Privacy Policy for ledgercloud.io

This Privacy Policy explains how we collect and process personal data when you use Ledgercloud to reconcile payments and orders (e.g. from Stripe, PayPal and Shopify) and to export accounting data (e.g. DATEV exports).

You can print this policy at any time by using your browser’s print feature.

---

Data Controller and Owner

ACE Holdings GmbH
Vorderdeich 9
21037 Hamburg, Deutschland
Email: service@ledgercloud.io

---

What Data We Collect

We process the following categories of data, provided by you or by systems you connect to Ledgercloud (e.g. Stripe, PayPal, Shopify):

• Account and profile data: name, email address, company, user role.
• Payment account metadata: connected account IDs, provider identifiers (e.g. Stripe Account ID, PayPal Merchant ID), settings required for reconciliation. We do not store card PANs or CVV.
• Transaction and order data: order IDs, transaction IDs, timestamps, amounts, currencies, fees, refunds, chargebacks, payouts and payout schedules.
• Accounting and export data: chart‑of‑accounts mappings (e.g. SKR03/SKR04), booking keys, VAT rates, export files (e.g. CSV/XML for DATEV) and related documents (e.g. invoices, credit notes).
• Support communications: messages, meeting notes, attachments you share with us.
• Technical data: IP address, device and browser information, log files and usage events necessary to provide the service and ensure security.

Each category is processed only for the purposes outlined below or where specifically explained before data is gathered.

Users may voluntarily provide data; certain technical data is collected automatically when interacting with the service.

Unless otherwise noted, the requested data is necessary to provide the service. Without it, some features may not work.

Where optional data is indicated, users can choose not to provide it without affecting service quality.

If unsure about what information is required, users are encouraged to contact the Owner directly.

Cookies and similar tracking tools may be used to deliver services and fulfill purposes outlined in this policy.

Users are solely responsible for any third-party personal data shared through this Application.

---

How and Where Data Is Processed

Processing Methods

We implement suitable technical and organizational measures to prevent unauthorized access, alteration, disclosure, or destruction of personal data.

Data is processed using IT systems according to procedures closely aligned with stated purposes. Authorized personnel (e.g., operations, support, engineering) or commissioned processors (e.g., hosting providers, email and support tools) may access data when needed. These parties are bound by contracts and confidentiality obligations. An up‑to‑date list is available on request.

Processing Location

We primarily process data in the European Union. Where providers outside the EU/EEA are used or data is accessed from third countries, appropriate safeguards are applied (e.g., EU Standard Contractual Clauses).

---

Data Retention

Unless otherwise stated, data is retained only as long as required for the purpose it was collected. We may keep it longer if required by law (e.g., commercial and tax retention obligations under German law – typically 6 to 10 years) or with user consent. Technical logs are usually kept for a shorter period for security and troubleshooting.

---

Why We Process Data

We collect personal data for the following reasons:

• To deliver and maintain the Ledgercloud service (reconciling payments and orders, matching transactions, generating accounting exports like DATEV CSV/XML)
• To provide onboarding, support and troubleshooting (including personal web meetings)
• To operate, secure and improve the platform (monitoring, debugging, analytics in aggregated or pseudonymized form)
• To comply with legal obligations and respond to lawful requests
• To defend our rights and those of our users and third parties
• To detect and prevent fraudulent or abusive activity

Examples of Processing (Non‑exhaustive)

1. Contacting Users

When users fill out a contact form, we use the provided data to respond to inquiries.
Collected data: name, surname, email address

2. Hosting and Infrastructure

We use services that help us host and deliver this Application and its features.

We may use EU‑based hosting and content delivery providers, and where non‑EU providers are used, we implement appropriate safeguards (e.g., SCCs). Details can be provided on request.

3. Payment Reconciliation and Exports

When users connect payment and commerce systems (e.g., Stripe, PayPal, Shopify):

• We process transaction, order and payout metadata necessary for reconciliation
• We process and generate export files and booking information (e.g., DATEV CSV/XML, booking keys, accounts)
• We may process and attach supporting documents (e.g., invoices, credit notes) if you upload or enable syncing
• We do not store full card PANs or CVV and rely on provider tokens/IDs

---

Legal Basis for Processing

We may process personal data when:

• It is necessary for contract performance or pre‑contractual steps (Art. 6(1)(b) GDPR)
• It is required to comply with legal obligations (Art. 6(1)(c) GDPR)
• We pursue legitimate interests in operating and improving the service, preventing abuse and ensuring security (Art. 6(1)(f) GDPR)
• You have given consent for specific purposes (Art. 6(1)(a) GDPR)

For help determining the legal basis, please contact the Owner.

---

More on Data Retention

• Data linked to contracts is kept as long as the contract exists and for applicable retention periods
• Data processed under legitimate interest is stored as long as necessary
• If consent was given, data is kept until consent is withdrawn
• Legal obligations may require longer retention (e.g., tax and commercial law)

Once the retention period ends, data is deleted and access/portability rights no longer apply.

---

GDPR Rights for Users

Under the GDPR, users have the right to:

• Withdraw previously given consent
• Object to data processing for specific reasons
• Request access to their data
• Verify or correct their data
• Restrict processing
• Have data deleted
• Receive data and transfer it to another provider
• File complaints with a data protection authority

Users can also inquire about how data is protected when transferred abroad.

Objecting to Data Processing

If we process data under public interest or legitimate interest, users may object by explaining their specific situation.

Users may always object to direct marketing use without giving a reason. If objected, data will no longer be used for that purpose.

---

How to Use These Rights

To exercise these rights, users can contact the Owner using the contact details above. Requests are free and will be processed within a month.

If personal data has been shared with others, the Owner will attempt to notify them of any corrections or deletions, unless it’s impossible or overly difficult.

---

Additional Info

Legal Use

We may use personal data in legal proceedings or in preparation for legal action related to misuse of our Application or services.

Extra Information

Additional details about specific services or data handling may be provided on request.

System Logs and Maintenance

For maintenance and operational purposes, we or third parties may log interactions and collect information such as IP addresses.

Unlisted Information

Users can request further details about data practices by contacting the Owner.

---

Privacy Policy Updates

We may revise this privacy policy at any time. Users will be informed on this page or elsewhere in the Application. We may also notify users by email if possible.

Users should check this page regularly for updates. If consent is required for any changes, we will request it again as needed.

---

Legal Note

Unless otherwise mentioned, this privacy policy applies solely to this Application.

---

Definitions

• Personal Data: Information identifying a natural person, directly or indirectly.
• Usage Data: Automatically collected info like IP addresses, browser details, and time spent on pages.
• User: The person using this site and/or the Ledgercloud service.
• Data Subject: The individual to whom personal data refers.
• Processor: Entity processing data on behalf of the Controller.
• Controller: The party that determines how and why data is processed — in this case, the Owner.
• Service: The payment/order reconciliation and export services provided via this Application.
• EU: References in this policy to the “EU” include both EU and EEA member states.