Privacy Policy
Last updated: April 2026
One Step Health is built on a simple principle: your data is yours. We collect the minimum data necessary to run the app, and nothing more. This policy complies with the EU GDPR, the CCPA, and India's DPDP Act 2023.
1. Data controller
The data controller responsible for your personal data is:
- Legal entity: One Step Co. LLC
- Address: 2030 8th Ave, Seattle, WA 98121, United States
- Privacy inquiries: privacy@onestep.health
- General inquiries: info@onestep.health
- Technical support: support@onestep.health
For purposes of the GDPR, One Step Co. LLC acts as the data controller. We do not currently appoint a Data Protection Officer (DPO), but all privacy-related requests are handled directly by the data controller at the email address above.
2. Scope
This Privacy Policy applies to all personal data processed through the One Step Health web application, iOS application, and any associated APIs or services (collectively, "the Service"). It applies to all users regardless of location, including residents of the European Economic Area (EEA), the United Kingdom, Switzerland, California, and all other US states with applicable privacy legislation.
3. Categories of personal data we collect
We collect and process the following categories of personal data:
- Account data: Name, email address, and profile picture received through Google OAuth 2.0 (web) or Sign in with Apple (iOS). This data is necessary to create and maintain your account.
- Health and body profile data: Birthdate, biological sex, height, current weight, goal weight, activity level, nutrition objective, diet type (omnivore, vegetarian, vegan, pescatarian), dietary restrictions (e.g., dairy-free, gluten-free), and self-reported health conditions (e.g., diabetes, hypertension). All fields are optional and provided voluntarily by you.
- Activity data: Workouts (exercises, sets, reps, weight), runs, food intake and meal logs, supplements, calorie and step goals, water intake, skipped days, custom foods and supplements, and daily performance scores. This data is stored in our database and associated with your account.
- Device health data (iOS only): If you grant permission, we read Apple HealthKit data including step count, active energy burned, heart rate, workout sessions (type, duration, distance, heart rate), and sleep analysis. This data is read-only and is never transmitted to our servers, shared with third parties, or used for advertising.
- Subscription data: Premium subscription status, subscription start and end dates. Payment card details and billing information are collected and processed entirely by Stripe; we never receive or store your payment card number or bank details.
- Organization data (Teams): If you join a team through One Step for Teams, we store your organization membership, role (admin or member), department (optional), and invite status. Organization admins see only anonymous, aggregate team metrics — never individual health data.
- Analytics data: We collect anonymous usage analytics (app launches, screen views, and feature interactions) to understand how the Service is used and to improve it. This data is not linked to your identity and is not used for advertising or tracking across apps.
- Technical data: Minimal error logs and session metadata required to maintain service stability and security. We do not collect IP addresses for tracking purposes.
4. Data we do not collect
We are committed to data minimisation. We do not collect:
- Precise or approximate geolocation data
- Device identifiers, advertising IDs (IDFA), or fingerprinting data
- Third-party tracking pixels or cross-app tracking data
- Advertising or marketing profiles of any kind
- Contacts, photos, videos, audio, or browsing history
- Biometric data beyond what you voluntarily log (e.g., weight, body measurements)
- HealthKit data is never transmitted to our servers, shared with third parties, or used for advertising, in strict compliance with Apple's HealthKit guidelines
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We have not sold personal information in the preceding twelve (12) months as defined under the CCPA.
5. Legal basis for processing (GDPR — Art. 6)
For users in the EEA, UK, and Switzerland, we process personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your account data and activity logs is necessary to provide the Service you registered for.
- Consent (Art. 6(1)(a)): Access to Apple HealthKit data is processed solely with your explicit, informed consent, which you may revoke at any time through your device settings. Processing of special categories of data (health conditions, dietary restrictions) under Art. 9(2)(a) is also based on your explicit consent.
- Legitimate interest (Art. 6(1)(f)): We process minimal technical data (error logs, session tokens) and anonymous usage analytics to maintain the security, integrity, and stability of the Service and to improve it. You may object to this processing at any time.
6. Use of artificial intelligence
One Step Health may use artificial intelligence (AI) and machine learning technologies to enhance the Service, including but not limited to: nutritional data enrichment, food recognition assistance, and personalised health insights.
Our approach to AI is guided by the principles of ISO/IEC 42001 (Artificial Intelligence Management System) and ISO/IEC 23894 (AI Risk Management):
- Transparency: When AI-generated content or recommendations are presented within the Service, they are clearly identified as such. We do not use AI to make automated decisions that produce legal or similarly significant effects on users.
- Data minimisation: AI features process only the data strictly necessary for the specific function. Your personal data is not used to train general-purpose AI models.
- Human oversight: All AI-assisted features operate under human supervision. Nutritional data, health insights, and any algorithmically generated content are reviewed and validated before deployment.
