PRIVACY POLICY for StepOut

Last updated September 26, 2025

​​

This Privacy Notice for UNIque CnS Ltd (doing business as StepOut or StepOut Social) (“we,” “us,” or “our”) explains how and why we collect, store, use, and share (“process”) your personal information when you interact with our services (“Services”).

Our Services include:

• Visiting our websites, such as https://uniquecns.com, https://theuniquecnsapp.wixsite.com/unique-cns, www.stepout.social, or any other website of ours that links to this Privacy Notice.

• Downloading and using our mobile applications, including StepOut (and previously UNIque: Clubs & Societies), or any other application of ours that links to this Privacy Notice.

• Using StepOut to dream, plan, and cherish activities with friends, communities, or individually — including creating posts, managing your social battery, connecting and communicating with others, and saving memories.

• Engaging with us in other related ways, such as customer support, marketing, or events.

• StepOut uses Supabase, a secure backend service provider, to manage authentication, data storage, and content management. Supabase acts as a data processor on our behalf and does not sell, share, or use your data for any purpose other than providing its contracted services to StepOut.

​

Questions or concerns?

Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at hello@stepout.social.

​

Summary of Key Points – StepOut Privacy

This summary provides key points from our Privacy Notice. For full details, please read the sections below.

​​

What personal information do we process?

When you visit, use, or navigate StepOut, we may process personal information depending on how you interact with the Services, the choices you make, and the products or features you use.

Examples include:

• Account details: name, email, password, username

• Optional profile information: gender, sexual orientation, university/course information, generation, interests

• Content you submit: posts, comments, photos

• Device and usage information: IP address, browser, device type, app usage

Some information is collected automatically (like device info, IP address, and usage patterns) to maintain security, improve the app, and personalize your experience.

​

Do we process sensitive personal information?

Yes — in some cases, we process sensitive or “special category” data, such as:

• Gender and sexual orientation (used only for analytics and understanding our user base)

Sensitive data is collected only with your consent, and we clearly explain how it is used.

​

Do we collect information from third parties?

No, StepOut does not currently collect personal information from third-party sources.

​

How do we process your information?

We process your information to:

• Provide, improve, and manage StepOut

• Communicate with you (support, updates, marketing with consent)

• Ensure security and prevent fraud

• Comply with laws and legal obligations

• Analyze usage patterns to improve features and content recommendations

We only process your information when we have a valid legal basis (consent, contractual necessity, legal obligation, vital interests, or legitimate interests).

​

When and with whom do we share personal information?

We may share information in specific situations or with certain third-party service providers, such as:

• Hosting, analytics, email, or payment processing partners

• Vendors or consultants who perform services on our behalf

We also may share data if required for legal obligations, business transfers, or when you post content publicly in the app.

​​

This includes us sharing information in specific situations or with certain trusted service providers to enhance the experience of our service, including:

• Supabase (Backend Infrastructure): We use Supabase to securely handle user authentication, database storage, and content management. Supabase processes your data solely to support the functionality of StepOut and is contractually prohibited from selling or sharing user data.

• RevenueCat (for secure payment and subscription management).

• Apple ID or Google Sign-In (for authentication, when you choose these login options).

• Email or cloud hosting partners, where applicable, to deliver updates or support messages.

​

How do we keep your information safe?

We use reasonable organizational and technical measures to protect your personal information. However, no system is 100% secure. Transmission of personal information to and from StepOut is at your own risk.

​

Children’s privacy

StepOut is intended for users aged 13 and above. We do not knowingly collect information from children under 13. Users who indicate they are Gen Alpha (born after 2012) must confirm they are at least 13 before continuing. If we discover that we have collected personal information from someone under 13, it will be deleted.

​

Your rights

Depending on where you live, you may have rights under applicable data protection laws, such as:

• Accessing the personal information we hold about you

• Correcting or updating your information

• Requesting deletion or restriction of processing

• Withdrawing consent

• Opting out of marketing communications

​

How to exercise your rights

You can exercise your rights by:

• Visiting: https://stepout.social/personal-information (once live)

• Emailing us at: hello@stepout.social

We will respond in accordance with applicable data protection laws.

​

Want to learn more?

For full details about how we process and protect your information, please read our complete Privacy Notice.

