
Privacy Policy

Last updated: April 26, 2026

StepCheckAI ("StepCheckAI", "we", "us") makes a homework helper app for students. This policy explains what we collect, why, how long we keep it, and the rights you have over your data. We try to keep it short and in plain English. Where we use a legal term, we mean the standard one used under the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the U.S. Children's Online Privacy Protection Act (COPPA).

Quick summary

  • We collect only what we need to make the app work: your account, your homework history, and per-day usage counts.
  • We do not run third-party advertising SDKs. We do not sell your data. We do not train AI models on your work.
  • You can delete any history item or your entire account from inside the app at any time.
  • Contact: privacy@stepcheck.app

1. Who is the controller

StepCheckAI is the data controller for personal information processed through the app and this site. For any privacy questions, requests, or to exercise your rights under GDPR / CCPA / COPPA, contact us at privacy@stepcheck.app.

2. What we collect

Account data

We use Supabase to handle accounts. When you sign up, we collect your email address and a hashed password. We never see or store your password in plaintext.

Homework history

While you are signed in, we store the questions you submit so you can come back to them. Each entry includes:

  • The photo you took (if you used the camera). Stored in Supabase Storage.
  • The text we extracted from your photo, or the text you pasted.
  • The solution or feedback the app produced.
  • A timestamp, and which mode (Solve, Check, Hint, Multi-question) you used.

You can delete any single history entry from inside the app. Deleting your account wipes all of these via a server RPC. No soft delete. No archived copy.

Usage counters

We keep a per-day count of how many solves and checks you've used. This is the only way we enforce the free-plan limits and unlock the paid tiers. The counter is tied to your account.

Anonymous (signed-out) use

If you use the app without signing in, your history is kept on your device only. Nothing about your homework is sent to or stored on our servers. You can clear it any time by deleting the app.

Subscription data

When you subscribe, payment is processed by the Apple App Store or Google Play. We do not see your card number. RevenueCat (our subscription manager) tells us whether your subscription is active and what tier it is, so we can unlock the right features.

Diagnostic data

Today the app does not include a third-party crash reporter or product analytics SDK. If we add one in the future (such as Sentry for crash reports or PostHog for product analytics), we will update this policy and list it as a subprocessor below before turning it on.

3. What we do not collect

  • No third-party ad SDKs. No Facebook Pixel, no Google Ads pixel.
  • No location, no contacts, no microphone, no clipboard monitoring.
  • No background tracking of any kind.

4. Why we use this data (legal bases under GDPR)

  • To provide the service (contract): account, history, usage counters, subscription unlocks.
  • To keep the service safe (legitimate interest): rate-limit abuse, investigate bug reports.
  • To comply with the law (legal obligation): respond to lawful requests.

We do not rely on consent for any of the above, because none of them require optional tracking.

5. AI processing of your homework

To solve or check a problem, we send your question (text and, if applicable, photo) to Google's Gemini API. Each request is one-shot: Gemini returns an answer, our server passes it back to your phone, and our server discards the request.

We do not train AI models on your content. Google's own retention and processing for Gemini API requests are governed by their API terms. See Google's privacy policy at policies.google.com/privacy.

6. Subprocessors

We share the minimum data needed with these processors so the app works:

  • Supabase (US/EU regions): authentication, database, file storage for your photos and history.
  • Google Gemini API: AI processing of homework questions. Request-only, not used for training.
  • RevenueCat: subscription state.
  • Apple App Store and Google Play: payment processing for subscriptions.

We will update this list before adding any new subprocessor.

7. Where your data is stored

By default, account and history data are stored in Supabase regions in the United States. We may add EU storage regions in the future. International transfers (for example to Google's Gemini API) rely on Standard Contractual Clauses or equivalent safeguards.

8. How long we keep it

  • Account data: until you delete your account.
  • History (photos, parsed text, solutions): kept indefinitely until you delete the entry or your account.
  • Usage counters: rolling. The per-day count resets daily.
  • Subscription receipts: retained as required by Apple/Google and by tax law.

9. Your rights

Wherever you live, you can ask us to:

  • See what we have about you.
  • Correct anything wrong.
  • Delete your data.
  • Export your data in a machine-readable format.
  • Object to or restrict certain processing.

Most of these you can do yourself from inside the app (Settings → Privacy / Delete account). For anything else, email privacy@stepcheck.app and we'll respond within 30 days.

If you live in the EEA / UK (GDPR)

You have the right to lodge a complaint with your local data protection authority. We hope you'll come to us first.

If you live in California (CCPA / CPRA)

You have the right to know, delete, correct, and opt out of "sale" or "sharing" of your personal information. We do not sell or share your personal information as those terms are defined under California law.

10. Children's privacy (COPPA)

StepCheckAI is intended for grades 3 through 12 and early college, which means we expect some of our users are children under 13.

  • In jurisdictions where COPPA-style verifiable parental consent applies (including the U.S.), a parent or guardian must create the account on a child's behalf.
  • We do not knowingly collect more data than we need to run the app for that child.
  • We do not show third-party ads to children.
  • We do not sell or share children's personal information.

Parents can review, delete, or refuse further collection of their child's information by emailing privacy@stepcheck.app. Account deletion in-app removes everything via server RPC.

11. Security

Passwords are hashed by Supabase. Data in transit is encrypted with TLS. Data at rest in Supabase is encrypted with AES-256. Access to production systems is limited to the team members who need it.

No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you and the relevant regulators within the timelines required by law.

12. Changes to this policy

When we change this policy, we'll update the "Last updated" date at the top. For material changes, we'll also notify you in the app or by email before the change takes effect.

13. Contact us

Privacy questions or requests: privacy@stepcheck.app
General support: support@stepcheck.app