Privacy Policy
Last updated: 16 May 2026
Template pending legal review
This document is an engineering-prepared template published for transparency. It has not yet been reviewed by external legal counsel and should not be relied on as legal advice. It will be superseded by a lawyer-reviewed version before the Service accepts paid customers. If you are evaluating Ledger for a regulated use case, please contact us at [email protected] and we will share the most current draft.
1. Introduction — Who We Are
Ledger ("the Service") is operated by Jumpstone Technology Inc. ("we", "us", "our"), a company incorporated in the Province of Ontario, Canada. We are the data controller for personal information you provide to the Service.
This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to the ledger.lk and ledgerpro.ai websites and the Ledger application.
2. Information We Collect
Account information
When you create an account we collect your name, email address, phone number, business name, country, and a hashed password. We need this to create your account and communicate with you.
Financial data you enter
The financial records you create in Ledger — transactions, invoices, receipts, customer and supplier records, chart of accounts, and bank feeds — are stored so we can provide the Service to you. We treat this data as confidential. We do not mine it for advertising, sell it, or use it to train machine learning models. Our staff only access this data if you explicitly request support that requires it, or in the rare case that we must investigate a security incident or comply with a lawful order.
Usage and device telemetry
We automatically record which pages you visit inside the app, which features you use, your device type, browser, approximate location derived from IP address, and the timestamps of requests. This helps us diagnose problems and improve the product.
Error logs
When something breaks, we capture a structured error report and send it to Sentry (our error-monitoring sub-processor). Error reports may include the URL you were on, the action you were taking, and a stack trace. We scrub these reports for obvious personal or financial data before they leave your browser, but you should assume that some contextual data may be included.
Cookies
We use a very small number of cookies, all of which are strictly necessary for the Service to function. See our Cookie Policy for the full list.
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service
- Authenticate you and keep your account secure
- Process payments and manage your subscription
- Send transactional messages (security alerts, billing notices, changes to our terms)
- Respond to your support requests
- Diagnose bugs and improve the product
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal, tax, and accounting obligations that apply to us or to you
We do not sell your personal information. We do not use your financial data for advertising, marketing, or model training.
4. Legal Basis for Processing
For users in jurisdictions that require a lawful basis for each processing activity (such as the EU/UK GDPR, and the Sri Lanka Personal Data Protection Act No. 9 of 2022), we rely on the following bases:
- Performance of a contract: most processing is required to deliver the Service under our Terms of Service (your contract with us).
- Legitimate interest: securing the Service, preventing fraud, debugging, and general product improvement, where that interest is not overridden by your rights.
- Consent: any optional marketing communications, and any non-essential cookies we may introduce in the future.
- Legal obligation: retaining financial and tax records, and responding to lawful requests from regulators or courts.
5. Data Sharing and Sub-Processors
We share your data only with the third-party service providers ("sub-processors") strictly necessary to run the Service. We do not share your data with advertisers, data brokers, or any party not listed below.
| Provider | Purpose | Data processed | Data location |
|---|---|---|---|
| Cloudflare | Hosting, CDN, Workers compute, D1 database, Durable Objects, R2 storage, KV, DDoS and bot protection | All customer financial data — accounts, invoices, transactions, contacts, documents | European Union (WEUR region). Primary storage is EU-resident; Cloudflare edge nodes serve reads globally from cache. |
| Stripe | Payment processing and subscription billing | Billing data only: name, email, billing address, payment method. Card numbers are handled directly by Stripe; we never see or store them. | United States (Stripe infrastructure). Covered by Stripe’s DPA and Standard Contractual Clauses. |
| SendGrid (Twilio) | Transactional email delivery (invoices, receipts, password resets, billing notices) | Email addresses, recipient names, and the content of transactional emails (e.g. invoice amounts and line items). Failed delivery records are purged after 30 days. | United States. Covered by Twilio’s DPA and Standard Contractual Clauses. |
| Sentry | Application error monitoring and crash reporting | Anonymized error reports: URL, action, stack trace, browser and device type. We scrub PII and financial values before sending. No names, email addresses, or monetary amounts are included. | United States. Covered by Sentry’s DPA and Standard Contractual Clauses. |
| Grafana Cloud | Infrastructure metrics and operational logs (latency, error rates, uptime) | Anonymized operational metrics only — request counts, latency percentiles, error rates. No customer identifiers, financial data, or PII are sent to Grafana. | United States. No personal data processed; metrics are aggregate and anonymized. |
| GitHub | Source code hosting and CI/CD pipeline | No customer data. Source code, build artifacts, and engineering issue tracking only. If you file a support ticket via GitHub, only the content you choose to include is stored there. | United States. No customer financial data is processed. |
All sub-processors that handle personal data maintain SOC 2 Type II certification or an equivalent independently audited security standard, and we have a Data Processing Agreement (DPA) in place with each. We maintain an up-to-date sub-processor register and will notify customers of material changes at least 30 days before they take effect.
