Smoothstep Privacy Policy

Last Updated: March 6, 2026

1. Introduction

Welcome to Smoothstep!

Smoothstep is a family habit management app designed to help parents establish and track daily routines for their family. We understand the importance of protecting privacy and are committed to providing a safe, transparent app environment.

This Privacy Policy explains how we collect, use, and protect your information. Please read it carefully before using this app.

2. Information We Collect

Smoothstep collects only the minimum information necessary for operation, and all data is stored locally on your device.

2.1 Profile Information

• Profile Nickname: Used to identify the profile within the app (parent-defined)
• Avatar Code: Guardian animal avatar selected for the profile (not real photos)

2.2 Habit and Progress Data

• Habit Names: Habit tasks created by the parent
• Completion Records: Daily habit completion status (Done/Later/Skip)
• Skip Reasons: Brief reasons selected when a task is skipped
• Points Records: Points earned from completing tasks and redemption history

2.3 Wish List Data

• Wish Names: Reward items on the wish list
• Required Points: Redemption threshold set by parents
• Redemption Requests: Redemption requests and approval records

2.4 Travel Mode Data (Optional)

• Destination Name: Travel location set by parents (text description only)
• Travel Date Range: Time period for pausing habit tracking

2.5 Device Information (For Backup Compatibility Only)

• OS Version: iOS/Android version number
• Device Model: Used to ensure backup file compatibility
• App Version: Used for data migration and upgrades

3. How We Use Your Data

3.1 Core Functionality

Your data is stored completely locally on your device and used for:

• Habit Tracking: Recording daily habit completion status
• Progress Statistics: Calculating streaks, completion rates, and total points
• Weekly Reports: Analyzing the past 7 days' performance and providing improvement suggestions
• Reward Redemption: Managing points and wish list redemption process

3.2 The Growth Key Mechanism

Design Purpose: To encourage honest thinking and autonomous decision-making, rather than simply "checking off" tasks.

How It Works:

• When a task is tapped, they see three options: ✅ Done / ⏰ Do it later / ⏭️ Skip today
• This design adds a "thoughtful pause" step, encouraging self-awareness and honest reporting
• If they choose to skip, a reason is selected from preset options (e.g., "Too tired", "Forgot"), providing insight into the real situation

3.3 Key Statement

3.4 Backup and Restore (By Your Initiative)

Parents can choose to:

• Export Backup Files: Export all data as a JSON format backup file
  • Recommended: Use Encryption: Set a PIN to encrypt with AES-256-GCM (default recommendation)
  • Plain Text Backup: No encryption, but requires risk confirmation
• Import Restore Data: Restore data from previous backup files (encrypted or unencrypted)

Important Notes:

• ✅ Backup files are saved and managed by you. We cannot access your backup content
• ✅ Encrypted backups provide additional security, but please remember your PIN (cannot be recovered if lost)
• ⚠️ Plain text backups are convenient, but avoid uploading to public cloud or sharing through insecure channels

4. Data Security Measures

We employ multiple layers of security to protect your data:

4.1 Encryption Protection

We employ a multi-layered encryption strategy to protect your data:

Local Database Encryption (Always Enabled)

• AES-256 Encryption: All local database uses industry-standard AES-256 encryption
• SecureStorage: Encryption keys are stored in the system's secure storage, inaccessible to other apps

Backup File Encryption (Your Choice)

• Optional Encryption: When exporting backups, you can choose to encrypt with PIN (AES-256-GCM)
• You Manage Keys: Encryption keys are managed by you; we cannot access them
• Plain Text Option: Unencrypted backups are stored in JSON format for data portability

4.2 Local Storage

• Local Database: All data is stored locally on the device, not transmitted over the network
• Sandbox Isolation: App data is completely isolated from other apps

4.3 Limited Network Transmission

Except for the font loading service and subscription verification service (see Chapter 5), Smoothstep does not perform any network communication. Your personal data, habit records, and family information are never transmitted over the network.

