PRIVACY POLICY

Last Updated: November 4, 2025

This Privacy Policy (“Policy”) is entered into by and between STEPSANDSTARS YAZILIM LİMİTED ŞİRKETİ (abbreviated as Steps&Stars Software LTD.) and the real person (“User”) who uses the mobile application named “Steps & Stars” (“Application”) as the parent/legal guardian or caregiver of a child (or children) aged 0-6.

This Policy has been prepared in compliance with the GDPR (General Data Protection Regulation), COPPA (Children’s Online Privacy Protection Act), KVKK (Turkish Personal Data Protection Law No. 6698), CCPA (California Consumer Privacy Act), and other applicable data protection legislation. By digitally approving this Policy (by clicking the “Approve” button/checkbox within the Application), you unconditionally accept all the provisions herein and, except for the non-waivable rights arising from mandatory legislation, waive any further claim or right of objection.

1. SCOPE AND APPLICABILITY

1.1. Purpose of the Application

The Application is designed to guide parents, legal guardians, or adult caregivers responsible for children aged 0-6 during the child’s development.

1.2. Intended User Profile

The Application may only be used by parents, legal guardians, or adult caregivers of children.

By registering, the User explicitly declares and undertakes that they are not a child, that they are legally of adult age, and that they have the legal permission to process data concerning the child they have registered.

1.3. Geographical Applicability

This Policy is based in İzmir, Turkey, yet it applies globally to the use of the Application in 16 different languages (English, Spanish, French, Portuguese, German, Turkish, Italian, Danish, Slovak, Croatian, Polish, Dutch, Swedish, Norwegian, Finnish, Slovenian).

1.4. Mandatory Legal Provisions

Provisions that conflict with the GDPR, COPPA, KVKK, CCPA, or other mandatory data protection and consumer protection regulations in any country are invalid only to the extent of such conflict; however, the remaining parts of this Policy remain valid.

2. TYPES OF DATA COLLECTED

While using the Application, we may collect and process the following personal data:

  • Email Address
  • Username or Nickname
  • Child’s Name or Nickname
  • Child’s Date of Birth (or age-determining date)
  • User Password (stored using two-step encryption methods)
  • Photographs (may be shared in the “My Child’s Firsts” section; protected by token-based encryption)
  • Notes (text information that can be stored in the “Notes About My Child” section)
  • Height and Weight (measurement data added in the “My Child’s Growth” section)
  • Device Information (if notification permission is granted): DeviceBrand, DeviceModel, SoftwareName, SoftwareVersion, LastLoginTime, DeviceLanguage
  • AI Chat Content and Metadata: Messages you exchange with the in-app assistant (prompts and replies), timestamps, language, per-session message count (up to 5 messages/session), and automated safety/moderation flags.
  • Virtual Currency & Transactions: Balances and transaction logs for Child Points and Parent Points, including earned/spent history, unlocked items, and timestamps.
  • Stories Usage Events: Read/watch events for the Stories feature (content ID, timestamp, duration) — collected in anonymized or pseudonymized form.
  • Technical Delivery Logs (CDN): When serving story images/videos, IP address, user-agent, and basic request headers may be processed for security and performance.
  • If the User consents to receive application notifications, the device information listed above is collected and stored. If the User revokes the notification permission, new device information will no longer be collected. Previously collected data may be deleted or anonymized upon request, except where required for legal or security reasons.
  • The User is responsible for ensuring the accuracy and timeliness of the data provided. Any legal or criminal liability arising from incorrect or misleading data lies with the User.

