Consent

Your consent is entirely voluntary. You will not be penalised for refusing to consent, and refusal will not affect your employment or any other relationship with your employer.

4.3 Withdrawing Your Consent

Under the UAE PDPL, you have the right to withdraw your consent to the processing of your sensitive personal data at any time. You can do this by: deleting your STEPPI account via the app settings; or emailing privacy@steppi.com with a request to stop processing your health data. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4.4 Wearable Device Consent

Connecting a wearable device or third-party health application to your STEPPI account is optional. You must actively authorise each integration within the app. You can disconnect any integration at any time through your account settings.

5. Who We Share Your Data With

We do not sell your personal data. We share your data only in the circumstances described below.

5.1 Third-Party Service Providers (Data Processors)

We use carefully selected third-party service providers who process your data only on our instructions and are bound by appropriate data processing agreements and safeguards:

5.2 Corporate Wellness Clients (Your Employer)

If you use STEPPI through a corporate wellness programme arranged by your employer: your employer will have access to your individual activity data — including your steps, distance, active minutes and calories. Before this sharing occurs, you will be asked to give your explicit consent during the account set-up process. You are under no obligation to participate.

Your employer has agreed to STEPPI's Data Processing Agreement and is bound by obligations to use your data only for the purposes of operating and evaluating the wellness programme, in accordance with the UAE PDPL.

5.3 Legal and Regulatory Disclosure

We may disclose your personal data to UAE law enforcement agencies, courts, regulators (including the UAE Data Office), or other authorities if required by applicable UAE law, or if we believe in good faith that such disclosure is necessary to protect our legal rights or the safety of others.

5.4 Business Transfers

If STEPPI is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Corporate Wellness Users — Additional Information

6.1 How You Join

If your employer has arranged access to STEPPI as part of a workplace wellness programme, you will be invited to download the STEPPI app and create your own personal account. Account creation and the consent you give are entirely your own decision. You are not required to join, and your decision will not affect your employment.

6.2 What Your Employer Can See

Your employer's corporate wellness dashboard shows: your name and profile information; your daily and cumulative steps, distance, active minutes and calories; your participation in challenges and your ranking within team challenges; your activity trends over time. Before you join, you will be shown a clear consent screen specifically explaining that your employer will be able to see your individual activity data.

6.3 What Your Employer Cannot See

Your employer cannot see: your account password or login credentials; any private messages or communications with STEPPI; data from wearable integrations you have not connected to STEPPI; or any health data beyond the activity metrics described above.

6.4 Rewards in the UAE

UAE users may be eligible for Rewards (discount vouchers and promotional codes) available through the STEPPI platform. Rewards are provided by third-party partners and are subject to the terms of those partners. STEPPI reserves the right to modify or discontinue the Rewards programme at any time.

6.5 Leaving the Programme

If you leave the corporate wellness programme, your individual account and data will remain active unless you choose to delete your account. If you wish to have your data removed, you may request account deletion via the app or by emailing privacy@steppi.com.

7. International Data Transfers

STEPPI is based in the UAE and your personal data is stored on servers operated by Microsoft Azure within the United Arab Emirates. There is no international transfer of your data to our hosting servers.

However, certain third-party processors (Twilio, Mailchimp, Google) are based in the United States and will process your data in the US. Under the UAE PDPL, transferring personal data outside the UAE requires appropriate safeguards. We have implemented the following measures for transfers to our US-based processors:

· Standard Contractual Clauses (SCCs) adapted for UAE PDPL requirements;

· Contractual obligations requiring US processors to protect your data to a standard equivalent to UAE law;

· Data processing agreements binding all third-party processors to our data protection standards.

You may request a copy of the transfer safeguards we have in place by contacting privacy@steppi.com.

Future Infrastructure Plans: As our operations grow, we may migrate to additional Azure regions within the UAE or GCC region. We will update this Privacy Policy to reflect any material changes to our infrastructure.

8. Your Rights Under the UAE PDPL

Under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, you have the following rights in relation to your personal data. There is no charge for exercising your rights. We will respond within 5 business days and endeavour to resolve requests within one calendar month.

8.1 How to Exercise Your Rights

To exercise any of the rights above, please contact us at privacy@steppi.com with the subject line "Privacy Request" including your name and the right you wish to exercise. We will acknowledge your request within 5 business days and respond in full within one calendar month.

8.2 Right to Complain to the UAE Data Office

If you are not satisfied with how we handle your personal data, you have the right to make a complaint to the UAE Data Office (the supervisory authority responsible for enforcing the UAE PDPL). We would appreciate the opportunity to address your concerns directly first — please contact us at privacy@steppi.com.

9. How Long We Keep Your Data

You can request deletion of your account and data at any time via the STEPPI app or by emailing privacy@steppi.com. When we no longer need your data, we will securely delete or anonymise it.

10. Marketing Communications

With your consent, we may send you marketing communications about STEPPI features, challenges, Rewards, partner offers, and updates via email (Mailchimp) and push notifications (Twilio). You can withdraw consent and opt out at any time by: clicking the unsubscribe link in any marketing email; adjusting your notification preferences in the STEPPI app settings; or emailing privacy@steppi.com. Opting out will not affect service-related communications.

STEPPI rewards (discount vouchers and promotional codes from participating partners) are available to UAE users through the STEPPI platform, subject to the terms of the relevant rewards programme.

11. Cookies and Tracking Technologies

Our website at www.steppi.com uses cookies and similar tracking technologies. We use: strictly necessary cookies (essential for website function — cannot be disabled); analytics cookies (we use Google Analytics to understand website usage — only placed with your consent); and preference cookies (remember your settings and preferences).

When you first visit www.steppi.com, you will be shown a cookie consent banner through which you can accept or decline non-essential cookies. You can change your cookie preferences at any time by visiting our Cookie Preference Centre at www.steppi.com/cookies, or by adjusting your browser settings.

12. Children and Young People

The STEPPI platform is intended for users aged 13 and over. We do not knowingly collect personal data from children under the age of 13. Under UAE law and DMCC regulations, we apply the following safeguards for younger users:

· we do not use the personal data of users under 18 for profiling or targeted advertising;

· privacy settings for under-18 users default to the most protective available settings; and

· we do not send marketing communications to users who indicated they are under 18 at registration.

If a minor under 18 does not have parental or guardian consent, they may not use the Services. If you believe that a child under the age of 13 has created a STEPPI account, please contact us at privacy@steppi.com and we will promptly investigate and delete the account.

13. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:

· encryption of data in transit using TLS/SSL;

· encryption of health and fitness data at rest;

· strict access controls — only authorised personnel with a legitimate need can access your personal data;

· confidentiality obligations for all personnel with access to personal data;

· regular security reviews and assessments; and

· incident response procedures for detecting and responding to data breaches.

In the event of a personal data breach, we will notify the UAE Data Office and, where required, affected individuals in accordance with the UAE PDPL and its implementing regulations.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable law. When we make material changes, we will: update the version number and effective date; post the updated policy on our website; and notify you by email and/or in-app notification. Where a change involves a new or different use of your sensitive personal data, we will seek your fresh consent before the change takes effect.

15. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

STEPPI DMCC • DMCC-745776 • Unit 606-A17, Platinum Tower, JLT, Dubai, UAE • privacy@steppi.com • www.steppi.com

© 2026 STEPPI. All rights reserved.