Privacy Policy

1. Information We Collect

We collect information in the following ways: information you provide directly, information generated through your use of the Services, and information from third-party sources.

Information You Provide

• Account Information. When you create an account, we collect your name, email address, username, and password. If you sign up using a third-party authentication provider (such as Sign in with Apple or Google), we collect the information that provider shares with us, which may include your name, email address, and a unique account identifier.
• Profile Information. You may choose to provide additional profile information, such as a profile photo, bio, dance styles, and experience level. This information is optional.
• Your Content. We collect content you create, upload, post, or share through the Services, including videos, images, text descriptions, comments, timestamped annotations, and other materials.
• Training and Session Data. We collect information you provide about your dance training, including session logs, training notes, class details, and progress records you create within the Services.
• User-Organized Session Information. If you create, organize, are invited to, or participate in user-organized practice sessions, classes, or other activities through the Services ("User-Organized Sessions"), we collect information you provide about those sessions, which may include session names and descriptions, dates and times, location or venue information you choose to enter, invitee lists, and RSVP responses. We do not collect your device's precise location (GPS) for these purposes; any location information associated with a User-Organized Session is information you choose to enter manually.
• Messages and Communications Content. When you use the messaging features of the Services to send or receive direct messages or crew group chat messages (collectively, the "Messaging Features"), we collect the content and metadata of those communications. This includes:
  • The text of messages you send and receive;
  • Images, videos, files, and other attachments you send or receive through messages;
  • Reactions, replies, and other interactions with messages;
  • The identities of the sender and recipients of each message and the group chat, crew, or thread context;
  • Timestamps for sending, receiving, and reading messages (including read receipts where applicable);
  • Information about whether a message has been delivered, read, edited, or deleted; and
  • Technical metadata associated with message transmission, such as device and session identifiers used for message delivery and notifications.

  Messages are not end-to-end encrypted. They are transmitted and stored on our systems and the systems of our messaging infrastructure provider (currently Stream.io, Inc.). Please review Section 3 of this Policy and Section 9 of our Terms for more information about who can access your messages.

• Support Communications. We collect information you provide when you contact us for support, submit feedback, or otherwise communicate with us, including the content of those communications.
• Reports and Safety Information. When you report another user, a message, content, or behavior through our reporting tools, we collect the information you submit as part of that report, including the reason for the report and any context you provide.

Information Generated Through Use of the Services

• Usage Data. We collect information about how you interact with the Services, including the features you use, the actions you take (such as uploading videos, joining crews, posting annotations, sending messages, blocking or muting other users, or viewing content), timestamps of activity, and your interactions with other users' content.
• Device Information. We collect technical information from the device you use to access the Services, including device type, operating system and version, unique device identifiers, mobile network information, app version, and push notification tokens.
• Log Data. Our servers automatically record information when you access the Services, including your IP address, access times, pages and features accessed, app crashes, and other system activity.
• Analytics Data. We use analytics services (currently or in the future, including Mixpanel) to collect and analyze usage data. These services may collect information about your use of the Services, including the features and screens you interact with, session duration, and events within the app. Analytics providers may use cookies, device identifiers, or similar technologies to collect this information. We do not transmit the content of your messages to analytics providers.

Device Permissions

• Camera and Microphone. To record dance practice videos, the Services request access to your device's camera and microphone. Video recordings may include ambient audio, including any music playing in your environment at the time of recording. You can manage these permissions through your device settings at any time.
• Photo Library. The Services may request access to your photo library to allow you to upload previously recorded videos or to attach images to messages. You can manage this permission through your device settings.
• Push Notifications. We may request permission to send you push notifications, including notifications about new messages and other activity. You can manage this permission through your device settings.

We do not request access to your precise location (GPS), contacts or address book, health or biometric data, or any other sensitive device permissions not listed above.

