One Step Health is built on a simple principle: your data belongs to you. We collect the minimum necessary for the app to work, and nothing more. This policy complies with the LGPD (Lei Geral de Proteção de Dados), the EU GDPR, and applicable privacy laws.
1. Data controller
The data controller responsible for your personal data is:
- Legal entity: Alex Casquete (sole proprietor)
- Address: 2030 8th Ave, Seattle, WA 98121, United States
- Privacy inquiries: privacy@onestep.health
- General inquiries: info@onestep.health
- Technical support: support@onestep.health
For purposes of the GDPR, Alex Casquete acts as the data controller. We do not currently appoint a Data Protection Officer (DPO), but all privacy-related requests are handled directly by the data controller at the email address above.
2. Scope
This Privacy Policy applies to all personal data processed through the One Step Health web application, iOS application, and any associated APIs or services (collectively, "the Service"). It applies to all users regardless of location, including residents of the European Economic Area (EEA), the United Kingdom, Switzerland, California, and all other US states with applicable privacy legislation.
3. Categories of personal data we collect
We collect and process the following categories of personal data:
- Account data: Name, email address, and profile picture received through Google OAuth 2.0 (web) or Sign in with Apple (iOS). This data is necessary to create and maintain your account.
- Health and body profile data: Birthdate, biological sex, height, current weight, goal weight, activity level, nutrition objective, diet type (omnivore, vegetarian, vegan, pescatarian), dietary restrictions (e.g., dairy-free, gluten-free), and self-reported health conditions (e.g., diabetes, hypertension). All fields are optional and provided voluntarily by you.
- Activity data: Workouts (exercises, sets, reps, weight), runs, food intake and meal logs, supplements, calorie and step goals, water intake, skipped days, custom foods and supplements, and daily performance scores. This data is stored in our database and associated with your account.
- Device health data (iOS only): If you grant permission, we read Apple HealthKit data including step count, active energy burned, heart rate, workout sessions (type, duration, distance, heart rate), and sleep analysis. This data is read-only and is never transmitted to our servers, shared with third parties, or used for advertising.
- Subscription data: Premium subscription status, subscription start and end dates. Payment card details and billing information are collected and processed entirely by Stripe; we never receive or store your payment card number or bank details.
- Organization data (Teams): If you join a team through One Step Health for Teams, we store your organization membership, role (admin or member), department (optional), and invite status. Organization admins see only anonymous, aggregate team metrics — never individual health data.
- Analytics data: We collect anonymous usage analytics (app launches, screen views, and feature interactions) to understand how the Service is used and to improve it. This data is not linked to your identity and is not used for advertising or tracking across apps.
- Technical data: Minimal error logs and session metadata required to maintain service stability and security. We do not collect IP addresses for tracking purposes.
4. Data we do not collect
We are committed to data minimisation. We do not collect:
- Precise or approximate geolocation data
- Device identifiers, advertising IDs (IDFA), or fingerprinting data
- Third-party tracking pixels or cross-app tracking data
- Advertising or marketing profiles of any kind
- Contacts, photos, videos, audio, or browsing history
- Biometric data beyond what you voluntarily log (e.g., weight, body measurements)
- HealthKit data is never transmitted to our servers, shared with third parties, or used for advertising, in strict compliance with Apple's HealthKit guidelines
We do not sell, rent, or share your personal data with third parties for their marketing purposes. We have not sold personal information in the preceding twelve (12) months as defined under the CCPA.
5. Legal basis for processing (GDPR — Art. 6)
For users in the EEA, UK, and Switzerland, we process personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your account data and activity logs is necessary to provide the Service you registered for.
- Consent (Art. 6(1)(a)): Access to Apple HealthKit data is processed solely with your explicit, informed consent, which you may revoke at any time through your device settings. Processing of special categories of data (health conditions, dietary restrictions) under Art. 9(2)(a) is also based on your explicit consent.
- Legitimate interest (Art. 6(1)(f)): We process minimal technical data (error logs, session tokens) and anonymous usage analytics to maintain the security, integrity, and stability of the Service and to improve it. You may object to this processing at any time.
6. Use of artificial intelligence
One Step Health may use artificial intelligence (AI) and machine learning technologies to enhance the Service, including but not limited to: nutritional data enrichment, food recognition assistance, and personalised health insights.
Our approach to AI is guided by the principles of ISO/IEC 42001 (Artificial Intelligence Management System) and ISO/IEC 23894 (AI Risk Management):
- Transparency: When AI-generated content or recommendations are presented within the Service, they are clearly identified as such. We do not use AI to make automated decisions that produce legal or similarly significant effects on users.
