Privacy Policy
Last updated: June 4, 2026
LedgerBeaver, Inc. ("LedgerBeaver," "we," "us," or "our") built the LedgerBeaver platform to help small and medium-sized businesses automate their financial operations. We take your privacy — and the privacy of your financial data — seriously. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.
This policy applies to all users of the LedgerBeaver Service, including visitors to our marketing website (ledgerbeaver.com) and customers using the web application at app.ledgerbeaver.com.
1. What We Collect
We collect information you provide directly, information generated through your use of the Service, and limited information from third-party integrations. Here's what that breaks down into:
| Category | What we collect | Example |
|---|---|---|
| Account Information | Identity and contact data needed to create and maintain your account | Name, email address, company name, profile photo (optional) |
| Billing Information | Payment details processed through Stripe | Payment method, billing address, last four digits of payment card |
| Financial Data | Data you upload or your agents generate through the platform | Invoices, purchase orders, vendor names and addresses, bank account last-4 digits, chart of accounts, journal entries, payment records |
| Integration Data | Data synced from third-party services you connect | QuickBooks/Xero chart of accounts, Plaid-linked account metadata, Stripe payment history |
| Usage Data | Automatically collected information about how you interact with the Service | Pages visited, features used, API calls made, MCP tool invocations, browser type, device information |
| Agent Activity Data | Records of AI agent interactions with the platform | MCP tool calls, extracted fields, match results, approval requests, agent-generated communications |
2. How We Collect Information
- Directly from you: When you sign up, configure your account, upload documents, connect integrations, or contact support.
- Automatically: Through server logs, API call tracking, and minimal analytics as you use the Service. We use Sentry for error monitoring and application performance data.
- From third-party integrations: When you connect services like QuickBooks, Xero, Plaid, or Stripe, we receive data through their APIs as authorized by you.
- From your AI agents: When your MCP-connected agents make tool calls to our API, we log those calls and their results.
3. How We Use Your Data
We use your data for the following purposes, and only these purposes:
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the Service | All categories | Contractual necessity — to deliver the finance automation platform you subscribed to |
| Billing and payments | Account info, billing info | Contractual necessity — to process your subscription payments via Stripe |
| Customer support | Account info, usage data | Legitimate interest — to help you when you reach out |
| Service improvement | Usage data (aggregated, anonymized) | Legitimate interest — to understand feature usage and improve the product |
| Security and abuse prevention | Usage data, agent activity data | Legitimate interest — to detect and prevent fraud, unauthorized access, and misuse |
| Legal compliance | As required by applicable law | Legal obligation — e.g., tax record keeping, responding to valid legal process |
| Product communications | Account info | Consent or legitimate interest — service announcements, feature updates, billing notices |
What we DO NOT do with your data:
- We do not sell your data — to anyone, ever
- We do not use your financial data to train AI models
- We do not use your data for targeted advertising
- We do not access your data for any reason other than providing and improving the Service, investigating support issues with your permission, or complying with legal obligations
4. Data Sharing and Third-Party Processors
We share data only with the service providers necessary to operate the platform, and only to the extent required. Here are our key sub-processors:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All Customer Data (encrypted at rest) | US (us-east-1) |
| Stripe | Payment processing and subscription management | Billing info, account email | US / Global |
| Railway | Application hosting and compute | Processed in transit only (no persistent storage) | US |
| Cloudflare | CDN, DDoS protection, DNS | Network traffic metadata | Global edge network |
| Sentry | Error tracking and performance monitoring | Usage data, error traces (no financial data) | US / EU |
| Resend | Transactional email delivery | Email address, email content | US |
We also share data at your direction when you:
- Connect integrations (e.g., QuickBooks, Xero, Plaid) — data flows through our Service to those providers as you configure
- Grant AI agents access via MCP tokens — your agents can read and write data as scoped by the permissions you set
- Use the vendor portal — vendors you invite can see invoices and payment status related to their relationship with you
We may also disclose data if required by law, court order, or valid legal process, or to protect our rights, property, or safety, and that of our users. We will notify you before such disclosure unless prohibited by law.
5. Data Retention and Deletion
5.1 Active Accounts
We retain your Customer Data for as long as your account is active and for 30 days after termination or cancellation. During those 30 days, you may request a full export of your data by contacting support@ledgerbeaver.com.