5. Third-Party Services

Smoothstep uses the following third-party services:

5.1 Google Fonts (Font Loading Service)

Purpose: Load Lexend and Noto Sans TC fonts to provide the best reading experience

Data Collection:

• On first use, your device requests font files from Google CDN
• Google may collect: Device IP address, User-Agent (browser information), request time

How to Manage:

• Fonts are cached locally after loading, no subsequent requests needed
• If you wish to avoid this service, you can block fonts.googleapis.com in network settings (but may affect font display)

Applicable Policies:

• Google Privacy Policy
• Google Fonts FAQ

5.2 RevenueCat (Subscription Management Service)

Purpose: Manage and verify in-app subscription (Premium plan) purchase status

Data Transmitted:

• Anonymous user identifier (automatically generated by the system, not personal information)
• Purchase receipts (used to verify subscription status with Apple/Google)
• Subscription status (whether subscription is active, expiration date)

NOT Transmitted:

• ❌ Names, nicknames, or any personally identifiable information
• ❌ Habit records, completion status, or statistics
• ❌ Family member information
• ❌ Any local data stored on the device

Data Protection:

• All RevenueCat communications use HTTPS encryption
• Signature verification prevents data tampering via man-in-the-middle attacks

Applicable Policies:

• RevenueCat Privacy Policy

6. Parental Rights

As a parent or guardian, you have complete data control:

6.1 View Data

Through the app interface, you can view at any time:

• All members' information
• Complete habit records and statistics
• Wish list and redemption history
• Weekly reports and progress analysis

6.2 Modify Data

You can at any time:

• Modify profile name and avatar
• Edit or delete habit tasks
• Adjust wish list items
• Cancel approved rewards

6.3 Export Data

Through the "Backup" feature, you can export all data as a JSON format backup file, achieving data portability.

Backup Options:

• Encrypted Backup (Recommended): Encrypted with PIN, providing additional privacy security
• Plain Text Backup: Standard JSON format, suitable for data migration and analysis, but please keep it secure

You can choose the backup method based on your security requirements.

6.4 Delete Data

You can delete data by:

• Partial Deletion: Delete specific profiles, habits, or wishes within the app
• Complete Deletion: Uninstall the app, and the system will automatically clear all local data

Note: Deleted data cannot be recovered unless you previously exported a backup file.

7. Data Retention

7.1 Local Storage Duration

Data is stored permanently on your device until you actively delete it or uninstall the app.

7.2 After Uninstallation

When you uninstall Smoothstep, all local data will be automatically cleared by the system.

7.3 Backup Files

You manage the retention period of backup files you export. We cannot access or delete them.

8. COPPA Compliance Statement

Smoothstep strictly complies with the U.S. Children's Online Privacy Protection Act (COPPA):

8.1 Parental Consent

• The app is designed to be downloaded, set up, and managed by parents or guardians
• All data collection is actively entered by parents; we do not collect personal information without the user's knowledge
• Important Statement: This app is a parental assistance tool and does not involve direct online communication or social interaction

8.2 Data Minimization

• We collect only necessary basic information (profile nickname, avatar code)
• We do not collect real names or other sensitive information that can directly identify individuals (such as addresses, phone numbers, photos)

8.3 No Third-Party Sharing

• We do not disclose, sell, or share personal information with any third parties
• Exceptions are Google Fonts font loading and RevenueCat subscription verification (see Chapter 5), neither of which can directly identify users

8.4 Parental Control

• Parents have full rights to view, modify, export, and delete data
• If you have any questions or requests, please contact us through the contact information in Chapter 10 of this policy

9. GDPR Compliance Statement (For EU Users)

For users located in the European Economic Area (EEA), Smoothstep complies with the General Data Protection Regulation (GDPR):

9.1 Legal Basis for Data Processing

• Lawful Basis: Explicit consent of parents or guardians
• Purpose Limitation: Data is used only to provide habit tracking services, not for other purposes