- Data minimisation: AI features process only the data strictly necessary for the specific function. Your personal data is not used to train general-purpose AI models.
- Human oversight: All AI-assisted features operate under human supervision. Nutritional data, health insights, and any algorithmically generated content are reviewed and validated before deployment.
- No automated decision-making: In accordance with GDPR Art. 22, we do not subject users to decisions based solely on automated processing that significantly affect them. You have the right to request human review of any AI-assisted output.
- Third-party AI providers: Where we use third-party AI services (e.g., for food recognition or natural language processing), data is transmitted securely, processed in accordance with our data processing agreements, and not retained by the provider beyond the scope of the request.
7. Data storage and security
Your data is stored in a PostgreSQL database hosted on Google Cloud SQL in the United States (us-central1 region). We implement technical and organisational measures aligned with industry best practices and the principles of ISO/IEC 27001 (Information Security Management):
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Encryption in transit: All communications are secured via TLS 1.2 or higher.
- Access control: Database access is restricted to authenticated services and authorised personnel only.
- Monitoring: We maintain audit logs and monitor access patterns to detect and respond to potential security incidents.
8. International data transfers
Your personal data is stored and processed in the United States. For users located in the EEA, UK, or Switzerland, this constitutes an international data transfer. We rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Our agreements with sub-processors incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914) to ensure an adequate level of data protection.
- EU-US Data Privacy Framework: Where applicable, we rely on our service providers' certification under the EU-US Data Privacy Framework.
9. Data retention
We retain your personal data for as long as your account is active and as necessary to provide the Service. Specifically:
- Active accounts: Data is retained for the duration of your account.
- Account deletion: Upon deletion request, all associated personal data is permanently erased from production systems within thirty (30) days.
- Backups: Residual data in encrypted backups is purged within ninety (90) days of the deletion request.
- Legal obligations: We may retain certain data beyond the above periods where required by applicable law (e.g., tax, accounting, or legal compliance).
10. Authentication
We use Google OAuth 2.0 (web) and Sign in with Apple (iOS) for authentication. We do not store your Google or Apple password at any point. Sessions are managed via JSON Web Tokens (JWT) that expire after seven (7) days. You may log out at any time to invalidate your session.
11. Your rights
For EEA, UK, and Swiss residents (GDPR):
- Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your account and all associated data.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to lodge a complaint: You have the right to file a complaint with your local Data Protection Authority.
For California residents (CCPA / CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information collected about you.
- Right to delete: Request deletion of personal information we have collected.
- Right to opt-out: We do not sell your personal information. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, email privacy@onestep.health. We will acknowledge your request within five (5) business days and respond substantively within thirty (30) days, or forty-five (45) days for complex requests with prior notice.
12. Data export and deletion
You may export all your data at any time from within the app. To request complete account deletion, email privacy@onestep.health. We will delete your account and all associated data within thirty (30) days of identity verification.
13. Cookies and local storage
We use a single session token stored in the browser's localStorage to maintain your authenticated session. We do not use tracking cookies, third-party cookies, web beacons, or any other persistent tracking technologies. No cookie consent banner is required because we do not use cookies as defined under the EU ePrivacy Directive (2002/58/EC).
14. Third-party sub-processors
We use the following third-party services to operate the Service. Each sub-processor is bound by data processing agreements that ensure compliance with applicable data protection laws:
- Google Cloud Platform (US): Infrastructure, database hosting, and cloud computing. Subject to Google Cloud's Data Processing Amendment.
- Firebase Hosting (Google, US): Static web application hosting. Subject to Google Cloud's Data Processing Amendment.
- Google OAuth 2.0: Authentication on the web application. Only name, email, and profile picture are received.
- Apple Sign In: Authentication on the iOS application. Apple may provide a private relay email address at the user's discretion.
- Apple HealthKit: Read-only, on-device access to health data on iOS. Data is never transmitted to our servers or shared with any third party.
- Stripe (US): Payment processing for premium subscriptions. Stripe collects and processes payment card details directly; we only receive subscription status and identifiers. Subject to Stripe's Data Processing Agreement.
- Brevo (EU): Transactional email delivery for account notifications, team invitations, trial reminders, the double-opt-in confirmation email, and weekly newsletter delivery. We share the recipient's email address and language preference with Brevo solely for email delivery. Brevo is based in the European Union. Subject to Brevo's Data Processing Agreement.
