Privacy Policy
Effective Date: March 9, 2026
Last Updated: March 14, 2026
Bakkum ("Company," "we," "us") operates the StepRewards app ("Service"). This Privacy Policy explains how we collect, use, and protect your personal information.
1. Information We Collect
1.1 Information You Provide
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, login, support | 30 days after deletion |
| Gender (optional) | Personalized experience | 30 days after deletion |
| Birth year (optional) | Personalized experience | 30 days after deletion |
| Bank account number | Cash withdrawal (Toss Payments) | 5 years after transaction |
| Bank account info | Cash withdrawal (Wise) | 5 years after transaction |
1.2 Information Collected Automatically
| Data | Purpose | Retention |
|---|---|---|
| Step count data | Point accumulation, core feature | 30 days after deletion |
| Device fingerprint | Fraud detection and prevention | 90 days after deletion |
| Push token (FCM) | Notifications | Deleted upon account deletion |
| Firebase Analytics data | Usage analysis, service improvement | 14 months (Google default) |
| Advertising ID | Personalized ads (AdMob) | 30 days after deletion |
1.3 Health Data (HealthKit / Health Connect)
- Step count data is accessed through HealthKit (iOS) and Health Connect (Android) only with your explicit consent.
- Health data is never used for advertising or sold to third parties.
1.4 Information We Do NOT Collect
- Location data: StepRewards does not collect your location.
2. How We Use Your Information
- Provide and operate the Service
- Calculate and award points based on step counts
- Process gift card exchanges and cash withdrawals
- Detect and prevent fraud or cheating
- Serve reward ads (AdMob)
- Analyze usage and improve the Service
- Send push notifications
- Respond to support requests
3. Third-Party Sharing
We do not sell your personal information. We share data with the following parties only as necessary to operate the Service:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Google (Firebase) | Usage data, push tokens | Analytics, notifications |
| Google (AdMob) | Advertising ID | Personalized ads |
| Toss Payments | Bank account info | Cash withdrawals (Korea) |
| Wise | Bank account info | Cash withdrawals |
| Giftishow Biz / Tremendous / Dgift | Email | Gift card delivery |
We may also disclose information when required by law.
4. Data Security
- Payment information (bank account numbers) is stored encrypted.
- All data transmission uses SSL/TLS encryption.
- Access to personal data is restricted on a need-to-know basis.
5. Data Retention and Deletion
- Account data is deleted within 30 days of account deletion.
- Payment/withdrawal records are retained for 5 years as required by financial regulations.
- Device fingerprints are retained for 90 days after account deletion for fraud prevention.
- All deletions are performed using irreversible methods.
6. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate information
- Delete your data
- Restrict processing of your data
- Withdraw consent previously given
Exercise your rights through the app settings or by contacting wonwookimnida@gmail.com.
7. Advertising and Tracking
- StepRewards serves reward ads, app-opening ads, and banner ads through Google AdMob.
- Reward ads: Watching a reward ad is required to earn points after reaching a step milestone. Ad completion is verified through Google AdMob Server-Side Verification (SSV).
- App-opening ads / Banner ads: Displayed for service operation purposes and are unrelated to point accumulation.
- On iOS, personalized ads are shown only after ATT (App Tracking Transparency) consent.
- If you decline, non-personalized ads will be shown instead.
8. Children's Privacy
StepRewards is not intended for children under 14 (or the applicable age of consent in your jurisdiction). If we learn that we have collected data from a child, we will delete it promptly.
9. International Data Transfers
Your data may be transferred to:
- United States: Google (Firebase, AdMob), Wise, Tremendous
- Japan: Wise, Dgift
- South Korea: Wise, Giftishow Biz
We apply appropriate safeguards for all international transfers.
10. For EU/EEA Residents (GDPR)
- Legal bases: Consent (health data), contract performance (service delivery), legitimate interest (fraud prevention)
- Special category data: Step count data is treated as health data under GDPR Article 9 and processed based on your explicit consent.
- Data portability: You may request your data in a structured, machine-readable format.
- Right to complain: You may file a complaint with your local data protection authority.
- Data Protection Officer: Contact wonwookimnida@gmail.com.
11. For California Residents (CCPA)
- You have the right to know what personal information we collect and how it is used.
- You may request deletion of your personal information.
- We do not sell personal information.
- You will not be discriminated against for exercising your rights.
12. For Japan Residents (APPI)
- You may request disclosure, correction, or deletion of your personal information.
- Sensitive personal information (health data) is processed only with your prior consent.
13. Changes to This Policy
We will notify you of changes at least 7 days before they take effect via in-app notice or push notification. Material changes will be notified 30 days in advance.
14. Contact Us
- Email: wonwookimnida@gmail.com