Privacy Policy

Version 1.2, Effective May 1, 2026

1. Who We Are

The Ledger Pulse Inc. ("Company," "we," "us"), an Alberta corporation, is the data controller for personal data collected through the CakeLedger application ("Service"). The Company has designated a Privacy Officer who is accountable for compliance with this policy. For privacy inquiries, contact: privacy@cakeledger.com.

2. What We Collect

2.1 Account Data

Name, email address, city, business name, and currency preference.

2.2 Baking Data

Ingredients, purchase entries, recipes, products, orders, customer details, labour entries, equipment records, and tax lines.

2.3 Financial Data

Subscription tier, billing status, and payment history (processed by our payment provider; we never see or store your full card numbers).

2.4 Usage Data

Pages visited, features used, session duration, device type, browser, operating system, and IP address.

2.5 Community Data

If you opt in to community data sharing: ingredient prices, product prices, product attributes (such as size, shape, and flavour), store names, recipe compositions, postal code area, and city.

2.6 AI-Processed Data

If you use AI-powered features, certain data may be sent to external service providers for processing. This may include ingredient names and costs, recipe compositions, product descriptions, order details, and business name. This data is processed solely to provide the requested feature. We do not permit our AI service providers to use your data to train their models.

2.7 Image and Media Data

Photos you upload (order photos, receipts), AI-generated images, and invoice documents. Images are optimized and stored on our database infrastructure in the United States. Images are retained for the duration of your account and deleted when you delete the associated record or your account.

2.8 Referral Data

If you participate in the referral program: your name, email address, and business name are shared with the person you invite via the referral invitation. A tracking identifier is stored for up to 7 days to attribute the referral.

2.9 Marketplace Data

If you list, browse, save, review, report, or otherwise interact with the in-app marketplace: listing content (titles, descriptions, photos, prices, pickup city, availability), messages or questions sent through marketplace messaging, ratings and reviews you publish, reports you submit about other listings, save and view activity, and contact details you choose to expose on a listing. Marketplace listings, ratings, reviews, and questions are visible to other users of the Service. Reports submitted to moderators are not displayed publicly but may be shared with the user being reported in summary form.

2.10 Storefront and Public Pages Data

If you publish a public storefront, gallery page, share card, or other publicly accessible page through the Service: the content you publish (business name, photos, product descriptions, prices, pickup or delivery information, availability, and any other content you elect to include) is publicly visible to anyone who accesses the page or its URL. Public pages may be cached, indexed, archived, or scraped by third parties (including search engines and social platforms), and that content may persist outside the Service after publication or removal. You are solely responsible for the content you publish to public pages and for managing what those pages disclose about you, your business, your customers, or any third party.

2.11 End Customer Data (Storefront Visitors and Buyers)

When a person interacts with a baker's storefront, payment link, or public page operated through the Service (an "End Customer"), the Company may collect: name, email, phone number, delivery or pickup address, order or enquiry details, photos or attachments uploaded to enquiry or order forms, IP address, browser and device information, and analytics data necessary to operate the page and process the request. End Customer data is collected on behalf of the baker (who is the data controller of that data, see Section 4.7), but the Company processes it as a data processor for the baker, and in limited cases as an independent controller for security, fraud prevention, audit logging, and legal compliance.

2.12 Payment Processing Data

When you connect a payment account or accept a payment through the Service, the payment processor (Stripe Inc. and its affiliates) collects and processes information directly from you and from any End Customer paying you, including identity verification documents, bank account or card details, transaction amounts, refund and chargeback records, and risk signals. The Company does not store full card numbers, full bank account numbers, or government identifiers required for payment processor onboarding. The Company receives transaction metadata (amounts, timestamps, last four digits of payment instruments, payout status, fees, dispute status) necessary to display payment status, reconcile orders, and operate the Service. Use of payment features is additionally governed by the payment processor's own terms and privacy policy.

2.13 Partner Data

If you apply for or hold a brand partner, supplier, or affiliate role through the Service: business name, registered legal name, applicant name, business email, business phone, website, country, business category, supporting documents you upload, and any directory or marketing content you publish. Partner directory profiles, when published, are visible to other users of the Service.

3. Why We Collect It

4. Who Sees Your Data

4.1 Infrastructure and Sub-Processors

Your data is processed by third-party providers acting on the Company's instructions, in the following categories: database, authentication, and storage hosting; application hosting and content delivery; payment processing and payout services; identity verification and fraud prevention services connected to payments; transactional and marketing email delivery; analytics; AI text and image generation services; and customer support tooling. Each provider operates under contractual or statutory obligations to safeguard your data and to use it only as required to perform their service to the Company. The Company may add, remove, or replace sub-processors from time to time. A current list of material sub-processors is available on request from privacy@cakeledger.com.

4.2 No Sale of Data

We do not sell, rent, or trade your personal data to any third party. Any material change to this position would constitute a material change to this Privacy Policy and would be subject to the notice and consent provisions described in Section 12.

4.3 Community Pool

If you opt in to community data sharing, anonymized data (ingredient prices, product prices, city) is contributed to a shared pool used to generate community insights. Your identity is never attached to community data. See Section 8 for full details.

4.4 Law Enforcement

We will only disclose your data to law enforcement or government authorities when required by valid legal process (court order, subpoena, or equivalent legal instrument). We will notify you of such requests unless legally prohibited from doing so.

4.5 Business Transfer

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. The successor entity will be bound by the terms of this Privacy Policy with respect to data collected prior to the transfer. We will use commercially reasonable efforts to notify you via email or in-app notification of any such transfer.

4.6 Data Processing Agreement

If you require a Data Processing Agreement for regulatory compliance purposes, contact privacy@cakeledger.com.