3. PURPOSES OF PROCESSING

The collected data is processed for the following purposes:

  • Service Provision: To perform key functionalities such as tracking the child’s developmental milestones, offering activity suggestions, and managing user accounts.
  • Personalization: To tailor content based on the User’s or child’s age, height, weight, or other information.
  • Account Management and Security: To manage user registration, identity verification, password recovery, and additional security measures.
  • Photo and Note Management: To securely store photos and notes uploaded by the User, accessible only to that User.
  • Communication and Support: To provide updates or announcements about the Application and to respond to technical support requests.
  • Analysis and Development: To improve the Application’s performance and user experience via anonymized or aggregated data analysis.
  • Compliance with Legal Obligations: To provide information and documents in official or legal processes when necessary (GDPR, COPPA, KVKK, CCPA, etc.).
  • Use of Device Information: If the User grants notification permission, device information such as brand, model, OS version, etc. may be processed for delivering app notifications, tracking last login times, checking app version compatibility, resolving technical issues, or improving user experience.

3.1. Legal Bases for the AI Assistant

  • Contract (GDPR Art. 6(1)(b)): Operating the AI assistant as a feature you requested.
  • Consent (GDPR Art. 6(1)(a)): If you share child/health-related sensitive data, we rely on your explicit consent.
  • Legitimate Interests (GDPR Art. 6(1)(f)): Abuse prevention, security, and service improvement via aggregated metrics.
  • Special Categories (GDPR Art. 9): Processing of health-related information, if shared, relies on your explicit consent; please prefer de-identified data whenever possible.
  • Model Training: We do not use your data for advertising or cross-app profiling. Our processors are instructed not to use your data to train their own models. If this ever changes, we will first obtain your explicit consent.

4. DATA RETENTION PERIOD AND SECURITY

4.1. Retention Periods

  • Personal data processed in the Application may be stored as long as the User’s account remains active.
  • If the User wishes to close their account and delete personal data, they may follow Profile > Settings > “Delete My Account.” Within a maximum of 15 days from receipt of this request, the relevant data will be deleted or anonymized to the extent permitted by technical and legal constraints.
  • Certain data may need to be retained for specific periods under legal regulations (GDPR, COPPA, KVKK, CCPA, etc.), e.g., for legal disputes or accounting records.
  • AI Chat Logs: Stored encrypted and retained for up to 12 months or until you delete your account (whichever occurs first); deleted/anonymized unless preservation is required by law.
  • Virtual Currency Records: Retained for up to 24 months for fraud prevention, audits, and accounting.
  • Stories Usage Events: Kept only in aggregated or pseudonymized form to measure product quality.

4.2. Security Measures

  • Passwords are stored using two-step encryption (e.g., salted-hash), making it impossible for even authorized personnel to access them in plain text.
  • Photographs and other sensitive data are protected by token-based encryption and are accessible only to the respective User.
  • Data transmission is carried out via secure protocols such as HTTPS wherever possible.
  • The User is responsible for safeguarding their account credentials and must not disclose them to unauthorized individuals.
  • AI chat content is protected by field-level or database-level encryption, with role-based access controls and access logging.

4.3. Data Breach Notifications

  • In the event of a data breach or unauthorized access, Steps&Stars Software LTD. will notify the relevant authorities and affected users within 72 hours of detecting the incident, in accordance with GDPR, COPPA, KVKK, and CCPA. Necessary technical and administrative measures will be taken as soon as possible.

5. INTERNATIONAL DATA TRANSFER

  • Although the Application is based in İzmir, Turkey, it has global accessibility and may use servers or service providers in different countries for data processing or storage.
  • For GDPR, data transfers outside the EU apply the European Commission’s Standard Contractual Clauses (SCC) or other recognized legal mechanisms.
  • For KVKK, when transferring data abroad, conditions set forth by the relevant legislation (e.g., transfer to countries with adequate protection or obtaining explicit consent) are taken into consideration.
  • For CCPA, users residing in California have an explicit opt-out right regarding any data processing that might be considered a “sale” of personal data.
  • For COPPA, data about children under 13 may only be transferred internationally with the explicit consent of the parent/legal guardian and through appropriate safeguards.
  • AI chat content may be processed by AI processing partner(s) acting strictly as data processors. For transfers outside the EEA, we rely on SCCs and KVKK-compliant mechanisms, including explicit consent where required.

