Data-protection processing record
Privacy
Procedure status: 16 July 2026
This notice records which personal data are processed when viewing, paying, pressing and voluntarily immortalising oneself. Despite the administrative vocabulary, no data are transmitted to a German Federal Button Authority, because no such authority exists.
GDPR record, no stamp required
Art. 01
Controller
Sole proprietor: Patrick Brockhaus
Serviceable business address to follow
E-Mail: hello@onlyabutton.com
No data protection officer has been appointed because the statutory appointment requirements are not met at the present scale of processing. Privacy enquiries may be sent directly to the controller above.
Art. 02
Register of legal bases
- Article 6(1)(b) GDPR for pre-contractual steps, payment, supply and support.
- Article 6(1)(c) GDPR for tax, commercial and other statutory retention duties.
- Article 6(1)(f) GDPR for operational security, abuse prevention, fault analysis and the defence of legal claims.
- Article 6(1)(a) GDPR for expressly voluntary publication and the deliberate loading of external video content.
Where processing relies on legitimate interests, those interests consist of maintaining a secure, functional service protected against repeated abuse. These interests have been balanced against data-subject rights.
Art. 03
Website access and hosting logs
The application is hosted by Hostinger. When it is accessed, technically necessary log data may be processed: IP address, date and time, requested address, data volume, status code, referrer, browser and operating-system details. This is necessary to deliver content, defend against attacks and investigate faults.
The recipient is Hostinger International Ltd. together with affiliated hosting and infrastructure providers. Logs are deleted once no longer required for operation and security; longer retention occurs only for a specific security incident or statutory duty.
Art. 04
Short-term IP rate-limit records
To protect checkout and file updates, the IP address is used briefly for rate limiting. For lock review requests, it is transformed into an HMAC value using a secret key; the plain-text IP is not stored in the transaction database. The value limits automated bulk requests within a 60-second window and is not used for recognition after expiry. The legal basis is Article 6(1)(f) GDPR.
Art. 05
Payment processing by Stripe
After the Button is pressed or a lock review is requested, the user is redirected to Stripe Checkout. Stripe processes in particular email address, payment and billing data, amount, currency, time, device, network and fraud-prevention data. Only a Button does not receive full card or bank-account details, but does receive payment status, transaction identifier, the email address or access to it, and billing-relevant information.
Depending on the processing, Stripe acts as a processor and, for certain regulated payment, security and compliance purposes, as an independent controller. Relevant entities include Stripe Payments Europe, Limited and Stripe Technology Company, Limited in Ireland, together with payment networks and the selected bank or payment method.
After successful payment, Stripe creates an electronic invoice or payment and contract confirmation and sends it to the email address supplied in Checkout. Stripe uses the contact, transaction, tax and billing information already collected for payment processing for this purpose.
Art. 06
Certificate and transaction database
After confirmed payment, the data required for supply and evidence are stored in a database operated through Supabase: sequential press number, Stripe session identifier, public file number, language, amount, currency, time, technical allocation and integrity values and, where voluntarily supplied, profile information and settings.
For lock review attempts, a separate internal transaction identifier, Stripe session identifier, language, amount, currency, payment time, an HMAC value of the submitted combination and the internal review result are stored. The twelve-digit combination itself is stored neither in plain text nor in Stripe metadata. The result is released to the same browser only after confirmed payment. A lock review does not create a public certificate address.
Supabase, Inc. processes these data as a processor under a data processing agreement. Sub-processors may be involved depending on the selected infrastructure.
Art. 07
Pseudonymised email matching
To recognise repeated button presses, the normalised email address received from Stripe is transformed into a SHA-256 hash. Only that hash, not the plain-text address, is stored in the certificate database. The hash is pseudonymised, not anonymised, and is therefore still treated as personal data.
The purposes are transaction consistency, abuse prevention and the technical allocation of the digital result. The legal bases are Article 6(1)(b) and (f) GDPR.
