One Step is a private fitness competition app. We don't run analytics. We don't sell your data. We don't share your data with advertisers. This page explains exactly what we collect, why, and where it goes.
1. Who We Are
One Step (the "app") is operated by Justin Mayeur as a sole proprietorship trading as One Step Collective, based in Washington State, United States. References to "we," "us," and "our" mean Justin Mayeur d/b/a One Step Collective.
If you have questions about this policy or your data, contact us at onestepapp.feedback@gmail.com.
2. What We Collect
Information you provide
- Email address — used only to sign you in via a one-time magic link. We don't store passwords.
- Profile information — name, date of birth, biological sex, height, weight, and your fitness goal and dietary approach. You enter these during onboarding.
Information from Apple HealthKit
If you grant HealthKit permission, the app reads (but never writes) the following:
- Steps
- Heart rate samples (during workout sessions)
- Resting heart rate
- Heart rate variability (HRV)
- VO2 max
- Active energy burned
- Apple Exercise Time and Apple Stand Time
- Recorded workouts
HealthKit data stays on your device. Raw heart rate, raw workout records, GPS, and route data are never transmitted off your device. The app processes this data locally and only sends derived numbers — your fitness points, total steps, zone-minute counts — to our servers.
Information generated by app use
- Daily fitness scores — workout points, nutrition points, step points, streak bonus, total points, and the input metrics they were derived from (steps, active calories, exercise minutes, time spent in heart rate zones 1–5).
- Nutrition check-ins — whether you logged on plan, fasted, or off plan that day.
- Challenges you create or join — challenge name, dates, configuration, invite code, participants.
- Reactions you send — fist bump or fire reactions on participants' daily scores within shared challenges.
Information we don't collect
- We don't collect your raw heart rate time series or individual workout records.
- We don't collect your location or GPS data.
- We don't access your contacts, photos, microphone, camera, or calendar.
- We don't use any third-party analytics or crash reporting (no Sentry, no Crashlytics, no Mixpanel, no Firebase, no Amplitude, none).
- We don't use advertising SDKs, social login SDKs, or any tracking pixels.
- We don't fingerprint your device or build a behavioral profile.
- We don't ask about or collect any data related to alcohol, drug, or recovery status.
3. How We Use Your Information
- To authenticate you and keep your account secure.
- To calculate your fitness scores and apply your handicap multiplier.
- To show your scores and progress to other participants in challenges you've joined.
- To send the optional notifications you've enabled (challenge updates, daily check-in reminders, streak alerts, participant activity).
We do not use your information for advertising, marketing profiling, or any purpose unrelated to operating the app.
4. Where Your Data Goes
- Supabase (our backend provider) — stores your account information and computed fitness scores. Access is gated by row-level security policies that scope reads and writes to your own data and challenges you participate in.
- Apple Push Notification Service (APNs) — delivers push notifications, only if you've granted notification permission.
- Apple HealthKit — read-only, on your device only.
That's the complete list. We don't share data with any other third parties.
5. How We Store Data
Account data and fitness scores are stored on Supabase's infrastructure, which uses industry-standard encryption in transit (TLS) and at rest. Locally on your device, app data is stored using iOS's standard sandboxed storage and is protected by your device's security model.
6. Children
The app is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child under 13 has used the app, please contact us and we'll delete the associated account and data.
7. Your Rights and Choices
- Access and correction — you can view and edit your profile information from inside the app.
- Deletion — to delete your account and associated data, email us at onestepapp.feedback@gmail.com from the address tied to your account. We'll confirm and delete within 30 days.
- Notifications — toggle any notification type on or off in the app's Settings, or revoke notification permission entirely in iOS Settings.
- HealthKit permissions — revoke any individual HealthKit permission in iOS Settings → Health → Data Access & Devices → One Step. The app will continue to function, but workout-based scoring will stop until permissions are restored.
8. Data Retention
We retain your account data and scores for as long as your account is active. If you delete your account, we delete your data within 30 days, with the exception of records we're legally required to retain.
9. Beta Status
The app is currently in beta. During the beta period, we may make changes to data structures, scoring formulas, or features that could affect previously stored data. We'll communicate significant changes in advance where possible.
10. Changes to This Policy
If we make material changes to this policy, we'll update the "Last updated" date at the top of the page and, where appropriate, notify you in the app or by email.
11. Contact
Questions, deletion requests, or anything else: onestepapp.feedback@gmail.com