5.2 After Account Deletion
After the 30-day post-termination window, we permanently delete your Customer Data from our active systems. We may retain certain records (transaction logs, payment records) as required by applicable law (e.g., tax regulations requiring 7-year retention) or to resolve disputes and enforce our agreements. Any retained records are stored with the same security controls as active data.
5.3 Backups
Data in our backup systems is purged within 90 days of account deletion as part of our regular backup rotation.
6. Security
We protect your data with industry-standard technical and organizational measures:
- Encryption at rest: All Customer Data stored in Supabase is encrypted using AES-256. Database backups are also encrypted.
- Encryption in transit: All communication between your browser, our servers, and third-party APIs uses TLS 1.3 (minimum TLS 1.2).
- Access controls: Strict role-based access — only essential engineering personnel have production access, and all access is logged and audited. MCP tokens are scoped per-tool; you control what your agents can access.
- Infrastructure: Hosted on Cloudflare (edge security, WAF, DDoS mitigation), Railway (isolated containerized compute), and Supabase (managed PostgreSQL with row-level security).
- SOC 2: We are actively pursuing SOC 2 Type I certification. An independent audit is in progress; we will publish our report when complete. Until then, this policy describes our current security posture.
- Payment security: We never handle raw credit card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 Service Provider. We only store the last four digits and expiration date for account reference.
If you believe you've discovered a security vulnerability, please email security@ledgerbeaver.com. We participate in coordinated disclosure and will respond promptly.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Ask us to fix inaccurate or incomplete data |
| Deletion | Request that we delete your personal data (subject to legal retention requirements) |
| Portability | Receive your data in a structured, machine-readable format and transfer it elsewhere |
| Restriction | Ask us to limit how we process your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Non-discrimination | We will not discriminate against you for exercising any of these rights |
To exercise any of these rights, email privacy@ledgerbeaver.com. We will verify your identity before processing your request and respond within 30 days (or 45 days for complex requests, with notice).
CCPA Notice (California Residents): Under the California Consumer Privacy Act, as amended by the CPRA, California residents have the rights listed above. The categories of personal information we collect are described in Section 1. We do not sell personal information as defined by the CCPA. To exercise your CCPA rights, contact privacy@ledgerbeaver.com or call (302) 555-0199.
GDPR Notice (EEA and UK Residents): If you are located in the European Economic Area or the United Kingdom, the legal bases for our processing are set out in Section 3. LedgerBeaver, Inc. is the data controller for personal data collected through the Service. Our headquarters in Delaware, USA serves as our main establishment. For GDPR inquiries, contact privacy@ledgerbeaver.com. You also have the right to lodge a complaint with your local data protection authority.
Data Processing Agreement (DPA): For customers who require a DPA (e.g., for GDPR compliance), we offer a standard DPA upon request for paid plans. Contact privacy@ledgerbeaver.com to request one.
8. Cookies and Tracking
LedgerBeaver's web application uses minimal cookies:
- Essential cookies: Authentication tokens for session management — required for the Service to function. These are first-party cookies set by Supabase Auth.
- Preference cookies: Theme preference (light/dark mode) stored in your browser's localStorage.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking services on the application. Our marketing website may use Cloudflare Web Analytics (privacy-first, no cookies) for aggregated page-view counts.
9. International Data Transfers
LedgerBeaver is based in the United States and processes data primarily on US-based infrastructure. If you are located outside the US, your data will be transferred to and processed in the United States. We take appropriate safeguards to ensure your data remains protected, including:
- Standard Contractual Clauses (SCCs) where applicable
- Data Processing Agreements with all sub-processors
- Encryption at rest and in transit for all data regardless of location
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that a child under 18 has provided us with personal data, we will delete it promptly. If you believe a child has provided us with data, please contact privacy@ledgerbeaver.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you via email and/or in-app notice at least 30 days in advance. The "Last updated" date at the top of this page indicates when the current version took effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
We're here to help. For privacy-related questions, requests, or concerns:
- Email: privacy@ledgerbeaver.com
- Security: security@ledgerbeaver.com
- Support: support@ledgerbeaver.com
- Mail: LedgerBeaver, Inc., 251 Little Falls Drive, Wilmington, DE 19808
If you have a privacy complaint that we haven't resolved to your satisfaction, you may contact your local data protection authority.
This Privacy Policy is effective as of June 4, 2026, and supersedes all prior versions.