Privacy Policy

Effective April 25, 2026

This Privacy Policy explains how Steppr (“Steppr,” “we,” or “us”) collects, uses, and shares information when you visit our website, create an account, or use our service. We act in two capacities: as a controller for our own customers (the people who sign up for Steppr to build product tours), and as a processor on behalf of those customers for the data their end users send through the SDK. This policy covers our role as a controller; for data we process on a customer’s behalf, see our Data Processing Addendum.

1. Information we collect

Account information

When you create an account, we collect your name, email address, hashed password (or Google account identifier if you sign in via Google OAuth), workspace name, and role.

Billing information

Stripe handles all payment processing. We receive billing-related metadata (last four card digits, plan, subscription status, invoice history) but do not store full payment card numbers.

Usage data

We collect logs about how you use the dashboard and API: pages visited, features used, timestamps, IP address, and browser/OS metadata. We use Plausible Analytics, a cookieless, EU-hosted analytics tool, on our marketing site.

Communications

If you email us or fill out a form, we keep that correspondence so we can respond and for support history.

End-user data ingested via the SDK

When the SDK runs on your customer’s site, it ingests data about end users (anon ID, traits passed via identify(), tour interaction events). We process that data on behalf of our customer (the operator of that site), not as a controller. Our handling is governed by the DPA.

2. How we use information

  • To provide, operate, and improve the Service.
  • To authenticate users and protect against fraud and abuse.
  • To bill you and manage your subscription.
  • To send transactional email (verification, password reset, billing notices, security alerts).
  • To send product updates and occasional marketing email (you can unsubscribe at any time).
  • To comply with legal obligations.

3. Legal bases (EEA / UK)

If you are in the EEA or UK, we rely on the following legal bases under the GDPR/UK GDPR:

  • Contract — providing the Service you signed up for.
  • Legitimate interests — securing the Service, preventing fraud, improving the product, communicating with you about the Service.
  • Consent — for any marketing email where consent is required.
  • Legal obligation — tax, accounting, and law-enforcement requests.

4. Sharing

We share information only with:

  • Sub-processors who run our infrastructure (Railway for hosting and the Postgres database; Stripe for billing; Resend for transactional email; Bunny CDN for SDK delivery; Plausible for marketing-site analytics; Google Cloud for OAuth login).
  • Authorities when required by valid legal process, or to protect our rights, users, or the public.
  • Acquirers if Steppr is involved in a merger, acquisition, or asset sale; we will give notice before any change in controller.

We do not sell personal information.

5. International transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where required, we rely on the EU Standard Contractual Clauses (and the UK Addendum) to legitimize transfers.

6. Retention

We retain account and usage data for as long as your account is active and for a reasonable period afterward to satisfy legal, accounting, and security obligations. Customer Data ingested via the SDK is retained for the period set by your plan; analytics retention is documented on the pricing page. You can request earlier deletion at any time.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Object to or restrict certain processing.
  • Receive a copy of your data in a portable format.
  • Lodge a complaint with your local data protection authority.

To exercise any of these, email privacy@steppr.io. For requests about end-user data, contact the customer whose site collected the data — Steppr only acts as a processor for that data.

8. Cookies

Our dashboard uses a single first-party session cookie scoped to .steppr.io for authentication. We do not use third-party advertising cookies. Our marketing site runs Plausible, which is cookieless.

9. Security

We use industry-standard safeguards including encryption in transit, access controls, secret rotation, and audit logging. No system is perfect; if we ever experience a breach affecting your data, we will notify you in accordance with applicable law.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via in-app notice or email at least 30 days before they take effect.

12. Contact

Privacy questions or requests: privacy@steppr.io.