This Privacy Notice for WalkOff ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Download and use our mobile application WalkOff: Step Battles, or any other application of ours that links to this Privacy Notice;
- Use WalkOff. WalkOff is a mobile competitive walking game that turns daily step counts into head-to-head and team battles between friends. Step count and walking distance are read from Apple HealthKit with the user's explicit permission and used to power gameplay features including 1v1 step battles, 2v2 team battles, leaderboards, achievements, and cosmetic rewards. Optional premium features are offered through in-app subscriptions processed by Apple and managed via RevenueCat;
- Engage with us in other related ways, including any marketing or events.
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].
Summary of Key Points
This summary provides key points from our Privacy Notice. You can find full details below or jump to a section via the table of contents.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us — the choices you make, the products and features you use, and the data your device provides through HealthKit and Apple Sign In.
Do we process any sensitive personal information? Yes — we process health and fitness data (step count and walking distance from Apple HealthKit) with your explicit permission, used solely to power gameplay.
Do we collect any information from third parties? No. We do not buy data, scrape public profiles, or receive partner audience feeds.
How do we process your information? To provide, improve, and administer our Services, communicate with you, prevent cheating in battles, ensure security, and comply with law.
With whom do we share information? Only with service providers (Supabase, RevenueCat, Cloudflare, Apple) who help us run the app. We do not sell or share your information with advertisers.
How do we keep your information safe? Through industry-standard organizational and technical security measures, including HTTPS encryption and row-level access controls. No system is 100% secure, but we work hard to protect your data.
What are your rights? Depending on where you live, you may have rights to access, correct, or delete your data. See section 10.
How do you exercise your rights? Email [email protected], or use the in-app Settings → Delete Account flow.
Table of Contents
- What information do we collect?
- How do we process your information?
- What legal bases do we rely on to process your personal information?
- When and with whom do we share your personal information?
- How do we handle your social logins?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for Do-Not-Track features
- Do United States residents have specific privacy rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update, or delete your data?
1. What Information Do We Collect?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.
Personal Information Provided by You. The personal information we collect may include the following:
- Email addresses
- Usernames
- Contact preferences
- Contact or authentication data
- Names
- Passwords
- Profile content (avatar selection, equipped cosmetics, achievements)
Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:
- Health and fitness data. WalkOff reads step count and walking distance from Apple HealthKit with your explicit permission. This data is used solely to power gameplay (step battles, leaderboards, achievements, progression rewards) and is never shared with third parties for advertising. You may revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → WalkOff.
Payment Data. We may collect data necessary to process your payment if you choose to make purchases. All payment data is handled and stored by Apple and RevenueCat — WalkOff never sees your card number or billing address. You may find their privacy notices here: Apple Privacy Policy and RevenueCat Privacy Policy.
Social Media Login Data. We provide you with the option to register using Sign in with Apple or Google Sign-In. If you choose to register this way, we will collect certain profile information from the social media provider (name, email, account identifier). See section 5 for details.
Application Data. If you use our application, we may also collect the following information if you choose to provide us with access or permission:
- Mobile Device Access. We request access to Apple HealthKit for step and walking distance data. We do not request access to contacts, calendar, microphone, camera, or photos. You can change permissions at any time in your iOS Settings.
- Mobile Device Data. We automatically collect device information (device ID, model, manufacturer, operating system, OS version, app version, mobile carrier, and IP address).
- Push Notifications. We may request to send you push notifications regarding your account, battles, friend challenges, daily streaks, and similar features. You may opt out in your device settings.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.
Information automatically collected
In Short: Some information — such as your IP address and device characteristics — is collected automatically when you use our Services.
We automatically collect certain information when you use or navigate the Services. This information does not directly reveal your identity but may include device and usage information, such as your IP address, device characteristics, operating system, language preferences, country, location (derived from IP), and information about how and when you use our Services. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting.
The information we collect includes:
- Log and Usage Data. Service-related, diagnostic, usage, and performance information collected automatically when you use our Services (IP address, device info, session duration, features used, error reports).
- Device Data. Information about your device used to access the Services (device and application identifiers, hardware model, ISP, mobile carrier, operating system).
- Location Data. We do not use GPS. However, your approximate location (country/region) may be derived from your IP address by our service providers for analytics and compliance routing.
- Health and fitness data. Step count and walking distance are read automatically from Apple HealthKit (with your explicit permission) and used to power gameplay features such as step battles, leaderboards, achievements, and progression rewards. This data is collected continuously while WalkOff is installed and HealthKit access is enabled.
2. How Do We Process Your Information?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, prevent cheating, ensure security, and comply with law.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication and otherwise manage user accounts.
- To deliver and facilitate delivery of services to the user.
- To respond to user inquiries / offer support.
- To send administrative information (terms changes, password resets, security alerts).
- To fulfill and manage your orders (Pro subscription, cosmetic purchases).
- To enable user-to-user communications (friend requests, battle invites, 2v2 team-up invites).
