Privacy Policy
This Privacy Policy explains what personal information is collected when you use the MySteppi product (the "Service"), how it is used, who it is shared with, and the choices you have. The same policy applies to all parts of the Service:
- the marketing site at https://mysteppi.com, including any in-site help chat we offer
- the application at https://app.mysteppi.com
- the MySteppi mobile application for iOS and Android
By using the Service, you confirm that you are at least 16 years old (or that your parent or guardian has read and agreed to this Privacy Policy for you) and that you accept the practices described below.
1. Who We Are
MySteppi is operated by EmodeFlow LLC, a Delaware limited liability company with its registered address at 1111B S Governors Ave #93153, Dover, DE 19904, United States ("EmodeFlow", "we", "us", "our"). EmodeFlow is the data controller for personal information processed through the Service.
For any privacy question, request, or complaint, contact us at mysteppi@emodeflow.com.
2. Information We Collect
2.1 Account information
- Email address
- A securely hashed password (we never store the plaintext password)
- The sign-in method you used (email, or a connected provider such as Google)
- Account timestamps (created at, last sign-in)
2.2 Profile information
- Display name
- Gender (used to phrase astrological readings appropriately)
- Preferred language
- Relationship label for each profile you add (yourself, a partner, a family member, a friend, a colleague)
2.3 Birth information
- Date of birth
- Time of birth (optional; you can mark it as unknown)
- Place of birth as you type it, plus the geocoded latitude, longitude, and time zone we resolve from it
2.4 Astrological and numerological data we derive
From your birth information, we compute your natal chart (planetary positions, houses, aspects), key signs (sun, moon, rising), archetype, and numerology numbers (such as life path, expression, soul urge, personality, birth-day, and personal-year). This derived data is stored alongside your profile so we do not need to recompute it on every page.
2.5 Content you create in the Service
- Your goals and answers in onboarding
- Chat messages exchanged with our AI features
- Decision logs and personal context you save
- Notes attached to profiles you add
2.6 Behavioural and analytics data
- A pseudonymous identifier stored in your browser (the anonymous_id in localStorage) so we can measure how many people who land on a marketing page reach registration, without identifying them
- Funnel events for steps you reach in the discover and onboarding flows
- Anonymous events are automatically deleted after 7 days
2.7 AI usage logs
When you use an AI feature, we log technical metadata: which feature was used, which model was used, token counts, estimated cost, and timestamps. We log this metadata about AI requests; we do not log the contents of the messages.
2.8 Billing information
If you subscribe, we store a customer identifier issued by our payment processor (Stripe for web purchases, or the relevant app store for in-app mobile purchases) and your subscription status. We never store your card number or full payment details; those are handled directly by the payment processor and the relevant app store.
2.9 Information collected automatically
- IP address (used for security, abuse prevention, and approximate country detection)
- Approximate location (country / region) derived from the IP address, used to suggest a birth-place format and language
- Browser type, operating system, and device class
- Pages or screens you visit inside the Service
- Crash and error reports, with sensitive fields filtered before transmission
3. How We Use Your Information
- Operate the Service: compute your chart and numbers, render your dashboard, generate AI readings, save your goals and decisions
- Personalise readings: use your birth information and stated goals to shape the content you see
- Authenticate and secure your account: verify sign-in, detect abuse, enforce rate limits
- Manage subscriptions: create and update billing records, send renewal reminders, process refunds
- Communicate with you: send transactional emails (sign-in, password reset, email change verification, receipts) and, with your consent, occasional product updates
- Improve the Service: analyse aggregate usage patterns, debug errors, plan new features
- Comply with the law: meet tax, accounting, consumer-protection, and law-enforcement obligations
4. AI Features and Data Sent to AI Providers
Several features of the Service generate text on demand using third-party large-language-model providers. AI features include the assistant inside the application, AI-generated readings throughout the product, and any AI-powered help chat embedded in the marketing site. AI requests are routed through a unified AI-gateway layer configured for zero data retention with the upstream providers; the providers do not store the request or use it to train their models.