6. USER RIGHTS AND OBLIGATIONS

6.1. Rights Arising from Mandatory Regulations

  • Under the GDPR: Rights to access, rectify, erase, restrict processing, data portability, and object.
  • Under COPPA: The parent/legal guardian has the right to give explicit consent for the child’s data to be processed and may withdraw this consent at any time.
  • Under KVKK (Turkish Law): Users have the right (as per Article 11) to learn whether their personal data is being processed, to request corrections of incomplete or incorrect data, to request deletion or destruction of such data, etc.
  • Under CCPA: California residents have the right to request information about the personal data collected, to request deletion, to opt out of the “sale” of personal data, and to not be discriminated against for exercising these rights.

6.2. Waiver Within the Scope of This Policy

Except for non-waivable rights arising from mandatory legislation, the User declares that they waive any additional claims or rights to compensation not explicitly stated in this Policy.

6.3. User Responsibilities

  • The User undertakes that any content (photos, notes, etc.) they upload to the Application is lawful and does not infringe the rights of third parties.
  • In the case of children’s data, the User declares that they are the parent/legal guardian and have obtained the necessary consents.

6.4. AI Assistant — Rights and Automated Decisions

  • You may request deletion of individual chats or all chats.
  • You may object to or request restriction of processing used for aggregated analytics.
  • You may withdraw consent for processing of special-category data at any time (e.g., by not using the assistant or by contacting support).
  • The assistant may automatically refuse prompts that fall outside parenting/child topics. You can contest such refusals and request a review.

7. CHILDREN’S PRIVACY (COPPA COMPLIANCE) AND PARENTAL CONSENT FORM

7.1. General Principle

The Application is intended for parents or adults to track the development of children aged 0-6. It is not envisaged for direct use by children.

Steps&Stars Software LTD. strives to ensure that no content is provided that could adversely affect children’s mental, emotional, or physical development.

7.2. Parental Consent Form (COPPA and International Regulations)

(Consent and Information Form with International Validity for Children Aged 0-6)

  1. Purpose and Scope of This Form: • The mobile application “Steps & Stars” (“Application”) is designed to help you track the development of children aged 0-6 and benefit from supportive activities. • This form seeks parental or legal guardian consent for processing personal data of children under 13 (ages 0-6). • The form has been prepared in compliance with GDPR, COPPA, KVKK, CCPA, and other international data protection regulations.
  2. Data Collected and Its Processing: • Email Address, Username/Nickname, Child’s Name/Nickname, Child’s Date of Birth, User Password, Photographs, Notes, Height-Weight Data, Milestones, Activities, Blog Posts, etc. • Your data is processed to assist you in tracking your child’s development, to offer personalized content, and to maintain/improve the functioning of the application.
  3. How We Protect Your Information: • Personal data like your email address, password, and photos is protected by multi-layered security protocols and token-based encryption. • Your data is retained as long as your account remains active; it is deleted or anonymized upon your account deletion or upon expiration of any mandatory retention period.
  4. How to Access and Correct Your Data: • You can access, edit, transfer, or delete your child’s data at any time within the application. • For additional requests, please contact us at contact@stepsandstars.com.
  5. Consent Withdrawal Process: • Due to the fundamental structure of our application, at least one child profile must be added in order to use the app. Therefore, if you wish to withdraw your consent for the processing of your child’s personal data, you will need to delete your account. • You can delete your account by following the steps Profile > Settings > 'Delete My Account' within the app, or by contacting us at contact@stepsandstars.com for assistance. • Once your request is received, your data will be permanently deleted or anonymized within 15 days, unless retention is required by legal obligations.
  6. Child Safety Responsibility: ⚠️ For all activities provided in the Steps & Stars application, your child’s safety is entirely your responsibility. Never leave your child unsupervised. The company is not responsible for any accidents, injuries, or damages.

7.3. Disclaimer of Liability (Medical and Legal)

General Information: All content (including text, graphics, videos, audio, suggestions, and activities) provided in the Application is for informational purposes only. It does not constitute medical, psychological, or pedagogical advice and should not be construed as such.

