StepstakesDownload the App

PRIVACY POLICY

Last updated: May 18, 2026

What We Collect

When you create an account, we collect your name, email address, date of birth, zip code, phone number, and optionally your gender. We also collect a device identifier and HealthKit identity for fraud prevention.

HealthKit Data

Stepstakes reads your daily step count from Apple HealthKit. This data is used solely to calculate your personalized daily target and determine whether you've met your target each day. We store daily step totals (not granular intraday data) in our database to power the product.

We never sell, share, or use your HealthKit data for advertising. HealthKit data is not shared with any third party. It is used only for the core product function described above, in compliance with Apple's HealthKit guidelines.

How We Use Your Information

  • To operate the sweepstakes (calculate targets, credit entries, conduct drawings)
  • To send you daily emails about your progress and prizes
  • To verify your identity if you win a prize
  • To prevent fraud and enforce our terms of service
  • To comply with legal obligations (e.g., IRS reporting for prizes over $600)

What We Don't Do

  • We do not sell your personal information
  • We do not share HealthKit data with third parties
  • We do not use your data for targeted advertising
  • We do not track your location

App Tracking Transparency

Stepstakes does not track you across other companies' apps or websites. We do not participate in ad networks or use advertising identifiers (IDFA). We do not collect data for the purpose of tracking as defined by Apple's App Tracking Transparency framework.

Data Storage and Security

Your data is stored securely using Supabase (hosted on AWS in the United States). We use row-level security policies to ensure participants can only access their own data. All data is encrypted in transit via TLS and at rest via AES-256.

Data Retention and Deletion

You can delete your account at any time from the app's settings. When you delete your account, we permanently remove your personal data within 30 days. Some data may be retained longer if required by law (e.g., winner records for tax reporting purposes are retained for 7 years per IRS requirements).

Third-Party Services

We use the following services to operate Stepstakes:

  • Supabase — database and authentication
  • Resend — email delivery
  • Twilio — SMS verification during signup
  • Sentry — error monitoring (no personal data is sent)

These services process data only as necessary to provide their respective functions. We do not share your data with any other third parties.

Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: You can request what personal information we collect, use, and disclose about you.
  • Right to Delete: You can request deletion of your personal information. You can do this directly in the app settings, or by emailing us.
  • Right to Correct: You can request correction of inaccurate personal information.
  • Right to Opt-Out of Sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, email privacy@playstepstakes.com. We will respond within 45 days.

Children's Privacy

Stepstakes is not intended for anyone under 18. We do not knowingly collect information from anyone under 18. If we learn we have collected information from someone under 18, we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect.

Contact

Questions about this policy? Email us at privacy@playstepstakes.com.