Legal

Privacy Policy

Effective Date: February 27, 2026 | Last Updated: February 27, 2026

1. Introduction

This Privacy Policy describes how Goalin LLP (TOO "Goalin", Товарищество с ограниченной ответственностью "Goalin"), BIN 260240021438, registered in Astana, Republic of Kazakhstan (hereinafter "we", "us", "our", or "Company"), collects, uses, stores, and discloses information when you use the StepToGoal mobile application, web application, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your information as described herein, in accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" No. 94-V dated May 21, 2013 ("Kazakhstan Privacy Law"), the EU General Data Protection Regulation (GDPR) where applicable, and the California Consumer Privacy Act (CCPA) where applicable.

If you do not agree with this Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Email address, name or nickname, and profile avatar when you register or update your account.
Authentication Data: One-time passwords (OTP) sent to your email; OAuth identifiers (user ID and email) if you sign in via Google or Apple Sign-In.
User-Generated Content: Goals, sub-goals, tasks, habits, progress notes, mood logs, daily reflections, calendar entries, wish map items, and any other content you create within the Service.
Voice Input: Audio recordings you submit when using the voice input feature for goal creation or AI coaching.
Communications: Messages you send to our support team via email or in-app chat.

2.2 Information Collected Automatically

Device Information: Device type, model, operating system version, unique device identifiers, and mobile network information.
Usage Data: Screens and features you access, actions you take, timestamps, session duration, frequency of use, crash reports, and error logs.
Log Data: IP address, browser type and version, referring URLs, and access timestamps (web version).
Push Notification Token: Device token used to deliver push notifications (mobile app).
Timezone and Language: Your device timezone and language preferences.

2.3 Payment and Subscription Data

We do not collect, process, or store your payment card details, bank account information, or other sensitive financial data.

Web Payments (Lemon Squeezy): If you subscribe via our website, all payment processing is performed exclusively by Lemon Squeezy Inc., acting as Merchant of Record. We only receive non-sensitive transaction metadata: subscription status (active, cancelled, expired), plan type, purchase date, and country. Lemon Squeezy's data practices are governed by their Privacy Policy available at lemonsqueezy.com/privacy.
Mobile Payments (Apple App Store / Google Play): In-app purchases on iOS are processed by Apple Inc. and on Android by Google LLC. Subscription status data is synchronized via RevenueCat (subscription management platform). We do not receive or store your payment instrument details.

We only receive confirmation of subscription status and plan type from payment processors. We are not responsible for the data practices of Apple, Google, Lemon Squeezy, or RevenueCat.

2.4 Voice and AI Interaction Data

When you use voice input features, your audio is transmitted to OpenAI, Inc. via its API for transcription and AI processing. We do not store raw audio recordings on our servers after processing is complete. The resulting transcribed text and AI responses may be stored as part of your account data to provide the Service. Audio data sent to OpenAI is subject to OpenAI's API Data Usage Policy.

3. How We Use Your Information

Provide the Service: Display your goals, tasks, and progress; send reminders and notifications; enable AI coaching features.
AI-Powered Features: Transmit your goal content, messages, and voice transcriptions to OpenAI to generate personalized plans, coaching advice, and AI-generated images.
Subscription Management: Verify and synchronize your subscription status via RevenueCat (mobile) or Lemon Squeezy (web).
Transactional Communications: Send account-related emails (OTP codes, subscription confirmations, support responses) via Mailgun.
Service Improvement: Analyze aggregated, anonymized usage patterns to understand how users interact with the Service and improve features.
Security and Fraud Prevention: Detect, investigate, and prevent fraudulent activity, abuse, and unauthorized access.
Legal Compliance: Fulfill obligations under applicable laws, including responding to lawful requests from government authorities.

We do not use your personal data for behavioral advertising, and we do not sell, rent, or trade your personal data to third parties for their own commercial purposes.

4. Third-Party Service Providers

We share personal data only to the extent necessary with the following trusted service providers who process data on our behalf:

OpenAI, Inc. (openai.com): AI goal generation, coaching content, image generation, and voice transcription via GPT-4o API.
RevenueCat, Inc. (revenuecat.com): Mobile subscription management and entitlement verification for iOS and Android platforms.
Lemon Squeezy Inc. (lemonsqueezy.com): Web payment processing as Merchant of Record for web subscriptions. Acts as an independent data controller for payment data.
Apple Inc.: App Store distribution, in-app purchase processing (iOS), Apple Sign-In authentication, and push notifications (APNS).
Google LLC: Google Play distribution, in-app purchase processing (Android), Google Sign-In authentication, and push notifications (FCM).
DigitalOcean LLC (digitalocean.com): Cloud infrastructure, server hosting, and managed database services. Servers located in Frankfurt, EU (fra1 region).
Mailgun / Sinch (mailgun.com): Transactional email delivery (OTP codes, account notifications, receipts).
Expo (expo.dev / EAS): Mobile application build infrastructure, over-the-air update delivery, and push notification routing.

Each provider is contractually obligated to use your data only to perform services for us and in accordance with their own privacy policies. We do not share personal data with advertising networks, data brokers, or analytics companies that use data for cross-context behavioral advertising.

We may disclose your information if required by applicable law, court order, or lawful governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Goalin LLP, our users, or the public.

