
BunnySteps — Privacy Policy

Last updated: 6 May 2026

Contents

  1. Who we are
  2. Eligibility and minimum age
  3. Where this Policy applies
  4. What data we collect
  5. Data we receive from third parties
  6. Who we share your data with
  7. International transfers
  8. Social features and visibility
  9. How long we keep your data
  10. Your rights
  11. Cookies, SDKs, and similar technologies
  12. Third-party services and links
  13. Security
  14. Changes to this Policy
  15. Contact

1. Who we are

BunnySteps is operated by LOYALPLAY sp. z o.o., a limited liability company incorporated under Polish law, with its registered office at ul. Wolińska 4, 03-699 Warsaw, Poland, registered with the National Court Register under KRS number 0001223867, NIP 5243064238, REGON 543987170, share capital PLN 5,000 (fully paid up).

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR (where applicable), and the Polish Personal Data Protection Act of 10 May 2018, LOYALPLAY sp. z o.o. is the controller of your personal data (referred to in this policy as "we," "us," or "LOYALPLAY").

For any matter concerning your personal data, you can contact us at:

  • Email: [email protected]
  • Postal address: LOYALPLAY sp. z o.o., ul. Wolińska 4, 03-699 Warsaw, Poland

This Policy explains what personal data we collect through the BunnySteps mobile application (the "App"), the website at bunnysteps.io, and any related services (together, the "Services"); why we collect it; what we do with it; and what rights you have. Capitalised terms not defined here have the meaning given in our Terms of Use.

2. Eligibility and minimum age

The Services are intended for adults only. You must be at least 18 years old to create an account and use BunnySteps. We do not knowingly collect personal data from anyone under 18; if we discover that we have collected such data, we will delete the account and the associated data without undue delay.

3. Where this Policy applies

This Policy applies to all users of the Services, including users in the European Economic Area, the United Kingdom, the United States, and elsewhere. If you reside in a jurisdiction with additional data-protection rights beyond the GDPR (for example, certain U.S. state privacy laws such as the CCPA/CPRA in California), those rights apply to you in addition to the rights described in this Policy. Contact us at [email protected] to exercise any such rights.

4. What data we collect, why, and on what legal basis

We process your data for several purposes, each grounded in one of the legal bases listed in Article 6(1) GDPR. Where we rely on consent, you can withdraw it at any time (see Section 10 — Your rights).

4.1 Data processed to provide the Service — Article 6(1)(b) GDPR (performance of the contract)

This is data we need in order to give you an account, run the App, and pay out the rewards you earn. Without it, we cannot deliver the Services.

| Category | Examples | Why we process it |
|---|---|---|
| Account & identification data | Email address, password (hashed), account ID, language, time zone, date of birth (for age verification), authentication tokens | Create and secure your account; verify you meet the 18+ minimum age; deliver the Service in your language; reset your daily step counter at local midnight |
| Sign-in data (third-party sign-in) | Sign in with Apple identifier, Sign in with Google identifier, name and email returned by the provider | Authenticate you and populate your profile |
| Step count and physical-activity data | Daily step count and related activity metrics retrieved from Apple HealthKit (with your permission) | Count your steps, validate qualifying activity, and credit you with in-app rewards |
| Reward & transaction history | In-app currency balance, accrual events, redemptions, gift-card fulfilment records | Show you your balance and history; deliver gift cards and digital rewards; comply with accounting obligations |
| In-app purchase data | Apple/Google receipt IDs, product identifiers, purchase status (we do not receive your full payment-card details) | Unlock premium features and process refunds where applicable |
| Referral data | Your referral code, referral link clicks, status of users you refer | Operate the referral programme and credit referral rewards |
| Social features data | Friend connections, leaderboard scores, friends-list visibility | Enable friends, leaderboards, and social comparison features within the App |
| Device & technical data | Device model, OS version, App version, IP address, crash logs, basic diagnostic events | Operate the App, deliver content, secure the Service, fix bugs |
| Support correspondence | Messages you send us, support tickets, attachments | Respond to your enquiries and resolve issues |
| Anti-fraud signals | Device fingerprint, hashed identifiers, behavioural signals, session timestamps, links between accounts, fraud / "cheat" score | Detect and prevent abuse of the reward system (step spoofing, fake GPS, multi-accounting, fraudulent redemptions) — see Section 4.4 |

