01 Introduction
LuckyStep ("we", "our", or "us") operates the LuckyStep mobile application (the "App") and the website at luckystep.org (the "Site"). This Privacy Policy explains what personal information we collect when you use the App or Site, how we use that information, the choices you have about your information, and the rights you can exercise.
We've structured this policy to comply with the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), the UK Data Protection Act 2018, and similar regulations worldwide. By using LuckyStep, you agree to the collection and use of information in accordance with this policy.
The short version: we collect your step count, your account email, and basic device info. We use that to operate the app and pay out your gift cards. We don't sell your data. You can request a copy of everything we have on you, or delete it entirely, at any time.
02 Information we collect
2.1 Information you provide directly
- Account information. When you create a LuckyStep account, you provide an email address and choose a display name. You may optionally add a profile photo, date of birth (used to verify age and to compute health metrics), and gender (used to estimate calorie burn).
- Reward delivery information. When you redeem coins for a gift card, we need a delivery email address (which defaults to your account email) and, in some cases, a phone number to complete fraud-prevention checks.
- Support communications. If you contact our support team, we store the messages you send and any information you choose to share in them.
2.2 Information collected automatically
- Step & activity data. The App reads step counts from your device's built-in motion sensor (Android's SensorManager step-counter API). This includes step counts, walking time, and derived metrics such as estimated distance and calories burned. We do not collect GPS location.
- Device information. Device model, operating system version, app version, language, time zone, and a randomly generated device identifier used to detect duplicate accounts. We do not collect IMEI, phone number, contacts, or your installed-app list.
- Usage data. Which screens you view, which features you tap, anonymized error logs, and which quests you complete. We use this to fix bugs and to improve the App.
- Network information. IP address (used for fraud prevention and to deliver region-appropriate rewards) and approximate country derived from IP. We do not store precise location.
2.3 Information from third parties
If you sign in with Google, we receive your email address, name, and profile picture from Google in accordance with Google's privacy policy. We may also receive aggregated, non-identifying information from our advertising partners (e.g., that a particular ad campaign drove an install).
03 How we use your information
We use the information we collect for the following purposes. Each use is mapped to a lawful basis under GDPR Article 6.
- To operate the App — count steps, award coins, run quests, deliver gift cards. Lawful basis: performance of a contract (Art. 6(1)(b)).
- To prevent fraud and abuse — detect duplicate accounts, bot activity, and suspicious patterns to keep the rewards system fair. Lawful basis: legitimate interests (Art. 6(1)(f)).
- To communicate with you — send transactional emails (reward delivery confirmations, password resets) and, with your consent, occasional product updates. Lawful basis: performance of a contract / consent (Art. 6(1)(a)).
- To improve our service — analyze anonymized usage to improve features and fix bugs. Lawful basis: legitimate interests.
- To show relevant advertising — display ads from our advertising partners. You can opt out at any time (see Section 11). Lawful basis: consent.
- To comply with the law — respond to lawful requests from authorities, enforce our terms, prevent illegal activities. Lawful basis: legal obligation / legitimate interests.
We do not use your information for automated decision-making that produces legal effects, and we do not profile you for any purpose beyond fraud prevention.
04 Sharing & disclosure
We do not sell your personal information. We share it only in the limited circumstances below:
- Reward providers. When you redeem a gift card, we share your delivery email address with the gift card issuer (e.g., Amazon, Starbucks) so they can deliver the card. We share only what's necessary to fulfill that order.
- Service providers. We use trusted third parties to operate the App: cloud hosting (Amazon Web Services), email delivery (Amazon SES), error monitoring (Sentry), analytics (Firebase Analytics), and customer support (Zendesk). These providers are contractually obligated to protect your data and use it only on our instructions.
- Advertising partners. If you have consented to personalized advertising, we may share anonymized advertising identifiers (such as your Android Advertising ID) with our advertising partners. You can reset or opt out of this identifier in your device's settings.
- Legal compliance. We may disclose information when required by law, court order, or to protect the rights, property, or safety of LuckyStep, our users, or the public.
