Kingdom of Saudi Arabia
Privacy Policy
Last updated: May 2026
Please read this Privacy Policy carefully before using the STEPPI platform. By registering as a STEPPI user in connection with a KSA corporate wellness programme, you confirm that you have read and understood this policy and, where consent is required, that you freely give your consent as described below.
1. Who We Are
STEPPI DMCC ("STEPPI", "we", "us", "our") operates the STEPPI fitness and wellness platform, including the STEPPI corporate wellness platform and website at www.steppi.com. STEPPI is a Free Zone Company registered in the Dubai Multi Commodities Centre (DMCC), United Arab Emirates.
In the Kingdom of Saudi Arabia, STEPPI operates exclusively as a business-to-business (B2B) corporate wellness platform. Employers and other corporate entities ("Corporate Clients") contract directly with STEPPI to provide the platform to their employees ("Employees") as part of a structured wellness programme.
For the purposes of the Saudi Personal Data Protection Law (PDPL) (Royal Decree No. M/19, 9/2/1443H) and its implementing regulations, STEPPI DMCC acts as the data controller in respect of personal data collected from KSA-based Corporate Clients and Employees. SDAIA (the Saudi Data and Artificial Intelligence Authority) is the supervisory authority responsible for overseeing compliance with the Saudi PDPL.
STEPPI is committed to registering with SDAIA as required under the PDPL prior to processing personal data of Saudi Arabian data subjects. For all data protection enquiries, please contact us at privacy@steppi.com.
2. What Personal Data We Collect
We collect the following categories of personal data from KSA-based Corporate Clients and Employees:
2.1 Corporate Client Data
When a Corporate Client enters into a Commercial Agreement with STEPPI, we collect: legal entity name and company registration details; contact details of the designated corporate administrator(s) (name, email address, phone number); billing and invoicing details (company address, VAT registration number); and details of the corporate wellness programme configuration.
2.2 Employee Account Registration Data
When an Employee registers for the STEPPI platform in connection with a KSA corporate wellness programme, we collect: email address; mobile phone number; date of birth (to verify minimum age of 18 years); country of residence; device information (device type, operating system, and device identifiers); mobile network and area code.
2.3 Employee Profile Data
Upon activating their account, Employees may optionally provide: age, height, weight, and gender (used to personalise activity metrics); nationality; profile photograph. Employees are not required to provide this information to use the core STEPPI service.
2.4 Health and Fitness Activity Data (Sensitive Personal Data)
We collect the following activity metrics from participating Employees: steps (the number of steps taken each day); distance (the distance travelled during physical activity); active minutes (time spent in moderate to vigorous physical activity); calories (estimated calories burned during activity).
We do not collect heart rate, sleep data, blood oxygen, BMI, or any other health metric beyond those listed above.
2.5 Wearable Device and Integration Data
Employees may choose to connect STEPPI to a wearable device or third-party health application. This is entirely optional and requires the Employee's active consent within the app. We currently support: Apple HealthKit (iOS); Google Health Connect (Android); Google Fit; Fitbit; Garmin Connect.
2.6 Communications Data
When you contact us or interact with STEPPI communications, we may collect: the content of messages you send to us; email open and click data (via Mailchimp); push notification interaction data (via Twilio).
2.7 Technical and Usage Data
When Employees use the STEPPI platform or when Corporate Clients or Employees visit our website, we automatically collect: browser type and version; operating system; device type and identifiers; pages visited and features used; time and duration of sessions; crash and diagnostic data. We use Google Analytics to collect website usage data.
2.8 Data We Do Not Collect
STEPPI does not collect: precise GPS location or real-time location tracking; heart rate, blood oxygen, sleep data, or BMI; financial or payment card data from Employees (Corporate Clients are invoiced separately); or sensitive personal data beyond the health and fitness activity data described in section 2.4 above.
3. How We Use Your Data and Our Lawful Basis
Under the Saudi PDPL, we must have a lawful basis for processing personal data. For sensitive personal data (health and fitness activity data), we must obtain explicit consent. The following table sets out our processing purposes and the applicable lawful basis:
4. Health and Fitness Data — Employee Consent
4.1 What Employees Are Consenting To
When an Employee registers for the STEPPI platform and accepts this Privacy Policy, they give their explicit consent to STEPPI processing their health and fitness activity data for: tracking and displaying their daily steps, distance, active minutes and calories within the STEPPI platform; calculating their progress towards personal and challenge-based fitness goals; participating in individual and team fitness challenges; and generating their activity history and progress reports.
