Privacy Policy
The short version: Ledgester is a zero-knowledge app. Your invoices, customers, quotations, drafts, GSTINs and line items are encrypted in your browser with a key derived from your vault password. We cannot read this data: not on our servers, not in our logs, not under court order. Our database holds only your account identity (your Google email and name if you sign in with Google, or the phone number you sign in with) and your billing plan. None of your business data ever reaches our servers. If you connect Google Drive, the encrypted blob is stored in your own Google account, which we also cannot read.
This Privacy Policy describes how Ledgester ("we", "us", "our") collects, uses, and protects information when you use our website at ledgester.in and the Ledgester web application (collectively, the "Service").
1. What we collect: full inventory
Per signed-in user we hold exactly the following fields on our servers (Firebase Firestore, gst-pro-toolkit project, multi-region):
| Field | Why we hold it | Required? |
|---|---|---|
| Google email & display name (if you sign in with Google) | Account identifier and login | One login method required |
| Phone number (E.164) (if you sign in with a pre-registered phone) | Account identifier and login | One login method required |
| Firebase Auth UID | Internal account key | Yes |
| Subscription tier, status, trial-end / paid-until dates | To know which features to enable for your account and when to bill you | Yes |
| Account created-at timestamp | Account aging, support context | Yes |
| Last-active-at timestamp | To clean up dormant accounts after long inactivity | Yes |
Everything else stays on your device, encrypted. Specifically:
- All invoices, quotations, sales receipts, drafts
- All customer / vendor / seller profiles, GSTINs, contact details
- Product catalog entries
- Your business profile (name, GSTIN, address, bank details, signature)
- Tally imports, reminders, notes
2. How the encryption works
When you set up your vault, your browser:
- Generates a random 256-bit data key.
- Derives an encryption key from the password you choose, using Argon2id (a memory-hard key derivation function designed to be slow against brute-force attacks).
- Encrypts the data key with your password-derived key and stores it on your device (in your browser's local storage).
- Also encrypts the data key with a key derived from a 12-word recovery phrase, shown to you once. We do not see this phrase.
- Encrypts every document you create with AES-256-GCM using the data key. The encrypted blobs live in your browser's IndexedDB.
If you choose to back up to Google Drive, the same encrypted blobs are uploaded to a hidden folder in your own Google account using the drive.appdata scope. This folder is invisible in your normal Drive UI and is only accessible by Ledgester. We never receive a copy.
Ledgester's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request only the drive.appdata scope, use it solely to store and retrieve your own encrypted backup in your Google account's hidden App Data folder, never transfer this data to third parties, and never use it for advertising or any purpose other than the backup and restore feature you explicitly enable.
The plaintext data key only exists in your browser's RAM, only while you are signed in and unlocked. When you close the tab, lock the vault, or sign out, the key is wiped. The next session requires you to re-enter your password (or recovery phrase) to derive it again.
3. What this means in practice
- If we get hacked: the attacker gets a list of phone numbers and billing tiers. They do not get your invoices, customer names, or any business data.
- If we receive a subpoena: we can hand over your phone number, billing record, and your encrypted blob from Drive (if you've connected Drive). We cannot decrypt the blob and we have no key to give the requesting authority.
- If you forget your password and your recovery phrase: we cannot help you. Your data is mathematically inaccessible. This is the cost of zero-knowledge.
- If you stop using Ledgester: deleting your account erases the server record (phone, billing). To remove your data from your device, clear your browser's site data for ledgester.in. To remove your Drive backup, revoke Ledgester's access in your Google account.
4. Analytics, cookies, and tracking
We use Google Analytics 4 on the public landing pages (ledgester.in and the tool reference pages) to understand which articles get traffic. GA records anonymous page views and aggregate sessions. We do not run analytics inside the encrypted app at /app/; anything you do after sign-in is invisible to us by design.
The only cookies / browser storage we use:
- Google Analytics consent and ID (landing pages only)
- Firebase Auth session token (so you stay signed in)
- Your encrypted vault metadata in
localStorage(salts and wrapped keys; nothing readable) - Your encrypted documents in IndexedDB
- Your Google Drive OAuth token, if you connected Drive (scoped to
drive.appdataonly) - Dark-mode preference and other UI settings
No advertising cookies. No third-party trackers inside the app.
5. Sub-processors
| Provider | What they handle | What they can see |
|---|---|---|
| Google Firebase | Auth, Firestore, Hosting | Account identity (Google email + name, or phone), plan, last-active timestamp |
| Google Sign-In (OAuth) | Verifies your identity when you choose "Continue with Google" | Your Google email, name, and profile photo URL |
| Google Analytics 4 | Landing-page traffic only | Anonymous page views on /, /tools/, /privacy.html etc. |
| Razorpay (when you upgrade to a paid plan) | Payment processing | Your card / UPI details and the plan you bought. We do not store card data ourselves. |
| Google Drive (if you opt in) | Encrypted backup storage in your Google account | An opaque encrypted blob in a hidden folder; no plaintext |
6. Data we do NOT collect
- If you sign in with Google, we store your Google email and display name as your account identity (these are your login, so they are not encrypted). We do not collect your address, GSTIN, bank details, or any business data on our servers; those stay encrypted on your device. Any name/GSTIN/address you enter inside the app is encrypted on your device.
- We do not sell, rent, or share data with third parties outside the sub-processors above.
- We do not use your invoice content for advertising, profiling, or machine-learning training.
- We do not run trackers, pixels, or session replay tools inside the app.
7. Your rights (DPDP Act, 2023, India)
Under India's Digital Personal Data Protection Act, 2023, you have the right to:
- Know what personal data we hold about you (this page is the full list, see §1).
- Correct or update your personal data (you can update phone via the in-app account page once that flow is live; for now, email us).
- Have your data erased. Email us and we will delete your server-side record within 30 days. To erase the encrypted data on your device, clear browser storage for ledgester.in.
- Withdraw consent at any time.
- File a complaint with the Data Protection Board of India.
For EU/UK residents: equivalent rights under GDPR / UK GDPR apply.
8. Children
The Service is for businesses and tax professionals. It is not directed at children under 18. We do not knowingly collect data from minors.
9. Data retention
- Server-side account record (phone, plan): retained while your account is active and for 90 days after account deletion (for billing audit).
- Encrypted data on your device: retained until you clear it.
- Encrypted Drive backup: retained in your Google account until you remove it or revoke Ledgester's access.
- Anonymous Google Analytics data: 14 months (GA4 default).
10. Changes to this policy
Material changes will update the "Last updated" date above and be announced in-app. We will not retroactively reduce your privacy protections.
11. Contact
For privacy questions, data requests, or to report a security issue, email [email protected].