Post AI Marketing, LLC ("Post AI," "we," "us") operates the Ledger by Post AI service ("Ledger" or the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.
1. Scope
This policy covers the Ledger website (postailedger.com), the Ledger application (app.postailedger.com), and any associated tooling we operate. It applies to information about our customers, their authorized users, and visitors to our site. It does not cover third-party services we integrate with — those are governed by their own privacy policies.
2. Information we collect
2.1 Information you provide
- Account information: name, business name, work email, phone number, and authentication credentials.
- Demo & support requests: anything you choose to send us through forms or email.
- Billing information: handled by our payment processor; we store the last four digits, card brand, and billing address.
2.2 Information from QuickBooks Online
When you connect your QuickBooks Online account through Intuit's OAuth, we receive access to the data scopes you authorize, which may include:
- Chart of accounts, journal entries, transactions, invoices, bills, and payments.
- Vendor and customer records (names, addresses, tax IDs where present).
- Attachments you have uploaded to QuickBooks (e.g. receipts, bills).
- Company-level metadata (legal name, tax ID, fiscal year).
We never receive your Intuit username or password. The OAuth token issued to us is stored encrypted and scoped to your specific QuickBooks company.
2.3 Information collected automatically
- Usage data: pages visited, features used, agent actions taken, timestamps, and aggregate performance metrics.
- Device data: IP address, browser type, OS, screen size, and approximate location derived from IP.
- Cookies: we use first-party cookies for authentication and a small number of third-party cookies for product analytics. We do not use advertising or cross-site tracking cookies.
3. How we use information
- To provide the Service — categorize transactions, generate digests, run forecasts, and produce reports.
- To send service-related communications (digests, alerts, security notices, billing).
- To improve the Service — monitor performance, debug, prioritize roadmap.
- To prevent fraud and abuse, and to comply with legal obligations.
We do not sell your information. We do not use your QuickBooks data for advertising. We do not use your QuickBooks data to train any machine-learning model, ours or anyone else's.
4. Sub-processors
We use the following sub-processors. Each is bound by a written data processing agreement.
- Anthropic, PBC — provides the Claude language model used by the Ledger agent. Data is sent only as needed to perform agent reasoning. Anthropic does not train on Ledger API requests; zero-day retention for prompts and responses.
- Intuit, Inc. (QuickBooks Online) — origin and destination of your accounting data. Governed by your Intuit account agreement.
- Supabase, Inc. — primary database, authentication, and encrypted storage. Data residency: United States.
- Vercel, Inc. — application hosting and edge delivery. Data residency: United States.
- Stripe, Inc. — payment processing.
- Postmark (ActiveCampaign, LLC) — transactional email (digests, security alerts).
- Sentry (Functional Software, Inc.) — application error monitoring; PII scrubbed from event payloads.
We will give you reasonable notice before adding a sub-processor that has material access to your data.
5. Retention
We retain your QuickBooks-derived data while your account is active and for up to 90 days after termination, after which it is deleted from primary systems and purged from backups within 35 days. You may request earlier deletion through our Data Deletion page.
Account, billing, and audit-log records may be retained longer where required by law (typically 7 years for financial records).
6. Your rights
Subject to applicable law, you have the right to access, correct, delete, or export your personal information, and to object to certain processing. To exercise any of these rights, write to privacy@postailedger.com or use the Data Deletion form.
7. California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect about you, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising. To make a request, see the Data Deletion page or write to privacy@postailedger.com.
8. Visitors from the European Economic Area
Although Ledger primarily serves U.S. small businesses, we offer EEA visitors GDPR-equivalent protections. Our legal bases for processing are: performance of a contract, legitimate interests (product improvement, security), consent (where solicited), and legal obligation. EEA visitors may also lodge a complaint with their local supervisory authority.
9. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth tokens are stored in isolated per-tenant vaults. Production access is limited to a small on-call group, gated by SSO and hardware MFA, and logged. See the Security Overview for details.
10. Children
Ledger is not directed to children under 16, and we do not knowingly collect personal information from them.
11. Changes to this policy
If we make material changes, we will notify customers by email at least 14 days before the change takes effect, and we will revise the "Last updated" date above.
12. Contact us
Privacy questions: privacy@postailedger.com
Mailing address: Post AI Marketing, LLC, [Mailing address], [City, ST ZIP], United States.