- No automated decision-making: In accordance with GDPR Art. 22, we do not subject users to decisions based solely on automated processing that significantly affect them. You have the right to request human review of any AI-assisted output.
- Third-party AI providers: Where we use third-party AI services (e.g., for food recognition or natural language processing), data is transmitted securely, processed in accordance with our data processing agreements, and not retained by the provider beyond the scope of the request.
7. Data storage and security
Your data is stored in a PostgreSQL database hosted on Google Cloud SQL in the United States (us-central1 region). We implement technical and organisational measures aligned with industry best practices and the principles of ISO/IEC 27001 (Information Security Management):
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Encryption in transit: All communications are secured via TLS 1.2 or higher.
- Access control: Database access is restricted to authenticated services and authorised personnel only.
- Monitoring: We maintain audit logs and monitor access patterns to detect and respond to potential security incidents.
8. International data transfers
Your personal data is stored and processed in the United States. For users located in the EEA, UK, or Switzerland, this constitutes an international data transfer. We rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Our agreements with sub-processors incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914) to ensure an adequate level of data protection.
- EU-US Data Privacy Framework: Where applicable, we rely on our service providers' certification under the EU-US Data Privacy Framework.
9. Data retention
We retain your personal data for as long as your account is active and as necessary to provide the Service. Specifically:
- Active accounts: Data is retained for the duration of your account.
- Account deletion: Upon deletion request, all associated personal data is permanently erased from production systems within thirty (30) days.
- Backups: Residual data in encrypted backups is purged within ninety (90) days of the deletion request.
- Legal obligations: We may retain certain data beyond the above periods where required by applicable law (e.g., tax, accounting, or legal compliance).
10. Authentication
We use Google OAuth 2.0 (web) and Sign in with Apple (iOS) for authentication. We do not store your Google or Apple password at any point. Sessions are managed via JSON Web Tokens (JWT) that expire after seven (7) days. You may log out at any time to invalidate your session.
11. Your rights
For EEA, UK, and Swiss residents (GDPR):
- Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your account and all associated data.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to lodge a complaint: You have the right to file a complaint with your local Data Protection Authority.
For California residents (CCPA / CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information collected about you.
- Right to delete: Request deletion of personal information we have collected.
- Right to opt-out: We do not sell your personal information. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, email privacy@onestep.health. We will acknowledge your request within five (5) business days and respond substantively within thirty (30) days, or forty-five (45) days for complex requests with prior notice.
12. Data export and deletion
You may export all your data at any time from within the app. To request complete account deletion, email privacy@onestep.health. We will delete your account and all associated data within thirty (30) days of identity verification.
13. Cookies and local storage
We use a single session token stored in the browser's localStorage to maintain your authenticated session. We do not use tracking cookies, third-party cookies, web beacons, or any other persistent tracking technologies. No cookie consent banner is required because we do not use cookies as defined under the EU ePrivacy Directive (2002/58/EC).
14. Third-party sub-processors
We use the following third-party services to operate the Service. Each sub-processor is bound by data processing agreements that ensure compliance with applicable data protection laws:
- Google Cloud Platform (US): Infrastructure, database hosting, and cloud computing. Subject to Google Cloud's Data Processing Amendment.
- Firebase Hosting (Google, US): Static web application hosting. Subject to Google Cloud's Data Processing Amendment.
- Google OAuth 2.0: Authentication on the web application. Only name, email, and profile picture are received.
- Apple Sign In: Authentication on the iOS application. Apple may provide a private relay email address at the user's discretion.
- Apple HealthKit: Read-only, on-device access to health data on iOS. Data is never transmitted to our servers or shared with any third party.
- Stripe (US): Payment processing for premium subscriptions. Stripe collects and processes payment card details directly; we only receive subscription status and identifiers. Subject to Stripe's Data Processing Agreement.
- Brevo (EU): Transactional email delivery for account notifications, team invitations, and trial reminders. We share the recipient's email address with Brevo solely for email delivery. Subject to Brevo's Data Processing Agreement.
15. Children's privacy
One Step Health is not directed at, and is not intended for use by, anyone under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact privacy@onestep.health.
16. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent Data Protection Authority within seventy-two (72) hours of becoming aware of the breach, in compliance with GDPR Art. 33.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights, in compliance with GDPR Art. 34.
- Comply with applicable US state breach notification laws, including the Washington State Data Breach Notification Act (RCW 19.255.010).
17. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app and/or by email at least thirty (30) days before the changes take effect. Continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. Previous versions of this policy are available upon request.
18. Contact
For privacy-related questions, data subject requests, or complaints:
- Privacy: privacy@onestep.health
- General: info@onestep.health
- Support: support@onestep.health
- Mail: One Step Co. LLC, 2030 8th Ave, Seattle, WA 98121, United States
If you are located in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.