Information We Do Not Collect

We want to be clear about information the Services do not collect or process:

• We do not collect precise geolocation (GPS) data.
• We do not access your contacts or address book.
• We do not collect health, fitness, or biometric data.
• We do not use audio fingerprinting, content identification, or similar technologies to identify, match, or catalog musical works or sound recordings that may be present in user-uploaded content or message attachments.
• We do not collect payment card information directly. If we introduce paid features in the future, payment processing will be handled by a PCI-compliant third-party payment processor, and we will update this Policy accordingly.

2. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Operate the Services

• Create and maintain your account;
• Host, store, transcode, and deliver your content (including videos and message attachments);
• Enable you to record, upload, organize, and share dance practice videos;
• Enable crew-based sharing and interactions between users;
• Provide timestamped annotation, progress tracking, and training log features;
• Provide direct messaging and crew group chat functionality, including delivering messages to their intended recipients, displaying message history, generating read receipts and other indicators, and synchronizing messages across your devices;
• Process and deliver notifications about activity relevant to your account, including new-message notifications; and
• Send you transactional communications (account verification, password resets, security alerts, and service updates).

To Improve and Develop the Services

• Analyze usage patterns and trends to understand how the Services are used;
• Identify and fix bugs, errors, and performance issues;
• Develop new features and functionality; and
• Conduct internal research and analysis to improve the user experience.

To Provide AI and Machine Learning Features

We may use and develop artificial intelligence ("AI") and machine learning ("ML") technologies to provide features within the Services, such as personalized recommendations, content analysis, or automated detection of prohibited content, spam, or abuse in messages and other content. We will not use Your Content (including messages) to train generalized AI or ML models unrelated to the Services without your explicit consent. Any AI-powered features will be described in this Policy or in supplemental notices within the Services.

To Communicate with You

• Respond to your support requests and inquiries;
• Send you information about the Services, including feature updates and changes to our Terms or this Policy; and
• With your consent, send you promotional or marketing communications. You can opt out of marketing communications at any time by following the unsubscribe instructions in the communication or by contacting us.

To Protect the Services and Our Users

• Enforce our Terms of Service and Community Standards;
• Review reports of abuse, harassment, or other prohibited conduct (including conduct in messages);
• Detect, prevent, and address fraud, abuse, security incidents, and technical issues;
• Identify and respond to spam, scams, phishing, and malicious content (including in messages);
• Respond to DMCA takedown notices and other legal requests;
• Comply with our reporting obligations under 18 U.S.C. § 2258A regarding apparent child sexual abuse material, by reporting such material to the National Center for Missing & Exploited Children ("NCMEC") and cooperating with law enforcement; and
• Protect the rights, property, and safety of Polyrhythm Labs, Inc., our users, and the public.

To Comply with Legal Obligations

We may use your information as necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including responding to subpoenas, court orders, and other valid legal demands.

3. How We Share Your Information

With Other Users

Depending on your privacy settings, certain information is visible to other users of the Services. By default, TwoStep is private. Content shared within a crew is visible only to members of that crew. If you choose to make content more broadly visible, it may be viewed by other users of the Services. Your profile information (such as your username and profile photo) may be visible to other users.

If you create or are invited to a User-Organized Session, certain information related to that session — including the organizer's identity, the session details (such as time, description, and any location or venue information you provide), and the list of invited or attending users — will be visible to other users invited to or attending that session. You should not include sensitive personal information (such as your home address) in a User-Organized Session unless you intend for it to be shared with other invited users.

Direct messages are visible to the participants of the message thread. Crew group chat messages are visible to all members of the relevant crew at the time the message is delivered, and may be visible to members who join later if the chat permits access to message history. Other participants may save, screenshot, copy, forward, or share the contents of messages outside of the Services. Once you send a message, you cannot guarantee that its content will remain confidential.

With Service Providers

We share information with third-party service providers who process data on our behalf to help us operate, maintain, and improve the Services. These providers are contractually obligated to use your information only for the purposes for which we disclose it to them and to maintain appropriate security measures. Our current service providers include:

• Supabase — database hosting and authentication;
• Cloudflare — content storage and delivery via R2;
• Render — application hosting and infrastructure;
• Stream.io, Inc. — in-app messaging and crew group chat infrastructure, including message transmission, storage, delivery, and related features such as notifications, read receipts, reactions, and moderation tooling;
• Resend / Postmark — transactional email delivery; and
• Mixpanel — product analytics (when implemented).