Need for Professional Consultation: Before applying any content, suggestions, or activities from the Application, it is strongly recommended that you consult a qualified physician, psychologist, or other relevant professional regarding your child’s health, psychological and physical condition, or development. The Company does not accept any liability for these matters.

Parent’s and User’s Responsibility: The use of any activity, suggestion, or information in the Steps & Stars mobile application is entirely at the User’s own risk. All risks (physical, psychological, financial, or otherwise) arising from using the application’s content lie with the User.

Liability for User-Uploaded Content: Any content uploaded by Users (photos, videos, text, notes, etc.) is entirely the responsibility of the User who uploads it. Steps&Stars Software LTD. is not obligated to verify the legality or compliance of such content with third-party rights or societal norms. Any legal or criminal liability arising from such content rests with the User who posted it.

Limitation of Liability: Steps&Stars Software LTD. and its staff are not liable for any direct or indirect damages (physical injuries, health problems, psychological issues, financial losses, etc.) arising from the application or non-application of information and suggestions in the Application. By continuing to use the Application, the User explicitly acknowledges these responsibilities and releases Steps&Stars Software LTD. from any potential damages.

7.4. Use of the AI Assistant

  • The assistant is intended for adults only; do not allow unsupervised child use.
  • Avoid sharing unnecessary identifying data about your child (e.g., surname, national ID). Prefer nicknames and de-identified descriptions.
  • When using the assistant with child data, you confirm you are the parent/legal guardian and have obtained the necessary consent.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1. Cookie Usage and Consent

The Application may use cookies or similar tracking technologies (e.g., pixel tags) to improve user experience, manage sessions, and measure performance.

When first using the Application, the User is explicitly informed about the use of cookies and similar technologies, and explicit consent is obtained. The User may change cookie settings or withdraw consent at any time.

Within the Application Settings or through the device’s settings, the User can manage, restrict, or disable cookies. Some features may operate with limited functionality if cookies are disabled.

8.2. SDKs and CDN Logs

The AI assistant and Stories delivery may rely on specific mobile SDKs and/or CDN logs to ensure reliability and security.

These data are not used for cross-context behavioral advertising without your consent.

9. THIRD-PARTY SERVICE PROVIDERS AND LINKS

9.1. Third-Party Links

The Application may contain links to third-party websites or services. Steps&Stars Software LTD. is not responsible for the privacy practices or policies of these platforms.

9.2. Third-Party Service Providers

Within the scope of the Application, user data may be processed by the following service providers:

  • Amazon Web Services (AWS): For hosting, server services, and database management
  • Google AdMob: For advertisement delivery and performance analytics
  • These entities process data on behalf of Steps&Stars Software LTD. under confidentiality and data protection agreements binding upon both parties.

9.3. Ad Tracking and Personalization

  • The Application may display advertisements via Google AdMob. Users can manage their ad personalization preferences in the Application settings or in the relevant ad settings on their device.
  • The performance of displayed ads is measured via anonymized statistics. The User’s personal data is not processed for ad personalization without explicit consent.

9.4. AI Processing Partners and CDNs

Within the scope of the Application, the following additional providers may process data:

  • AI Processing Partner(s): Large-language-model inference and safety filtering (as processors only).
  • Content Delivery Network(s) (CDN): Secure/performance-optimized global delivery of story images and videos (may process IP and user-agent).
  • These providers act as data processors for Steps&Stars Software LTD. under data-protection agreements. Using your data to train their own models is not permitted.

10. IN-APP PURCHASES AND REFUNDS

10.1. Purchase Conditions

The Application may allow the purchase of in-app points (credits, etc.) or additional features for a certain fee. These items are used to access extra content or services within the Application.

While the Application is offered free of charge, in-app purchases are non-refundable. By making a purchase, the User explicitly agrees to these terms.

10.2. Protection for Children

In-app purchases should only be made by adult users, who must take the necessary security measures to prevent unauthorized purchases. The User is responsible for any damages arising from unauthorized purchases.

10.3. Virtual Currency (Child Points / Parent Points) and Refunds

AI chats operate with Child Points and Stories unlocks with Parent Points; balances and transaction logs are processed to provide the service and prevent abuse.

