United Kingdom

Privacy Policy

Last updated: May 2026

Please read this Privacy Policy carefully before using the STEPPI platform. By creating a STEPPI account you confirm you have read and understood this policy and, where consent is required, that you freely give your consent as described below.

1. Who We Are

STEPPI UK LIMITED ("STEPPI", "we", "us", "our") operates the STEPPI fitness and wellness platform, including the STEPPI mobile application and website at www.steppi.com. STEPPI UK LIMITED is a company incorporated in England and Wales (Company No. 15763243).

For the purposes of UK data protection law, STEPPI UK LIMITED is the data controller in respect of personal data collected from users in the United Kingdom. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is carried out lawfully and in accordance with this Privacy Policy and the UK General Data Protection Regulation (UK GDPR).

If you have any questions about this Privacy Policy, please contact our Data Protection Officer at privacy@steppi.com.

2. What Personal Data We Collect

We collect the following categories of personal data when you use the STEPPI platform:

2.1 Account Registration Data

When you create a STEPPI account, we collect: email address; mobile phone number; date of birth (to verify minimum age of 13 years); country of residence (country-level only — we do not collect precise GPS location); device information (device type, operating system, and device identifiers); mobile network and area code.

2.2 Profile Data

Upon activating your account, you may optionally provide: age, height, weight, and gender (used to personalise activity metrics); nationality; profile photograph. You are not required to provide this information to use the core STEPPI service, but some personalised features may not be available without it.

2.3 Health and Fitness Activity Data

We collect the following activity metrics: steps (the number of steps you take each day); distance (the distance you travel during physical activity); active minutes (time spent in moderate to vigorous physical activity); calories (estimated calories burned during activity).

We do not collect heart rate, sleep data, blood oxygen, BMI, or any other health metric beyond those listed above.

2.4 Wearable Device and Integration Data

You may choose to connect STEPPI to a wearable device or third-party health application. This is entirely optional and requires your active consent within the app. If you connect a wearable or integration, we will read your activity data (steps, distance, active minutes and calories) from that source. We currently support: Apple HealthKit (iOS); Google Health Connect (Android); Google Fit; Fitbit; Garmin Connect.

Data received from Apple HealthKit will not be used by STEPPI for marketing or advertising purposes, and will not be shared with third parties for marketing or advertising, in accordance with Apple's HealthKit guidelines. Data received via Google Health Connect will be used in accordance with the Health Connect Permissions Policy, including the Limited Use requirements.

2.5 Communications Data

When you contact us or interact with STEPPI communications, we may collect: the content of messages you send to us; email open and click data (via Mailchimp); push notification interaction data (via Twilio).

2.6 Technical and Usage Data

When you use the STEPPI platform or visit our website, we automatically collect certain technical data, including: browser type and version; operating system; device type and identifiers; pages visited and features used; time and duration of sessions; crash and diagnostic data. We use Google Analytics to collect website usage data.

2.7 Data We Do Not Collect

STEPPI does not collect: precise GPS location or real-time location tracking; heart rate, blood oxygen, sleep data, or BMI; financial or payment card data; sensitive personal data beyond the health and fitness activity data described in section 2.3 above.

3. How We Use Your Data and Our Lawful Basis

UK GDPR requires us to have a lawful basis for every way we process your personal data. Where we process special category health data, we must also satisfy an additional condition under Article 9 UK GDPR.

Where we rely on legitimate interests as our lawful basis, we have assessed that our legitimate interests are not overridden by your rights and interests. You have the right to object to processing based on legitimate interests — see Section 8 for details.

4. Health and Fitness Data — Your Explicit Consent

Under Article 9 of the UK GDPR, data relating to your physical health — including fitness and activity data — is classified as special category data. STEPPI collects this type of data as it is central to the service we provide.

