Privacy Policy

Last updated: April 3, 2026

ldgr ("we", "us", "our") is a shared expense tracking application. This policy describes what data we collect, how we store it, and your rights regarding that data.

1. Data we collect

When you use ldgr, we collect and process the following information:

• Account information — your name, email address, display avatar, preferred language, and default currency. This is collected during onboarding after authentication.
• Expense data — descriptions, amounts, currencies, categories, split details, items, and dates for expenses you create or participate in.
• Group data — group names, avatars, member lists, and associated settings such as spending limits.
• Settlements — payment records between group members, including linked payment account references.
• Comments — expense comments and @mentions you create.
• File attachments — receipt images and documents you upload to expenses or templates.
• Payment accounts — account identifiers (e.g., PayPal email, IBAN) you optionally add for settlement convenience. We do not process payments directly.
• Device information — push notification tokens, device locale, and app version for delivering notifications and maintaining compatibility.
• API token metadata — token names, scopes, and creation dates for MCP/API integrations. Raw API keys are hashed and never stored in plaintext.

2. How we store your data

All data is stored on servers located in the European Union. Data at rest is encrypted. Database connections use TLS encryption in transit. File attachments are stored in Cloudflare R2 (EU region) with HMAC-signed access tokens.

We use optimistic locking and transactional writes to ensure data integrity. Passwords are never stored — authentication is handled entirely by our identity provider.

3. Third-party services

ldgr uses the following third-party services to operate:

• Google & Apple Sign-In — your email and name are shared during authentication to create your account.
• Push notifications — delivered via Google (Firebase) on Android and Apple (APNs) on iOS. Your device token is processed for notification routing.
• In-app purchases — subscriptions are processed through Apple App Store and Google Play Store. Purchase receipts and subscription status are managed by RevenueCat.
• Receipt scanning — when you scan a receipt, the image is sent to Google's AI for text extraction. Images are not stored beyond the processing request.
• Crash reporting — anonymized crash data and device information are collected in the production app to help us fix bugs. No personal data is included.
• Infrastructure — we use Cloudflare for content delivery, file storage, and DNS. Server monitoring collects performance telemetry with no user-identifiable data.

4. How we use your data

We use your data exclusively to provide and improve the ldgr service:

• Display and calculate expense splits, balances, and settlements
• Send push notifications based on your per-type preferences
• Generate weekly summaries and analytics
• Process AI receipt scanning requests
• Deliver data exports you request

We do not sell your data. We do not serve advertisements. We do not use tracking pixels or third-party analytics in the application.

5. Your rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

• Data export — request a full export of your data at any time from the app. The export includes all expenses with splits and items, comments, API token metadata, accounts, templates, attachments, and subscription information. Exports are generated asynchronously and delivered as a downloadable JSON file.
• Account deletion — close your account from the app settings. This anonymizes your user record (name, email, avatar replaced with generic values) while preserving the integrity of shared group financial records. Pre-condition: all balances must be zero across all groups.
• Data access — view all your data through the application interface or via the data export feature.
• Data correction — edit your profile information, expenses, and other records through the application.

6. Data retention

Your data is retained for as long as your account is active. When you close your account, personal identifiers are anonymized immediately. Shared financial records (expenses, settlements) are retained in anonymized form to maintain accurate group ledgers for other members.

Push notification tokens are cleared on logout. Expired data exports are automatically cleaned up by our background workers.

7. Security

We implement the following security measures:

• TLS encryption for all data in transit
• Encryption at rest for stored data
• HMAC-SHA256 signed tokens for file attachment access
• SHA-256 hashed API keys (raw keys never stored)
• Rate limiting (per-IP and per-user token buckets)
• Idempotency keys on all mutation endpoints
• JWT-based authentication with short-lived tokens

8. Children

ldgr is not directed at children under 16. We do not knowingly collect personal data from children.

9. Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.

10. Contact

For privacy-related questions or requests, contact us at hello@ldgr.money.