HealthKit-specific notice (Apple). BunnySteps reads step and activity data from Apple HealthKit only with your explicit permission, granted through iOS. We never use HealthKit data for advertising or other data-mining purposes unrelated to delivering the Service, and we do not share HealthKit data with third parties for advertising. You can revoke or change HealthKit permissions at any time in iOS Settings → Privacy & Security → Health → BunnySteps. If you revoke step access, the App will not be able to credit you for walking activity.

4.2 Data processed with your consent — Article 6(1)(a) GDPR

We ask for your separate, opt-in consent before processing the following data. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

| Category | Examples | Why we process it |
|---|---|---|
| Advertising identifier (IDFA / GAID) | Apple's Identifier for Advertisers (when you grant App Tracking Transparency permission); Google Advertising ID on Android (when you do not opt out) | Measure ad-campaign performance; show personalised ads through the advertising partners listed in Section 6 |
| Marketing communications | Email address, profile attributes, in-app behaviour | Send you promotional emails and push notifications about new features, offers, challenges, and partner promotions |
| Optional profile fields | Profile photo, gender, country | Personalise your profile and the offers shown to you |

You can change consent for tracking at any time in iOS Settings → Privacy & Security → Tracking and on Android via your device's ad settings. You can unsubscribe from marketing emails at any time using the link in the footer of any such email, and disable push notifications in your device settings.

4.3 Data processed under our legitimate interests — Article 6(1)(f) GDPR

We rely on legitimate interests where the processing is necessary for our reasonable business purposes and your rights and interests do not override them. You have the right to object to this processing (see Section 10).

| Category | Why we process it | Our legitimate interest |
|---|---|---|
| Aggregate / anonymised usage statistics | Understand how the App is used, improve features, measure retention | Product development and service quality |
| Performance and crash diagnostics | Detect bugs and instability | Maintain a working, secure App |
| Anti-fraud and security analytics | Detect coordinated abuse, payment fraud, and reward-system gaming | Protect our users, partners, and economic interests |
| Internal records of communications, transactions, and rights requests | Keep evidence in case of dispute or audit | Comply with our legal obligations and defend ourselves in litigation |
| Service-related (non-marketing) emails | Inform you about important changes to the App, your account, or this Policy | Keep you properly informed about the Service you are using |

4.4 Anti-fraud processing

Walking-rewards apps are heavily targeted by automated abuse (step-spoofing apps, fake GPS, emulators, multi-account farms). To protect the integrity of the reward system, we run automated checks each time you request a payout, redeem a reward, or use the referral programme. These checks may produce a fraud risk score based on signals such as device characteristics, network data, behavioural patterns, IP history, links between accounts, and HealthKit data quality. Some of these signals are processed on our behalf by our anti-fraud provider (see Section 6).

If we detect serious abuse, we may suspend or terminate the account in accordance with the Terms of Use. You will be informed and have the right to contest the decision. To the extent any decision producing legal or similarly significant effects is made by automated means, you have the right to obtain human review under Article 22 GDPR.

4.5 Compliance with legal obligations — Article 6(1)(c) GDPR

We process certain data because the law requires it — for example, accounting and tax records relating to payouts and in-app purchases, responses to lawful requests from authorities, and records demonstrating compliance with the GDPR.