​

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us
In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you:

• Register on the Services

• Express interest in obtaining information about us or our products and Services

• Participate in activities on the Services

• Contact us through other means

​

Personal Information Provided by You
The personal information we collect depends on your interactions with us and the Services, the choices you make, and the products and features you use. This may include:

• Name

• Email address

• Username and password

• Contact preferences

• Authentication data

• Profile details you choose to share (e.g., biography, interests, activities you want to do, profile photo)

• Content you submit through posts, comments, photos, or profile updates

​

Optional Profile Information
You may choose to share additional details to personalize your profile or experience, such as:

• University or workplace information

• Course or role details

• Demographic information (such as age, gender, or sexual orientation)

​​

Children’s Privacy and Generational Signup

StepOut is intended for users aged 13 and above. We do not knowingly collect personal information from children under 13.

​

Generational Signup

During account creation, users are asked to select their generation (e.g., Gen Z, Millennials, Gen Alpha).

• Gen Alpha refers to individuals born in 2013 or later (currently under 13). Users who select Gen Alpha must actively confirm via a checkbox that they are at least 13 years old before they can continue using StepOut.

• This confirmation serves as your acknowledgement that you are above 13.

​

Responsibility and Data Handling

By using StepOut, users confirm they meet the minimum age requirement. If we discover that we have inadvertently collected personal information from someone under 13, we will promptly delete such information from our systems.

This approach ensures that StepOut complies with legal requirements for the protection of children while allowing users aged 13 and older to safely enjoy our Services.

​

Sensitive Information
Some information, such as sexual orientation, is considered special category data under GDPR. We only collect and process this information if you voluntarily provide it and give your explicit consent (for example, by selecting the consent box when creating or updating your profile). This information may be used for personalization and for aggregated analytics to help us understand our user base. Any insights shared with partners will always be anonymized and will never identify you personally.

​

Payment Data
If you make purchases, we may collect payment-related information. All payment processing is handled securely by RevenueCat. We do not store or process your card details directly. You can view their privacy policy here: RevenueCat Privacy Policy.

​

Social Login Data
You may choose to register or log in using your Google or Apple ID. In such cases, we will receive basic profile information you authorize them to share with us, such as your name and email address.

​

Application Data
If you use our application(s), we may collect the following information when you grant us access or permission:

• Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device’s camera, microphone, reminders, storage, and notifications. If you wish to change our access or permissions, you may do so in your device’s settings.

• Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration, app identification numbers, browser type and version, hardware model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server).

• Location Data. We may collect location information either from your device (with your permission) or from information you voluntarily provide (such as listing your city in your profile). This data helps us provide local content, event recommendations, and app analytics. Location sharing is always optional and can be managed in your device or in-app settings.

• Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). You may opt out from receiving these types of communications in your device settings or by adjusting your in-app notification preferences.

​

Accuracy of Information
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

​​

Information Automatically Collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit or use our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or direct contact details) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical data.

This information is primarily needed to:

• Maintain the security and stability of our Services

• Support troubleshooting and performance monitoring

• Generate internal analytics and reporting to improve StepOut

​

Our app uses Supabase’s backend infrastructure to process and store user-generated content and metadata (e.g., posts, likes, timestamps). Supabase may automatically log limited technical data such as API request details and system errors to maintain platform stability and prevent abuse. This information is not used to identify you personally and is retained only as long as necessary for security and operational purposes

​

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Policy (link will be updated to https://stepout.social once available).

The information we collect includes:

• Log and Usage Data. Service-related, diagnostic, usage, and performance information automatically collected when you access or use our Services. This may include your IP address, device information, browser type and settings, actions taken within the Services (such as date/time stamps, pages or screens viewed, searches, and features used), as well as device event information (such as system activity, error reports or “crash dumps,” and hardware settings).

• Device Data. Information about the computer, phone, tablet, or other device you use to access the Services. Depending on the device, this may include your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration details.

• Derivative Data. We may generate derivative data by analyzing your personal information and usage patterns. This may include user preferences, activity summaries, engagement metrics, and social interaction patterns. We use this information to personalize your experience, recommend activities or events, suggest relevant connections, and improve the overall StepOut community. Where used for analytics or partnerships, such data is always anonymized or aggregated so that it cannot identify you personally.​​

​

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services; to communicate with you; for security and fraud prevention; to comply with legal obligations; and, where appropriate, with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services. These include:

• Account Creation and Authentication. To create and manage your account, verify your identity, and enable secure access to the Services.