What we send to the AI provider for a typical request: a summary of the active profile (first name, sun / moon / rising sign, archetype, life-path number), a compact view of the relevant natal-chart context, the last few messages of the active conversation, and the question you typed. We do not send your email address, password, billing information, or precise location coordinates to AI providers.
What the AI provider does with that data: the provider generates a response and returns it to us. Under our gateway configuration, the provider does not retain the request or train on it. The provider may apply its own short-term abuse-detection systems. On request to mysteppi@emodeflow.com we will name the upstream providers we currently use.
AI content is generated, not authoritative. AI responses may be inaccurate, incomplete, or invented. You are responsible for verifying anything important before acting on it. The Service is for self-reflection and entertainment and is not medical, legal, financial, psychological, or other professional advice. See our Terms of Service for the full disclaimer.
5. Cookies, Local Storage, and Analytics
5.1 Strictly necessary cookies
These are required for the Service to function and are set automatically:
- A session cookie issued by our authentication provider so we know you are signed in (HttpOnly, Secure, SameSite=Lax)
- An anti-forgery token where applicable
5.2 Functional local-storage entries
Stored only in your browser, never sent to a server unless you sign up:
- Discover-session. Temporarily stores the birth information you typed before creating an account so we can preview a reading and migrate the information into your account on signup. Cleared once migrated or after 7 days of inactivity.
- Anonymous identifier. A random UUID used to count unique visitors to marketing pages without identifying them. The anonymous funnel events tied to it are deleted after 7 days unless you sign up.
- Language and theme preferences.
5.3 Analytics and tag management
We use Google Tag Manager to load a small set of measurement tags. The purpose is to understand aggregate usage of the Service (page views, sign-up funnel conversion, feature adoption) so we can improve it.
Tags that set cookies or read device storage do not fire until you give consent in the cookie banner shown on your first visit. We use Google's Consent Mode v2 to enforce this: before consent, only cookieless, modeled pings are sent so we have a basic visitor count without identifying anyone. After you accept, Google Analytics 4 sets the _ga and _ga_<container> cookies and records page-view events tied to a random identifier (no email, no birth information, no advertising identifiers). You can review or change your choice at any time using the Cookie preferences link at the bottom of every page.
We do not use cross-site behavioural advertising pixels, session-replay recording, or any tool that builds a profile of you across other websites. We do not sell or share personal information with advertising networks.
6. Service Providers and Sub-processors
We use a small set of third-party service providers to operate the Service. Each is bound by a data-processing agreement and processes personal information only on our documented instructions. We disclose them by category. We will name the specific providers we currently use on request to mysteppi@emodeflow.com.
- Cloud hosting and database providers. Run the application, host the database, store files, and deliver static content. Primary regions: European Union and the United States. We select providers that hold recognised security certifications (such as SOC 2 or ISO 27001).
- AI model providers. Generate text for AI features. Requests are routed through a unified AI gateway configured for zero data retention with the upstream providers, as described in section 4.
- Payment processors and merchants of record. Stripe for web subscriptions (EmodeFlow LLC is the merchant of record for web purchases); Apple Inc. for iOS in-app purchases; Google LLC for Android (Google Play) in-app purchases; and a mobile-subscription-receipt validation provider used internally.
- Identity providers (only if you choose to use them at sign-in): Google and Apple.
- Transactional email provider. Delivers sign-in, password reset, email change, and receipt emails.
- Error and crash reporting provider. Collects technical error stacks with sensitive fields filtered before transmission. We do not transmit your messages or your birth information in error reports.
- Tag-management and aggregate analytics provider. Google Tag Manager and the measurement tags loaded through it (see section 5.3).
- Approximate geolocation provider. Determines your country from your IP at sign-up to localise the form. No precise location is collected from this lookup.
- Rate-limiting infrastructure. Stores short-lived counters used to prevent abuse. No personally identifying information is stored in these counters beyond an opaque per-user token.
We may also disclose information when required by law, valid legal process, or to enforce our Terms or protect the rights, property, or safety of EmodeFlow, our users, or the public. If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this Privacy Policy.
