Legal
My One Button is a product of K.B.A. Investments Limited, a private limited company registered in England and Wales.
In this policy, "we", "us", and "our" mean K.B.A. Investments Limited trading as My One Button. "You" and "your" mean the person using the My One Button app or website.
K.B.A. Investments Limited is the data controller for personal data processed through My One Button. This means we decide what data is collected and why.
This policy applies to:
If you click a link from our app or website to a third-party service (for example, a payment provider), that service has its own privacy policy. This one only covers what we do.
We collect only what we need to make the product work. Here is everything we collect, broken down by category.
When you sign up, we ask for:
We use this to create your account, send you transactional emails (such as password resets), and identify you when you sign back in.
When you use My One Button, you can capture text or speak into the microphone. Whatever you say or type is your capture.
We store:
We do not store voice audio. When you speak, your audio is sent to a transcription service (see Section 6), converted to text, and discarded. Only the text is kept.
Anything you set up in Settings — your enabled categories, your daily focus count, your reminder preferences, your persona choice, your notification settings — is stored against your account so the app behaves the way you want it to.
To keep the service running and improve it, we collect:
This is collected via PostHog (see Section 6), in cookieless mode where possible. We do not use this data for advertising or share it with advertisers.
When you subscribe to a paid tier, we collect:
We do not see or store your card details. Card processing is handled by Stripe (or by Apple / Google when you subscribe through the App Store or Play Store). They send us the result of the transaction; we never touch the card itself.
If you email us at [email protected] or use our in-app feedback form, we keep the conversation so we can help you. This includes your name, email, and the content of the message.
We use your data only for these purposes:
We do not:
UK GDPR requires us to have a lawful reason for processing your data. Here are the bases we rely on:
| What we process | Why | Lawful basis (UK GDPR Article 6) |
|---|---|---|
| Account data, captures, settings | To deliver the service you signed up for | Contract performance (Article 6(1)(b)) |
| Device and usage data | To keep the service running, fix bugs, improve the product | Legitimate interest (Article 6(1)(f)) — running and improving a paid service |
| Payment data | To process subscriptions and meet tax obligations | Contract performance + Legal obligation (Articles 6(1)(b) and 6(1)(c)) |
| Marketing emails (if you opt in) | To send product updates and offers you've agreed to receive | Consent (Article 6(1)(a)) |
| Fraud prevention | To protect the service from abuse | Legitimate interest (Article 6(1)(f)) |
You can withdraw consent at any time for anything based on consent. Withdrawing consent does not affect processing that took place before you withdrew it.
We use a small number of trusted third parties to operate My One Button. Each one only sees the data they need to do their job, under strict contracts that require them to protect it.
| Provider | What they do | What data they see | Where data is processed |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, captures, settings | EU (Ireland — eu-west-1) |
| Anthropic (Claude API) | AI classifier — sorts captures into categories | The text of each capture (no name, no email attached) | US (with EU data transfer safeguards) |
| OpenAI (Whisper API) | Voice-to-text transcription | Voice audio (discarded after transcription) | US (with EU data transfer safeguards) |
| Stripe | Payment processing for web subscriptions | Name, email, billing details, transaction data | UK and US (Stripe handles its own card data securely) |
| Apple App Store / Google Play Billing | Payment processing for mobile subscriptions | Subscription status, transaction data | US (managed by Apple / Google) |
| Netlify | Frontend hosting (the website and app) | IP address, browser type, request logs | US |
| GoHighLevel (GHL) | Marketing emails, waitlist, CRM | Name, email, marketing preferences | US (with EU data transfer safeguards) |
| Mailgun | Transactional email delivery (password resets, receipts) — configured but currently dormant; will be activated when password reset and receipt emails are enabled | Email address, message content (when activated) | US (with EU data transfer safeguards) |
| Google Workspace | Internal team email (your support emails reach us here) | Anything you email us | US (with EU data transfer safeguards) |
| PostHog | Product analytics and error tracking | Usage events, page views, error logs (no captures) | EU |
Some of our sub-processors are based in the United States. When your data is transferred outside the UK or EU, we rely on:
This means your data has the same legal protections wherever it's processed.
This section is important. We use AI in two specific ways, and we want you to know exactly what happens.
When you speak into the microphone:
OpenAI does not use Whisper API audio to train its models when accessed through the API. We have confirmed this with their published API terms.
After transcription (or when you type), the text of your capture is sent to Anthropic's Claude API. Claude reads the text and decides which of the 12 categories it belongs in. The category is returned to us and we file the capture accordingly.
Which model classifies your captures depends on your subscription tier:
Either way:
If we ever want to do any of this in the future, we will ask you for explicit consent first. You will always be able to say no.
We keep your data only as long as we need to.
| Data | Retention period |
|---|---|
| Account data | While your account is active, plus 30 days after you delete it |
| Captures | While your account is active, plus 30 days after you delete it |
| Deleted captures (recoverable) | 30 days, then permanently deleted |
| Archived captures | Indefinitely, until you delete them |
| Payment records | 7 years (UK tax law requirement) |
| Support correspondence | 2 years from the last message |
| Server logs | 90 days |
| Backups | 30 days, rolling |
When you delete your account, we permanently delete all your personal data within 30 days, except for payment records we are legally required to keep.
Under UK GDPR, you have the following rights:
Email [email protected] with the right you want to exercise. We will respond within one calendar month, free of charge. If your request is unusually complex, we may extend by two months and let you know.
We will ask you to verify your identity before acting on a request, to make sure we're not handing your data to someone pretending to be you.
If you believe we have not handled your data properly, please contact us first at [email protected] so we can try to put it right.
If you remain unsatisfied, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator:
We take security seriously. Our practices include:
If you discover a security vulnerability, please report it responsibly to [email protected]. We will work with you in good faith and will not take legal action against good-faith security research.
No system is 100% secure. If a breach affecting your data occurs, we will notify you and the ICO within 72 hours, as UK GDPR requires.
Encrypted. Private. Only you can see what you capture. We don't sell your data. We never will.
The My One Button app uses the minimum number of cookies and storage items needed to make the service work:
We do not use:
PostHog (our analytics) runs in cookieless mode where possible.
When you make a payment, you'll be redirected to Stripe's checkout page. Stripe sets its own cookies for fraud prevention and security, governed by Stripe's privacy policy.
If we add any non-essential cookies in future, we will ask for your consent before using them.
For more detail, see our Cookie Notice at https://myonebutton.com/cookies.
My One Button is not intended for children under 16. Under UK GDPR, online services for children require special protections, and we have not designed the product to meet those.
If you are under 16, please do not use My One Button. If we find out we've collected data from someone under 16, we will delete it.
If you believe a child under 16 has signed up, please email [email protected] and we will investigate.
We may update this policy from time to time as the product changes or the law changes.
When we make a substantive change (one that affects your rights or how we use your data), we will:
When we make a minor change (typos, clarifications, restructuring), we will update the date at the top but not necessarily email you.
The current version of this policy is always available at https://myonebutton.com/privacy.
For any privacy question, request, or complaint:
We aim to respond to all privacy enquiries within 5 working days, and to formal UK GDPR rights requests within one calendar month as the law requires.
This policy was prepared in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003.
K.B.A. Investments Limited (Companies House number 03345267), trading as My One Button.
Last updated: 2 May 2026. Version 1.0.