Privacy Policy

Last Updated: May 11, 2026

This Privacy Policy explains how we handle your information when you use the One Small Step iOS app ("the app").

Who We Are

The app is built by Marta Basznianin Software, operating as Nami Apps, an independent software studio based in Poland. We are the data controller for any personal data described below. You can reach us at [email protected].

The Short Version

  • We don't have user accounts. You don't give us your name, email, or contact info.
  • Your tasks, brain dumps, and focus session data live on your device — not on our servers.
  • When you tap the AI breakdown feature, the text you typed is sent to OpenAI through a relay we operate. That's the only thing that leaves your device because of us.
  • We don't run any third-party analytics, attribution, or advertising SDKs in the app.
  • You don't need to subscribe to use core features.

What Stays on Your Device

  • Brain-dump text you type
  • AI-generated and edited steps
  • Focus-session timing and history
  • Subscription status, cached for offline checks

This data sits in the app's iOS sandbox. It's encrypted when your device is locked (standard iOS Data Protection) and is included in your iOS backups (iCloud or local) if you have those turned on. Apple — not us — controls what happens in those backups; see Apple's Privacy Policy.

The app does not actively sync your data to any server. We do not have copies of it.

What Leaves Your Device — and Why

AI Breakdown (only when you choose to use it)

When you tap the breakdown button, the text from your brain dump is sent over HTTPS to a server we operate (a Supabase Edge Function), which forwards it to OpenAI's API and returns the result. We use the relay so the OpenAI API key isn't exposed in the app — it's a pass-through that doesn't log the body of your request.

  • What's sent in the request body: only the text you typed. No name, email, advertising ID, or device location. As with any HTTPS request, your device's IP address is visible at the network level to our relay (Supabase) and to OpenAI.
  • OpenAI processing: per OpenAI's current API data usage policy, API data is not used to train OpenAI's models. OpenAI may retain API inputs for up to 30 days for abuse monitoring and then deletes them, except where retained longer for legal reasons. Processing happens in the United States. See OpenAI's Privacy Policy.
  • Our retention: we don't store your text. The Edge Function does not log request bodies.

Supabase (host of our AI relay)

Our relay function is hosted by Supabase, based in the United States. Supabase processes the request only to forward it; we have not configured the function to log request bodies. Supabase sees standard request metadata (timestamps, status codes, and your device's IP address, which counts as personal data under GDPR). See Supabase's Privacy Policy.

Subscription Management — RevenueCat

If you subscribe to One Small Step Pro, we use RevenueCat to verify your subscription status without operating our own server. RevenueCat receives:

  • An identifier RevenueCat generates for your install (not your Apple ID, name, or email).
  • Your iOS Identifier for Vendor (IDFV) — a per-app identifier Apple supplies that resets when you delete the app.
  • Your purchase receipt from Apple.

RevenueCat does not receive your tasks, brain dumps, or focus-session data. Apple processes the actual payment; we never see your Apple ID, payment method, or billing address. RevenueCat is based in the United States. See RevenueCat's Privacy Policy.

Apple — App Store, IAP, and App Analytics

Standard interactions with the App Store (download, install, in-app purchase) are governed by Apple's Privacy Policy. If you have Share With App Developers enabled in iOS Settings → Privacy & Security → Analytics & Improvements, Apple may share aggregated, non-identifying usage and crash data with us through App Store Connect. We do not receive identifiers tied to you through this channel, and we do not run any third-party analytics SDK in the app.

What We Do Not Collect

We do not collect names, emails, contacts, location, photos, calendar data, device identifiers used for advertising, or any other category not listed above. The app does not request permission to access your camera, microphone, photo library, contacts, or location.

International Data Transfers

If you use the AI breakdown feature, your text is transferred to the United States (OpenAI, Supabase). Subscription metadata is processed in the United States (RevenueCat). These providers contractually rely on the European Commission's Standard Contractual Clauses or equivalent safeguards under Articles 44–49 of the GDPR.

Legal Bases (EEA / UK Users)

  • AI breakdown: Article 6(1)(b) GDPR — performance of a service you specifically request by tapping the breakdown button. Stopping use of the feature prevents any further transfers; data already sent is governed by the providers' policies.
  • Subscription: performance of a contract — needed to deliver the subscription you bought.
  • Local on-device data: not processed by us as a controller, since it doesn't leave your device through our systems.

Your Rights (EEA / UK Users)

You have the right to access, correct, erase, restrict, port, or object to the processing of personal data we hold, and to withdraw consent at any time. Because we don't keep a copy of your data, in practice:

  • Delete everything we have any indirect connection to: stop using the AI feature (no new transfers) and delete the app (removes all local data).
  • Stop further processing: simply stop using the AI breakdown — no further data is sent.
  • Any other right: email us at [email protected]. We aim to respond within 30 days.

If you believe we've handled your data incorrectly, you can lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (UODO) — uodo.gov.pl.

Retention

  • Data on your device: until you clear it in the app, delete the app, or uninstall iOS.
  • AI requests at OpenAI: up to 30 days, per OpenAI's policy, except where retained longer for legal reasons.
  • Subscription data at RevenueCat and Apple: as needed to manage purchases under their policies.

Children

One Small Step is not directed at children. Where the GDPR digital-consent threshold applies (16 in most EEA countries, including Poland), we do not knowingly process data from children below the applicable threshold. If you believe a child has used the app in a way that resulted in personal data being sent to us, contact us and we will act on it.

Security

Data is encrypted in transit (HTTPS/TLS) and on your device (iOS Data Protection, encrypted while the device is locked). We don't store user data, so there's no central database to breach. The only credential held is the OpenAI API key, which lives on the Edge Function and is never shipped with the app.

Changes

We'll update this policy as the app evolves. The "Last Updated" date at the top will reflect any change. For material changes that affect what leaves your device, we will additionally make the change visible from inside the app or on this website before continuing to process data under the new terms.

Contact

Marta Basznianin Software (Nami Apps), Poland

Email: [email protected]