We do not sell your personal information.
7. International Data Transfers
EmodeFlow is established in the United States. Our service providers operate in the United States, the European Union, and other regions. When we transfer personal information out of the European Economic Area, the United Kingdom, Switzerland, or Israel, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an equivalent mechanism. Where applicable, we apply supplementary measures, including encryption in transit and at rest.
8. Data Retention
- Active accounts: we retain your information for as long as your account is active and the Service is provided to you.
- Account deletion: when you request deletion (in account settings or by email), we immediately scrub identifying fields (name, email, birth information) and schedule a hard delete after a 30-day grace period during which you can sign back in to cancel.
- Anonymous funnel events: automatically deleted after 7 days.
- AI caches: retained while your account is active, removed when your account is hard-deleted.
- Billing records: retained for as long as required by tax, accounting, and consumer-protection law (typically up to 7 years), even after account deletion.
- Security and audit logs: retained for up to 90 days for security investigations.
9. Your Rights
Depending on where you live, you have some or all of the following rights regarding your personal information:
9.1 Rights available to everyone
- Access. Ask what personal information we hold about you
- Rectification. Ask us to correct inaccurate information
- Deletion. Ask us to delete your account (you can also do this from account settings)
- Portability. Ask for a copy of your information in a machine-readable format
- Restriction or objection. Ask us to limit certain uses of your information
- Withdraw consent. Where processing is based on consent
9.2 EEA, United Kingdom, and Switzerland (GDPR / UK GDPR)
You have the rights listed in section 9.1, and you may lodge a complaint with your local data-protection authority. The legal bases on which we rely are:
- Contract: processing necessary to deliver the Service you have asked for
- Legitimate interests: securing the Service, preventing abuse, improving features (balanced against your rights)
- Consent: for non-essential email and any optional features you turn on
- Legal obligation: tax, accounting, fraud prevention, regulatory requests
9.3 California (CCPA / CPRA)
California residents have the right to know what personal information is collected, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioural advertising.
9.4 Israel (Privacy Protection Law, 1981)
Israeli residents have a right to access information held about them, correct inaccurate information, and request deletion. Complaints may be filed with the Privacy Protection Authority (PPA) at the Ministry of Justice.
9.5 Other jurisdictions
Residents of Brazil (LGPD), Canada (PIPEDA), Australia, and other jurisdictions may have comparable rights under local law. Contact us using the details in section 14 to exercise them.
9.6 How to exercise your rights
Email us at mysteppi@emodeflow.com from the address on your account, or use the in-app account deletion option. We respond within 30 days. We may need to verify your identity before acting on the request.
10. Data Security
We protect your personal information with measures appropriate to the risk, including:
- Encryption in transit (HTTPS / TLS) for all traffic between you and the Service
- Encryption at rest for the databases and file storage that hold your information
- Per-user data isolation enforced at the database layer
- Industry-standard password hashing and modern session protections
- Signed callbacks for payment events and other server-to-server messages
- Rate limiting and abuse detection on sensitive endpoints
- Filtering of sensitive fields before they reach error or crash reports
- Principle-of-least-privilege access controls for our team
- Regular review of providers and dependencies
For security reasons, we do not publish detailed information about specific tools, software versions, or configurations used inside the Service. We will share security details with legitimate auditors or in response to law-enforcement requests where required.
No system is perfectly secure. We will notify affected users and the relevant authorities within the legally required timeframe if a breach occurs that creates a high risk to your rights.
11. Children's Privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, contact us at mysteppi@emodeflow.com and we will delete it.
12. Third-Party Sites and Services
The Service may link to third-party websites or services (for example, the providers in section 6, or external articles). We are not responsible for their content or their privacy practices. We encourage you to read their privacy policies before sharing any information with them.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the Service or by email and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
14. Contact Us
For any privacy question, request, or complaint:
- Email: mysteppi@emodeflow.com
- Postal address: EmodeFlow LLC, 1111B S Governors Ave #93153, Dover, DE 19904, United States