4.7 End Customers and Controllership

Where a baker uses the Service to operate a storefront, send payment links, or otherwise interact with End Customers, the baker is the data controller of the personal information of those End Customers, and the Company processes that information on the baker's instructions and for the purpose of providing the Service. The baker is solely responsible for: providing a lawful basis for collection and use, providing notice to End Customers, responding to End Customer privacy and access requests, and securing any necessary consents. The Company processes End Customer data as an independent controller only for limited purposes including security, fraud prevention, audit logging, abuse investigation, and compliance with applicable law. The payment processor handles End Customer payment data as an independent controller under its own terms and privacy policy.

4.8 Public Content

Information you publish to a marketplace listing, partner directory profile, public storefront, gallery, share card, or any other publicly accessible page is, by design, available to anyone who accesses the page or its URL. The Company does not control downstream access to public content and is not responsible for caching, indexing, archiving, redistribution, or scraping by third parties. Removal of public content from the Service does not retroactively remove copies that may exist outside the Service.

5. Cross-Border Data Transfers

Your data is primarily stored and processed in the United States. If you access the Service from outside the United States, your data will be transferred across international borders. We protect cross-border transfers using the following mechanisms: Standard Contractual Clauses (SCCs) for transfers from the EU/EEA/UK, transfer mechanisms as permitted under Canada's PIPEDA, and contractual protections with all infrastructure providers.

6. Your Rights

6.1 All Users

Regardless of your location, you have the right to: access your data, export your data in a structured, commonly used, machine-readable format, correct inaccurate data, delete your account and associated data, and withdraw consent for optional processing.

6.2 EU/EEA/UK Users (GDPR)

Additional rights include: restriction of processing, data portability in machine-readable format, right to object to processing based on legitimate interest, and the right to lodge a complaint with your supervisory authority.

6.3 California Users (CCPA/CPRA)

Additional rights include: right to know what data is collected and how it is used, right to delete, right to opt out of sale of personal information (we do not sell data), and right to non-discrimination for exercising your rights.

6.4 Canadian Users (PIPEDA)

Additional rights include: right to access your personal information, right to challenge the accuracy of your information, and right to withdraw consent for collection, use, or disclosure.

6.5 Nigerian Users (NDPA)

Additional rights include: right to access, right to rectification, right to deletion, and right to data portability.

6.6 Response Time

We will respond to data rights requests within 30 days. Complex requests may require an additional 30 days, in which case we will notify you of the extension and the reason.

6.7 How to Exercise Your Rights

You can exercise your rights by emailing privacy@cakeledger.com. Account deletion requests should be directed to support@cakeledger.com and will be processed within thirty (30) days.

7. Data Retention

Active accounts: Data is retained for the duration of your account.

Deleted accounts: Production data is deleted within 30 days of account deletion. Database backups containing your data are purged within 90 days.

Community pool: If you opted in, your individual data rows are deleted upon opt-out or account deletion within 30 days. Aggregate statistics that have already been computed from your data may persist, as they cannot be individually disaggregated.

Payment records: Retained for 7 years as required by Canadian tax law.

Legal hold: Data may be retained beyond standard periods if required by legal proceedings, regulatory investigations, or valid legal process.

7A. Data Breach Notification

In the event of a data breach materially affecting your personal data, the Company will use commercially reasonable efforts to notify affected users without undue delay and, where required by applicable law, within the time periods mandated by such law. Notification will generally be provided via email or in-app notification and will include, to the extent then known: the nature of the incident, the categories of data affected, the measures taken in response, and contact information for further inquiries. Provision of notice does not constitute an admission of liability or fault by the Company. Notice may be delayed or withheld where required by law enforcement, regulatory authority, ongoing investigation, or to allow remediation of the underlying vulnerability. The Company's liability arising from any breach is governed by, and limited as set out in, the Terms of Service.

8. Community Data Sharing

8.1 Separate Consent

Community data sharing requires separate, explicit consent. It is not included in the general Terms of Service acceptance. You will be prompted to opt in with a clear explanation of what is shared and what is not.

8.2 What Is Shared

Ingredient prices (per unit), product prices (per product type), product attributes (such as size, shape, and flavour), store names, your postal code area, and city (for regional comparisons).

8.3 What Is Never Shared

Your name, email, business name, customer information, effective hourly rate, labour hours, total costs, revenue, order volume, profit margins, profit amounts, or physical address are never included in community data.

8.4 Anonymity

Community data is pooled and anonymized. Minimum thresholds apply before data is surfaced: at least 5 products and 3 ingredients must be contributed by different users in a category before any community insights are displayed.

8.5 Opt-Out

You can opt out at any time through Settings. Your individual data rows will be removed from the community pool within 30 days. Aggregate statistics already computed may persist.

8.6 Backfill on Opt-In

When you opt in, eligible historical data (ingredient prices, product prices, city) may be contributed to the community pool retroactively. You will be informed of this at the time of opt-in.

9. Cookies

You may change your cookie preferences at any time through the Legal & Privacy section in Settings within the app.

10. Email Communications

10.1 Transactional Emails

We send emails necessary for the operation of the Service, including password resets, billing confirmations, account security alerts, and service announcements. These do not require marketing consent and cannot be unsubscribed from while your account is active.

10.2 Marketing Emails

Marketing emails (tips, feature announcements, promotions) are only sent if you opt in. We comply with CASL (Canada), GDPR (EU/UK), and CAN-SPAM (US) requirements. Every marketing email includes a one-click unsubscribe link. Unsubscribe requests are processed within 10 business days.

11. Children

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact privacy@cakeledger.com.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice via in-app notification and email. The current version of this policy, with its effective date, is always available at /legal/privacy. Non-material changes (formatting, clarifications) take effect immediately upon posting.