- Business transfers. If LuckyStep is involved in a merger, acquisition, or sale of assets, we may transfer your information to the acquiring party. You will be notified by email before any such transfer becomes effective.
05 Data security
We use industry-standard security measures to protect your data:
- All data in transit is encrypted using TLS 1.3.
- All data at rest is encrypted using AES-256.
- Passwords are hashed using bcrypt with per-user salt.
- Access to production systems is restricted to a small number of engineers and requires multi-factor authentication.
- We perform regular security audits and penetration testing.
No security measure is perfect, however. If you believe your account has been compromised, please contact us immediately at [email protected].
06 Data retention
We keep your information only as long as we need it:
- Account & activity data: kept while your account is active, plus up to 30 days after deletion to allow recovery of accidentally deleted accounts.
- Reward transaction records: kept for 7 years to comply with tax and financial reporting obligations in our operating jurisdictions.
- Support communications: kept for 2 years.
- Anonymized analytics: kept indefinitely (cannot be associated with you).
07 Cookies & tracking technologies
The Site uses cookies and similar technologies. We use:
- Strictly necessary cookies. Required for the Site to function (e.g., remembering your cookie consent choice). These do not require consent.
- Analytics cookies. Help us understand how visitors use the Site (e.g., Plausible Analytics — privacy-friendly, no personal identifiers).
- Functional cookies. Remember your preferences (e.g., language).
You can manage cookie settings through your browser. Note that disabling necessary cookies may break some Site features.
Within the App, we use anonymized in-app analytics events and an Advertising Identifier (if you've consented). You can reset or opt out of the Advertising Identifier at any time in your device's settings.
08 Third-party services
LuckyStep integrates with the following third-party services. Each has its own privacy policy, which we encourage you to review:
- Google Play Services — sign-in and step-counter API. Google Privacy Policy
- Amazon Web Services — cloud hosting. AWS Privacy Notice
- Firebase — analytics and crash reporting. Firebase Privacy Notice
- Sentry — error monitoring. Sentry Privacy Policy
- Tango Card / Tremendous — gift card fulfillment. Tango Card Privacy Policy
09 Children's privacy
LuckyStep is not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages.
If you believe we have collected information from a child under the applicable age, please contact us at [email protected] and we will delete the information and the child's account.
10 International data transfers
LuckyStep is operated from the United States. If you access the App from outside the U.S., your information will be transferred to, stored in, and processed in the United States, which may have data protection laws that differ from those in your country.
For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the European Commission's Standard Contractual Clauses ("SCCs") to ensure your data is protected to the standard required by GDPR when it leaves Europe. A copy of the SCCs is available on request.
11 Your rights & choices
11.1 For everyone
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to fix information that is inaccurate.
- Deletion: ask us to delete your account and personal information.
- Export: receive your data in a structured, machine-readable format.
- Opt-out of marketing emails: click "unsubscribe" in any email we send, or change your preferences in the App.
To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 30 days.
11.2 Additional rights for EU / UK / Swiss residents (GDPR)
- Restrict processing of your data in specific circumstances.
- Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent at any time where we rely on consent.
- Lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.
11.3 Additional rights for California residents (CCPA / CPRA)
- Right to know what categories of personal information we collect, the sources, the business purposes, and the parties with whom we share it.
- Right to delete personal information we have collected, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for any purpose other than what is necessary to operate the service.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise CCPA rights, email [email protected] or call us at the number listed in Section 13. We verify your identity by confirming you have access to the email registered to your account.
12 Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a prominent notice in the App at least 14 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised. We encourage you to review this policy periodically.
13 Contact us
If you have questions about this Privacy Policy or our data practices, please contact us:
- General privacy questions: [email protected]
- Data subject requests (GDPR / CCPA): [email protected]
- Security incidents: [email protected]
- General support: [email protected]
- Postal mail: LuckyStep, Attn: Privacy Team, 1 LuckyStep Way, Wilmington, DE 19801, USA
For residents of the European Economic Area, our EU representative under GDPR Article 27 can be contacted at [email protected].
© 2026 LuckyStep. This document is licensed under CC BY 4.0 — you are free to use it as a template, with attribution.