Our messaging infrastructure provider receives and stores message content and metadata on our behalf in order to provide the Messaging Features. We encourage you to review the privacy practices of these providers, including Stream.io's privacy policy, for additional information about how they process information on our behalf.

We may engage additional service providers from time to time. When we do, they will be subject to equivalent contractual obligations regarding the handling of your information.

For Legal and Safety Reasons

We may disclose your information, including the content and metadata of your messages, to third parties, including law enforcement, government agencies, NCMEC, or private parties, if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request (including subpoenas, search warrants, and court orders);
• Report apparent child sexual abuse material to NCMEC and cooperate with law enforcement as required by 18 U.S.C. § 2258A;
• Enforce our Terms of Service, including investigation of potential violations and reports of abuse;
• Detect, prevent, or address fraud, security, or technical issues;
• Respond to valid DMCA takedown notices or other intellectual property claims; or
• Protect the rights, property, or safety of Polyrhythm Labs, Inc., our users, or the public, including in the case of threats of harm to any person.

In Connection with a Business Transfer

If Polyrhythm Labs, Inc. is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information.

With Your Consent

We may share your information with third parties when you direct us to do so or provide your explicit consent.

Information We Do Not Sell

We do not sell your personal information to third parties. We do not share your personal information with third parties for their own direct marketing purposes. We do not use your information for targeted advertising by third parties. We do not sell or share the content of your messages with third parties for advertising purposes.

4. Your Privacy Controls and Defaults

Private by Default

TwoStep is designed with a private-by-default approach. When you create an account, your content is not publicly visible. Content shared within a crew is visible only to members of that crew. Direct messages are visible only to the participants of the message thread, and crew group chat messages are visible only to members of the relevant crew. You control much of who can interact with you through your sharing and privacy settings and through the user-control tools described below.

Controls Available to You

• Sharing Settings: You can control who sees your content by managing your crew memberships and sharing preferences within the app.
• Profile Information: You can edit or remove optional profile information at any time through your account settings.
• Messaging Controls: Subject to the functionality available in the App, you can block another user, mute notifications from a user or chat, leave a crew group chat, delete messages you have sent (subject to the limitations described in Section 5 and in our Terms of Service), and report messages, users, or chats to us for review.
• Notifications: You can manage push notification preferences through your device settings and email notification preferences through the app or by contacting us.
• Marketing Communications: You can opt out of promotional emails at any time by following the unsubscribe link in the email or by contacting us. Opting out of marketing communications does not affect transactional communications related to your account.
• Device Permissions: You can revoke camera, microphone, and photo library permissions at any time through your device settings. Note that revoking camera or microphone access will prevent you from recording new videos within the app, and revoking photo library access will prevent you from attaching saved images to messages.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Services. When you delete your account, the deletion process will begin no more than 30 days after your request, and it may take up to 90 days to fully remove your content and data from our active systems. During the deletion process, your content will no longer be visible to other users.

Messages. Messages and message attachments are retained on our systems and the systems of our messaging infrastructure provider for the period necessary to provide the Messaging Features, including making message history available to participants. Messages that you delete may be removed from the chat for other participants going forward, but copies may remain in our backups, in our service providers' systems, on other users' devices (including in cached or screenshotted form), or as required for legal, safety, or operational purposes. When you delete your account, messages you have sent to other users may remain visible to those users in their own message histories. Message metadata associated with reports, investigations, or legal matters may be retained for longer periods as necessary.

We may retain certain information after account deletion as required by law, for legitimate business purposes (such as resolving disputes, enforcing our Terms, defending legal claims, or maintaining security and abuse records), or where deletion is not technically feasible in backup or archival systems. Backup copies are overwritten on a regular cycle.

Copies of your content, including messages, that were shared with or saved by other users prior to your deletion request may remain available to those users.

6. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, alteration, and destruction. These measures include encryption of data in transit (TLS/SSL) — including for messages transmitted between your device, our servers, and our messaging infrastructure provider — access controls limiting employee and contractor access to personal information on a need-to-know basis, and regular review of our security practices.

Messages are not end-to-end encrypted. While they are encrypted in transit and stored using industry-standard protections, they can be accessed by Polyrhythm Labs, Inc. and our messaging infrastructure provider in the limited circumstances described in Section 3 of this Policy and Section 9 of our Terms of Service.

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

7. Third-Party Services and Links

The Services may contain links to third-party websites or services, or allow you to interact with third-party platforms (such as Sign in with Apple or Google). The Services also incorporate certain third-party infrastructure components, including a third-party messaging provider that powers our Messaging Features. This Policy does not apply to information collected by third parties through their own services or websites. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Services.

If you use a third-party authentication provider to create your account, we receive only the information that provider shares with us in accordance with their terms and your settings. We do not receive your password from third-party authentication providers.

8. Children's Privacy

The Services are intended only for adults aged 18 and over. We do not direct the Services to, knowingly market to, or knowingly collect personal information from anyone under the age of 18. If you are under 18, do not use the Services or provide any information to us.

If we learn that we have collected personal information from a person under 18, we will take steps to delete that information and terminate the associated account as quickly as is reasonably practical. If you believe we have collected information from a person under 18, please contact us at privacy@twostepapp.com. If you believe a minor is using the Services, or that a minor is being contacted, solicited, or exposed to harm through the Services, please contact us immediately at safety@twostepapp.com.

In accordance with 18 U.S.C. § 2258A, we report apparent child sexual abuse material to the National Center for Missing & Exploited Children and cooperate with law enforcement investigations.

9. International Data Transfers

The Services are hosted in the United States. If you access the Services from outside the United States, you understand and consent to the transfer, processing, and storage of your information in the United States, where data protection laws may differ from those in your country of residence.

We take steps to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.

10. Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal information under applicable privacy laws. These may include:

• Access and Portability: You may have the right to request access to the personal information we hold about you, and to receive a copy of that information in a portable format. You can access and download much of your information directly through your account settings.
• Correction: You may have the right to request correction of inaccurate personal information. You can update your account and profile information directly through the app.
• Deletion: You may have the right to request deletion of your personal information. You can delete your account through the app settings or by contacting us at privacy@twostepapp.com. See Section 5 for details on the deletion process and any retention exceptions, including with respect to messages.
• Restriction and Objection: Where applicable under local law, you may have the right to restrict or object to certain processing of your personal information.
• Withdraw Consent: Where we rely on your consent to process your information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal. If you wish to withdraw consent to the processing of messages, you may stop using the Messaging Features and delete your account.
• Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at privacy@twostepapp.com. We may need to verify your identity before processing your request. We will respond to your request within the time period required by applicable law.

11. Notice for California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), including:

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share your information.
• Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than providing the Services.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, username, IP address, device identifiers); internet or electronic network activity information (usage data, log data); audio, electronic, and visual information (videos, images, audio, and message attachments uploaded or transmitted by users); the content and metadata of electronic communications, including direct messages and crew group chat messages; and inferences drawn from the above (such as analytics data).

Sources

We collect personal information directly from you, automatically through your use of the Services, and from third-party authentication providers (such as Apple or Google).

Business Purposes

We use personal information for the purposes described in Section 2 of this Policy.

Disclosure for Business Purposes

We disclose personal information to service providers as described in Section 3 of this Policy, including our messaging infrastructure provider. We do not sell personal information or share it for targeted advertising.

To exercise your rights under California law, please contact us at privacy@twostepapp.com. You may also designate an authorized agent to make a request on your behalf.

12. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice through the Services or by other means (such as email) prior to the changes becoming effective. The "Effective Date" at the top of this Policy indicates when it was last updated. Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the revised Policy.

We encourage you to review this Policy periodically.

13. Contact Us

If you have questions about this Privacy Policy, your personal information, or our data practices, please contact us at: