Legal
Privacy Policy
Last updated June 3, 2026
Steady (“Steady,” “we,” “us”) is built privacy-first. This policy explains what data the Steady app and this website handle, and the choices you have. The short version: your health data lives on your device, and we never sell it.
1. Data stored on your device
By default, everything you track in Steady — habits, food, workouts, sleep, fasting, vitals, and your Life Score — is stored locally on your device using an encrypted on-device database. We do not require an account for you to use the app, and this data is not transmitted to our servers unless you explicitly enable an optional feature described below.
2. Account & profile data
If you create an account, Steady collects the information you provide during sign-up and onboarding, which may include:
- Identity: first name, last name, email address, and phone number (optional).
- Physical metrics: height, weight, age, and gender — used to calculate BMI, BMR, TDEE, and personalised nutrition targets.
- Goals & lifestyle: your primary health goal (e.g. lose weight, maintain, gain muscle), target weight, activity level, unit preference, and any habits you want to build or break.
This profile is stored on our backend (Convex) and is associated with your account. You can update or delete it at any time.
3. Sign-in methods
Steady supports three sign-in methods:
- Google Sign-In: we receive your name and email from Google after you grant consent. We do not see your Google password.
- Apple Sign-In: we receive a stable Apple-issued identifier and, at your choice, a name and relay email address. Apple may mask your real email.
- Email + one-time code (OTP): we store a short-lived OTP alongside your email address for verification. The OTP is deleted after use.
Session tokens are stored securely in your device’s platform keychain (iOS Keychain / Android Encrypted SharedPreferences) and are never written to plain storage.
4. Health & fitness data
With your permission, Steady reads data from Apple Health (iOS) and Google Health Connect (Android) to populate your metrics dashboard. The specific types we may read include:
- Steps and active energy (kilocalories)
- Heart rate (beats per minute)
- Sleep duration and, on iOS, sleep stages
- Body weight and water intake
This data is processed on-device and is not uploaded to us. You can revoke these permissions at any time from your device’s system settings. If you enable Cloud Sync (see section 7), your local database — which may include imported health snapshots — is encrypted and backed up to our servers.
5. On-device AI
Steady ships with an on-device Gemma model that runs entirely on your phone. When you use on-device AI or voice mode, your prompts and health data never leave your device.
6. Optional cloud AI (bring-your-own-key)
You may optionally connect a cloud AI provider — such as OpenAI, Anthropic, Google Gemini, or any model available via OpenRouter — using your own API key. If you do, Steady assembles a context package from your local data and sends it to your chosen provider. This package may include:
- Profile metrics (age, gender, height, weight, BMI, activity level, goals)
- Today’s nutrition summary (calories and macros)
- Recent workouts, exercise records, and recovery status
- Habit streaks and progress trends
- Health snapshot (steps, sleep, heart rate, active energy)
- Meal photos you choose to analyse (sent as encoded images)
This data is transmitted directly to your chosen provider under their terms and privacy policy. Your API key is stored in your device’s secure keychain — Steady never sees it on our servers. You can remove the key at any time in settings.
7. Optional cloud sync
If you subscribe to All-Access or the Cloud Sync add-on, Steady can keep an encrypted backup of your local database so you can restore or sync across devices. Cloud sync is off by default and only runs when you turn it on. Backups are scoped by data domain (food, habits, workouts, etc.) and stored on our backend (Convex).
AI coaching memory and AI-generated insights are treated as a separate domain with a second explicit opt-in beyond the main sync toggle. We do not sell or share backed-up data.
8. Device identifier
When you enable cloud sync, Steady generates a random UUID for your device. This identifier is used to route backups to the correct device during a restore and to prevent stale data from overwriting newer backups. It is not linked to your advertising ID and is not used for tracking. You can reset it by signing out and back in.
9. Feedback you send us
When you submit feedback through the app or this website, we store the message, category, and any optional star rating, name, or email you choose to include. Feedback can be fully anonymous — name and email are never required. We use this data only to improve Steady and, if you left an email, to reply.
10. Payments & subscriptions
Web purchases are processed by Paddle, who act as Merchant of Record. Paddle handles your payment details, billing, taxes, and receipts. Steady never receives or stores your full card details. See Paddle’s privacy policy for how they process payment data.
In-app purchases on iOS and Android are managed by RevenueCatvia Apple StoreKit and Google Play Billing respectively. RevenueCat sends Steady a subscription status (free, trial, active, expired) and an anonymised customer ID. We do not receive card or payment method details. See RevenueCat’s privacy policy for details.
11. Advertising (free tier)
If you use Steady on the free tier, banner ads are shown via Google AdMob. AdMob may use your device’s advertising identifier and other signals to serve contextual or personalised ads according to Google’s privacy policy. Upgrading to a paid plan removes all ads and all AdMob data collection.
12. Analytics
We aim to keep tracking to a minimum. Any diagnostics we collect are aggregated and used solely to keep the app stable and improve performance. We do not build advertising profiles from your health data, and we do not use third-party behavioural analytics SDKs (such as Firebase Analytics, Amplitude, or Mixpanel).
13. Cookies & website tracking
This website uses cookies only where necessary: Paddle checkout session tokens, CSRF security cookies, and functional cookies that remember dismissed notices. We do not use advertising cookies, retargeting pixels, or cross-site tracking. See our Cookie Policy for full details.
14. Data sharing
We do not sell your personal data. We share data only with the service providers strictly necessary to run features you use:
- Convex — backend database and cloud sync infrastructure.
- Paddle — web payment processing (Merchant of Record).
- RevenueCat — in-app subscription management on iOS and Android.
- Google AdMob — ad serving on the free tier.
- Your chosen cloud AI provider — only if you voluntarily connect one using your own API key.
Each provider receives only the data required to provide that specific feature.
15. Your rights
Because most data is stored locally, you can delete it at any time by clearing it in the app or removing the app. If you have enabled cloud sync or sent us feedback and would like that data deleted, email us at support@nomtrwhat.space. We honour deletion requests within 30 days. You may also request a copy of the data we hold about you.
16. Children
Steady is not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect data from children.
17. Changes
We may update this policy as the app evolves. Material changes will be reflected by the “Last updated” date above.
18. Contact
Questions about privacy? Reach us at:
- Support: support@nomtrwhat.space
- Developer: shaktikarmakar23@gmail.com
- Terms of Use (EULA): https://steady.nomtrwhat.space/terms-of-service