6. Data Location and EU Residency
All customer financial data is stored in the European Union. Our primary database, object storage (R2), and Durable Objects are all provisioned in Cloudflare’s WEUR region (Western Europe). This is a hard architectural constraint — not a preference — chosen to satisfy GDPR Article 44, the Sri Lanka Personal Data Protection Act 2022, and Canada’s PIPEDA cross-border transfer requirements simultaneously.
Cloudflare’s edge network serves requests from data centres closest to your location, which means your HTTP requests may be received at a Cloudflare point of presence outside the EU. However, all durable writes — the records that constitute your financial data — are committed to WEUR storage only. Read replicas for performance may exist in other regions (e.g. North America, Asia-Pacific) but are read-only copies; no personal data is written outside the EU.
Cloudflare is SOC 2 Type II, ISO 27001, and ISO 27701 certified. We have a Data Processing Agreement with Cloudflare that includes Standard Contractual Clauses (SCCs) for transfers outside the EEA where applicable.
7. Data Retention
We retain your data according to the following schedule:
- Active account data: retained for as long as your account is active.
- Financial records (invoices, journal entries, tax filings): retained for 7 years after the relevant accounting period, to comply with accounting and tax record-keeping obligations in Sri Lanka, Canada, and other jurisdictions where we operate. This retention period satisfies Canadian Income Tax Act requirements (s.230), Sri Lanka Inland Revenue Act requirements, and aligns with standard international accounting practice.
- Soft-deleted records (documents or contacts you delete within the app): retained for 90 days in a soft-deleted state, recoverable on request. Permanently purged after 90 days.
- Email delivery records: failed delivery logs held by SendGrid are purged after 30 days. Successfully delivered emails are not stored by us beyond what is necessary to generate the email.
- Application and access logs: retained for 90 days for security monitoring and incident investigation, then automatically deleted.
- Deleted accounts: when you delete your account, data enters a 30-day grace period during which it can be restored on request. After 30 days, active records are purged; financial records we are legally required to retain are moved to a restricted archive for the 7-year retention period and then permanently deleted.
- Backups: encrypted backups age out on a rolling basis within 35 days.
8. Your Rights
Depending on where you live, you have some or all of the following rights over your personal information:
- Access (PIPEDA s.8; GDPR Art. 15; SL PDPA s.19) — ask for a copy of the personal data we hold about you. We will respond within 30 days of receiving your written request and will provide the information at no charge (or explain any reasons for refusing, as required by PIPEDA s.8(3)).
- Correct (PIPEDA s.8(7); GDPR Art. 16) — have inaccurate or incomplete personal information amended. Where we cannot make a correction, we will annotate your file to note your challenge.
- Delete (GDPR Art. 17; SL PDPA s.21) — have your data erased, subject to legal retention requirements (e.g. the 7-year financial record obligation).
- Export / portability (GDPR Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV).
- Object (GDPR Art. 21) — object to processing based on legitimate interest, including profiling.
- Withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — with a data protection authority (see below).
To exercise any of these rights, email [email protected]. We will verify your identity and respond within 30 days. Under PIPEDA, if we refuse a request, we will give you reasons in writing and tell you which provision of PIPEDA we are relying on.
Where to complain
If you believe we have mishandled your data, we would prefer you contact us first so we can put it right. You also have the right to lodge a complaint with the data protection authority for your country, including:
- Canada (PIPEDA): Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or the privacy commissioner of your province (e.g. Information and Privacy Commissioner of Ontario). Under PIPEDA, you must first contact us before complaining to the OPC, and we have 30 days to respond.
- Sri Lanka (PDPA 2022): the Data Protection Authority of Sri Lanka, established under the Personal Data Protection Act No. 9 of 2022.
- European Union / UK (GDPR): the supervisory authority in the EU member state where you live, work, or where the alleged infringement took place; or the UK Information Commissioner's Office (ICO).
- California, USA (CCPA/CPRA): California Privacy Protection Agency (CPPA).
9. Data Security
We protect your data with defence-in-depth controls:
- TLS 1.2+ for all data in transit, with HSTS enforced
- Encryption at rest on all Cloudflare storage primitives
- Tenant isolation at the database level (each firm's data lives in its own Durable Object)
- Hash-chained, append-only audit trail on every write
- Strict access controls and least-privilege access for Jumpstone staff
- Session revocation on password change and on suspicious activity
We are actively working toward SOC 2 Type II and ISO 27001 certification. Certification has not yet been achieved. See our Security page for the full, candid status.
10. Cross-Border Data Transfers
Jumpstone Technology Inc. is incorporated in Ontario, Canada. We operate a global service. This section explains how we handle cross-border transfers of personal data under each applicable privacy regime.
For Canadian users (PIPEDA)
Under PIPEDA Principle 4.1.3, organizations are accountable for personal information transferred to third parties for processing. Your financial data is stored in Cloudflare’s EU infrastructure (see Section 6). Cloudflare Inc. is a US-headquartered company; however, the data itself is stored and written exclusively in the European Union under our contractual arrangement.
Sub-processors such as Stripe, SendGrid, Sentry, and Grafana Cloud operate infrastructure in the United States. Where personal data is transferred to these processors, we rely on contractual protections (Data Processing Agreements) to require that they provide a comparable level of protection to PIPEDA Principle 4.1.3. The nature of the data transferred to each processor is limited and described in the sub-processor table in Section 5.