• Service Delivery. To deliver the features and functions of StepOut, such as enabling you to plan activities, connect with others, and share memories.

• Personalization. To tailor your user experience, recommend relevant activities or events, suggest potential connections, and surface content that matches your preferences.

• User Communications. To respond to inquiries, provide customer support, and enable user-to-user interactions where applicable.

• Administrative Communications. To send important updates about your account, changes to our policies or terms, and other essential service-related information.

• Marketing and Promotions. With your consent, to send you promotional materials, newsletters, and updates about StepOut. You may opt out of these communications at any time.

• Targeted Content and Advertising. To deliver personalized content and advertising based on your interests and location. For more details, see our Cookie Policy (link to be updated once live).

• Feedback and Research. To request feedback, measure user satisfaction, and conduct surveys or studies to improve the Services.

• Usage Analytics. To analyze trends in how our Services are used, improve features and performance, and support future development.

• Security and Fraud Prevention. To protect the integrity of our Services, detect unauthorized activity, monitor for fraud, and ensure user safety. Supabase employs encryption in transit (HTTPS/TLS) and encryption at rest for all stored data. Only authorized StepOut team members can access user data for legitimate operational purposes, and access is protected by strict authentication controls.

• Legal Compliance. To comply with applicable laws and regulations, respond to lawful requests from authorities, and enforce our terms of service.

• Vital Interests. To process information when necessary to protect the safety of individuals, such as to prevent harm.

• Data Backup and Recovery. To securely back up and restore user data in the event of data loss or technical issues.

• Service Providers. To share personal data with trusted third-party partners who assist in delivering features or services (e.g., hosting, analytics, email delivery, payments).

​

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and when we have a valid legal reason (i.e., legal basis) under applicable law. These include your consent, our contractual obligations, compliance with laws, protection of vital interests, or our legitimate business interests.

Under the General Data Protection Regulation (GDPR) and UK GDPR, we rely on the following legal bases:

• Consent. We process your information where you have actively given us permission. For example:

  • To send you marketing and promotional communications.

  • To process demographic and sensitive data (such as gender or sexual orientation, if provided).

  • To use your location data for personalized content and event suggestions.
    You can withdraw your consent at any time. Learn more about withdrawing your consent [link to relevant section].

• Performance of a Contract. We process your personal information where it is necessary to fulfil our contractual obligations, such as:

  • To create and manage your account.

  • To deliver the services you have requested (e.g., connecting with others, saving memories, or accessing app features).

• Legitimate Interests. We process your information when it is reasonably necessary to achieve our legitimate business interests, provided these do not override your rights and freedoms. For example:

  • To analyze and improve our services and user experience.

  • To personalize recommendations and activity suggestions.

  • To monitor service usage and ensure platform reliability.

  • To detect and prevent fraud or unauthorized activity.

• Legal Obligations. We process your information where required to comply with applicable laws and regulations. For example:

  • Responding to lawful requests from law enforcement or regulators.

  • Retaining records for tax, accounting, or compliance purposes.

• Vital Interests. We may process your information where necessary to protect your vital interests or those of another person. For example:

  • Sharing information to prevent imminent harm or to respond to urgent safety risks.

 

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We only share information when it is necessary, lawful, and consistent with this Privacy Notice.

We may share your personal information in the following ways:

• Vendors, Consultants, and Service Providers. We share data with trusted third parties who perform services on our behalf. These parties may include:

  • Cloud hosting and storage providers (to store and back up data securely).

  • Analytics providers (to help us understand usage and improve the app).

  • Communication and collaboration tools (to send notifications and updates).

  • Authentication services (such as Apple ID or Google Sign-In).

  • Payment processors (for handling transactions — we do not store card details ourselves; all payments are securely handled by RevenueCat).
    These providers are bound by contracts that limit their ability to use your data for anything other than providing their services to us.

• Business Transfers. We may share or transfer your information in connection with a merger, sale of assets, financing, or acquisition of all or part of our business.

• Other Users. Some features of StepOut involve sharing information with other users. For example:

  • Profile information you choose to make visible (such as your name, username, and photo).

