Effective May 19, 2026 · v3.1

Your firm's data, your firm's data.

This is the long version. Plain English. Short enough to read in one sitting. If you'd rather have the engineering view, our Security page covers the same ground in technical terms.

TL;DR

We hold bank-line descriptions, your firm's categorization rules, and your QBO API tokens. We do not sell, share, broker, or train AI on any of it. We never see bank logins (Plaid handles those). The model sees bank lines + your policy memory, never balances or client PII. You can export or delete everything, self-serve, in Settings.

§ 01

What we collect.

Three buckets. Nothing else.

| Bucket | What's in it | Where it lives |
| --- | --- | --- |
| Account & firm (stuff you type into Settings) | Your name, email, firm name, role, billing contact, timezone, vertical preset. | Postgres · per-firm RLS · AES-256 at rest |
| Bookkeeping data (what arrives via Plaid + QBO) | Bank-line descriptions, amounts, dates, account types, vendor names, chart-of-accounts, your firm's rules, your overrides. | Postgres · per-firm RLS · per-firm column-level encryption for any client-identifying fields |
| Usage telemetry (how the app gets used) | Keystroke timings (the pace meter), feature toggles, error stacks, login timestamps. Never the bank-line text itself. | 30-day rolling window · aggregated for the 90-day status page |

We do not collect: bank passwords, ACH credentials, client SSNs, payroll details, document scans beyond what you forward to receipts@, your client's QBO admin password, or your browser history.

§ 02

How it's used.

Only to run the product you're paying for.

  • To categorize transactions — bank-line + vendor + your policy memory → categorization suggestion.
  • To match receipts — forwarded receipts get OCR'd by Veryfi, the extracted fields compared to your bank lines.
  • To remember your decisions — every override becomes part of your firm's policy memory for next time.
  • To bill you — your contact email gets the invoice. Stripe handles the card.
  • To answer your support ticket — only when you open one, and only the engineer you're talking to.

What we don't do

We do not train any AI model on your data. We do not sell it to data brokers, lead generators, or “analytics” partners. We do not retarget you on ad networks. The categorization model (Claude Sonnet) sees data per request, zero-retention, then never sees it again.

§ 03

Who sees it.

Two groups. That's it.

Subprocessors (vendors who run parts of the product)

Each one has a DPA. Each one has a defined, narrow purpose. The full current list with addresses and data scope is at Security → Subprocessors — we update it at least 30 days before changing.

Ledger staff (small team)

Production database access is restricted to four named people, gated behind hardware-key SSO, audit-logged on every query, and requires a ticket reference. No one at Ledger can read your books “to check something” without a documented support request from you. If a court ever orders production access, we will notify you within 24 hours unless legally prohibited.

§ 04

What the AI sees.

We use Anthropic's Claude Sonnet for categorization, under a zero-retention business agreement. What gets sent per request:

  • The bank-line description (e.g. HOME DEPOT 1947)
  • The amount and date
  • Your firm's vertical preset (e.g. construction)
  • The 10 most-relevant past categorizations for that vendor, from your firm's policy memory
  • Your chart-of-accounts (account names only)

What's never sent: account balances, client owner names beyond what's in the QBO company file name, payroll details, receipt image content (OCR happens at Veryfi, not Anthropic), or anything from books you haven't explicitly linked.

We log every prompt and completion for 14 days, internally only, for debugging. After 14 days, the logs are aggregated to category-level counts and the raw text is deleted.

§ 05

How long we keep it.

| Data | Retention | On firm deletion |
| --- | --- | --- |
| Account & firm data | For the life of the firm + 30 days | Hard-deleted within 7 days |
| Bookkeeping data | For the life of the firm | Hard-deleted within 7 days; encrypted backups expire on their own cycle (max 1 year on Team) |
| Telemetry | 30-day rolling | Already gone |
| AI prompt/completion logs | 14 days, then aggregated | Aggregates don't identify any firm |
| Support ticket history | 3 years | Anonymized on firm deletion |
| Billing / invoices | 7 years (US tax requirement) | Retained anonymized |

§ 06

Your rights.

Under GDPR, CCPA, and just generally, you have these and we honor them within 30 days, self-serve where possible:

  • Export — Settings → Danger zone → Export all firm data. JSON + CSV bundle, signed, delivered to your account email.
  • Delete — Settings → Danger zone → Delete firm. Hard-deletes within 7 days, irreversibly.
  • Correct — most fields are self-edit. For anything you can't edit, email privacy@ledgerinbox.com.
  • Object — to specific processing. Email us, we'll either fix it or tell you why we can't.
  • Portability — your export is in formats every other bookkeeping tool can read.
  • Lodge a complaint — with your local data protection authority. We won't retaliate, full stop.

§ 07

Kids.

Ledger is for licensed bookkeepers and accountants running a firm. We don't expect minors to use it. We don't knowingly collect data on anyone under 16. If you believe we have, email privacy@ledgerinbox.com and we'll delete on confirmation.

§ 08

When this changes.

Every meaningful change is announced 30 days in advance via the email on your account and in our changelog. The footer date at the bottom of this page always reflects the current effective version. Past versions live at ledgerinbox.com/privacy/archive.

§ 09

Reach a human.

For privacy questions, data requests, or anything that doesn't fit in support:

Privacy v3.1 · effective May 19, 2026 · supersedes v3.0 (Feb 14, 2026)