🏃 Steppe RUN

Privacy Policy

Effective date: 1 May 2026

This Privacy Policy describes how Steppe RUN (the “Operator”, “we”, “us”) collects, uses, stores, and shares personal data of users of the Service. We process personal data in accordance with the Law of the Republic of Kazakhstan“On Personal Data and Its Protection” No. 94-V dated 21 May 2013 (the “Personal Data Law”) and other applicable legislation.

1. Data Controller

The data controller (Operator) is Steppe RUN, contactable at support@stepperun.kz.

2. Personal Data We Collect

  • Account data — provided by your authentication provider (typically Google): email address, display name, profile picture URL, and a stable user identifier.
  • Profile data — runner profile claim information (full name, city, country) submitted by you, and verification evidence you choose to provide.
  • Strava data — if you connect Strava: athlete ID, OAuth tokens, and activity metadata (distance, pace, dates) used for training analytics.
  • AI Coach uploads — video files you upload, extracted frames, and AI-generated analysis output.
  • Transaction data — record of Coin balance, awards, debits, and purchases.
  • Technical data — IP address, browser user agent, device type, access logs, and similar diagnostic information.

3. Public Race Results

The Service also displays running event results that are publicly published by event organisers on their official websites. These results (name, city, finish time, place, etc.) are aggregated for informational purposes. If you wish to be excluded, contact us at support@stepperun.kz and we will remove your record within a reasonable period.

4. Purposes of Processing and Legal Basis

  • to create and operate your account — performance of a contract (Article 9 of the Personal Data Law);
  • to verify runner profile claims — your consent;
  • to provide training analytics from Strava — your consent and contract;
  • to deliver AI Coach analysis — performance of a contract and your consent to processing of uploaded video;
  • to process Coin purchases and prevent fraud — performance of a contract and legitimate interests;
  • to comply with legal obligations — statutory requirements.

5. Consent

By creating an account and using the Service, you provide consent to the collection and processing of your personal data for the purposes described above. You may withdraw consent at any time by deleting your account or by contacting support@stepperun.kz. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.

6. Sharing and Disclosure

We share personal data only with:

  • Sub-processors acting on our instructions, including: Supabase (database and storage), Vercel (hosting), Google (authentication), Strava (training data integration), and AI model providers used by AI Coach for inference.
  • Payment processors when you purchase Coins. We do not store full payment card numbers on our servers.
  • Authorities when required by law, court order, or to protect the rights, property, or safety of the Operator or others.

Some sub-processors may process data outside the Republic of Kazakhstan. Where such cross-border transfer occurs, we ensure adequate protection in accordance with Article 16 of the Personal Data Law.

7. Data Retention

We retain personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. AI Coach video files and extracted frames are retained while the session is visible in your account and may be deleted at your request.

8. Your Rights

Subject to the Personal Data Law, you have the right to:

  • access the personal data we hold about you;
  • request rectification of inaccurate or incomplete data;
  • request blocking or destruction of your data;
  • withdraw consent and request deletion of your account;
  • lodge a complaint with the authorised body for personal data protection of the Republic of Kazakhstan.

To exercise these rights, contact us at support@stepperun.kz. We will respond within the period prescribed by applicable law.

9. Security

We apply organisational and technical measures appropriate to the risks of processing, including encrypted connections (HTTPS/TLS), access control, server-side handling of secrets, and least-privilege database policies. No method of transmission or storage is fully secure; we cannot guarantee absolute security.

10. Cookies

The Service uses strictly necessary cookies for authentication session management and preferences (e.g. theme). We do not use advertising cookies or third-party tracking cookies for behavioural advertising.

11. Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The “Effective date” above reflects the latest revision.

13. Contact

Privacy questions and data-subject requests: support@stepperun.kz.