  • Posts, comments, and other contributions in public areas of the app.

  • Your activity (e.g., events joined, memories shared) if you choose to interact publicly.
    We will never publicly share sensitive demographic data (e.g., gender or sexual orientation) — this remains private and is only used in aggregate analytics.

• Legal Obligations and Safety. We may disclose information if required by law, or if we believe disclosure is necessary to protect rights, property, or safety of StepOut, our users, or others.

• Offer Walls (if applicable). Our app may include third-party “offer walls” where advertisers provide rewards in exchange for completing offers. If you interact with an offer wall, you will be redirected outside of StepOut, and a unique identifier (such as your user ID) may be shared with the offer provider to track rewards.

​

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

In Short: We are not responsible for the privacy or security practices of third parties that are not under our control.

Our Services may link to third-party websites, mobile apps, or online services. These third parties are not affiliated with StepOut, and we cannot guarantee the safety of any data you share with them. Any data collected by such parties is governed by their own privacy notices, not ours.

We recommend reviewing the privacy policies of all third-party services you interact with and contacting them directly if you have questions.

⚖️ Compliance notes for you (not shown in policy):

• Since you’re collecting special category data, you should state clearly that this is never shared with advertisers or other users — only aggregated stats (e.g., “70% of our users are female”). That way, you’re GDPR-safe while still able to use it in pitch decks.

• For payments → good that you already pass everything to RevenueCat. Just confirm with them that they are your data processor, and you keep a Data Processing Agreement (DPA) on file.

• For “offer walls” → if you don’t plan to use them immediately, you can either keep it for future-proofing or remove it for now (less risk).

​

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: Yes, we use cookies and similar technologies to collect and store your information.

We and our third-party partners (such as analytics and advertising providers) may use cookies, pixel tags, web beacons, and other tracking technologies to help operate our Services, improve user experience, and measure performance.

• Google Analytics. We use Google Analytics to understand how users interact with our Services. Google Analytics collects information such as your device type, browser, IP address, and how you use the app or website. We may also enable Google Analytics Advertising Features, such as:

  • Google Display Network Impression Reporting

  • Demographics and Interests Reporting
    To learn more about Google’s practices, please visit the Google Privacy & Terms page.

• Opting Out. You can opt out of Google Analytics by:

  • Installing the Google Analytics opt-out browser add-on

  • Adjusting your ad settings at Google Ads Settings

  • Using Network Advertising Initiative opt-out tools

• Cookie Management. You can control or disable cookies through your browser or device settings. For more detail, please see our Cookie Notice (we’ll update this at https://stepout.social/cookies-policy once the new domain is live).

​

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register using Apple ID or Google Sign-In, we will only receive the information necessary to create your account.

Our Services currently allow registration and login through:

• Apple ID

• Google Sign-In (Gmail)

When you use these login methods, we may receive information such as your name and email address directly from the provider. We will only use this information to create and manage your account, and in accordance with this Privacy Notice.

We do not collect or store passwords from these providers, and we do not control how Apple or Google handle your data. We recommend reviewing their privacy notices:

• Apple Privacy Policy

• Google Privacy Policy

​

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Notice, unless a longer retention period is required by law.

We keep personal information for the following periods:

• Account data — for as long as your account is active. If you delete your account, we will delete or anonymise your personal information within 3 months unless required by law to retain it.

• Sensitive demographic data (e.g., gender, orientation, or location) — stored only with your active consent and anonymised if you withdraw consent.

• Payment records — handled by RevenueCat and retained only as long as legally required for financial and compliance purposes.

• Backup archives — if your personal information is stored in backups, it will be securely isolated and deleted as part of our normal backup cycle.

When we no longer have a legitimate business need to process your personal information, we will delete or anonymise it.

​

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use technical and organisational measures to protect your data, but no system can be 100% secure. Our data is stored and processed primarily through Supabase, which follows industry-standard security and encryption practices, including AES-256 encryption at rest and secure HTTPS transmission.

We have implemented appropriate and reasonable measures designed to protect the personal information we process. These include:

• Technical safeguards such as encryption, secure servers, firewalls, and regular vulnerability testing.

• Organisational measures such as access controls, staff training, and internal data protection policies.

