Privacy Policy
We only collect what the Service needs, store it in Canada whenever we can, and never sell it. Anything that isn't clear here: email legal@ledg.ca.
01 Overview
Ledg (“Ledg,” “we,” “us”) operates ledg.ca and app.ledg.ca from British Columbia, Canada. This Privacy Policy explains what personal information we collect, why we collect it, with whom we share it, how long we keep it, and the rights you have under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), the British Columbia Personal Information Protection Act (“BC PIPA”), and the Quebec Act respecting the protection of personal information in the private sector (the “Quebec Act,” as amended by Law 25).
Our Privacy Officer is reachable at legal@ledg.ca. Complaints may also be directed to the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner for British Columbia, or the Commission d'accès à l'information du Québec, as appropriate.
02 What we collect
- Account information: Email address, hashed password, display name, and profile data returned by Google when you sign in with Google.
- Business information you enter: Corporation name, optional website, province, fiscal year-end, transactions, categories, receipts you upload, GST/HST/PST configuration, and any other bookkeeping data you choose to record.
- Device and usage signals: IP address, user agent, device type, the pages you visit in the Service, actions you take, and approximate timing. Used to operate the Service, prevent abuse, and improve reliability.
- Communications: Messages you send to support, feedback you submit, and the records of notices we send you (account verification, receipts, security alerts).
03 Why we collect it
- To provide the Service, including authenticating you, storing your books, and displaying them back to you.
- To send transactional messages that the Service depends on (email verification, password reset, security alerts, receipts).
- To support you when you contact us.
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To improve the Service, using aggregated or anonymized signals that do not identify you.
- To comply with applicable law and respond to valid legal process.
We do not sell your personal information. We do not use your books to train public machine-learning models. We do not share your personal information with advertising networks.
04 Consent
By creating an account or using the Service, you consent to the collection, use, and disclosure of your personal information described in this policy. Where the law requires express consent for specific activities (for example, marketing communications under the Canadian Anti-Spam Legislation), we will ask for it separately.
You may withdraw consent for optional processing at any time. Some withdrawals (for example, withdrawing consent to store your books) will require us to close your account because the Service cannot function without that data.
05 Who we share with
We share personal information only with (a) service providers who help us run the Service under a written agreement, (b) competent authorities when required by valid legal process, and (c) an acquirer in the event of a merger or acquisition, in which case we will give you notice so you can exercise your rights before any transfer.
Our sub-processors
- Supabase - Authentication and primary database. Data stored in a Canadian region. Privacy policy.
- Vercel - Application hosting and global edge delivery. Privacy policy.
- Google - Google Sign-In, Gemini (used for optional receipt capture and Ledg AI vendor / category cleanup), and Google Drive (used only when you explicitly connect Drive in Settings - see the Google Drive integration section below). Privacy policy.
- Resend - Transactional email delivery (verification, receipts, notices). Privacy policy.
- Plaid - Bank-feed import. Only used when you explicitly link an account in Stage. See the dedicated Banking data section below. Privacy policy.
- Stripe - Subscription billing for paid plans. Privacy policy.
Our primary database is hosted by Supabase in a Canadian region. Some ancillary services (edge CDN, OAuth, email delivery, optional AI receipt capture, and Ledg AI vendor / category cleanup) may route limited data through infrastructure outside Canada, primarily in the United States. While outside Canada, information may be accessible to foreign authorities under applicable laws.
The complete list of sub-processors, including those that handle payments, banking-data import, source-code, and DNS, is published and kept current at /sub-processors.
06 Banking data (Plaid)
When you click Connect Bank in Stage, we open Plaid Link. You authenticate directly with your bank inside Plaid's widget; we never see your bank login. Plaid returns us a token that lets us pull transactions for the accounts you authorized. We store transactions, account names, masks, types, balances at the time of import, and the access token (server-side only). We do not request, receive, or store your bank password.
We use Plaid's Transactions product only. We do not use Plaid's Auth, Identity, Balance, Income, or Investments products.
Plaid's own collection, use, and disclosure of your data is governed by the Plaid End User Privacy Policy.
How to disconnect and delete bank data
- Open the Stage page.
- In the Connected banks list, click Disconnect on the institution you want to remove.
- Confirm the dialog.
On disconnect we (a) call Plaid's Item Remove endpoint so Plaid revokes its own access and stops sending us new transactions, (b) delete the bank-connection record and any transactions we imported but you never moved into the ledger, and (c) clear the access token on our side.
Transactions you already moved to the ledger remain. Once moved, they are bookkeeping records your corporation must keep for at least six years under section 230 of the federal Income Tax Act. You can edit or delete individual ledger entries at any time, but disconnecting your bank does not erase them automatically.
To request full deletion of your account and all associated data, including ledger entries (subject to legal retention obligations), email legal@ledg.ca.
