Privacy Policy

Last updated: April 22, 2026

LedgerAI ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our Service.

1. Information We Collect

We collect the following types of information:

Account information: Name, email address, and subscription plan when you sign up.
QuickBooks data: Financial transactions, accounts, and company information accessed via the QuickBooks Online API, solely to provide the Service.
Bank statement data: Transaction data from bank statement files you upload.
Usage data: Information about how you use the Service, including pages visited and features used.
Payment information: Processed securely by Stripe. We do not store credit card numbers.

2. How We Use Your Information

We use your information to:

Provide, operate, and improve the Service
Categorize your financial transactions using AI
Generate financial reports and audit summaries
Send you transaction emails and service updates
Respond to support requests
Comply with legal obligations

3. QuickBooks Data

We access your QuickBooks data under the permissions you grant via OAuth. We use this data only to provide the bookkeeping features of the Service. We do not share your QuickBooks data with third parties except as necessary to operate the Service (e.g., sending data to AI models for categorization). We do not use your financial data for advertising or sell it to data brokers.

4. AI Processing

Transaction descriptions and amounts are sent to Anthropic's Claude AI API for categorization. This data is processed in accordance with Anthropic's data use policies. We use Claude only for transaction categorization and do not retain conversation history beyond what is necessary for the current session.

5. Data Sharing

We share your data only with the following subprocessors, and only as needed to operate the Service:

Intuit: To access your QuickBooks data via their API.
Anthropic: To categorize transactions using Claude AI.
Stripe: To process payments.
Resend: To send transactional and account-related email (magic-link sign-in links, report-ready notifications, account emails). Your name and email address are shared with Resend for delivery.
Railway: Our hosting infrastructure and managed Postgres database provider.

We do not sell your personal data to any third parties.

6. Data Security

We use industry-standard security measures including HTTPS (TLS 1.2+) for data in transit, managed PostgreSQL storage with volume-level encryption provided by our hosting infrastructure, and access controls restricting production data to authorized personnel. Application-layer encryption of individual sensitive fields (such as OAuth tokens) is not currently applied beyond what our database infrastructure provides. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your account data for as long as your account is active. Generated reports are stored for 90 days. Upon account termination, we delete your personal data within 30 days, except where required by law.

8. International Data Transfers

LedgerAI and all of its subprocessors operate primarily in the United States. If you access the Service from outside the United States, your personal data will be transferred to, stored in, and processed in the United States, which may have data protection laws that differ from those in your jurisdiction.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the following legal mechanisms:

Standard Contractual Clauses (SCCs) where our subprocessors offer them. Intuit, Anthropic, Stripe, Resend, and Railway each publish their own SCC-based data processing terms, which govern transfers of your data via those subprocessors.
Your explicit consent to use the Service, which constitutes a transfer necessary for the performance of the contract between you and LedgerAI.

We do not currently participate in the EU-US Data Privacy Framework. If you are uncomfortable with transfers to the United States, do not create an account.

9. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases (GDPR Article 6):

Contract (Art. 6(1)(b)): processing is necessary to provide the bookkeeping Service you have signed up for — this covers account creation, QuickBooks data access, AI categorization, report generation, and delivery of transactional emails.
Legitimate interests (Art. 6(1)(f)): to secure the Service against fraud and abuse, to maintain service logs for debugging, and to improve features. Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights.
Legal obligation (Art. 6(1)(c)): to comply with applicable laws, respond to lawful requests, and retain records where required by tax or accounting law.
Consent (Art. 6(1)(a)): for any processing outside the above — for example, marketing emails if and when we offer them. You can withdraw consent at any time without affecting prior processing.

We do not make automated decisions that produce legal or similarly significant effects about you. AI categorization is a suggestion that you remain free to override; it does not by itself determine any legal obligation.

10. Your Rights (GDPR — EEA / UK / Switzerland Residents)

If GDPR or equivalent UK/Swiss law applies to you, you have the following rights with respect to your personal data:

Right of access (Art. 15): obtain confirmation that we process your data, a copy of that data, and information about how it is processed.
Right to rectification (Art. 16): have inaccurate personal data corrected and incomplete data completed.
Right to erasure / "right to be forgotten" (Art. 17): have your personal data deleted where one of the grounds in Art. 17 applies.
Right to restriction of processing (Art. 18): require that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing.
Right to withdraw consent: where processing is based on consent, withdraw that consent at any time.
Right to lodge a complaint: complain to your local data protection supervisory authority. A list is maintained at edpb.europa.eu. For UK residents, the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within 30 days and will not charge a fee for reasonable requests. We may need to verify your identity before acting on a request.

We do not currently maintain a Data Protection Officer or an EU representative. If you believe our processing of your data causes you harm and you cannot resolve the issue directly with us, you may escalate to your local supervisory authority.

11. Your Rights (CCPA — California Residents)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the following rights:

Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties we share it with.
Right to delete: request that we delete personal information we have collected from you, subject to exceptions in CCPA §1798.105(d) (for example, data we are required to retain for tax or security purposes).
Right to correct: request correction of inaccurate personal information we maintain about you.
Right to opt out of sale or sharing: direct a business not to sell or share your personal information to third parties. (See the next section.)
Right to limit use of sensitive personal information: direct a business to limit its use of sensitive personal information.
Right to non-discrimination: we will not discriminate against you for exercising any CCPA right. You will receive the same Service, price, and quality.

To exercise these rights, email [email protected] with the subject line "CCPA Request". We will respond within 45 days (extendable by a further 45 days if necessary, with notice). We may need to verify your identity before acting.

You may designate an authorized agent to make a request on your behalf. The agent must provide written permission from you and we may require you to verify your identity directly with us.

12. Do Not Sell or Share My Personal Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA. We also do not operate any advertising network, do not use third-party advertising cookies, and do not disclose your data to data brokers.

Because we do not sell or share personal information for targeted advertising, there is no "sale" or "sharing" for you to opt out of. Nevertheless, if you would like written confirmation of this status, email [email protected] with the subject line "Do Not Sell / Share Confirmation" and we will reply in writing.

We do not knowingly sell or share the personal information of consumers under 16 years of age.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, and in any case within 72 hours of becoming aware of the breach where feasible, consistent with GDPR Article 33-34 and applicable state data breach notification laws.

14. Cookies

We use a single session cookie (ledgerai_session) to keep you logged in, and an equivalent admin cookie for administrative access. We do not use advertising, analytics, or tracking cookies. We do not embed third-party pixels or trackers on the authenticated Service.

15. Children's Privacy

Our Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email, and the "Last updated" date at the top of this page will reflect the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact

For privacy questions, rights requests, or any other concern covered by this policy, contact us at [email protected]. Please include your account email so we can verify the request, and allow us up to 30 days (GDPR) or 45 days (CCPA) to respond.

This Privacy Policy is provided for informational purposes and is not legal advice. Nothing in this policy creates any contractual or other legal right enforceable against LedgerAI other than the rights specifically granted under applicable data protection law.