- To request feedback.
- To send you marketing and promotional communications. You can opt out at any time.
- To protect our Services (fraud monitoring and prevention).
- To identify usage trends to better understand how our Services are being used.
- To determine the effectiveness of our marketing and promotional campaigns.
- To save or protect an individual's vital interest (e.g., to prevent harm).
- To operate gameplay features. Calculating battle outcomes, awarding rewards and achievements, generating leaderboards and rankings, tracking progression paths, applying cosmetics and frames, and detecting anomalous step activity to maintain fair competition.
- To maintain fair competition and detect cheating. Analyzing step data and account activity to identify manipulated, automated, or anomalous step counts (e.g., device shaking, HealthKit spoofing, third-party step injection) and to investigate suspicious accounts.
3. What Legal Bases Do We Rely On to Process Your Information?
In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason under applicable law.
If you are located in the EU or UK, this section applies to you.
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. We may rely on:
- Consent. We may process your information with your permission. You can withdraw consent at any time.
- Performance of a Contract. Necessary to fulfill our contractual obligations to you, including providing the Services.
- Legitimate Interests. When our interests do not outweigh your rights and freedoms, including to:
- Send users information about special offers and discounts on our products and services
- Analyze how our Services are used so we can improve them to engage and retain users
- Support our marketing activities
- Diagnose problems and/or prevent fraudulent activities
- Understand how our users use our products and services so we can improve user experience
- Prevent cheating in battles and on leaderboards, ensure rewards and rankings reflect genuine physical activity, and protect the integrity of competitive gameplay for honest users
- Legal Obligations. Necessary for compliance with legal obligations, cooperation with law enforcement, or defending legal claims.
- Vital Interests. Necessary to protect your or another person's vital interests, such as situations involving potential safety threats.
If you are located in Canada, this section applies to you.
We may process your information with your express or implied consent. You can withdraw consent at any time. In some exceptional cases, we may be legally permitted to process your information without consent — for fraud investigation, business transactions, witness statements, identifying injured persons, suspected financial abuse, breach investigations, subpoena compliance, journalism, or publicly available information per applicable regulations.
In Short: We share information only with specific service providers and only as necessary to run the app.
Vendors, Consultants, and Other Third-Party Service Providers. We share your data with third-party vendors who perform services for us and require access to do that work. We have contracts in place with these service providers that prohibit them from using your data for any other purpose.
The third parties we share personal information with are:
Cloud Computing Services
- Supabase — database, authentication, and storage backend
- Cloudflare — DNS, content delivery, and email routing
Invoicing and Billing
- Apple Pay — handles all in-app purchases through Apple's StoreKit
- RevenueCat — subscription management and receipt validation
User Account Registration and Authentication
- Apple (Sign in with Apple)
- Google Sign-In (if used)
We may also share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with a merger, sale of company assets, financing, or acquisition.
- Other Users. When you interact with public areas of the Services (leaderboards, battles, friends, achievements), your username, avatar, frame, step counts during battles, battle history, and rankings may be viewed by other users. Your email, real name, phone number, IP address, device identifiers, and raw HealthKit data are never shared with other users.
In Short: If you choose to register or log in using a social media account, we may have access to certain information about you.
Our Services offer you the ability to register and log in using your Apple or Google account. Where you choose to do this, we will receive certain profile information about you from your provider — typically your name, email address (which may be an Apple private-relay address), and a unique account identifier.
We will use the information we receive only for the purposes described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by your third-party provider. We recommend you review their privacy notice to understand how they collect, use, and share your personal information.
6. Is Your Information Transferred Internationally?
In Short: We may transfer, store, and process your information in countries other than your own.
Our servers are located in the United States. Regardless of your location, your information may be transferred to, stored by, and processed by us and the third parties listed in section 4, including in the United States.
If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, these countries may not necessarily have data protection laws as comprehensive as those in your country. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure your personal information is protected to a comparable standard when transferred internationally.
7. How Long Do We Keep Your Information?
In Short: We keep your information for as long as necessary to provide the Services, plus a short grace period after account closure.
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than the period of time in which users have an account with us, plus one (1) month after account termination to allow for backup retention and undo of accidental deletion.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because it has been stored in backup archives), then we will securely store it and isolate it from any further processing until deletion is possible.
8. How Do We Keep Your Information Safe?
In Short: We protect your personal information through organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These include HTTPS encryption in transit, encryption at rest, row-level access controls in our database, and limited employee access. However, despite our safeguards, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. You should only access the Services within a secure environment.
9. Do We Collect Information from Minors?
In Short: We do not knowingly collect data from or market to children under 13 years of age.
We do not knowingly collect, solicit data from, or market to children under 13 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 13 or the equivalent age as specified by law in your jurisdiction, or that you are the parent or guardian of such a minor and consent to such minor's use of the Services. If we learn that personal information from users less than 13 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete the data. If you become aware of any data we may have collected from children under age 13, please contact us at [email protected].
