← Back to One Step

Legal

Privacy Policy

Last updated: May 2026

Overview

One Step ("we", "our", or "us") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights.

Information We Collect

Automatically collected:

  • IP address — used solely for rate limiting (max requests per day). Not stored long-term or linked to your identity.
  • Browser cookies — a single pro_token cookie to recognize Pro subscribers across sessions. Contains only an opaque access code, no personal data.

When you subscribe (Pro plan):

  • Payment is processed by Stripe. We never see or store your card details.
  • Your email address is stored by Stripe and used only to identify your subscription for recovery purposes.

Community posts (optional):

  • If you share a step to the community, the goal text, step text, and comment you write are stored publicly.
  • An optional display nickname is stored if you set one.

How We Use Your Information

  • IP addresses: enforce daily usage limits only. Stored in Redis with a 48-hour TTL.
  • Pro token cookie: verify your subscription status on each request.
  • Community posts: display in the public community feed.
  • We do not sell, rent, or share your data with third parties for marketing purposes.

Data Retention

  • Rate limit records: deleted automatically after 48 hours.
  • Pro subscription records: retained while your subscription is active; deleted within 7 days of cancellation.
  • Community posts: retained until removed by an administrator or until the service is discontinued.
  • Nicknames: stored for 60 days, then automatically deleted.

Third-Party Services

  • Stripe — payment processing. See Stripe's Privacy Policy.
  • Anthropic (Claude API) — AI step generation. Your goal input is sent to Anthropic's API to generate a response and is not retained by Anthropic beyond the API call per their Privacy Policy.
  • Upstash Redis — rate limiting and session data storage. Data is stored in Upstash's infrastructure.
  • Vercel — hosting. Standard server logs may be retained per Vercel's policies.

Cookies

We use a single first-party cookie (pro_token) to maintain your Pro subscription status. This cookie is httpOnly, secure, and contains no personally identifiable information. No advertising or tracking cookies are used.

Your Rights

You have the right to request deletion of any data associated with your account. Community posts can be removed upon request. To exercise your rights, contact us at the address below.

If you are in the EU or EEA, you have additional rights under GDPR including the right to access, rectify, or erase your personal data.

Children's Privacy

One Step is not directed at children under 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this policy from time to time. Material changes will be reflected in the "Last updated" date above. Continued use of the service after changes constitutes acceptance.

Questions about this policy? Contact us