5. International Data Transfers

Goalin LLP is headquartered in Kazakhstan. To provide the Service, we transfer your personal data to service providers located in the United States and the European Union, including OpenAI (US), DigitalOcean (EU/US), Mailgun (US), RevenueCat (US), and Lemon Squeezy (US).

For users in the European Economic Area (EEA), UK, or Switzerland, such transfers are carried out on the basis of:

Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable; or
The adequacy decisions or appropriate safeguards implemented by the respective service provider.

By using the Service, you acknowledge that your data may be transferred to and processed in countries with different data protection laws than your country of residence. We take appropriate steps to ensure adequate protection is in place for all international transfers.

6. Data Retention

Active Accounts: We retain your personal data for as long as your account exists and as necessary to provide the Service.
Account Deletion: Upon your verified request for account deletion, we will permanently delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records, fraud prevention, ongoing legal disputes).
Encrypted Backups: Residual copies in encrypted backups may persist for up to 30 additional days before being overwritten.
Voice Data: Raw audio files are not retained on our servers after transcription processing. Transcribed text follows the standard account retention schedule.
Legal Hold: If your data is subject to a legal hold or dispute, we may retain it beyond the standard retention period as required by law.

To request account deletion, use the account settings in the app or contact us at support@steptogoal.io.

7. Data Security

We implement commercially reasonable technical and organizational security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction, including:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
Encryption at Rest: Databases containing personal data are encrypted at rest using industry-standard encryption.
Secure Authentication: JSON Web Token (JWT) based API authentication; OAuth 2.0 for social sign-in.
Device-Level Security: Authentication credentials on mobile devices are stored in platform-provided secure enclaves: Keychain (iOS) and Android Keystore.
Access Controls: Data access is restricted to authorized personnel on a need-to-know basis.
Security Monitoring: Regular security assessments and anomaly monitoring on our infrastructure.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the security of your account credentials.

7.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of discovering the breach (to the extent feasible), via the email address associated with your account and/or a prominent in-app notice. We will also notify the relevant supervisory authorities as required by applicable law (including GDPR Article 33, where applicable).

8. Children's Privacy

The Service is not directed to, and not intended for use by, children under the age of 16 (or under 13 in the United States under COPPA). We do not knowingly collect personal data from children under these ages.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at support@steptogoal.io. Upon verification, we will promptly delete such data from our systems.

9. Cookies and Tracking Technologies

On the web version of StepToGoal, we use only strictly necessary and functional cookies required to operate the Service, such as session authentication tokens and user preference storage (e.g., theme, language). We do not use:

Advertising, targeting, or tracking cookies;
Third-party analytics cookies (e.g., Google Analytics, Facebook Pixel);
Social media tracking pixels or beacons;
Cross-site tracking or fingerprinting technologies.

The mobile application does not use browser cookies. Local storage on mobile devices is used only for functional purposes (authentication tokens, preferences).

You may disable cookies in your browser settings; however, doing so may impair certain functionality of the web Service.

10. Your Rights and Choices

10.1 All Users

Access and update your account information within the app settings.
Delete your account and associated data through the app settings or by contacting us.
Opt out of push notifications through your device notification settings.
Contact us with privacy-related questions or requests at support@steptogoal.io.

10.2 Kazakhstan Residents

In accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" No. 94-V (May 21, 2013), you have the right to:

Obtain information about your personal data we hold and the processing thereof;
Request correction of inaccurate or incomplete personal data;
Request deletion of your personal data when no longer necessary;
Withdraw your consent to processing (this may result in loss of access to the Service);
File a complaint with the authorized body for personal data protection in Kazakhstan.

10.3 EEA, UK, and Switzerland Residents (GDPR Rights)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR (or equivalent national law):

Right of Access (Art. 15): Request a copy of your personal data we hold.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
Right to Restriction of Processing (Art. 18): Request that we limit how we process your data in certain circumstances.
Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format and, where technically feasible, transfer it to another controller.
Right to Object (Art. 21): Object to processing based on our legitimate interests.
Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

Our legal basis for processing personal data under GDPR is primarily: (a) performance of a contract (providing the Service); (b) your consent (for voice data, AI processing, and communications); and (c) legitimate interests (security, fraud prevention, service improvement).

10.4 California Residents (CCPA/CPRA Rights)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
Right to Delete: Request deletion of your personal information, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information with third parties for cross-context behavioral advertising purposes.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by the CCPA.

To exercise your California rights, contact us at support@steptogoal.io with the subject line "California Privacy Request." We will respond within 45 days as required by the CCPA.

We do not sell your personal data. We do not share your personal data for cross-context behavioral advertising.

10.5 How to Submit a Privacy Request

To exercise any of the above rights, contact us at support@steptogoal.io with:

Your name and email address associated with your account;
A description of the right you wish to exercise;
Any information needed to verify your identity.

We will respond to verified requests within 30 days (extendable by 30 additional days with notice). We do not charge a fee for reasonable requests, but may decline manifestly unfounded or excessive requests.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will notify you:

Via a prominent notice within the app or on our website; and/or
Via email to the address associated with your account, at least 14 days before the changes take effect.

The "Last Updated" date at the top of this page indicates the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree with the changes, you should stop using the Service and delete your account.

12. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data practices:

Company: Goalin LLP (TOO "Goalin")
BIN: 260240021438
Address: Republic of Kazakhstan, Astana, Esil district, Dostyk street, house 13
Privacy Email: support@steptogoal.io
Phone: +7 775 177 45 99

For EEA users, if you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with your local data protection supervisory authority.