EN TR

Privacy Policy

Last updated: 23 May 2026 · Effective immediately.

Draft notice. This document is a working draft prepared by the StepMap team and has not yet been reviewed by a lawyer. It is provided for transparency. A reviewed version will replace this page before public release.

1. Who we are

StepMap (the "App", "we", "us") is a mobile game where players walk in the real world to draw closed routes that become in-game territories. StepMap is operated as an individually-run project. You can reach us at support@stepmap.app.

2. What data we collect

We collect only the data needed to run the game.

2.1 Account data

Authentication identifier from Apple Sign In or Google OAuth
Email address (provided by the OAuth provider)
Display name and avatar chosen during onboarding
Language preference and analytics opt-in flag

2.2 Gameplay data

Walk records: start/end timestamps, step count, GPS route polyline
Territories: polygon, area, perimeter, owner, creation date
Placed emojis, HP, attack history
Team membership and team-attributed walks

2.3 Location data

While a walk is in progress we read your device's GPS coordinates to draw the route. Location reading runs in the foreground and, if you grant the "Always" permission, also in the background while a walk is active. We stop reading location the moment the walk ends or is cancelled. Coordinates are stored as the route polyline of the walk.

2.4 Health data

Step counts are read from Apple HealthKit on iOS and from Health Connect on Android. We read only the step-count type and only for the time window of the walk plus the current day. Health data is processed on-device and the resulting integer step count is attached to the walk record. We do not read heart rate, blood glucose, menstrual cycle, sleep, or other HealthKit/Health Connect data types.

2.5 Purchases

Premium subscriptions are processed by Apple App Store or Google Play. We never see your card details. RevenueCat provides us with a subscription status and expiry date tied to your StepMap user ID.

2.6 Analytics (opt-in)

If you enable "Send anonymous stats" in Profile, we send product analytics events (screen views, button taps, walk lifecycle, error events) to PostHog (EU region). The default is opt-in only — you can turn it off at any time in Profile and we will stop sending events immediately. We do not link analytics events to your real name or email; only to your StepMap user ID.

3. Where your data is stored

Supabase (EU — Ireland): the primary database holding account, walks, territories, emojis, teams.
PostHog (EU): product analytics events, opt-in only.
RevenueCat: subscription state and entitlements.
Your device: session tokens (secure storage), settings, cached game state.

4. Who we share your data with

We do not sell your data. We share it only with the processors above to operate the service. We do not share data with advertisers. We may disclose data if compelled by a valid legal request from a Turkish or EU authority.

5. How long we keep your data

Account data: until you delete your account.
Walks & territories: indefinitely while the account is active; up to 30 days after account deletion in encrypted backups.
Analytics: rolling 12 months in PostHog.
Support emails: up to 24 months.

6. Your rights

Under GDPR (EU) and KVKK (Türkiye) you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion ("right to be forgotten")
Export your data in a machine-readable format (portability)
Withdraw consent (e.g. turn analytics off)
Lodge a complaint with your supervisory authority (KVKK in Türkiye, your national DPA in the EU)

To exercise these rights email support@stepmap.app. We respond within 30 days.

7. Children

StepMap is not directed to children under 13. We do not knowingly collect data from children under 13 (COPPA, US). Users between 13 and the digital age of consent in their country must have parental permission. If you believe a child has signed up, contact us and we will delete the account.

8. Cookies and tracking

The mobile app does not use browser cookies. Analytics events use a first-party PostHog distinct ID tied to your StepMap user ID. There are no third-party advertising trackers or SDKs.

9. HealthKit-specific terms (iOS)

In line with Apple's HealthKit policy:

We use HealthKit data only to count steps for gameplay and to display your stats.
We will never sell, share for advertising, or use HealthKit data for marketing.
We do not write data back to HealthKit. We only read the step-count sample.

10. Security

Data in transit is encrypted with TLS. Data at rest is encrypted by Supabase. Session tokens live in iOS Keychain / Android Keystore via expo-secure-store. You can revoke a device by signing out.

11. Changes to this policy

We will notify in-app and update the "Last updated" date above when we change this policy materially.

12. Contact

Email: support@stepmap.app