Privacy Policy

Last updated: 12/3/2025

1. Data Controller

This Privacy Policy describes how CSO CODESOFT SRL ("we", "us", "our") collects, uses, and protects your personal data when you use the Legend Steps website and mobile application.

Data Controller:

  • Company Name: CSO CODESOFT SRL
  • Registration Number (CUI): 43602018
  • Trade Registry Number: J39/45/22.01.2021
  • Headquarters: Sat Vidra, Comuna Vidra, Vrancea, Romania
  • Email: contact@legendsteps.com

This Privacy Policy is in accordance with the General Data Protection Regulation (GDPR - Regulation 2016/679) and Romanian Law 190/2018 on data protection.

2. Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: first name, last name, username.
  • Contact Data: email address, delivery address (if physical rewards apply).
  • Financial Data: payment information (processed securely by Stripe; we do not store full card details).
  • Transaction Data: details about your purchases and orders.
  • Technical Data: IP address, browser type, device type, operating system, cookies and similar tracking technologies.
  • Usage Data: information about how you use our website and app, including activity tracking (steps, distance).
  • Profile Data: your preferences, feedback, and challenge participation history.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of GDPR:

  • Contract Performance (Art. 6(1)(b)): To provide you with access to our challenges and fulfill our contractual obligations.
  • Consent (Art. 6(1)(a)): For marketing communications and certain cookies/tracking technologies (you can withdraw consent at any time).
  • Legitimate Interests (Art. 6(1)(f)): To improve our services, ensure security, and analyze usage patterns.
  • Legal Obligation (Art. 6(1)(c)): To comply with tax, accounting, and legal requirements.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To provide access to virtual fitness challenges and track your activity.
  • To process payments and send order confirmations.
  • To communicate with you (e.g., customer support, updates, promotional emails with your consent).
  • To improve our services and personalize your experience.
  • To analyze usage patterns and generate aggregated statistics.
  • To comply with legal and regulatory obligations.

5. Data Sharing and Disclosure

We may share your personal data with the following third parties:

  • Service Providers (Processors): Google Firebase (authentication, database, analytics), Stripe (payment processing), TikTok Pixel (marketing analytics).
  • Legal Authorities: When required by law or to protect our rights.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets.

International Transfers: Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions) to protect your data.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:

  • Account Data: Retained while your account is active and for up to 2 years after deletion (for legal/audit purposes).
  • Transaction Data: Retained for 10 years as required by Romanian tax law.
  • Marketing Data: Retained until you withdraw consent or for 2 years of inactivity.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, secure servers, and access controls.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal obligations).
  • Right to Restriction: Request limitation of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time (does not affect prior processing).

To exercise any of these rights, contact us at contact@legendsteps.com.

For more details, see our GDPR Policy.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (e.g., TikTok Pixel, Google Analytics) to improve your experience and analyze usage. You can manage your cookie preferences through our consent banner.

For detailed information, please visit our Cookie Policy.

10. Children's Privacy

Our services are not intended for children under the age of 16 (or the applicable age in your country). We do not knowingly collect personal data from children without parental consent. If you believe we have collected data from a child, please contact us immediately.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian data protection authority:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)

  • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
  • Phone: +40 318 059 211
  • Email: anspdcp@dataprotection.ro
  • Website: www.dataprotection.ro

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

© 2025 CSO CODESOFT SRL. All rights reserved.