Privacy Policy
Effective Date: April 10, 2026 | Last Updated: April 10, 2026
1. Introduction
Welcome to CaptureLedger LLC ("Company," "we," "our," or "us"). We operate CaptureLedger (the "Service"), a cash-basis accounting and invoicing platform designed for small service business owners.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please discontinue use of the Service immediately.
This Privacy Policy applies to all users of the Service, including subscribers on our Basic and Pro plans and any end users whose data is processed through the Service (such as your customers who receive invoices).
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, optional business name, and password credentials managed through our authentication provider (Clerk).
- Profile Information: Business name, phone number, and other optional profile details you choose to provide.
- Financial Data: Income transactions, expense transactions, vendor names, expense categories, line item descriptions, and amounts you enter into the Service.
- Invoice Data: Client names, client email addresses, client phone numbers, invoice line items, amounts, and due dates.
- Receipt Images: Photographs or scans of receipts you upload to document expenses, stored in Cloudflare R2 cloud storage.
- Payment Information: Billing details for your subscription are collected and processed directly by Stripe. We do not store full payment card numbers on our servers.
- Communications: Any messages, support requests, or correspondence you send to us.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, clicks, session duration, and other interaction data collected to understand how users engage with the Service.
- Device Information: Browser type, operating system, device type, screen resolution, and IP address.
- Log Data: Server logs including access times, error logs, and referring URLs.
- Cookies and Similar Technologies: Session cookies required for authentication and functionality. We do not use tracking or advertising cookies.
2.3 Information from Third Parties
- Clerk (Authentication): We receive account identifiers and basic profile data from Clerk when you authenticate.
- Stripe (Payments): We receive subscription status, payment confirmation events, and Stripe customer and account identifiers. For Pro plan users utilizing Stripe Connect, we also receive your Stripe Connect account status and onboarding completion data.
- Third-Party Integrations: If you connect additional third-party services in the future, we may receive data from those services as described at the time of connection.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Processing your transactions, generating reports, creating and sending invoices, and delivering all core features of the platform.
- Account Management: Creating and maintaining your account, verifying your identity, and managing your subscription.
- Payment Processing: Facilitating your subscription payments and, for Pro users, processing payments from your customers through Stripe Connect.
- Communications: Sending transactional emails via AWS Simple Email Service (SES), including invoice delivery to your customers, account notifications, and service-related announcements.
- Customer Support: Responding to your inquiries, diagnosing technical issues, and resolving disputes.
- Security and Fraud Prevention: Monitoring for unauthorized access, detecting and preventing fraudulent activity, and protecting the integrity of the Service.
- Service Improvement: Analyzing usage patterns to improve features, fix bugs, and enhance user experience.
- Legal Compliance: Complying with applicable laws, regulations, and legal obligations, including responding to lawful requests from authorities.
- Business Operations: Enforcing our Terms of Service, protecting our rights, and managing our business relationships.
We do not sell, rent, or share your personal information with third parties for their own marketing or advertising purposes.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal information under the following legal bases as defined in Article 6 of the UK/EU General Data Protection Regulation:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) |
| Providing core Service features (transactions, reports, invoices) | Contract — Art. 6(1)(b) |
| Processing subscription billing and payments | Contract — Art. 6(1)(b) |
| Sending transactional emails (invoices, account notices) | Contract — Art. 6(1)(b) |
| Security monitoring and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Service improvement and usage analytics | Legitimate interests — Art. 6(1)(f) |
| Complying with legal obligations | Legal obligation — Art. 6(1)(c) |
| Retaining log and diagnostic data (up to 12 months) | Legitimate interests — Art. 6(1)(f) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests at any time by contacting us at support@captureledger.com.
5. How We Share Your Information
5.1 Service Providers and Subprocessors
We engage trusted third-party service providers who process data on our behalf under contractual data protection obligations:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and user identity management | United States |
| Stripe | Subscription billing and payment processing | United States |
| Neon | PostgreSQL database hosting | United States |
| Cloudflare | CDN delivery and R2 receipt image storage | United States / Global Edge |
| Amazon Web Services (SES) | Transactional email delivery | United States |
| Vercel | Application hosting and deployment | United States |
5.2 Your Customers
When you send an invoice through the Service, your business name (or full name if no business name is provided), invoice details, and payment link are shared with the customer email address you specify. You are responsible for having appropriate authority to share the contact information of your customers with the Service.
5.3 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a government request.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service of any such change in ownership.
5.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account and transaction data is retained for the duration of your subscription and is permanently deleted within 30 days of account closure.
- Receipt images stored in Cloudflare R2 are retained until you delete them or close your account, after which they are permanently deleted within 30 days.
- Log and usage data is retained for up to 12 months for security and diagnostic purposes.
- Stripe payment records are governed by Stripe's own data retention policies.
Upon account closure, we will delete your personal data and all associated financial records within 30 days. If you need to retain your financial records for tax or legal purposes, we recommend exporting your data before closing your account.
7. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encrypted data transmission using TLS/HTTPS across all connections
- Encrypted data storage at rest for database and file storage
- Role-based access controls limiting employee access to user data
- Row-level security patterns ensuring users can only access their own data
- Secure credential management using environment variables and secrets management
- Regular security reviews of our application and infrastructure
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information using commercially acceptable means, we cannot guarantee absolute security. In the event of a data breach affecting your information, we will notify you in accordance with applicable law.
8. Your Rights and Choices
8.1 Access and Portability
You have the right to request a copy of the personal information we hold about you in a structured, machine-readable format.
8.2 Correction
You have the right to request correction of inaccurate or incomplete personal information.
8.3 Deletion
You have the right to request deletion of your personal information, subject to our legal retention obligations described in Section 6.
8.4 Restriction of Processing
You have the right to request that we restrict processing of your personal information in certain circumstances.
8.5 Objection
You have the right to object to our processing of your personal information where we rely on legitimate interests as the legal basis.
8.6 Withdrawal of Consent
Where we rely on your consent to process information, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
8.7 Right to Lodge a Complaint
If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have processed your personal information in a manner inconsistent with applicable data protection law. EEA residents can find their relevant authority via the European Data Protection Board. UK residents may contact the Information Commissioner's Office (ICO). We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority.
8.8 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information is collected, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.
8.9 Exercising Your Rights
To exercise any of these rights, contact us at support@captureledger.com. We will respond to verified requests within 30 days. We may require identity verification before processing your request.
9. Cookies and Tracking Technologies
We use only essential session cookies necessary to authenticate your session and maintain your login state. We do not use advertising cookies, third-party tracking cookies, or behavioral profiling technologies. You may configure your browser to refuse cookies, but doing so may prevent you from using core features of the Service.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with their information, please contact us at support@captureledger.com.
11. International Data Transfers
Our Service is operated primarily in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. Data protection laws in these countries may differ from those in your home country. By using the Service, you consent to the transfer of your information to these countries. Where required by law, we rely on appropriate safeguards for international transfers including Standard Contractual Clauses.
12. Third-Party Links
The Service may contain links to third-party websites or services, including Stripe-hosted payment pages. We are not responsible for the privacy practices of these third parties and encourage you to review their privacy policies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice in the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:
CaptureLedger LLC
Email: support@captureledger.com