Step2Fit – Privacy Notice

Concerning Websites, Mobile App, Marketing Activities, and Partners

This privacy notice addresses the processing of personal data by Step2Fit on its websites, mobile application, in its marketing activities, and in its partner operations. The purpose of the aforementioned activities is to enable the company's commercial operations. Processing the registered personal data is necessary to achieve the above-mentioned purposes. Detailed purposes, grounds for processing, and other principles of personal data processing, as well as a description of the rights of the registered, are described in this notice. The purpose of this notice is to describe how Step2Fit processes personal data in accordance with legislative requirements, including the EU General Data Protection Regulation (GDPR) and applicable app store policies.

The integrity, protection, and accuracy of the processing of registered data are of paramount importance to Step2Fit. Step2Fit is committed to collecting and processing the personal data of all registered persons in a fair and transparent manner and in compliance with personal data processing legislation.

Purposes and Legal Basis for Personal Data Processing

Marketing

For marketing purposes, we collect personal data from the registered person themselves, e.g., when subscribing to newsletters and when making contact requests, from public sources (e.g., company websites and trade registers) and from information obtained during other transactions or participation in events.

The personal data collected for marketing purposes is used, among other things, for the following purposes:

For marketing purposes, including direct marketing, which includes e.g. sending newsletters, sending event invitations, and processing, communicating with potential and current customers
For the development of Step2Fit and its group companies' customer service and business
For analytical and statistical purposes
For opinion and market research
For targeted advertising, including on social channels or through partners

Personal data is processed based on the following legal bases, depending on the processing situation: consent given by the registered person, realization of Step2Fit's legitimate interests, and preparation and/or implementation of a contract in which the registered person is a party.

Partner Operations

For cooperation with partners (e.g., suppliers and other partners), we collect personal data regularly from the registered person themselves or from the entity they represent (e.g., contact persons of suppliers) or from information obtained during other transactions or participation in events. Information can also be collected from public sources (e.g., company websites and trade registers).

Personal data of partners is used, among other things, for communication purposes and other management of the partnership.

Personal data is processed based on the following legal bases, depending on the processing situation: consent given by the registered person, realization of Step2Fit's legitimate interests, preparation and/or implementation of a contract in which the registered person is a party, and compliance with statutory obligations.

Website and Mobile App Usage

During website and mobile app operation, personal data is collected from the registered person based on their behavior and interactions. The information is used for website and app analytics, optimization, and general tracking of visitor numbers.

Health Data — Collection, Access, and Use

All health data in Step2Fit is entered manually by the user themselves, with their full knowledge and consent.

The following categories of user-entered Health and Fitness Data may be collected:

Body metrics – e.g. weight, height, and BMI entered by the user
Exercise and training data – workout type, duration, intensity, and frequency logged by the user
Nutrition data – calorie intake and dietary information entered by the user
Personal fitness goals – target metrics and progress milestones set by the user

This health data is collected solely for the following purposes:

To provide and personalize the Step2Fit fitness and wellness service to the user
To display progress, statistics, and insights within the app
To enable goal tracking and coaching features
To improve app functionality and user experience (in anonymized/aggregated form only)

Health data is never used for advertising, sold to third parties, or shared with partners for commercial purposes. It is not used for automated decision-making.

Health data is processed on the legal basis of explicit consent given by the user at the time of entering the data. Users may withdraw consent and request deletion of their health data at any time (see Data Deletion and Rights of the Data Subjects below).

Processed Personal Data Categories

The following categories of data are processed within the scope of this privacy notice:

Marketing data:

Contact information (name, email address)
Direct marketing permissions and prohibitions
Information related to online behavior and campaign interactions
Information on the implementation and results of targeted measures

App and service data:

Account credentials and profile information
Health and fitness data as described in the Health Data section above
Device identifiers and usage logs
App interaction and feature usage data

Access to Personal Data

Only those individuals who need the information to ensure system operation and to perform their work have access to the data. Within our company, the following actors have access to personal data:

Step2Fit key personnel – 2 people
Creative agency Ensemble Oy (product developer and marketing person) – 2 people
Dyme Solutions Oy (product development team) - 3 people

Step2Fit may use subcontractors and service providers for the processing of personal data. Personal data can be transferred to subcontractors and service providers only to the extent that they participate in the implementation of the uses described in this statement. Such third parties may not use the information for any purpose other than those described in this statement and defined by Step2Fit. The data controller obliges them to keep the information confidential and to adequately ensure data security to protect personal data.

Personal data can be handed over according to the requirements and conditions based on the law presented by the competent authority.

More information: Microsoft Trust Center

Transfer of Personal Data Outside the EU/EEA

Personal data is not transferred outside the EU/EEA.

Data Retention — How Long We Store Your Data

Step2Fit retains personal data only for as long as necessary to fulfil the purposes described in this notice, or as required by applicable law. The specific retention periods are as follows:

Data Category	Retention Period
Account and profile data	For the duration of the active account, plus 30 days after account deletion
Health and fitness data	For the duration of the active account, plus 30 days after account deletion
Marketing contact data	Until consent is withdrawn or an opt-out request is made, or 2 years from last interaction
Partner contact data	For the duration of the partnership, plus 2 years thereafter
Website/app analytics data (Google Analytics)	26 months, stored on Google's EU servers

After the applicable retention period, data is securely deleted or anonymized so that it can no longer be attributed to an individual.

Data Deletion — How to Have Your Data Deleted

You have the right to request deletion of your personal data at any time (the "right to be forgotten"), subject to certain legal exceptions.

You can request data deletion in the following ways:

In-app deletion: Navigate to Settings → Account → Delete Account in the Step2Fit app. This will initiate deletion of your account and all associated personal data, including health and fitness data.
By email: Send a deletion request to info@step2.fit with the subject line "Data Deletion Request." Please include the email address associated with your account.

What happens after a deletion request:

Your account and personal data will be deleted within 30 days of the request
You will receive a confirmation email once deletion is complete
Some data may be retained beyond this period where required by law (e.g., financial records), but will not be used for any other purpose
Anonymized, aggregated analytics data that cannot be linked back to you may be retained

If you have questions about the deletion process, contact us at info@step2.fit.

Automated Decision-Making

Personal data is not used in automated decision-making.

Rights of the Data Subjects and Their Exercise

The data subject has the following rights in relation to personal data covered by this privacy notice:

Right to access the data – you may request a copy of the personal data we hold about you
Right to rectify incorrect data – you may request correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten") – you may request deletion of your data under certain conditions (see Data Deletion above)
Right to restrict processing – you may request that we limit the processing of your data under certain conditions
Right to object to processing – you may object to processing in certain circumstances
Right to data portability – you may request transfer of your data from one system to another under certain conditions
Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

If a data subject feels that their data has been processed unlawfully, they also have the right to file a complaint with the supervisory authority — in this case, the Finnish Data Protection Authority (Tietosuojavaltuutettu). The data subject also has the right to complain to the supervisory authority in the country of their permanent residence.

To exercise any of the above rights, contact: info@step2.fit

Technical and Organizational Measures to Protect Personal Data

The company has implemented appropriate organizational measures, including:

Integrating data protection into the company's operations, product and service development, and company governance
Restricting access only to those designated individuals whose access to the data is necessary for the performance of their duties
Using locked premises, passwords, and antivirus and firewall software
Training staff and implementing other appropriate cybersecurity and data protection measures

Contact

For questions or requests related to this privacy notice or your personal data, please contact:

Step2Fit
Email: info@step2.fit

This privacy notice was last updated: March 2026