If a prompt is outside parenting/child topics, the assistant may refuse the request and Child Points are not refunded.

Existing non-refund terms also apply to point-based features.

11. LIMITATIONS OF LIABILITY

11.1. No Guarantee of Continuity

Steps&Stars Software LTD. does not guarantee that the Application will operate continuously or without error. Service interruptions may occur temporarily due to technical issues, maintenance, or force majeure.

11.2. Data Loss

If data loss occurs due to technical problems on the User’s device or our servers, Steps&Stars Software LTD. shall not be held liable unless required by regulations such as GDPR, COPPA, KVKK, or CCPA.

11.3. Limit of Compensation Liability

Except where mandatory provisions of GDPR, COPPA, KVKK, or CCPA dictate otherwise, Steps&Stars Software LTD.’s liability is limited to the total amount the User has paid for any in-app purchases, if applicable.

In-app purchases are non-refundable.

12. TERMINATION OF THE POLICY AND ACCOUNT DELETION

  • The User may close their account at any time by following Profile > Settings > “Delete My Account.” Within a maximum of 15 days from receipt of such request, the User’s data will be deleted or anonymized (unless subject to mandatory retention requirements).
  • Steps&Stars Software LTD. may suspend or terminate the User’s account if it detects violations of this Policy or applicable legislation (GDPR, COPPA, KVKK, CCPA, etc.).
  • Account deletion results in the irreversible removal of all photos, notes, and other personal content uploaded to the Application.
  • Upon account deletion, AI chat logs and point/transaction records are deleted or anonymized within 15 days (subject to statutory retention).

13. GOVERNING LAW AND JURISDICTION

  • This Policy and any related disputes shall be governed by the laws of the Republic of Turkey.
  • Where mandatory international regulations (GDPR, COPPA, KVKK, CCPA) apply, the non-waivable rights they grant to Users are reserved.
  • Any disputes shall be resolved by the courts and enforcement offices in İzmir, Turkey.

14. CONTACT INFORMATION

Company: STEPSANDSTARS YAZILIM LİMİTED ŞİRKETİ (Steps&Stars Software LTD.)

Address: Yeşil Mahalle, 56/1 Sokak, Gülpembe, No:18/8, Gaziemir/İZMİR, Turkey

Email: contact@stepsandstars.com

14.1. Data Protection Officer (DPO)

For any questions or requests regarding privacy, personal data processing, or our data protection practices, please email our Data Protection Officer (DPO).

Please include the phrase “Data Protection Officer” in the subject or body of your email so that your request is directed to the DPO promptly.

DPO Contact: contact@stepsandstars.com

15. ACCEPTANCE AND DECLARATION

By digitally approving this Policy (by clicking the “Approve” button/checkbox within the Application), the User:

  • States that they have read, understood, and accepted the entire Policy without reservation,
  • Declares that they have the necessary rights, authority, and consent to process data on behalf of themselves and/or their child within the scope of using the Application,
  • Declares that they are the parent or legal guardian and have obtained the necessary consent regarding the child’s data,
  • Acknowledges that they can withdraw their consent at any time,
  • Consents to the personal data processing activities (including international data transfer) described in this Policy,
  • Except for non-waivable rights under GDPR, COPPA, KVKK, and CCPA, waives all other additional claims or rights to compensation,
  • Acknowledges that the Company reserves the right to suspend or terminate the account in the event of any violation of this Policy or relevant legislation.
  • Acknowledges that the AI assistant is limited to parenting/child topics and that out-of-scope prompts may be automatically refused.
  • Accepts the non-refund policy for Child Points in cases of out-of-scope refusals.
  • This Policy may be updated regularly. It is the User’s responsibility to follow any changes.
  • This Policy is effective as of March 22, 2025. Continued use of the Application signifies your acceptance of the most current version of the Policy.

STEPSANDSTARS YAZILIM LİMİTED ŞİRKETİ (Steps&Stars Software LTD.)

Steps & Stars Mobile Application