Privacy, in plain English

GemStep Privacy Policy

GemStep is designed so that the most sensitive part of the experience—your exact step history—stays on your device. This policy explains the limited information that leaves your device, when that happens, and the choices available to you.

Effective and last updated: July 18, 2026

Health dataRead-only step counts are used for crystal growth and are not sent to our servers or Mixpanel.
AnalyticsOff by default. Mixpanel is initialized only after you expressly opt in, and you can turn it off at any time.
AdvertisingNo third-party ads, no sale of personal information, and no cross-app tracking.

1. Who we are and what this policy covers

This Privacy Policy applies to the GemStep iOS app, its widgets, the Gem Credits invitation and rewards service, and the website at gemsteps.com (together, the “Services”). In this policy, “GemStep,” “we,” “us,” and “our” refer to the independent developer operating these Services.

Questions or privacy requests can be sent to support@gemsteps.com.

2. Information we process

CategoryWhat it includesWhere and why it is processed
Apple Health step data Read-only step-count totals from HealthKit, including recent daily totals and later updates. GemStep does not request routes, precise location, or permission to write health data. On your device, with your HealthKit permission, to calculate crystal growth and show step-related progress. Exact counts and raw HealthKit samples are not sent to GemStep servers or Mixpanel.
On-device app content Crystal records and seeds, custom crystal names, growth checkpoints, app settings, export state, and local backup files you create. Stored on your device to provide the app. It leaves your device only when you deliberately export, back up, or share it using an iOS share destination you choose.
Optional product analytics An anonymous installation identifier; app version, platform, and locale; feature interactions; success or error states; coarse progress buckets and milestone percentages; experiment assignments; and, when available from Apple Ads Attribution, campaign, ad group, keyword, ad, custom product page, country or region, and conversion type identifiers. Mixpanel may also process standard SDK request and device information, such as IP-derived approximate region, device type, operating system, and timestamps. Sent directly to Mixpanel only after you opt in, to understand onboarding, reliability, feature use, and product performance. We do not send exact or raw steps, HealthKit samples, routes, precise location, crystal names, crystal seeds, receipts, email addresses, or phone numbers to Mixpanel.
Gem Credits and invitations A random rewards account ID; App Attest public-key and assertion information; device eligibility results from Apple DeviceCheck; referral codes, claims, balances and credit transactions; security timestamps; and, only if you choose account recovery with Sign in with Apple, a one-way protected Apple subject identifier and an encrypted Apple refresh token. GemStep does not request your Apple name or email. Processed by the GemStep rewards service on Cloudflare to prevent fraud, issue invitation rewards, keep an auditable credits ledger, and recover the rewards account across supported devices. The service does not receive raw HealthKit data or exact step totals; it receives only that onboarding and the first Health sync succeeded when checking referral eligibility.
Purchases Product entitlement and transaction verification status provided through StoreKit. Apple processes payment and billing information. GemStep uses verified StoreKit results to unlock purchases and restore access; we do not receive your payment-card details.
Support communications Your email address, message, attachments, and any diagnostic details you choose to provide. Used to answer your request, troubleshoot problems, and maintain a record of the support exchange.
Website and network data Standard request information such as IP address, user agent, requested URL, timestamp, and security signals. Cloudflare processes this information to deliver and secure the website and rewards service. This website does not set analytics or advertising cookies and does not include behavioral analytics scripts.

3. HealthKit data

GemStep never uses HealthKit information for advertising, marketing, data brokerage, or eligibility decisions unrelated to the step-powered experience.

HealthKit permission is controlled by Apple. You can change GemStep’s access at any time in the Health app or iOS Settings. Apple intentionally does not tell apps whether read access was denied; an empty result can also mean that no steps were available. GemStep therefore may show a troubleshooting or demo state without claiming to know whether access was denied.

Confirmed crystal progress may be stored locally so it does not move backward if HealthKit later adjusts, removes, or delays samples. Local backups can contain step-derived crystal progress and other app content. You control where an exported backup is stored or sent.

4. Analytics choices

Analytics is disabled on a new installation. The Mixpanel SDK is not initialized and events are not sent until you make an explicit choice to enable analytics during onboarding or in Settings. If you later disable analytics, GemStep opts out of Mixpanel tracking and stops sending future events unless you opt in again.

You may use GemStep without enabling analytics. Disabling analytics does not disable HealthKit-powered growth, your collection, widgets, exports, purchases, or Gem Credits.