4.1 What You Are Consenting To

When you create a STEPPI account and accept this Privacy Policy, you give your explicit consent to STEPPI processing your health and fitness activity data for the following purposes:

· tracking and displaying your daily steps, distance, active minutes and calories within the STEPPI app;

· calculating your progress towards personal and challenge-based fitness goals;

· participating in individual and team fitness challenges on the platform; and

· generating your activity history and progress reports.

If you participate in a corporate wellness programme through STEPPI, you will be asked to give separate, explicit consent to your employer being able to view your individual activity data.

4.2 Your Consent is Freely Given

Your consent is entirely voluntary. You will not be penalised for refusing to consent, and refusal will not affect your employment or any other relationship with your employer.

4.3 Withdrawing Your Consent

You have the right to withdraw your consent to the processing of your health and fitness data at any time. You can do this by: deleting your STEPPI account via the app settings; or emailing privacy@steppi.com with a request to stop processing your health data. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4.4 Wearable Device Consent

Connecting a wearable device or third-party health application to your STEPPI account is optional. You must actively authorise each integration within the app. You can disconnect any integration at any time through your account settings.

5. Who We Share Your Data With

We do not sell your personal data. We share your data only in the circumstances described below.

5.1 Third-Party Service Providers (Data Processors)

We use carefully selected third-party service providers who act as data processors — they process your data only on our instructions and are bound by data processing agreements.

5.2 Corporate Wellness Clients (Your Employer)

If you use STEPPI through a corporate wellness programme arranged by your employer: your employer will have access to your individual activity data — including your steps, distance, active minutes and calories. This is not anonymised or aggregated. Before this sharing occurs, you will be asked to give your explicit consent during the account set-up process. You are under no obligation to participate and your employment will not be affected if you choose not to join.

Your employer has agreed to STEPPI's Data Processing Agreement and is bound by obligations to use your data only for the purposes of operating and evaluating the wellness programme. Your employer may not use your individual activity data to make decisions about your employment, performance, or pay without your knowledge and consent.

5.3 Legal and Regulatory Disclosure

We may disclose your personal data to law enforcement agencies, courts, regulators, or other authorities if required to do so by law, or if we believe in good faith that such disclosure is necessary to protect our legal rights or the safety of others.

5.4 Business Transfers

If STEPPI is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Corporate Wellness Users — Additional Information

6.1 How You Join

If your employer has arranged access to STEPPI as part of a workplace wellness programme, you will be invited to download the STEPPI app and create your own personal account. Account creation, and the consent you give during that process, is entirely your own decision. You are not required to join, and your decision will not affect your employment.

6.2 What Your Employer Can See

Your employer's corporate wellness dashboard shows: your name and profile information; your daily and cumulative steps, distance, active minutes and calories; your participation in challenges and your ranking within team challenges; your activity trends over time. Before you join, you will be shown a clear consent screen specifically explaining that your employer will be able to see your individual activity data.

6.3 What Your Employer Cannot See

Your employer cannot see: your account password or login credentials; any private messages or communications with STEPPI; data from wearable integrations that you have not connected to STEPPI; or any health data beyond the activity metrics described above.

6.4 Leaving the Programme

If you leave the corporate wellness programme, your individual account and data will remain active unless you choose to delete your account. If you wish to have your data removed, you may request account deletion via the app or by emailing privacy@steppi.com.

7. International Data Transfers

STEPPI is based in the United Arab Emirates (UAE) and your personal data is currently stored on servers operated by Microsoft Azure in the UAE. The UAE is not currently recognised by the UK as a country providing an adequate level of data protection. Transferring your data to our UAE servers therefore constitutes a restricted international transfer under UK GDPR.

To ensure your data receives an equivalent level of protection, we have implemented the following safeguard:

· Transfer Mechanism: UK International Data Transfer Agreement (IDTA) — We have executed a UK IDTA with Microsoft Azure, the ICO-approved mechanism for restricted transfers under UK GDPR. This requires Microsoft Azure to protect your data to the same standard as UK law.

