Data & Compliance
Last updated: 19 May 2026
India — DPDP Act 2023
Ledger complies with the Digital Personal Data Protection Act, 2023 (India). As a Data Fiduciary, we:
- Collect only the personal data necessary to provide the service (data minimisation)
- Obtain explicit consent before processing personal data
- Allow users to access, correct, and erase their data on request
- Appoint a Data Protection Officer reachable at hello@studyledger.in
- Notify affected users within 72 hours of any confirmed data breach
- Do not process personal data of children under 13 without verifiable parental consent
GDPR (European Users)
If you are located in the European Economic Area (EEA) or UK, the following applies in addition to our standard privacy policy.
Legal basis for processing
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Contract performance |
| Syncing study data across devices | Contract performance |
| AI interaction history | Legitimate interest (product improvement) |
| Analytics (PostHog) | Legitimate interest (product analytics) |
| Error reporting (Sentry) | Legitimate interest (system reliability) |
| Transactional emails (Resend) | Contract performance |
International transfers
Some processors (Anthropic, Sentry, Resend) are based in the US. Transfers are covered by Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.
EEA user rights
You have rights to access, rectification, erasure, restriction, portability, and to object to processing. You may also lodge a complaint with your national data protection authority. Contact hello@studyledger.in to exercise these rights.
What We Store & Where
| Data type | Storage | Retention |
|---|---|---|
| Account profile | Supabase (PostgreSQL) | Until account deleted |
| Study data blob | Supabase (PostgreSQL) | Until account deleted |
| AI interaction history | Supabase (PostgreSQL) | 90 days rolling |
| Page events | Supabase (PostgreSQL) | 12 months |
| Error reports | Sentry | 90 days |
| Analytics events | PostHog | 12 months |
| UI preferences | Browser localStorage | Until browser cleared |
Security Measures
- Encryption in transit: TLS 1.3 on all connections
- Encryption at rest: AES-256 on Supabase storage
- Row Level Security (RLS): database policies ensure each user can access only their own data
- Service role isolation: the public client has anon-key access only; privileged operations use a server-side service role key never exposed to the browser
- Rate limiting: IP-based limits on AI endpoints prevent abuse
- Content moderation: AI inputs are scanned for harmful content before reaching the model
- Dependency auditing: automated vulnerability scanning on every deploy
Cookies & Tracking
Ledger uses no tracking cookies. We use browser localStorage for UI state (palette, density, mode) that never leaves your device.
PostHog analytics runs with autocapture disabled. We record deliberate user actions (page views, tool opens) without tracking mouse movements, scroll depth, or keystrokes.
Data Breach Response
In the event of a confirmed data breach affecting personal data:
- We will notify affected users within 72 hours of becoming aware
- We will notify relevant supervisory authorities as required by law
- We will publish a post-incident report within 30 days
To report a security vulnerability: hello@studyledger.in
Data Portability & Deletion
You can export your full study data as a JSON file from your profile settings at any time. This includes your planner, marks, goals, and preferences.
To delete your account and all associated data, go to Settings → Account → Delete Account. Deletion is processed within 30 days. AI history and analytics events are purged within 90 days.