Apple Ads Attribution may be requested from Apple to determine whether the installation came from an Apple Search Ads campaign. Attribution details are sent to Mixpanel only while analytics is enabled. GemStep does not use third-party advertising identifiers and does not track you across other companies’ apps or websites.

5. How we use information

Depending on the information and applicable law, we process information to:

  • provide crystal growth, collections, widgets, exports, backups, purchases, invitations, rewards, and account recovery;
  • maintain security, verify legitimate devices, prevent duplicate or fraudulent rewards, and diagnose failures;
  • measure and improve the Services when you consent to analytics;
  • respond to support and privacy requests; and
  • comply with legal obligations and enforce our rights.

Where required, we rely on your consent for optional analytics and HealthKit access; on performance of the service you request for core app and rewards functions; and on legitimate interests or legal obligations for security, fraud prevention, support, and compliance. You may withdraw consent for future processing at any time through the controls described in this policy.

6. When information is disclosed

We disclose limited information only as needed to the following recipients:

  • Apple, for HealthKit permission, StoreKit purchases, Apple Ads Attribution, App Attest, DeviceCheck, and optional Sign in with Apple;
  • Mixpanel, as our product analytics processor, but only after analytics opt-in;
  • Cloudflare, for website delivery, edge security, the rewards Worker, and rewards database hosting;
  • professional advisers or authorities when reasonably necessary to comply with law, protect safety, investigate abuse, or establish and defend legal claims; and
  • a successor in a merger, acquisition, financing, reorganization, or sale, subject to this policy and applicable law.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not disclose HealthKit data to advertising platforms, data brokers, or information resellers.

7. Retention and deletion

  • On-device data remains until you delete it in GemStep, replace it through an import, or delete the app. Files you exported must be deleted from their destination separately.
  • Analytics data is retained in the Mixpanel project according to our configured service retention and legal needs. You may ask us to delete data associated with your GemStep installation identifier.
  • Rewards data is retained while the rewards account is active and as needed to provide and secure Gem Credits. If you delete the rewards account in the app, the Sign in with Apple recovery binding is removed and any Apple refresh token is revoked. Historical referral and credit-ledger records, a deactivated anonymous account record, and a one-way device tombstone may be retained to preserve ledger integrity, prevent repeated reward abuse, resolve disputes, and meet legal obligations. These retained records are not used to restore a deleted account or for advertising.
  • Support messages are retained only as long as reasonably needed to resolve the request, keep necessary business records, and comply with law.

8. Your choices and rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or receive a copy of personal information; object to certain processing; withdraw consent; and appeal or complain to a data-protection authority.

  • Manage Health access in Apple Health or iOS Settings.
  • Turn analytics on or off in GemStep → Settings → Privacy → Share Analytics.
  • Delete the optional Gem Credits account in GemStep → Settings → Invite & Gem Credits.
  • Delete local app data by deleting content where available or deleting the app. Deleting the app does not automatically remove exported files, Mixpanel data already sent with consent, or server-side Gem Credits records.
  • Send a request to support@gemsteps.com. We may ask for information needed to locate the relevant record and verify the request without collecting unnecessary identity data.

See the concise Privacy Choices page for these controls in one place.

9. International processing

GemStep is available internationally. Service providers such as Apple, Mixpanel, and Cloudflare may process information in the United States, European Union, Japan, and other countries where they operate. Those countries may have different data-protection laws. Where required, we and our processors use recognized safeguards for international transfers.

10. Security

We use measures appropriate to the nature of the information, including encrypted HTTPS transport, Apple App Attest assertions for protected rewards requests, one-way hashing for Apple account references, encryption for recovery tokens, and separation of HealthKit data from analytics and rewards records. No security measure is perfect, so we cannot guarantee absolute security.

11. Children

GemStep is a general-audience wellness experience and is not designed to solicit names, email addresses, or other contact information from children. Health sharing and purchases remain subject to Apple’s account, family, and device controls. If you believe a child provided personal information to us without appropriate authorization, contact us so we can review and delete it as required.

12. Changes to this policy

We may update this policy as GemStep changes or legal requirements evolve. We will publish the revised policy here, update the date above, and provide additional notice in the app when a change materially affects your choices or how personal information is used.

13. Contact

For privacy questions or requests, email support@gemsteps.com. For product troubleshooting, visit GemStep Support.

Third-party privacy information: Apple Privacy, Mixpanel Privacy, and Cloudflare Privacy.