However, no electronic transmission over the Internet or storage technology can be guaranteed to be completely secure. While we do our best to protect your information, we cannot guarantee that unauthorised third parties (e.g., hackers or cybercriminals) will never be able to overcome our safeguards.

You are responsible for accessing our Services in a secure environment and choosing strong, unique passwords for your account.

​

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on where you live (EEA, UK, Switzerland), you may have rights to access, update, delete, restrict, or object to the use of your personal data.

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have the following rights under data protection law:

1. Access — Request a copy of the personal information we hold about you.

2. Rectification — Ask us to correct inaccurate or incomplete data.

3. Erasure (“Right to be Forgotten”) — Request that we delete your personal data.

4. Restriction — Ask us to stop processing your data in certain circumstances.

5. Data Portability — Receive your personal data in a structured, commonly used format.

6. Object — Object to processing of your personal data (e.g., for marketing).

7. Not to be subject to automated decision-making — You have the right not to be subject to decisions based solely on automated processing, unless legally permitted.

📍 Supervisory Authorities:

• If you are in the EEA, you can find your local authority here: EU Data Protection Authorities.

• If you are in the UK, you can complain to the ICO here: ICO Complaints.

• If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC): FDPIC.

​

Withdrawing Consent

Where processing is based on your consent (e.g., sensitive demographic data), you can withdraw it at any time by:

• Updating your preferences in the app

• Contacting us at hello@stepout.social

Withdrawal will not affect the lawfulness of prior processing, but we will stop any new processing relying on consent.

​

Marketing Preferences

You can unsubscribe from marketing emails at any time by:

• Clicking “unsubscribe” in our emails

• Replying “STOP” or “UNSUBSCRIBE” to SMS messages

• Contacting us directly

You may still receive service-related communications (e.g., account updates, security alerts).

​

Account Information

You may review, update, or delete your account information by:

• Logging into your account settings, or

• Contacting us at hello@stepout.social

If you request account deletion, we will deactivate or delete your account and remove your data from our active systems within 3 months, unless we are legally required to retain certain information (e.g., for fraud prevention or compliance).

​

Cookies and Similar Technologies

Most browsers accept cookies by default. You can remove or reject cookies in your browser settings. Some features of our Services may not function properly if you disable cookies. For more details, see our Cookie Notice at:
https://stepout.social/cookies-policy

 

10A. USE OF THIRD-PARTY SDKs AND BACKEND SERVICES

In Short: StepOut uses limited third-party SDKs and backend services to operate core functionality.

StepOut is built using FlutterFlow and integrates Supabase as its backend platform. These tools are essential for managing authentication, content storage, and real-time data synchronization.

We do not use advertising SDKs or third-party trackers. No personal information is sold or shared for marketing purposes.

If additional SDKs (e.g., for analytics or push notifications) are added in future app versions, this Privacy Notice and our Data Safety disclosures will be updated accordingly

​

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers, mobile operating systems, and apps include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your preference not to be tracked.

At present, there is no uniform standard for recognising and implementing DNT signals. Therefore, we do not currently respond to DNT browser signals or other automated tracking mechanisms.

If a DNT standard is adopted in the future, we will update this Privacy Notice accordingly.

12. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we may update this Privacy Notice as needed to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The “Revised” date at the top of the notice will indicate when the latest changes were made.

If we make material changes, we may:

• Post a prominent notice within the app, or

• Send you a direct notification (e.g., email).

We encourage you to review this Privacy Notice regularly to stay informed about how we are protecting your information.

13. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this Privacy Notice, you may contact us:

By email: hello@stepout.social
By post:
UNIque CNS LTD
21/4 Craigmillar Castle Loan
Edinburgh, Scotland
EH16 4BJ
United Kingdom

​

For privacy-related inquiries specifically concerning Supabase data handling or SDK integrations, please include “Supabase Privacy” in your email subject line so we can direct your request appropriately.

​

14. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Depending on your country of residence, you may have the right to:

• Request access to the personal information we hold about you

• Request corrections to inaccuracies in your data

• Request deletion of your personal data

• Withdraw your consent for certain types of processing

➡️ To submit a request, you can either:

• Email us at hello@stepout.social, or

• Visit: https://stepout.social/personal-information (replace with your real domain once live).

We will respond in accordance with applicable data protection laws (e.g., GDPR, UK GDPR).

​​