5. Data we receive from third parties

To run the Service, we may receive information about you from third parties:

  • Authentication providers (Apple, Google) — basic profile data when you choose to sign in with their service.
  • Mobile attribution partners — measurement data showing whether ads or campaigns led to your install or in-app actions, subject to ATT consent where applicable.
  • Offerwall and survey partners — confirmation that you completed an action so that we can credit your reward; these partners remain separate controllers for their own activities.
  • Anti-fraud provider — risk signals derived from your device and session.

6. Who we share your data with

We share personal data only where it is necessary and lawful. The categories of recipients are:

(a) Our processors. Trusted vendors who process data on our behalf and under our written instructions, in line with Article 28 GDPR. The current list is:

  • Hosting and backend infrastructure: DigitalOcean, Google Cloud
  • Database and storage: DigitalOcean, Google Cloud
  • Product analytics: Mixpanel, Firebase Analytics
  • Crash reporting: Sentry, Firebase Crashlytics, Bugsnag
  • Customer support: Intercom, Zendesk, Helpscout, direct email
  • Transactional email: Postmark, SendGrid, Amazon SES, Resend
  • Marketing email and lifecycle messaging: Customer.io
  • Push notifications: OneSignal, Firebase Cloud Messaging, Apple Push Notification service (APNs)
  • Mobile attribution: Adjust, Singular
  • Anti-fraud and device-risk: Verisoul
  • Gift-card fulfilment and payouts: Tremendous

(b) Advertising partners (only where you have granted ATT consent on iOS or have not opted out on Android, and any other required consent): AppLovin MAX, ironSource, Unity Ads, Google AdMob, Meta Audience Network. These partners may act as independent or joint controllers for the targeting and measurement they perform; we encourage you to review their privacy notices.

(c) Offerwall partners: Adjoe, Mistplay. When you choose to participate in their offers, they may collect additional data under their own privacy policies as separate controllers.

(d) Authentication providers: Apple, Google — when you use Sign in with Apple or Sign in with Google.

(e) Reward fulfilment. When you redeem a digital gift card or other digital reward, we transmit the data needed to fulfil the reward (typically your email address and the redemption details) to Tremendous and, where relevant, to the merchant issuing the gift card.

(f) Public authorities, courts, and law enforcement, where disclosure is required by law, regulation, or a binding order, or necessary to protect our rights, our users' safety, or the integrity of the Service.

(g) Successors in interest in the event of a merger, acquisition, reorganisation, or sale of assets; in such case the recipient will be bound by terms at least as protective as this Policy.

We do not sell your personal data.

7. International transfers

Some of our processors and partners are located outside the European Economic Area, including in the United States and the United Kingdom. Where a transfer is necessary, we rely on:

  • the European Commission's adequacy decisions (including UK adequacy and the EU–US Data Privacy Framework, where applicable to the recipient); or
  • Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where the UK GDPR applies), supplemented where necessary by additional technical and organisational measures such as encryption in transit and at rest, access controls, and pseudonymisation.

You can request a copy of the safeguards applied to a specific transfer by writing to [email protected].

8. Social features and visibility to other users

When you use the social features of BunnySteps (friends, leaderboards), certain information is visible to other users:

  • To your friends: your username, profile photo (if set), step counts and reward-related metrics shown in shared leaderboards.
  • On public or community leaderboards: your username, profile photo (if set), and the metric used to rank the leaderboard.

You can manage friend connections within the App. If a feature allows you to make your profile private or hidden from leaderboards, those controls will be available in Settings → Privacy in the App.

