Privacy policy

Last updated: 3 June 2026

This policy describes how Stompa (“we”, “us”, “our”) handles personal information when you use the Stompa mobile application and this website (together, the “Service”). It applies to users in the United Kingdom and elsewhere, in line with applicable data protection law including the UK General Data Protection Regulation (UK GDPR).

Data controller: Stompa
Contact: contact@stompa.uk
Website: stompa.uk

1. Who this policy is for

This policy is for anyone who downloads Stompa, creates an account, joins a group, adds friends and family, participates in challenges, or visits this website. If you use the app on behalf of a child, you are responsible for ensuring use is appropriate and for any permissions you grant on their device.

2. Information we collect

2.1 Account information

• Email address and authentication identifiers (including Sign in with Apple, where you choose it).
• Display name, handle, optional profile avatar, and onboarding preferences you provide.
• Expo push notification token if you enable notifications.

2.2 Health and activity data

With your explicit permission through your device, Stompa reads step count data from Apple Health (iOS) or Health Connect (Android). We sync aggregated daily step totals to our servers so leaderboards and challenges can be calculated. We do not use Stompa to read other health categories (heart rate, sleep, location workouts, and so on) unless we clearly tell you otherwise in the app and update this policy.

On supported devices, Stompa may sync steps periodically in the background (for example about once an hour when the operating system allows). Background sync depends on settings such as Background App Refresh (iPhone) or Health Connect background access (Android).

2.3 Social and group data

• Groups you create or join, membership role, join codes, invite links, and direct invites for friends and family to join groups.
• Requests and connections between friends and family, blocked users, and in-app notifications.
• Challenge participation, progress, winners, and leaderboard rankings within your groups.

2.4 Subscriptions and billing (Stompa Pro)

If you subscribe to Stompa Pro through the Apple App Store or Google Play, payment is handled by the store. We receive subscription status, product identifiers, and transaction identifiers (including original transaction IDs) needed to grant and restore Pro entitlements. We do not receive your full payment card details through the app.

2.5 Join codes, PINs, and invite links

Groups may have a join code and PIN (managed by group admins) and time-limited invite links. We store these to operate joining and sharing features. Only group admins can view join codes and PINs in the app; invite link secrets are stored in hashed form on our servers.

2.6 Technical data

• Device type, operating system, app version, and general diagnostic logs.
• IP address and timestamps when you use our API (for security and abuse prevention).

2.7 What we do not collect through the app

• Precise location tracking for its own sake (step data may come from health platforms that use motion sensors; we do not request location permission for core features).
• Your phone contacts or address book (unless a future feature clearly asks permission separately).
• Payment card details through the app.

3. How we use your information

We use personal information to:

• Provide the Service — accounts, groups, leaderboards, challenges, and friends-and-family features.
• Sync and display step totals you authorise, including optional background sync.
• Send notifications you have agreed to (invites, requests from friends and family, challenge updates).
• Keep the Service secure, debug issues, and prevent abuse (including honouring blocks between users).
• Comply with law and respond to lawful requests.
• Improve the product in aggregate or anonymised form where possible.

4. Legal bases (UK / EEA users)

Where UK GDPR or EU GDPR applies, we rely on:

• Contract — processing needed to provide the app you signed up for.
• Consent — health data access, push notifications, and optional features where required.
• Legitimate interests — security, fraud prevention, and product improvement, balanced against your rights.
• Legal obligation — where we must retain or disclose data by law.

5. Who we share information with

We share information only as needed to run the Service:

• Other people in your groups and friends list — display name, avatar, handle, steps, rankings, and challenge progress visible as part of the product. Users you block cannot add you as a friend.
• Service providers — for example Supabase (database and authentication), cloud hosting for our API (e.g. Railway), Microsoft Azure (this marketing website), and push notification delivery, under contracts that require them to protect your data.
• Apple / Google — if you use their sign-in, app store, or health platforms, their policies apply to those interactions.
• Authorities — if required by law or to protect rights, safety, and security.

We do not sell your personal information.

6. International transfers

Our providers may process data in the UK, EEA, United States, or other countries. Where data leaves the UK, we use appropriate safeguards (such as UK adequacy regulations, standard contractual clauses, or equivalent measures) as required by law.

7. Retention

• Account data — while your account is active and for a reasonable period after deletion to allow recovery and legal compliance.
• Step records — for as long as needed for leaderboards, challenge history, and backups, unless you delete your account or we anonymise data sooner.
• Logs — typically rotated within months unless needed for security investigations. Our API and website hosts may retain standard access logs (IP address, user agent, timestamps) for security and reliability.

8. Deleting your account

You can delete your account from the Me tab in the app. This permanently removes your profile, step history, friend connections, and personal challenge progress. Shared groups you belong to with other people remain; groups where you were the only member may be removed. If you were the only admin in a shared group, another member becomes admin. Deletion cannot be undone; you would need to sign up again to use Stompa in future.

You may also contact contact@stompa.uk. Some data may be retained where law requires.

9. Security

We use industry-standard measures including encrypted transport (HTTPS), access controls, and authenticated APIs. No system is perfectly secure; please use a strong device passcode and keep your account credentials private.

10. Your rights

Depending on where you live, you may have the right to:

• Access a copy of your personal data.
• Correct inaccurate data.
• Delete your data or close your account.
• Restrict or object to certain processing.
• Withdraw consent (e.g. health or notifications) via device or app settings.
• Data portability, where applicable.
• Complain to the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

To exercise rights, contact contact@stompa.uk. We may need to verify your identity.

11. Children

Stompa is not directed at children under 13 (or the minimum age in your country). We do not knowingly collect personal data from children below that age. Contact us if you believe a child has provided data without appropriate consent.

12. Third-party links

This website or the app may link to third-party sites (app stores, and so on). Their privacy practices are not covered by this policy.

13. Changes to this policy

We may update this policy from time to time. We will post the new version on this page with an updated date. Material changes may also be highlighted in the app where appropriate.

14. Contact

Questions or requests: contact@stompa.uk