Privacy Policy
How LedgerLog collects, uses and protects your data.
Effective Date: June 8, 2026 Last Updated: June 8, 2026
Introduction
This Privacy Policy explains how POCKET IMPLEMENTATION S.R.L., a limited liability company organized under the laws of Romania, with its place of business in Bucharest, Romania ("Company", "we", "us", or "our"), collects, uses, discloses, and protects personal data when you use the LedgerLog mobile application for iOS and Android and related services (the "App").
LedgerLog is a cloud-based bookkeeping application. To provide it, we store your account information and the financial documents and data you choose to upload or enter, and we process some of that data using trusted third-party providers. We are committed to protecting your privacy and to complying with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other US state privacy laws, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
If you do not agree with this Privacy Policy, please do not use the App. If you have questions, contact us at contact@pocketimplementation.com.
1. Data Controller
POCKET IMPLEMENTATION S.R.L., Bucharest, Romania, is the data controller responsible for the personal data processed as described in this Privacy Policy. For Shared Accounts, please also see Section 8 regarding shared responsibility. You can reach us at contact@pocketimplementation.com.
2. Information We Collect
2.1 Account and Profile Data
When you register and set up the App, we collect:
- Your name and email address;
- Your password, stored only as a salted cryptographic hash (using PBKDF2), or, if you sign in with Google or Apple, the identifier and limited profile information those providers share with us;
- Email-verification status and account creation date; and
- Business profile information you provide, such as company name, company type, tax or business registration identifier, primary currency, an optional accountant email, and an estimate of your invoice volume.
2.2 Financial Documents and Data
The core of the Service. We collect and store:
- Bank statements and invoices or receipts you upload, import, or forward (for example, PDF, image, CSV, or spreadsheet files);
- Information extracted from those documents or entered by you, including transaction dates, amounts, currencies, counterparties (merchant or payer names), transaction types, balances, foreign-exchange information, reference numbers, invoice fields, and assigned categories;
- Reconciliation and matching records between transactions and invoices;
- Merchant aliases, custom expense categories, and similar organizational data; and
- Reports and exports you generate.
2.3 Email-Ingestion Data
If you use the email-ingestion feature, documents you forward to your dedicated ingestion address (at inbox.getledgerlog.com) are received and processed so the attached invoices can be added to your Account. The raw email and related metadata (such as sender, subject, and timestamp) may be retained briefly to enable processing and troubleshooting, then deleted.
2.4 Team-Access Data
If you use Team Access, we process data about memberships, roles (Owner, Editor, Viewer), invitations (including invitee email addresses), data-access windows, and activity logs that record who created, edited, or deleted records and when, including attribution of uploaded documents to the Team Member who uploaded them.
2.5 Device and Technical Data
When you use the App, we automatically collect:
- Device model and operating system, app version and build;
- IP address and approximate (for example, country-level) location derived from it, and device time zone;
- Usage and interaction events processed through our analytics tooling; and
- Error and crash diagnostics. Our Firebase Analytics integration is configured not to collect the device advertising identifier.
2.6 Subscription and Payment Data
If you purchase a Subscription, we receive subscription status and entitlement information through RevenueCat and the Apple App Store or Google Play Store. Actual payment-card processing is handled by the app stores; we do not receive or store your payment-card details.
2.7 Advertising and Attribution Data
We plan to measure how users discover the App using the Meta (Facebook) SDK, the TikTok Business SDK, and Apple's SKAdNetwork. Where these are enabled, and subject to your consent choices described in Section 15, the following may be collected: the Identifier for Advertisers (IDFA, on iOS, only if you grant permission through Apple's App Tracking Transparency prompt), the Identifier for Vendors (IDFV), the Google Advertising ID (on Android), anonymous per-device identifiers generated by the Meta and TikTok SDKs, and campaign and network attribution data. The Meta anonymous device identifier may be forwarded to RevenueCat as the fbAnonId subscriber attribute so that server-side purchase events can be attributed to the correct campaign without relying on the IDFA. Until these SDKs are enabled in the App, no such data is collected. SKAdNetwork conversion events are processed on-device by Apple's privacy-preserving framework, and only aggregated, anonymized data is shared with participating ad networks.
2.8 Communications and Support Data
When you contact us or we contact you, we process the contents of those communications and related metadata to respond and keep records.