07 Google Drive integration
Connecting Google Drive is optional. You can use every feature of Ledg without it; without it, the receipt-attach and minute-book features are disabled. When you click Connect Google Drive in Settings → Connections, we open Google's OAuth consent screen. You authenticate directly with Google; Ledg never sees your Google password.
We request only the following scopes:
- https://www.googleapis.com/auth/drive.file - the narrowest Drive scope. It lets Ledg create files, then read, update, and delete files that Ledg created. It does not grant access to any other files in your Drive, including files you created outside Ledg, files shared with you, or your folder structure outside what Ledg builds.
- openid email profile - so we can show you which Google account is connected on the Settings page.
The OAuth access token (short-lived, ~1 hour) and refresh token (long-lived) are stored encrypted at rest using AES-256-GCM. The encryption key is held in our infrastructure, separate from the database, so a database leak alone cannot decrypt the tokens.
When you attach a receipt or upload a minute-book document, Ledg uploads the file to your Drive into a folder named Ledg / <your corporation name> / Receipts / <Year> or Ledg / <your corporation name> / MinuteBook. Ledg stores only a pointer to the file (Google file id, original filename, MIME type, size, and upload timestamp) - the file content lives in your Drive, not on Ledg's servers.
Limited Use Disclosure
Specifically, Ledg uses Google Drive data only to:
- Upload receipts and minute-book documents that you explicitly attach in Ledg.
- Retrieve, update, or delete files that Ledg created at your direction.
- Display filenames and clickable links back to you inside the Ledg interface.
Ledg does not:
- Use Google Drive data for advertising or any third-party purpose.
- Transfer Google Drive data to third parties except as necessary for the operations above, and only with service providers under written confidentiality agreements.
- Allow humans to read your Drive data, except (i) with your explicit consent, (ii) for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) for internal operations and only after the data has been aggregated and anonymized.
- Use Google Drive data to develop, improve, or train generalized AI or ML models.
How to disconnect
- Open Settings → Connections in Ledg.
- Click Disconnect on the Google Drive row.
You can also revoke directly through Google:
- Visit myaccount.google.com/permissions.
- Find “ledg” in the list and click Remove access.
On disconnect, we (a) call Google's token-revocation endpoint to invalidate our refresh token, (b) mark the connection revoked in our database, and (c) leave any files we already uploaded in your Drive - they belong to you. Files you previously uploaded remain in your Drive even after you cancel Ledg or delete your Ledg account.
08 How long we keep it
We retain personal information for as long as your account is active. When you close your account, we delete your personal information within thirty (30) days, except where we are required to retain it to comply with legal obligations (for example, financial records, tax records under the Income Tax Act, or breach-log retention under PIPEDA) or to resolve disputes and enforce our agreements.
You are responsible for exporting any records you want to keep before closing your account. The Service includes an export feature for that purpose.
09 Security safeguards
We protect personal information using administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including encryption in transit (TLS) and at rest, row-level security in our database, password hashing, principled access controls, and audit logging. No system can guarantee perfect security. You can read more about our approach on the Security page.
10 Breach notification
Under PIPEDA section 10.1, we will notify you and the Office of the Privacy Commissioner of Canada of any breach of security safeguards that creates a real risk of significant harm. We maintain a log of breaches involving personal information under our control for at least 24 months, as required by law.
11 Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Request correction of information that is inaccurate or incomplete.
- Request deletion of your personal information, subject to legal retention obligations.
- Export your personal information in a portable format.
- Withdraw consent for optional processing.
- Object to processing in certain limited circumstances and make a complaint to the appropriate regulator.
To exercise any of these rights, email legal@ledg.ca. We will respond within thirty (30) days. We may ask you to verify your identity before acting on a request.
12 Quebec residents (Law 25)
Person in charge of personal information: our Privacy Officer, reachable at legal@ledg.ca.
Automated decision-making: the Service uses rules-based categorization, optional AI-assisted receipt capture, and Ledg AI vendor-name and category cleanup for transactions in Stage. These are recommendations. They do not make decisions that produce legal effects for you, and you confirm every commit to the ledger. If that ever changes, we will disclose it here and give you the right to ask that a human review the outcome.
Portability: you may request a copy of your personal information in a structured, commonly used technological format.
Complaint: you may lodge a complaint with the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
13 International users
The Service is directed at Canadian corporations and is hosted primarily in Canada. If you access the Service from outside Canada, you understand that your personal information will be transferred to, stored, and processed in Canada, which may have data-protection laws different from those in your country.
14 Children
The Service is not intended for individuals under the age of majority in their province or territory of residence. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it.
15 Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service at least fourteen (14) days before the changes take effect. The updated policy takes effect on the date listed at the top of this page.
16 Privacy contact
Privacy Officer, Ledg
Email: legal@ledg.ca
Vancouver, British Columbia, Canada
Questions about this policy?
Email legal@ledg.ca. A human reads every message.