Privacy Notice
Your documents stay on your device. We see only their cryptographic fingerprints. This notice explains what we collect, why, how long we keep it, and what rights you have.
1. The architectural privacy guarantee
LedgerProof is built so the privacy promise is enforced by architecture, not by policy. When you drop a document into the website's fingerprint demo or the Vault app, your browser computes a SHA-256 fingerprint of the document locally, before any network call. Only the resulting 64-character fingerprint is transmitted — along with your timestamp and signature.
The demo literally shows that 0 bytes of file content are uploaded during the fingerprint compute. Your document, its filename (unless you opt to attach one), its contents, and any metadata never reach us.
2. What we collect
From contact and sign-up forms (ledgerproofhq.io)
- Name, email address, optional organization name, optional use-case or role.
- Your IP address at the moment of form submission, for fraud and abuse mitigation only.
- Browser user-agent string, to understand which devices and browsers our visitors use.
- Timestamp of submission.
From the fingerprint demo on the website
- Nothing. The demo runs entirely in your browser. We do not log demo activity, the files you drop, or the resulting fingerprints.
From the Vault app (app.ledgerproofhq.io)
- The account email used to sign in (email one-time code), and a second factor (TOTP) you set up.
- The cryptographic fingerprints, signatures, timestamps, and chain positions of receipts you issue.
- Optional metadata you attach to a receipt at issuance (e.g. a friendly label like "Q2 board minutes").
- An authentication session cookie if you choose "remember this device."
3. What we do not collect
- Your documents. Their content. Their text.
- Your filenames (unless you opt to attach one to the receipt).
- Tracking cookies. Third-party advertising cookies. Cross-site fingerprinting.
- Behavioral or marketing analytics from external trackers.
- Payment card data (we use Stripe; card data goes to Stripe directly, not to us).
4. Why we collect what we collect
- Contact data: to respond to you, operate your account, and (if you opt in) send product updates.
- IP address at submission: to detect duplicate or automated submissions and protect the service from abuse. Discarded after 90 days.
- Receipt fingerprints and chain entries: the cryptographic record that makes your receipts verifiable. This is the entire purpose of the Service.
- Account email and second factor: to authenticate you to your Vault and send account and security notices.
Legal bases (GDPR Art. 6). We process personal data to perform our contract with you (operating your account and the Service), for our legitimate interests (security, abuse prevention, and improving the Service), and — for optional product or marketing email — on the basis of your consent, which you can withdraw at any time.
5. Retention schedule
| Data | How long we keep it |
|---|---|
| Chain entries (fingerprints, signatures, anchors) | Indefinitely. Receipts work forever. |
| Contact / sign-up form data | 24 months, unless you become a customer (then for the life of the account). |
| Server access logs | 90 days. |
| IP address from form submission | 90 days. |
| Authentication sessions | 30 days from last activity. |
| Email delivery records (sent / opened) | 12 months. |
You can request deletion of your contact data at any time by emailing hello@ledgerproofhq.io; we purge within 30 days. Chain entries cannot be deleted (the chain is append-only by design), but they hold no document content — only salted commitments — and can be disassociated from your account on written request.
6. Sharing and third parties
We do not sell your data. We do not share it with marketers, data brokers, or social networks. The third parties we use to operate the Service are limited to:
- Cloudflare — DNS, CDN, TLS termination. Sees the fact and origin of requests, not document contents.
- Supabase — Database (Postgres) and authentication for the Vault app. Stores account rows and chain entries, encrypted at rest, with row-level security.
- Resend — Transactional email delivery (sign-in codes and account notices).
- Stripe — Payment processing for paid plans. You enter card data into Stripe's hosted forms; we never see it.
- Public chain — The public chain where the daily Merkle anchor root is published. The anchor is a small commitment; it does not contain your documents or your individual receipts.
International transfers. Some processors above are based in, or operate from, the United States. Where personal data is transferred outside the EEA or the UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum). EU data-residency options are available on the Enterprise and Government plans.
7. Your rights
If you are an EU/UK resident (GDPR / UK GDPR)
The Service is built for the EU market (it exists to help with EU AI Act Article 50). We honor your rights to access, rectification, erasure, restriction, portability, and objection. Email hello@ledgerproofhq.io; we respond within 30 days. You also have the right to lodge a complaint with your local data-protection supervisory authority. The data controller is LedgerProof Inc. (Delaware, USA); the LedgerProof Foundation owns the open protocol.
If you are a California resident (CCPA / CPRA)
- Right to know what personal information we collect (this notice).
- Right to access a copy of your personal information held by us.
- Right to correct inaccurate personal information.
- Right to delete, subject to the chain's append-only nature for receipts.
- Right to opt out of any sale or sharing — we do not sell or share, but the right is yours.
- Right to non-discrimination for exercising any of the above.
Exercise any of these by emailing hello@ledgerproofhq.io with the subject "Privacy request." We respond within 45 days.
8. Cookies and tracking
The marketing site (ledgerproofhq.io) sets no advertising cookies. The Vault app (app.ledgerproofhq.io) sets a single authentication session cookie if you choose "remember this device." We do not use Google Analytics, Meta Pixel, LinkedIn Insight, or any third-party advertising tracker.
9. Children
The Service is not directed at children under 16. If we learn that we have collected personal information from a child under 16, we will delete it.
10. Security
We use TLS for all transport. Account data is stored on Supabase Postgres with row-level security that prevents cross-account reads. Chain entries are signed with publisher keys. Anchor roots are published to the public chain for independent verification. See /.well-known/security.txt and email security@ledgerproofhq.io for vulnerability reports.
11. Email opt-out
You can opt out of product/marketing email at any time by replying STOP or emailing hello@ledgerproofhq.io. Transactional email (sign-in codes, security notices) is required for the Service to function and cannot be opted out of while you have an active account.
12. Changes to this notice
We will notify you of material changes by email at least seven days before they take effect. Non-material changes (clarifications, typo fixes) are posted here with the updated date.
13. Contact
Email: hello@ledgerproofhq.io
Security: security@ledgerproofhq.io
Privacy questions: include "Privacy" in your subject line.