3. How We Use Your Information
We use the information described above to:
- Provide, operate, and maintain the App and your Account;
- Extract information from your documents and generate reconciliations, categories, reports, and exports;
- Enable Team Access and shared collaboration;
- Manage Subscriptions and verify entitlements;
- Send service-related notifications and respond to your requests;
- Analyze usage and diagnose and fix errors and crashes to improve performance and reliability;
- Maintain the security of the Service, prevent and detect fraud and abuse, and protect our and others' rights;
- Measure advertising effectiveness and understand acquisition channels (as and when attribution is enabled); and
- Comply with legal obligations and respond to lawful requests.
4. AI Processing of Your Documents
To provide automated data extraction, the contents of the bank statements and invoices you submit are transmitted to and processed by our AI provider, OpenAI, through its application programming interface, solely to extract and structure the information for your Account. Your documents are not used by us to train AI models, and OpenAI states that data submitted through its API is not used to train its models by default; OpenAI applies limited retention for abuse monitoring under its terms. Extraction results are suggestions that you must review and verify. OpenAI's privacy policy is available at https://openai.com/policies/privacy-policy.
5. Legal Bases for Processing (GDPR)
For users in the EEA, the UK, and Switzerland, we rely on the following legal bases:
- Performance of a contract (Article 6(1)(b)): creating and maintaining your Account; storing and processing your documents and data; performing AI extraction, reconciliation, reporting, and Team Access; and managing Subscriptions.
- Legitimate interests (Article 6(1)(f)): analytics and crash reporting to improve and secure the Service, fraud and abuse prevention, operational logging, and advertising attribution. We have assessed that these interests are not overridden by your rights, and you may object as described in Section 12.
- Consent (Article 6(1)(a)): collection of the IDFA via App Tracking Transparency, push notifications, and any optional information you choose to provide. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): retaining certain records to meet accounting, tax, and other legal requirements, and responding to lawful requests.
We do not rely on "consent by continued use." Each processing activity has a specific legal basis as described above.
6. How We Share Information
We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We disclose personal data only as described below.
Service providers and sub-processors, who process data on our behalf under appropriate agreements:
- OpenAI (United States) - AI extraction of your documents. https://openai.com/policies/privacy-policy
- RevenueCat (United States) - subscription management and entitlements. https://www.revenuecat.com/privacy
- Google / Firebase (United States) - analytics, crash reporting, and push delivery (Firebase Cloud Messaging). https://firebase.google.com/support/privacy
- Apple - push delivery (APNs) and App Store payments. https://www.apple.com/legal/privacy
- Meta (United States) and TikTok (United States and Singapore) - advertising attribution, as and when enabled. https://www.facebook.com/policy.php and https://www.tiktok.com/legal/page/row/privacy-policy/en
- Cloud object storage and database hosting providers - to store your documents and records.
- Email/SMTP provider and exchange-rate data provider - to deliver email and convert currencies.
Team Members: within a Shared Account, your data and the documents you upload are visible to other Team Members according to their roles and access windows (see Section 8).
Legal and protection: we may disclose information where required by law or legal process, to respond to lawful requests, or to protect the rights, property, or safety of the Company, our users, or others.
Business transfers: if we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Privacy Policy.
7. International Data Transfers
We process and store personal data in both the European Union and the United States, and some of our sub-processors operate in the United States and Singapore. Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK and Swiss addenda where applicable) and, where a recipient is certified, the EU-US Data Privacy Framework. We implement these safeguards in accordance with Chapter V of the GDPR. To request more information about our transfer safeguards, contact contact@pocketimplementation.com.
8. Team Access and Shared Responsibility
When you use Team Access, the Owner of a Shared Account decides who is invited, what role and data-access window each Team Member has, and the purposes for which the shared Financial Data is used within that Account. Within a Shared Account, Team Members can view, and depending on their role contribute to, the shared documents and records, and activity is logged for audit purposes. If you are invited to a Shared Account, the Owner of that Account is responsible for how your data and the data you contribute are used within it. We process shared data to provide the collaboration features and on the instructions of the Owner.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy:
- Account and profile data: for the life of your Account, and for a limited period afterward where needed to comply with legal obligations or resolve disputes;
- Financial documents and records: until you delete them or close your Account; because these records may be relevant to accounting and tax obligations, we (or you, as the controller of your own records) may need to retain certain financial data for the period required by applicable law (commonly up to seven years);
- Email-ingestion data: for a short period to enable processing and troubleshooting, then deleted;
- Analytics and crash data: in accordance with our analytics provider's retention settings; and
- Security and operational logs: for as long as needed for security and operational purposes.
When you delete a document or your Account, deletion is processed as described in Section 13.