Future Infrastructure Plans: We intend to migrate UK user data to Microsoft Azure infrastructure located within the United Kingdom as soon as this becomes operationally feasible. When this migration occurs, we will update this Privacy Policy.

Our third-party processors based in the United States participate in the UK Extension to the EU-US Data Privacy Framework (DPF), which provides a valid transfer mechanism for UK personal data transferred to certified US organisations. Where reliance on the DPF is not possible, we use the International Data Transfer Addendum (UK Addendum) to the EU Standard Contractual Clauses.

You may request a copy of the transfer safeguards we have in place by contacting privacy@steppi.com.

8. Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights in relation to your personal data. There is no charge for exercising your rights, and we will respond within one calendar month.

8.1 How to Exercise Your Rights

To exercise any of the rights above, please contact our Data Protection Officer at privacy@steppi.com with the subject line "Data Subject Request" including your name and the right you wish to exercise. We will acknowledge your request within 5 working days and respond in full within one calendar month.

8.2 Right to Complain to the ICO

If you are not satisfied with how we handle your personal data, you have the right to make a complaint to the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns directly first — please contact us at privacy@steppi.com.

9. How Long We Keep Your Data

You can request deletion of your account and data at any time via the STEPPI app or by emailing privacy@steppi.com. When we no longer need your data, we will securely delete or anonymise it.

10. Marketing Communications

With your consent, we may send you marketing communications about STEPPI features, challenges, partner offers, and updates via email (Mailchimp) and push notifications (Twilio). You can withdraw consent and opt out at any time by: clicking the unsubscribe link in any marketing email; adjusting your notification preferences in the STEPPI app settings; or emailing privacy@steppi.com.

Please note that STEPPI rewards (discount vouchers) are currently available to users in the UAE and KSA only and are not available to UK users. Opting out of marketing will not affect service-related communications.

11. Cookies and Tracking Technologies

Our website at www.steppi.com uses cookies and similar tracking technologies. We use the following categories of cookies: strictly necessary cookies (essential for the website to function — cannot be disabled); analytics cookies (we use Google Analytics to understand how visitors use our website — only placed with your consent); preference cookies (remember your settings and preferences).

Under the Privacy and Electronic Communications Regulations (PECR), we are required to obtain your consent before placing non-essential cookies on your device. When you first visit www.steppi.com, you will be shown a cookie consent banner. You can change your cookie preferences at any time by visiting our Cookie Preference Centre at www.steppi.com/cookies. For full details, please see our Cookie Notice at www.steppi.com/cookies.

12. Children and Young People

The STEPPI platform is intended for users aged 13 and over. We do not knowingly collect personal data from children under the age of 13. We take the ICO's Age Appropriate Design Code (Children's Code) seriously and have implemented the following safeguards for younger users:

· we do not use the personal data of under-18 users for profiling or targeted advertising;

· we do not share the data of under-18 users with corporate clients without verified parental or guardian consent;

· privacy settings for under-18 users default to the most protective available settings; and

· we do not send marketing communications to users who indicated they are under 18 at registration.

If you believe that a child under the age of 13 has created a STEPPI account, please contact us at privacy@steppi.com and we will promptly investigate and delete the account and associated data.

13. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. Our security measures include:

· encryption of data in transit using TLS/SSL;

· encryption of health and fitness data at rest;

· strict access controls — only authorised personnel with a legitimate need can access your personal data;

· confidentiality obligations for all personnel with access to personal data;

· regular security reviews and assessments; and

· incident response procedures for detecting and responding to data breaches.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable law. When we make changes, we will: update the version number and effective date; post the updated policy on our website; and notify you by email and/or in-app notification of any material changes. Where a change involves a new or different use of your personal data — particularly your health and fitness data — we will seek your fresh consent before the change takes effect.

15. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact our Data Protection Officer:

STEPPI UK LIMITED • Company No. 15763243 • privacy@steppi.com • www.steppi.com

© 2026 STEPPI. All rights reserved.