By using the Service, you acknowledge that your personal information may be transferred to and processed in countries outside Canada. We take contractual steps to ensure that personal information receives protection equivalent to PIPEDA wherever it is processed.
For EU/EEA users (GDPR Art. 44–46)
All primary storage of customer financial data is in the EU (Cloudflare WEUR region), so the main data store does not involve a transfer outside the EEA within the meaning of GDPR Article 44.
For ancillary processing by Stripe, SendGrid, Sentry, and Grafana Cloud (all US-based), we rely on Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c) as the transfer mechanism. We carry out Transfer Impact Assessments for these transfers and apply supplementary measures (data minimization, PII scrubbing, pseudonymization) where appropriate.
For Sri Lankan users (PDPA 2022)
Under the Sri Lanka Personal Data Protection Act No. 9 of 2022, personal data may only be transferred outside Sri Lanka if adequate protections are in place. We store all customer financial data in the European Union, which provides a comprehensive data protection framework (GDPR). Transfers to ancillary sub-processors in the United States are covered by contractual safeguards equivalent to those required by the PDPA.
11. PIPEDA-Specific Disclosures (Canadian Users)
This section fulfills disclosure requirements under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and its ten fair information principles.
Identity of the data controller
- Legal name: Jumpstone Technology Inc.
- Jurisdiction of incorporation: Province of Ontario, Canada
- Privacy contact: [email protected]
- Designated Privacy Officer: Ashwin B. Mohan (Data Protection Officer)
Purposes of data collection (PIPEDA Principle 2)
We collect personal information for the following identified purposes, disclosed at or before the time of collection:
- To create and maintain your account and authenticate your identity
- To provide the accounting and bookkeeping features of the Ledger Service
- To process subscription payments and manage your billing relationship with us
- To send transactional communications required for the operation of the Service (security alerts, billing notices, system notifications)
- To diagnose software errors, investigate security incidents, and improve the Service
- To comply with legal obligations applicable to us or to you (tax record retention, lawful court orders)
We do not use personal information for purposes beyond those listed above without obtaining fresh consent or as permitted by law. We do not collect personal information indiscriminately; collection is limited to what is reasonably necessary for the identified purposes (PIPEDA Principle 4).
Consent (PIPEDA Principle 3)
By creating an account and accepting our Terms of Service, you provide meaningful consent to the collection, use, and disclosure of your personal information for the purposes described above. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at [email protected]. Withdrawal of consent may mean we can no longer provide some or all of the Service.
Right to access and correct personal information (PIPEDA s.8)
Under PIPEDA s.8, you have the right to:
- Access — request, in writing, access to your personal information held by us. We will respond within 30 days of receiving your written request (or advise you if we need an extension, up to an additional 30 days as permitted by PIPEDA s.8(4)). We will provide the information at no charge unless the volume of information requested makes a nominal fee reasonable, in which case we will notify you in advance.
- Correction — challenge the accuracy or completeness of your personal information. Where we agree a correction is warranted, we will amend the information and, where appropriate, send the corrected information to third parties who received the original. Where we disagree, we will annotate your file to note your challenge (PIPEDA s.8(7)).
- Refusal reasons — if we refuse an access request, we will tell you in writing which provision of PIPEDA we are relying on and that you may complain to the Office of the Privacy Commissioner of Canada.
To submit an access or correction request: email [email protected] with subject line "PIPEDA Access Request" or "PIPEDA Correction Request". Include your full name, the email address associated with your account, and a description of the information you are requesting or the correction you are seeking.
How to submit a privacy complaint (PIPEDA s.11)
If you believe we have not complied with PIPEDA, you may:
- Contact us first — email [email protected]. We will acknowledge receipt within 5 business days and investigate within 30 days.
- Escalate to the OPC — if you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or by mail to 30 Victoria Street, Gatineau, Quebec K1A 1H3.
12. Cookies
We use a minimal set of strictly necessary cookies — no analytics, no advertising, no third-party tracking. Details are in our Cookie Policy. If we ever introduce non-essential cookies, we will gate them behind a consent mechanism before setting them.
13. Children's Privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has given us personal information, please contact [email protected] and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or by posting a notice inside the application at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
15. Data Protection Officer
We have designated a Data Protection Officer (DPO) responsible for overseeing our compliance with this Privacy Policy and applicable data protection law (including the EU/UK GDPR and the Sri Lanka Personal Data Protection Act No. 9 of 2022).
- Name: Ashwin B. Mohan
- Role: Data Protection Officer, Jumpstone Technology Inc.
- Contact: [email protected]
You may contact the DPO directly with any question about how we process your personal data, to exercise the rights described in Section 8, or to raise a concern before lodging a complaint with a supervisory authority. We aim to acknowledge enquiries within 5 working days and respond substantively within 30 days.
16. Contact Us
Questions about this Privacy Policy, or want to exercise a privacy right? Email [email protected].
For general support, use [email protected]. Our postal address: Jumpstone Technology Inc., Ontario, Canada (full registered address provided on request).