Security & Trust

Your captures stay yours

Last updated: 2 May 2026 · Version 1.0

You're putting your whole brain into one place. We take that seriously.

This page explains exactly how we protect your data, how AI sees your captures, what we will never do, and how you stay in control. No marketing fluff. Just the facts.

How your data is protected

Encrypted in transit — every connection between your device and our servers uses TLS (HTTPS). Nothing travels in the clear.
Encrypted at rest — your captures, your account, and your settings are encrypted on the servers where they live.
Stored on Supabase in the EU (Ireland) — your data does not leave the EU.
Row-level security — only you can access your captures. Our database is configured so that even an internal query cannot return another user's data to you.
Automatic encrypted backups — so your data survives any kind of failure on our end.
UK GDPR compliant — we follow UK and EU data protection law to the letter.
72-hour breach notification — if a breach affecting your data ever occurs, we will notify you and the Information Commissioner's Office within 72 hours, as the law requires.

How AI sees your captures

My One Button uses AI in two specific ways. We want you to know exactly what happens.

Voice transcription

When you speak into the orb:

Your voice audio is sent to OpenAI's Whisper API.
Whisper converts it to text and returns the text to us.
The audio is discarded immediately.
We store only the transcribed text.

OpenAI does not use Whisper API audio to train its models when accessed through the API.

Classification

After transcription (or when you type), the text of your capture is sent to Anthropic's Claude API. Claude reads the text and decides which of the 12 categories it belongs in. The category is returned and we file the capture against your account.

When we send the text to Claude:

No name is attached.
No email is attached.
No account ID is attached.

Claude sees only the text of the capture itself.

Anthropic does not use API data to train its models by default.

What we will never do

Never sell your data. Not to advertisers. Not to data brokers. Not to anyone.
Never share your captures with advertisers.
Never read your captures except where strictly necessary to operate the service or where we are legally required to.
Never use your captures to train AI models without your explicit consent. If we ever want to do this in future, we will ask you first, and you will always be able to say no.

You stay in control

Export everything, anytime. Settings → Data → Export. You get a JSON file with all your captures, settings, and metadata.
Delete your account, anytime. Settings → Account → Delete. Account deletion is immediate. Your data is permanently deleted within 30 days, except for payment records we are legally required to keep.
Archived captures are recoverable indefinitely. Nothing you archive is ever automatically deleted.
Deleted captures are recoverable for 30 days. If you change your mind, you have a month to restore.
Two-tap delete confirmation. Nothing important gets deleted by accident.

Sub-processors

A small number of trusted third parties help us run My One Button. Each one only sees the data they need to do their job, under strict contracts that require them to protect it.

Provider	What they do	Where data is processed
Supabase	Database, authentication, file storage	EU (Ireland)
Anthropic (Claude API)	AI classifier — sorts captures into categories	US (with EU data transfer safeguards)
OpenAI (Whisper API)	Voice-to-text transcription	US (with EU data transfer safeguards)
Stripe	Payment processing for web subscriptions	UK and US
Apple App Store / Google Play Billing	Payment processing for mobile subscriptions	US
Netlify	Frontend hosting	US
GoHighLevel	Marketing emails, waitlist, CRM	US (with EU data transfer safeguards)
Mailgun	Transactional email (password resets, receipts) — configured but currently dormant; will be activated when password reset and receipt emails are enabled	US (with EU data transfer safeguards)
Google Workspace	Internal team email	US (with EU data transfer safeguards)
PostHog	Product analytics and error tracking	EU

When data is transferred outside the UK or EU, we rely on Standard Contractual Clauses approved by the UK Information Commissioner's Office, or UK Adequacy Decisions where the receiving country has been formally recognised as providing adequate protection.

Your rights

Under UK GDPR, you have the right to:

Access — get a copy of the data we hold about you
Rectification — correct any data that's wrong
Erasure — ask us to delete your data ("right to be forgotten")
Restriction — ask us to pause processing while we sort something out
Portability — get your data in a portable format to take elsewhere
Object — object to processing based on legitimate interest
Withdraw consent — for anything based on consent
Complain to the ICO — if you're not happy with how we've handled your data

To exercise any of these rights, email [email protected]. We will respond within one calendar month, free of charge.

Reporting a security vulnerability

If you discover a security vulnerability, please report it responsibly to [email protected]. We will work with you in good faith and will not take legal action against good-faith security research.

Read the full documents

Privacy Policy — what data we collect, how we use it, your rights
Terms of Service — the contract between you and us
Cookie Notice — what cookies we use and why

Contact

General privacy enquiries: [email protected]
Formal legal correspondence: [email protected]
Security vulnerability disclosure: [email protected]
Post: K.B.A. Investments Limited, 129 Marston Road, Stafford, Staffordshire, England, ST16 3BT

K.B.A. Investments Limited (Companies House number 03345267), trading as My One Button.
Last updated: 2 May 2026. Version 1.0.