15. One Step Health PRO — Trainer access to your data
One Step Health PRO is our coaching workspace for personal trainers and gyms. If you are a PRO client — that is, you have been invited by a trainer or gym admin and have explicitly consented — the following additional terms apply to you:
- What your trainer sees: with your consent, your assigned trainer can see the activity you log in the app, including workouts, food, water, sleep, and body weight, alongside aggregate adherence metrics. Your trainer cannot see data you logged before the consent timestamp.
- Your gym admin: the administrator of the PRO organization you joined can see all clients in their business as a "super-trainer" for operational purposes (assigning trainers, billing, support). This is documented in the consent flow and cannot be disabled while you are part of the organization.
- Other trainers and clients: trainers in the same PRO organization who are not your assigned trainer cannot see your data. Other PRO clients cannot see your data under any circumstance.
- Consent & revocation: consent is explicit, time-stamped, and revocable. You can revoke trainer access at any time from your account settings. Revocation is immediate — your trainer loses access to your data on the next request. Your personal data remains in your account.
- Trainer obligations: trainers must use the data only to advise you on training, nutrition, and recovery within their professional scope. Trainers must not provide medical advice, share your data outside the platform, or use it for any purpose unrelated to coaching you.
- Notifications: with your consent, your trainer may send you in-app and email notifications about your program or coaching messages. You can adjust notification preferences in settings.
- Cross-platform isolation: if you are simultaneously a PRO client and an employee in a One Step for Teams organization, the two contexts are isolated. Your Teams employer never sees your PRO trainer data, and your PRO trainer never sees your Teams aggregate participation.
Outside of the PRO context described above, the standard privacy terms in this policy apply — in particular, individual data is private to you and never visible to other users, organizations, or our staff except as required to operate the Service.
16. Newsletter ("Unnoisy")
"Unnoisy" is our free weekly letter. If you explicitly opt in — by ticking the consent checkbox on the public newsletter page, by ticking the newsletter checkbox at signup, or by enabling it from your account settings — you will receive a weekly email with three of our latest articles and two external research signals, written in plain language. Each issue is also published as a public web page at onestep.health/<language>/issue/<number> in all supported languages (English, Spanish, Portuguese, German, Hindi).
- Legal basis: your consent under GDPR Art. 6(1)(a). We keep a record of when and how you gave consent (timestamp, source page, and IP address at the moment of confirmation) for as long as the subscription is active, plus the period required to evidence consent if challenged.
- Double opt-in: after you submit the form, we send a confirmation email with a one-time link. Your subscription is only activated once you click that link — this verifies you control the email address and protects you from accidental or malicious signups. Until you confirm, your email is stored as "pending" and is automatically removed if not confirmed within thirty (30) days.
- Frequency: at most one email per week, normally on Sunday.
- Content: editorial content authored by us (article summaries with links to our blog, and short research notes that link to publicly available external sources). No advertising, no third-party promotions, no sponsorships.
- What we share with our email provider: only your email address and your chosen language are sent to Brevo (EU) for delivery. No name, no health data, no activity data. No tracking pixels are embedded in the emails — we do not measure opens or clicks.
- No bundling: the newsletter is optional and never required to use the Service. Declining or unsubscribing does not affect any other part of your account or the features available to you.
- How to unsubscribe: use the "Unsubscribe" link at the bottom of any newsletter email — one click and you are out. You can also revoke consent from your account settings or by emailing privacy@onestep.health. Revocation takes effect immediately for future sends.
- Retention after unsubscribe: when you unsubscribe, your subscription record is marked as unsubscribed and we keep the email hash plus the unsubscribe timestamp for up to twenty-four (24) months. This serves only to honour your unsubscribe (so the address cannot be re-added by mistake) and to evidence consent withdrawal if challenged. After that period, the record is fully erased. You can request immediate full deletion at any time at privacy@onestep.health.
- No sharing for marketing: we do not share, rent, or sell newsletter subscriber data with any third party for marketing purposes — ever.
17. Children's privacy
One Step Health is not directed at, and is not intended for use by, anyone under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact privacy@onestep.health.
18. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent Data Protection Authority within seventy-two (72) hours of becoming aware of the breach, in compliance with GDPR Art. 33.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights, in compliance with GDPR Art. 34.
- Comply with applicable US state breach notification laws, including the Washington State Data Breach Notification Act (RCW 19.255.010).
19. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app and/or by email at least thirty (30) days before the changes take effect. Continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. Previous versions of this policy are available upon request.
20. Contact
For privacy-related questions, data subject requests, or complaints:
- Privacy: privacy@onestep.health
- General: info@onestep.health
- Support: support@onestep.health
- Mail: Alex Casquete, [postal address — pending]
If you are located in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.