Privacy Notice
Your documents stay on your device. We see only their cryptographic fingerprints. This notice tells you exactly what we collect, why, how long we keep it, and what rights you have.
1. The architectural privacy guarantee
LedgerProof is built so that the privacy promise is enforced by architecture, not by policy. When you drop a document into the website's hashing demo or your future receipt locker, your browser computes a SHA-256 fingerprint of the document locally, before any network call. Only the resulting 64-character fingerprint is transmitted to our servers, along with your timestamp and Ed25519 signature.
The page literally shows "Bytes uploaded: 0 · Network requests: 0" during the hash compute. Your document, its filename (unless you opt to attach one), its content, and any metadata never reach us.
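The local fingerprinting step described in this section, as an added example that is not LedgerProof's own code: it hashes the document bytes with the Web Crypto API, builds a body holding only the fingerprint and timestamp, and audits that body before it would be sent. The field names, the `auditSubmission` helper and the sample document are assumptions; the Ed25519 signature is treated as an opaque allowed field because this notice does not say how it is produced.

```javascript
// Added example. Field names ("fingerprint", "timestamp", "signature") are
// assumed for illustration and are not LedgerProof's actual schema.
// Browsers expose crypto.subtle directly; the fallback covers older Node.js.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Constructed sample document; in a browser these bytes would come from
// File.arrayBuffer() on the dropped file.
const SAMPLE_DOCUMENT = new TextEncoder().encode("Q2 board minutes (constructed sample)");

// SHA-256 over the raw bytes, computed locally, returned as 64 hex characters.
async function fingerprintDocument(bytes) {
  const digest = await subtle.digest("SHA-256", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the only object that would leave the device: no content, no filename.
async function buildSubmission(bytes, now = new Date()) {
  return { fingerprint: await fingerprintDocument(bytes), timestamp: now.toISOString() };
}

const ALLOWED_KEYS = new Set(["fingerprint", "timestamp", "signature"]);

// Audit an outbound body. Returns a list of problems; an empty list means the
// body carries only the allowed fields and a well-formed fingerprint.
function auditSubmission(payload, documentBytes) {
  const problems = [];
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_KEYS.has(key)) problems.push(`unexpected field: ${key}`);
  }
  if (!/^[0-9a-f]{64}$/.test(payload.fingerprint ?? "")) {
    problems.push("fingerprint is not 64 lowercase hex characters");
  }
  // Plain-text heuristic only: flags a string field that embeds the document text.
  const text = new TextDecoder().decode(documentBytes);
  const leaked = Object.values(payload).some(
    (v) => typeof v === "string" && text.length > 0 && v.includes(text)
  );
  if (leaked) problems.push("document content present in body");
  return problems;
}
```

The same audit can be run against the request body captured in the browser's network panel to check what a page actually transmits.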
2. What we collect
From the reservation form (ledgerproofhq.io)
- Name, email address, optional firm name, optional use-case selection, optional ticket ID.
- Your IP address at the moment of form submission, for fraud and abuse mitigation only.
- Browser user-agent string, for understanding which devices and browsers our registrants use.
- Timestamp of submission.
From the live hash demo on the website
- Nothing. The hash demo runs entirely in your browser. We do not log demo activity, the files you drop, or the resulting fingerprints.
From the receipt locker (post-activation, June 15, 2026)
- Account email used to sign in via magic link.
- The cryptographic fingerprints, signatures, timestamps, and chain positions of receipts you issue.
- Optional metadata you attach to a receipt at issuance time (e.g., a friendly label like "Q2 board minutes").
- Authentication session cookies, if you choose "remember this device."
3. What we do not collect
- Your documents. Their content. Their text.
- Your filenames (unless you opt to attach one to the receipt).
- Tracking cookies. Third-party advertising cookies. Cross-site fingerprinting.
- Behavioral or marketing analytics from external trackers.
- Payment card data (we use Stripe; card data goes to Stripe directly, not to us).
4. Why we collect what we collect
- Reservation data: to send you your activation email and trial details, and to size capacity for symposium-day demand.
- IP address at submission: to detect duplicate or automated reservations and protect the trial pool from abuse. Discarded after 90 days.
- Receipt fingerprints and chain entries: to serve as the cryptographic record that makes your receipts verifiable. This is the entire purpose of the Service.
- Account email: to authenticate you to your locker and notify you of trial milestones.
5. Retention schedule
| Data | How long we keep it |
|---|---|
| Chain entries (fingerprints, signatures, anchors) | Indefinitely. Receipts work forever. |
| Reservation form data | 24 months from reservation, unless you become a paying customer (then for the life of the account). |
| Server access logs | 90 days. |
| IP address from form submission | 90 days. |
| Authentication sessions | 30 days from last activity. |
| Email delivery records (sent / opened) | 12 months. |
You can request deletion of your reservation data at any time by emailing hello@ledgerproofhq.io; we will purge within 30 days. Chain entries cannot be deleted (the chain is append-only by design), but they can be disassociated from your account upon written request.
6. Sharing and third parties
We do not sell your data. We do not share it with marketers, data brokers, or social networks. The third parties we use to operate the Service are limited to:
- Cloudflare — DNS, CDN, TLS termination, Worker runtime. Sees only the fact and origin of requests, not document contents.
- Supabase — Database (Postgres) and authentication. Stores reservation rows and chain entries on encrypted-at-rest storage in their U.S.-East-1 region.
- Resend — Transactional email delivery (your activation email and trial notifications).
- Stripe — Payment processing for paid plans (post-trial). You enter card data into Stripe's hosted forms; we never see it.
- Bitcoin mainnet — Public blockchain where Merkle anchor roots are published once per day. The anchor is a 44-byte fingerprint; it does not contain your documents or even your individual receipts.
7. Your rights
If you are a California resident (CCPA / CPRA)
- Right to know what personal information we collect about you (this notice).
- Right to access a copy of your personal information held by us.
- Right to correct inaccurate personal information.
- Right to delete personal information, subject to the chain's append-only nature for receipts.
- Right to opt out of any sale or sharing — we do not sell or share, but the right is yours.
- Right to non-discrimination for exercising any of the above.
Exercise any of these by emailing hello@ledgerproofhq.io with the subject line "CCPA request." We respond within 45 days.
If you are an EU/UK resident (GDPR / UK GDPR)
The Service is currently operated for U.S. customers, but if you reach us from the EU/UK we honor the equivalent rights to access, rectification, erasure, restriction, portability, and objection. Email the same address; we respond within 30 days.
8. Cookies and tracking
The marketing site (ledgerproofhq.io) sets no cookies. The receipt locker (app.ledgerproofhq.io, post-activation) sets a single authentication session cookie if you choose "remember this device." We do not use Google Analytics, Meta Pixel, LinkedIn Insight, or any third-party tracking script.
9. Children
The Service is not directed at children under 16. If we learn that we have collected personal information from a child under 16, we will delete it.
10. Security
We use TLS for all transport. Reservation data is stored on Supabase Postgres with row-level security policies that prevent cross-account reads. Chain entries are signed with publisher keys. Anchor roots are published to the Bitcoin mainnet for independent verification. Our security disclosure policy is at /.well-known/security.txt; send vulnerability reports to security@ledgerproofhq.io.
11. Email opt-out
You can opt out of marketing email at any time by replying STOP to any email or by emailing hello@ledgerproofhq.io. Transactional email (your activation email, trial-end notice, account security notices) is required for the Service to function and cannot be opted out of while you have an active account or reservation.
12. Changes to this notice
We will notify you of material changes by email at least seven days before they take effect. Non-material changes (clarifications, typo fixes) will be posted here with the updated effective date.
13. Contact
Email: hello@ledgerproofhq.io
Security: security@ledgerproofhq.io
Privacy questions: include "Privacy" in your subject line.