Employees will be asked to give separate, explicit consent to their employer (the Corporate Client) being able to view their individual activity data. This consent is separate from the general consent to use the platform.
4.2 Freely Given Consent
An Employee's consent is entirely voluntary. No Employee will be penalised for refusing to consent, and refusal will not affect their employment, in accordance with applicable Saudi labour law. Corporate Clients are required, by the terms of their Commercial Agreement with STEPPI, to ensure that Employee participation in the wellness programme is voluntary.
4.3 Withdrawing Consent
Under the Saudi PDPL, Employees have the right to withdraw their consent to the processing of their sensitive personal data at any time. Employees can do this by: deleting their STEPPI account via the platform settings; or emailing privacy@steppi.com with a request to stop processing their health data. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4.4 Wearable Device Consent
Connecting a wearable device or third-party health application to the STEPPI account is optional. Employees must actively authorise each integration within the platform. Employees can disconnect any integration at any time through their account settings.
5. Who We Share Your Data With
We do not sell personal data. We share data only in the circumstances described below.
5.1 Third-Party Service Providers (Data Processors)
We use carefully selected third-party service providers who process data only on our instructions and are bound by appropriate data processing agreements and safeguards:
5.2 Corporate Clients (Employer)
If an Employee uses STEPPI through a corporate wellness programme arranged by their employer, the Corporate Client will have access to that Employee's individual activity data, including steps, distance, active minutes, and calories. This data is not anonymised or aggregated. Before this sharing occurs, the Employee will be asked to give their explicit consent during the account set-up process.
The Corporate Client has agreed to STEPPI's Data Processing Agreement and is bound by obligations to use Employee data only for the purposes of operating and evaluating the wellness programme, in accordance with the Saudi PDPL.
The Corporate Client may not use individual Employee activity data to make decisions about employment terms, performance, pay, or dismissal based solely on that data, and must comply with applicable Saudi labour law requirements.
5.3 Legal and Regulatory Disclosure
We may disclose personal data to Saudi Arabian law enforcement agencies, courts, SDAIA, the CITC, or other Saudi authorities if required by applicable Saudi law, or if we believe in good faith that such disclosure is necessary to protect our legal rights or the safety of others.
5.4 Business Transfers
If STEPPI is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will provide prior notice before data is transferred and becomes subject to a different privacy policy.
6. Corporate Wellness Programme — Additional Information
6.1 How Employees Join
If a Corporate Client has arranged access to STEPPI as part of a workplace wellness programme, Employees will be invited to download the STEPPI app and create their own personal accounts. Account creation and the consent given during that process are entirely the Employee's own decision. Employees are not required to join, and their decision will not affect their employment.
6.2 What Corporate Clients Can See
A Corporate Client's corporate wellness dashboard shows the following data about individual participating Employees: name and profile information; daily and cumulative steps, distance, active minutes and calories; participation in challenges and ranking within team challenges; activity trends over time. Before joining, Employees will be shown a clear consent screen specifically explaining that their employer will be able to see their individual activity data.
6.3 What Corporate Clients Cannot See
Corporate Clients cannot see: Employee account passwords or login credentials; any private messages or communications between Employees and STEPPI; data from wearable integrations that an Employee has not connected to STEPPI; or any health data beyond the activity metrics described above.
6.4 Rewards in KSA
Employees in KSA may be eligible for Rewards (discount vouchers and promotional codes from participating partners) available through the STEPPI platform, subject to the terms of the relevant rewards programme as communicated within the platform. STEPPI reserves the right to modify or discontinue the Rewards programme at any time.
6.5 Leaving the Programme
If an Employee leaves the corporate wellness programme — whether because they leave their employer or choose to withdraw — their individual account and data will remain active unless they choose to delete their account. If an Employee wishes to have their data removed, they may request account deletion via the platform or by emailing privacy@steppi.com.
7. International Data Transfers
STEPPI is based in the UAE and Employee personal data is stored on servers operated by Microsoft Azure in the United Arab Emirates. Transferring personal data from the Kingdom of Saudi Arabia to the UAE constitutes an international transfer of personal data under the Saudi PDPL.
To ensure that personal data transferred from Saudi Arabia to the UAE receives an equivalent level of protection, STEPPI has implemented the following safeguards:
· Standard Contractual Clauses (SCCs) adapted for Saudi PDPL requirements — contractual provisions requiring Microsoft Azure to protect data to a standard equivalent to Saudi law;
· Data Processing Agreement with Microsoft Azure requiring technical and organisational security measures equivalent to those required under the Saudi PDPL; and
· A Privacy Risk Assessment has been conducted to assess the risks of transferring Saudi personal data to UAE-based servers.