10. What Are Your Privacy Rights?
In Short: Depending on your state of residence in the US or your region (EEA, UK, Switzerland, Canada), you have rights that allow greater access to and control over your personal information. You may review, change, or terminate your account at any time.
In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include:
- Request access to and obtain a copy of your personal information
- Request rectification or erasure
- Restrict the processing of your personal information
- If applicable, data portability
- Not to be subject to automated decision-making
If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review.
You can make such a request by contacting us at [email protected].
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or the UK data protection authority.
If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can do so by contacting us at [email protected] or by updating your preferences in the app. However, this will not affect the lawfulness of processing before its withdrawal nor processing conducted in reliance on other lawful grounds.
Opting out of marketing and promotional communications: You can unsubscribe from our marketing communications at any time by clicking the unsubscribe link in our emails, adjusting notification preferences in the WalkOff app under Settings → Notifications, or by contacting us at [email protected]. We may still communicate with you about service-related matters (battle results, account changes, security alerts).
Account Information
If you would at any time like to review or change the information in your account or terminate your account, you can:
- Log in to your account settings and update your user account
- Use the Delete Account option in Settings to permanently remove your account
- Contact us at [email protected]
Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, and/or comply with applicable legal requirements.
11. Controls for Do-Not-Track Features
Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard is adopted that we must follow, we will inform you in a revised version of this Privacy Notice.
California law requires us to let you know how we respond to web browser DNT signals. Because there is currently no industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.
12. Do United States Residents Have Specific Privacy Rights?
In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you, correct inaccuracies, get a copy of, or delete your personal information. These rights may be limited in some circumstances by applicable law.
Categories of Personal Information We Collect
The table below shows the categories of personal information we have collected in the past twelve (12) months.
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES |
| B. Personal information as defined in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | YES |
| C. Protected classification characteristics under state or federal law | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | NO |
| D. Commercial information | Transaction information, purchase history, financial details, and payment information | YES |
| E. Biometric information | Fingerprints and voiceprints | NO |
| F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | YES |
| G. Geolocation data | Device location | YES |
| H. Audio, electronic, sensory, or similar information | Images and audio, video or call recordings created in connection with our business activities | NO |
| I. Professional or employment-related information | Business contact details, job title, work history, professional qualifications | NO |
| J. Education Information | Student records and directory information | NO |
| K. Inferences drawn from collected personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary | NO |
| L. Sensitive personal information | Account login information and health data | YES |
We only collect sensitive personal information, as defined by applicable privacy laws, for the purposes allowed by law or with your consent. Sensitive personal information may be used, or disclosed to a service provider or contractor, for additional specified purposes. You have the right to limit the use or disclosure of your sensitive personal information. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
We will use and retain the collected personal information as needed to provide the Services or for the period in which users have an account with us.
How We Use and Share Personal Information
Learn more about how we use your personal information in section 2.
Will your information be shared with anyone else? We may disclose your personal information to our service providers pursuant to a written contract between us and each service provider, listed in section 4.
We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be "selling" of your personal information.
We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months: Identifiers (A), Personal information under the California Customer Records statute (B), Commercial information (D), Internet activity (F), Geolocation (G), and Sensitive personal information (L).
Your Rights
You have rights under certain US state data protection laws. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law. These rights include:
- Right to know whether or not we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request the deletion of your personal data
- Right to obtain a copy of the personal data you previously shared with us
- Right to non-discrimination for exercising your rights
- Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California's privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
Depending on the state where you live, you may also have:
- Right to access the categories of personal data being processed (Minnesota)
- Right to obtain a list of the categories of third parties to which we have disclosed personal data (California, Delaware, Maryland)
- Right to obtain a list of specific third parties to which we have disclosed personal data (Minnesota, Oregon)
- Right to review, understand, question, and correct how personal data has been profiled (Connecticut, Minnesota)
- Right to limit use and disclosure of sensitive personal data (California)
- Right to opt out of the collection of sensitive data and personal data collected through voice or facial recognition (Florida)
How to Exercise Your Rights
To exercise these rights, you can email us at [email protected], use the in-app Settings to update or delete your account, or refer to the contact details at the bottom of this document.
Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf.
Request Verification
Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. If we cannot verify your identity, we may request additional information for verification and security purposes.
Appeals
Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected]. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation. If your appeal is denied, you may submit a complaint to your state attorney general.
California "Shine The Light" Law
California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. To make such a request, please email us at [email protected].
13. Do We Make Updates to This Notice?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes, we may notify you by prominently posting a notice or sending you a direct notification. We encourage you to review this Privacy Notice frequently.
14. How Can You Contact Us About This Notice?
If you have questions or comments about this notice, you may email us at [email protected].
15. How Can You Review, Update, or Delete the Data We Collect From You?
Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. To request to review, update, or delete your personal information, please email [email protected] or use the Delete Account flow in the app's Settings.
5. How Do We Handle Your Social Logins?