Privacy Policy

This Privacy Policy explains how One Small Step ("we", "us") handles personal data when you use the Little Ledger application at bank.onesmallstep.hk ("the Service"). It is written to comply with the Hong Kong Personal Data (Privacy) Ordinance, Cap. 486 (PDPO).

1. Who we are

The Service is operated by One Small Step, based in Hong Kong. For data-protection purposes the data controller is One Small Step.

Contact: hkonesmallstep@gmail.com

2. What we collect

When a parent creates an account:

• Email address (used as the login identifier)
• Password (stored only as a salted bcrypt hash; we cannot read it back)
• A unique family code (auto-generated)

When a parent registers a child:

• Child's first name
• Child's date of birth (used to display age; optional for accounts created before this field existed)
• A 4-digit PIN, stored only as a salted bcrypt hash
• Optionally, a wallpaper image uploaded by a parent

While the Service is in use:

• Virtual transactions (give, spend, deposit, request, interest accrual) in Hong Kong Dollar units, with parent-supplied notes and timestamps
• An audit log of significant actions for parental oversight
• A "last seen" timestamp per child to drive the welcome popup
• Per-child preferences such as central-bank choice, interest rate mode, and savings goals

Automatically:

• A signed session cookie (fb_session) so signed-in users stay signed in for up to 7 days
• A family cookie (fb_family) so children can sign in to the right family on a given device
• Standard server logs from our hosting provider (Netlify), including IP address, user agent, and request timestamps, for security and abuse prevention

We do not collect: real banking information, payment card data, government IDs, location data, contacts, or any data beyond what is listed above.

3. Why we collect it

• To run the Service (your account, your children's balances, your transactions)
• To keep your account secure (sessions, hashed passwords/PINs)
• To detect and prevent abuse (server logs)

We do not sell or share individual data, and we do not use it for advertising.

4. Where it's stored

Personal data is stored using Netlify Blobs, a managed key-value store provided by Netlify, Inc. Netlify hosts data in cloud datacenters which may be located outside Hong Kong (principally the United States and Singapore). Netlify acts as our data processor and is bound by their published Data Processing Addendum.

Within One Small Step, only the operator of the One Small Step Netlify account can access stored data, and only for the purposes of operating the Service.

5. Third-party services

• Netlify, Inc. — hosting, serverless functions, blob storage, SSL. netlify.com/privacy
• Federal Reserve Bank of St. Louis (FRED) — we fetch published interest-rate data. No personal data is sent.
• Hong Kong Monetary Authority (HKMA) Open Data API — same purpose as FRED. No personal data is sent.

We do not use Google Analytics, advertising trackers, social-media pixels, or any third-party analytics that profile users.

6. Cookies

• fb_session — HttpOnly, SameSite=Lax, expires after 7 days. Identifies your signed-in user.
• fb_family — SameSite=Lax, expires after 1 year. Remembers which family this device belongs to so the child login picker shows the right names.

We do not set advertising cookies, analytics cookies, or third-party cookies.

7. Retention and deletion

We retain personal data for as long as your account is active. When a parent deletes a child from the dashboard, all of that child's data (balance, transactions, deposits, requests, goals, wallpaper) is permanently deleted. The audit log retains a record that the deletion occurred (without recovering the deleted data).

To delete your entire family ledger, email hkonesmallstep@gmail.com. We will delete all your family data within 30 days.

Server logs from Netlify are retained per Netlify's policy (typically 30–90 days).

8. Your rights under PDPO

You have the right to:

• Be informed about what we collect (this policy)
• Access your personal data that we hold
• Correct any inaccurate personal data
• Request deletion of your personal data
• Withdraw consent for future processing (which may mean closing your account)
• Lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD)

Send requests to hkonesmallstep@gmail.com. We will respond within 40 days as required by PDPO.

9. Children's data

This Service is intended to be set up by parents/guardians for use by their own children. The parent/guardian who registers a child consents on the child's behalf to the processing of that child's data for the educational purpose of the Service.

Children's names, DOBs, and PINs are accessible only to guardians within the same family (and to the child themselves, via their PIN). PINs are stored as salted bcrypt hashes; we cannot recover a forgotten PIN — only reset it.

We do not knowingly target the Service at children for direct advertising or commercial purposes.

10. Data security

• Passwords and PINs: bcrypt-hashed before storage
• Sessions: HMAC-SHA256 signed cookies, server-side secret
• HTTPS enforced
• Wallpaper images served only to authorized users (the child themselves or a guardian in the same family)
• All data access is scoped to the requestor's family

Despite our efforts, no system is perfectly secure. By using the Service you accept that you understand this.

11. International transfers

Because the Service uses Netlify's global infrastructure, your data may be transferred to and stored in countries outside Hong Kong. By using the Service you consent to such transfers.

12. Changes

We may update this policy. The "Last updated" date will reflect any change. Material changes will be communicated within the Service.

13. Contact

Questions, requests, or complaints: hkonesmallstep@gmail.com