Transfer to US-Based Processors: Our third-party processors based in the United States (Twilio, Mailchimp, Google) are bound by Standard Contractual Clauses and data processing agreements requiring them to protect personal data in accordance with the Saudi PDPL requirements.
Future Infrastructure Plans: STEPPI plans to deploy Microsoft Azure infrastructure within the Kingdom of Saudi Arabia (Azure Saudi North) when operationally feasible. When this migration occurs, international transfer provisions will no longer apply to KSA-based Employee data. We will update this Privacy Policy to reflect any such change.
You may request further information about our transfer safeguards by contacting privacy@steppi.com.
8. Your Rights Under the Saudi PDPL
Under the Saudi Personal Data Protection Law (Royal Decree No. M/19, 9/2/1443H) and its implementing regulations, Corporate Clients and Employees have the following rights in relation to their personal data. There is no charge for exercising these rights. We will acknowledge requests within 5 business days and endeavour to respond in full within 30 days.
8.1 How to Exercise Your Rights
To exercise any of the rights above, please contact us at privacy@steppi.com with the subject line "Privacy Request — KSA" including your name and the right you wish to exercise. We will acknowledge your request within 5 business days and respond in full within 30 days.
8.2 Right to Complain to SDAIA
If you are not satisfied with how we handle your personal data or respond to your rights request, you have the right to make a complaint to SDAIA (the Saudi Data and Artificial Intelligence Authority), the supervisory authority responsible for enforcing the Saudi PDPL. We would appreciate the opportunity to address your concerns directly first — please contact us at privacy@steppi.com.
9. How Long We Keep Your Data
Corporate Clients and Employees can request deletion of accounts and data at any time via the STEPPI platform or by emailing privacy@steppi.com. When we no longer need personal data, we will securely delete or anonymise it.
10. Marketing Communications
With an Employee's consent, we may send marketing communications about STEPPI features, challenges, Rewards, and partner offers via email (Mailchimp) and push notifications (Twilio). Employees can withdraw consent and opt out at any time by: clicking the unsubscribe link in any marketing email; adjusting notification preferences in the STEPPI platform settings; or emailing privacy@steppi.com. Opting out will not affect service-related communications.
11. Cookies and Tracking Technologies
Our website at www.steppi.com uses cookies and similar tracking technologies. We use: strictly necessary cookies (essential for website function — cannot be disabled); analytics cookies (we use Google Analytics to understand website usage — only placed with consent); and preference cookies (remember settings and preferences).
When you first visit www.steppi.com, you will be shown a cookie consent banner. You can change your cookie preferences at any time by visiting our Cookie Preference Centre at www.steppi.com/cookies or by adjusting your browser settings.
12. Minimum Age for KSA Employees
The STEPPI corporate wellness platform in KSA is available only to Employees aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18 in connection with our KSA operations. During account registration, we collect the Employee's date of birth and do not permit account creation for users below the minimum age. If we become aware that a user under the age of 18 has created an account in connection with a KSA corporate wellness programme, we will promptly delete the account and associated data.
13. How We Protect Your Data
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including:
· encryption of data in transit using TLS/SSL;
· encryption of health and fitness data at rest;
· strict access controls — only authorised personnel with a legitimate need can access personal data;
· confidentiality obligations for all personnel with access to personal data;
· regular security reviews and assessments; and
· incident response procedures for detecting and responding to data breaches.
In the event of a personal data breach affecting KSA-based personal data, we will notify SDAIA and, where required, affected Corporate Clients and Employees in accordance with the Saudi PDPL and its implementing regulations.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable law. When we make material changes, we will: update the version number and effective date; post the updated policy on our website; and notify Corporate Clients and Employees by email and/or in-platform notification. Where a change involves a new or different use of sensitive personal data, we will seek fresh consent before the change takes effect.
Note: If required by Saudi law, a certified Arabic translation of this Privacy Policy will be made available. In the event of any inconsistency between the English and Arabic versions, the Arabic version will prevail where required by applicable Saudi law.
15. How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
STEPPI DMCC • DMCC-745776 • Unit 606-A17, Platinum Tower, JLT, Dubai, UAE • privacy@steppi.com • www.steppi.com
© 2026 STEPPI. All rights reserved.