9. How long we keep your data

We keep personal data only for as long as needed for the purpose for which it was collected, plus any retention required by law.

| Data | Retention |
|---|---|
| Account data | For the lifetime of your account; deleted within 7 days of account deletion, or after 24 months of inactivity (followed by archival for legally mandated periods) |
| Step / activity data and reward events | For the lifetime of your account; same archival rules as above |
| IP address | Up to 3 months after your last activity, or 7 days after account deletion |
| Support correspondence | Up to 4 years from the last interaction |
| Accounting / tax records (payouts, in-app purchases, invoices) | 5 years from the end of the relevant tax year, in line with Polish tax and accounting law |
| Anti-fraud / fraud-score data | Retained in anonymised form after account deletion, for fraud-prevention purposes |
| GDPR rights requests log | 3 years from the end of the calendar year of the request |
| Marketing consent and unsubscribe records | 3 years after withdrawal of consent |

10. Your rights

Under the GDPR (and the UK GDPR where applicable), you have the following rights:

  • Right of access — to know whether we hold data about you and to obtain a copy.
  • Right to rectification — to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — to have your data deleted in the cases listed in Article 17 GDPR.
  • Right to restriction of processing — to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format and have it transmitted to another controller.
  • Right to object — including to processing based on our legitimate interests and to direct marketing.
  • Right to withdraw consent — at any time, where processing is based on consent.
  • Right not to be subject to solely automated decisions producing legal or similarly significant effects, except in the cases permitted by Article 22 GDPR.
  • Right to lodge a complaint with a supervisory authority (see below).

If you reside in a U.S. state with applicable privacy laws, you may also have rights to know, delete, correct, opt out of "sale" or "sharing" of personal information, and limit the use of sensitive personal information. To exercise any of these rights, contact us at [email protected].

To exercise these rights, contact us at [email protected]. We will respond within one month (extendable by two further months for complex requests, in which case we will inform you). We may need to verify your identity before acting on your request.

You can also delete your account at any time from Settings → Account → Delete account in the App, by emailing us, or by submitting our account-deletion request form.

Supervisory authorities.

For users in Poland (LOYALPLAY's lead supervisory authority):

Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — Tel.: +48 22 531 03 00 — Website: https://uodo.gov.pl

For users in the United Kingdom:

Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK — Website: https://ico.org.uk

If you reside in another EEA Member State, you may also lodge a complaint with the supervisory authority in your country of residence.

11. Cookies, SDKs, and similar technologies

The BunnySteps mobile App does not use website cookies. It uses software development kits (SDKs) integrated into the App for the following purposes:

  • Strictly necessary — authentication, session management, language and region detection.
  • Performance and diagnostics — crash reporting and stability metrics (Sentry, Firebase Crashlytics, Bugsnag).
  • Analytics — pseudonymised product-usage analytics (Mixpanel, Firebase Analytics).
  • Push notifications — service-related and (with your consent) promotional notifications, delivered via OneSignal, Firebase Cloud Messaging, and APNs. You can disable these in iOS Settings → Notifications → BunnySteps or your Android equivalent.
  • Mobile attribution — to measure where installs and in-app conversions come from (Adjust, Singular), subject to ATT consent where required.
  • Advertising and monetization — only where you have granted ATT consent or have not opted out on Android (AppLovin MAX, ironSource, Unity Ads, Google AdMob, Meta Audience Network).
  • Offerwall providers — when you choose to interact with them (Adjoe, Mistplay).
  • Anti-fraud — Verisoul.

A separate cookie notice applies to the website at bunnysteps.io.

12. Third-party services and links

The App may contain links to third-party websites or integrate third-party offers. We do not control these third parties and are not responsible for their data practices. We recommend you review their privacy policies before sharing any data with them.

13. Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit, encryption at rest for sensitive fields, role-based access controls, vendor due diligence, secure software-development practices, and incident-response procedures.

No system is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform you directly without undue delay.

14. Changes to this Policy

We may update this Policy from time to time. The current version is always available in the App and at bunnysteps.io/privacy. If we make a material change — for example, a change requiring your renewed consent — we will notify you in advance through the App or by email and, where required by law, ask for your consent again.

15. Contact

Questions, complaints, or requests:

  • Email: [email protected]
  • Post: LOYALPLAY sp. z o.o., ul. Wolińska 4, 03-699 Warsaw, Poland