9.2 Data Subject Rights

Under GDPR, you have the following rights:

• Right of Access: View all data through the app at any time
• Right to Rectification: Modify incorrect or outdated data at any time
• Right to Erasure (Right to be Forgotten): Delete specific data or uninstall the app
• Right to Data Portability: Export data in standard JSON format through the backup feature
• Right to Restriction of Processing: Stop using specific features (such as travel mode)
• Right to Object: You can stop using the app at any time

9.3 Data Protection Principles

• Data Minimization: Collect only necessary information
• Storage Limitation: Data is stored only locally, not uploaded to servers
• Integrity and Confidentiality: Protected with AES-256 encryption
• Transparency: This privacy policy clearly explains all data processing behaviors

9.4 Cross-Border Data Transfers

Data Processing Location:

• ✅ All personal data and habit records: Stored completely locally on your device (in your country), no cross-border transfers involved
• ✅ Backup files: You choose the storage location (local or cloud service of your choice), we cannot access them

Limited Network Communications:

Only the following services involve network requests (not including personal data):

1. Google Fonts: Font file requests (CDN may be in EU/US)
   • Transmitted data: Device IP, User-Agent (no personally identifiable information)
   • Subject to Google's EU data protection commitments
2. RevenueCat: Subscription verification service (servers in the US)
   • Transmitted data: Anonymous identifier + purchase receipts (no personally identifiable information)
   • Protected by Standard Contractual Clauses

Important Statement: Your habit records, family member information, progress statistics and other personal data are never transmitted over the network or processed across borders.

9.5 Data Protection Officer (DPO)

To comply with GDPR Article 37 requirements, we designate the following contact for data protection matters:

Data Protection Contact (DPO): privacy@caiyu.app

• Scope: GDPR rights exercise, data protection complaints, cross-border transfer questions
• Response time: Within 30 days

Rights You Can Exercise with the DPO:

• Access your data (Right of Access - Article 15)
• Rectify incorrect data (Right to Rectification - Article 16)
• Erase your data (Right to Erasure - Article 17)
• Restrict processing (Article 18)
• Data portability (Article 20)
• Object to processing (Article 21)

9.6 Supervisory Authority

If you believe we have not properly protected your data, you have the right to file a complaint with the data protection supervisory authority in your country.

10. Contact Us

If you have any questions, comments, or requests regarding this privacy policy or data protection, please contact us through:

10.1 General Privacy Questions

Privacy Questions Email: support@caiyu.app

• Scope: General privacy policy questions, feature usage inquiries
• Response time: Within 30 days

10.2 GDPR Data Protection Officer (For EU Users)

Data Protection Contact (DPO): privacy@caiyu.app

• Scope: GDPR rights exercise, data protection complaints, cross-border transfer questions
• Response time: Within 30 days

Questions You Can Ask the DPO:

• Exercise GDPR-related rights (access, rectification, erasure, portability, restriction of processing, objection)
• Cross-border data transfer questions
• Coordination before filing a complaint with supervisory authority
• Data Protection Impact Assessment (DPIA) questions

10.3 COPPA Parental Rights

Parental Rights Email: support@caiyu.app

• Scope: COPPA-related rights exercise, withdrawal of parental consent

Questions You Can Ask:

• What data has been collected?
• How do I delete all profile data?
• How do I export data backups?
• How to exercise COPPA-related rights
• Withdraw parental consent

11. Privacy Policy Changes

We may update this privacy policy periodically to reflect app feature changes or regulatory requirements.

Change Notification Method:

• Major changes will be notified through in-app notifications
• The latest version of the privacy policy will always display the "Last Updated" date at the top of this page

Recommendation: Please check this privacy policy regularly to stay informed of the latest data protection measures.

12. Data Safety Commitment

Protecting your family's digital privacy and safety is our top priority.

Thank you for choosing Smoothstep to build great habits together!