10. Data Security
We implement technical and organizational measures appropriate to the sensitivity of the data, including encryption of data in transit using TLS, encryption at rest, access controls on a need-to-know basis, passwords stored only as salted hashes (PBKDF2), and time-limited (presigned) access to stored documents. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials and device secure (see the Terms and Conditions).
11. Children's Privacy
The App is intended for professionals and businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18 years of age. If we learn that we have collected personal data from a person under 18, we will take steps to delete it. If you believe a minor has provided us personal data, contact contact@pocketimplementation.com.
12. Your Rights
How to exercise any of the rights below, see Section 12.6.
12.1 EEA (GDPR)
You have the rights to access, rectification, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests, as well as the right to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your supervisory authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP), https://www.dataprotection.ro. We do not carry out automated decision-making that produces legal or similarly significant effects on you.
12.2 United Kingdom and Switzerland
You have rights equivalent to those above under the UK GDPR and the Swiss FADP, and you may complain to the UK Information Commissioner's Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
12.3 California (CCPA/CPRA)
California residents have the rights to know what personal information we collect and how we use and disclose it, to request deletion, to request correction, to opt out of the sale or sharing of personal information (we do neither), and not to be discriminated against for exercising these rights.
- Categories of personal information collected: identifiers (such as name, email, device identifiers, IP address); commercial information (subscription status); internet or other electronic network activity (usage and diagnostic data); geolocation (approximate, from IP); professional or business information; and the financial documents and data you provide.
- Sources: directly from you, automatically from your device, and from service providers and (where attribution is enabled) advertising partners.
- Purposes: as described in Section 3.
12.4 Other US States
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have rights to access, delete, correct, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, and certain profiling, together with the right to appeal a decision on a request.
12.5 Canada (PIPEDA)
If you are in Canada, you have the right to access and request correction of your personal information and to withdraw consent (subject to legal or contractual restrictions). You may complain to the Office of the Privacy Commissioner of Canada (OPC). We are accountable for personal information under our control, including information processed by our service providers.
12.6 How to Exercise Your Rights
You can manage much of your data directly in the App, including editing your profile, deleting documents, and deleting your Account. To make any other request, email contact@pocketimplementation.com. We may need to verify your identity before acting on a request. We aim to respond within the time required by applicable law (generally within 30 days, extendable for complex requests, with notice).
13. Account Deletion and Erasure
You can delete your Account from within the App. Deletion runs a cascade that removes the Accounts you own, the documents stored for those Accounts in our object storage, and the associated records in our database (including transactions, invoices, statements, reconciliations, categories, reports, device tokens, and activity logs), as well as your memberships and any invitations you sent or that were addressed to your email. Team Members of any Shared Account you owned lose access, and affected members may be notified. We send a confirmation to your email when deletion completes. We may retain limited information where required to meet legal obligations or resolve disputes, after which it is deleted.
14. Cookies, Do Not Track, and Global Privacy Control
The App is a mobile application and does not use cross-site advertising cookies. Because there is no common industry standard for "Do Not Track" signals on mobile applications, we do not respond to them; you can control tracking using the platform mechanisms described in Section 15. Where required by applicable law, we honor recognized opt-out preference signals such as Global Privacy Control.
15. Advertising and Tracking Technologies
Where advertising attribution is enabled (see Section 2.7), you can control it as follows:
- iOS: when prompted, you may allow or deny tracking through Apple's App Tracking Transparency framework, and you can change your choice at any time in Settings, Privacy and Security, Tracking. If you deny tracking, the IDFA is not collected.
- Android: you can reset your advertising identifier or opt out of personalized advertising in your device settings.
- SKAdNetwork processes conversion data on-device; no personal data is shared with ad networks through it. The Meta and TikTok SDKs honor your App Tracking Transparency choice on iOS and your advertising-identifier setting on Android. For residents of US states with applicable privacy laws, TikTok offers a "Limited Data Use" mode; to request that it be applied, contact contact@pocketimplementation.com.
16. Third-Party Links and Services
The App may link to or rely on third-party services. We are not responsible for the privacy practices of third parties, and their own privacy policies govern the information they collect. Please review those policies.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will indicate changes by updating the "Last Updated" date above, and for material changes we will make reasonable efforts to notify you through the App or by other appropriate means. Your continued use of the App after changes become effective constitutes acceptance of the updated Privacy Policy.
18. Contact Us
For privacy questions, data-subject requests, or complaints, contact:
POCKET IMPLEMENTATION S.R.L. Bucharest, Romania Email: contact@pocketimplementation.com