Art. 08
Public certificate and voluntary register details
A publicly accessible certificate address is created for every paid transaction. The file number, sequential number, time and resulting certificate are publicly visible. A neutral placeholder name is used unless information is supplied voluntarily.
Display name and city are published only when entered separately after payment. Publication is voluntary and not required for contract performance. A pseudonym should be used and unnecessary personal details should be omitted. The public address can be shared, indexed by search engines, cached in previews and copied by third parties.
Consent may be withdrawn at any time with future effect by writing to hello@onlyabutton.com. The public entry will then be removed or pseudonymised unless an overriding duty applies. Copies already made by third parties cannot be fully retrieved.
Art. 09
Cookies, device storage and audience measurement
Only a Button does not place analytics, advertising or profiling cookies on its own pages and stores no visit counters in the device’s Local Storage or Session Storage. After a paid lock review, a technically necessary HttpOnly result cookie is set for no more than one hour. It is used solely to display the paid result to the same browser after returning from Stripe.
When voluntarily proceeding to Stripe Checkout or loading YouTube content as described below, the respective third party’s storage and cookie procedures also apply.
Art. 10
Optional external media content
Where external media content is offered, a connection to YouTube is made only when the control for loading that third-party content is expressly activated. Until then, no data for that content are transmitted to Google or YouTube.
After consent, the IP address, device and browser data and usage information may in particular be transmitted to Google Ireland Limited and affiliated entities; where the user is signed in to a Google account, the activity may be associated with that account. The more privacy-oriented youtube-nocookie domain is used, but this does not exclude all data transfer. The legal basis is Article 6(1)(a) GDPR together with Section 25 TDDDG.
Art. 11
Retention and disposal periods
- Accounting records and tax-relevant payment documents are generally retained for eight years from the end of the year in which they arose (Section 147 AO and Section 14b UStG).
- Contract, certificate and integrity data are retained for supply, support and legal defence until the ordinary civil limitation period expires; where they form part of records subject to statutory retention, the longer statutory period applies.
- Unpaid lock review applications are removed during subsequent cleanup runs after their technical validity expires. Paid lock transaction and integrity data are retained for the periods required for contract evidence, support, legal defence and accounting.
- The pseudonymised email hash is generally retained until the ordinary limitation period following the last transaction expires and is then deleted unless a dispute or abuse case remains open.
- Voluntary public information remains visible until consent is withdrawn, a justified erasure request is made or the public register is discontinued.
- Support messages are deleted once the enquiry has been fully resolved and no statutory retention or evidentiary interest remains.
Where statutory duties require continued retention, data are restricted instead of erased. Backups may contain residual copies until overwritten in the ordinary cycle.
Art. 12
International transfer notice
Some service providers or their sub-processors may process data outside the European Economic Area. Transfers are made only on a basis permitted by Chapter V GDPR, in particular an adequacy decision, the EU-US Data Privacy Framework for certified recipients, or EU Standard Contractual Clauses together with required supplementary measures.
Art. 13
Required information and automated decisions
The payment and contact data requested by Stripe are required for the contract; without them no paid transaction can be created. Additional profile information and the loading of external media are voluntary.
No automated decision with legal or similarly significant effects within the meaning of Article 22 GDPR takes place. No advertising profiling takes place either.
Art. 14
Data-subject rights and complaint route
Subject to the statutory conditions, data subjects have in particular the rights of access, rectification, erasure, restriction of processing, data portability and objection. Consent may be withdrawn at any time with future effect. A complaint may also be lodged with a data protection supervisory authority.
Competent supervisory authority: The State Commissioner for Data Protection of Lower Saxony
Requests to the controller: hello@onlyabutton.com
To avoid disclosure to an unauthorised third party, suitable evidence may be requested that the request genuinely concerns the applicant. Form A38 is not required.
Art. 15
Amendment record
This notice will be updated where processing, service providers or the law changes. The current version and its processing date are published on this page. Material retroactive changes of purpose will not be made by quietly refiling the record.