Privacy Policy

1. Introduction

ScanLedger ("we," "our," or "us") operates an AI-powered business data platform that provides document capture, inventory management, point of sale, bank reconciliation, dataset analytics, and team collaboration services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access our platform via web browser or mobile application (collectively, the "Service").

By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Account Information

When you create an account we collect:

• Full name and email address
• Password (stored only in hashed form using bcrypt)
• Business name (optional)
• Preferred currency and language settings
• Google account information if you sign in via Google OAuth

2.2 Business & Document Data

When you use our features we process:

• Documents and images you upload for AI-powered data extraction (receipts, invoices, inventory logs, attendance sheets, payment slips, and general notes)
• Structured data extracted from those documents
• Corrections and annotations you make to extracted data
• Inventory products, stock movements, and pricing
• Point-of-sale transactions and receipts
• Bank statements uploaded for reconciliation
• Datasets, rows, and fields you create or import via CSV
• Files and folders you store in the file manager
• AI chat conversations with your datasets

2.3 Payment Information

We do not store your full card number or bank details. Payments are processed securely by our third-party payment providers (Paystack for NGN transactions and Stripe for USD, CAD, GBP, and EUR transactions). We store only:

• Transaction references and amounts
• Subscription plan, billing cycle, and status
• Last four digits and card type (for display purposes)

2.4 Automatically Collected Information

• Device type, browser type, and operating system
• IP address and approximate geographic location
• Pages visited and features used within the Service
• Error logs and performance metrics
• Referring URLs and search terms used to find our site

3. How We Use Your Information

• Provide the Service — process documents, manage inventory, execute POS transactions, reconcile bank statements, and deliver AI-powered insights
• Account management — authenticate users, enforce subscription plan limits, and manage team permissions
• Communications — send transactional emails (welcome, password reset, team invitations, subscription receipts, expiry warnings) via SendGrid
• Real-time notifications — deliver in-app and WebSocket push notifications about account activity
• Improve accuracy — use anonymized, aggregated data to improve our OCR and AI extraction models
• Security & fraud prevention — detect abuse, enforce rate limits, and protect the platform
• Legal compliance — comply with applicable laws, regulations, and legal processes

4. AI & Document Processing

ScanLedger uses AI models (including OpenAI GPT-4 Vision and Google Gemini) to extract structured data from your documents. When you upload a document:

• The document image is sent securely to the AI provider for processing
• The AI provider processes the image and returns extracted text and structure
• We have data-processing agreements with our AI providers stipulating that your data is not used to train their models
• Document content is transmitted over encrypted channels (TLS 1.3)
• AI chat queries on your datasets are processed similarly — your dataset content is sent to the AI provider only for the duration of the request

Extracted data receives a confidence score. Items below our confidence threshold (currently 85%) are flagged for your manual review, ensuring you remain in control of your data.

5. Data Sharing & Third Parties

We do not sell your personal information. We share data only in the following circumstances:

• AI Processing Providers — OpenAI and Google for document extraction and chat (under data-processing agreements)
• Payment Processors — Paystack (Nigeria) and Stripe (international) for subscription billing
• Email Delivery — SendGrid for transactional and notification emails
• Cloud Infrastructure — hosting providers for application and database hosting
• Legal Requirements — when required by law, court order, or to protect our rights, safety, or property
• Business Transfers — in connection with a merger, acquisition, or sale of assets (you will be notified)

When you use the team collaboration feature, your workspace data is shared with team members according to the role-based permissions you configure (Owner, Admin, Manager, or Staff).

6. Data Storage & Security

• All data is encrypted in transit using TLS 1.3
• Data at rest is encrypted using AES-256
• Passwords are hashed using bcrypt — we never store plaintext passwords
• Authentication uses JWT tokens delivered via httpOnly cookies
• Access to production systems is restricted, logged, and audited
• Automated backups ensure data durability and rapid recovery
• Rate limiting protects against brute-force and abuse (100 requests/minute general, 5 requests/minute for auth endpoints)

For more detail on our security practices, see our Security page.

7. Data Retention

How long we keep your data depends on your subscription plan and account status:

• Free plan — document data is accessible for 7 days; after that it is archived but retained while your account is active
• Pro & Enterprise plans — unlimited data retention while your subscription is active
• Account deletion — when you delete your account, we remove your personal data within 30 days; some data may be retained longer if required for legal, tax, or audit purposes
• Downgrade — if you downgrade, premium features are locked but your data is preserved (not deleted) so it is accessible if you upgrade again

8. Cookies & Tracking Technologies

We use a limited set of cookies and similar technologies:

• Essential cookies — httpOnly authentication cookies to keep you signed in securely; these cannot be disabled without losing access
• Preference cookies — remember your currency selection, workspace, and display preferences
• Analytics cookies — help us understand how the Service is used so we can improve it (you can opt out via your browser settings)

We do not use third-party advertising cookies or tracking pixels. For more detail, see our Cookie Policy.

9. International Data Transfers

ScanLedger is operated from Nigeria. If you access the Service from outside Nigeria, your information may be transferred to and processed in countries where our infrastructure providers and AI processing partners operate. We ensure appropriate safeguards are in place, including data-processing agreements with our service providers, to protect your data in accordance with applicable privacy laws.

10. Your Rights & Choices

Depending on your location you may have the following rights:

• Access — request a copy of the personal data we hold about you
• Correction — update or correct inaccurate information via your account settings or by contacting us
• Deletion — request deletion of your account and associated data
• Export — download your datasets in CSV format and your documents from the file manager
• Restrict processing — ask us to limit how we use your data in certain circumstances
• Opt out of marketing — unsubscribe from promotional emails at any time (transactional emails will continue)
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

11. Children's Privacy

ScanLedger is a business tool and is not directed at anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices: