Privacy Policy

Account information. When you register, we collect your name, email address, and a hashed password. If you are invited to a company account by another user, we collect the same information at sign-up.

Company and financial data. You may upload or enter invoices, expenses, payroll records, bank transactions, vendor details, and project information. This data belongs to you and is used solely to operate the service on your behalf.

Payment information. Subscription payments are processed by Stripe. We store only the last four digits of your card, expiry date, card brand, and your Stripe customer ID. Your full card number is never transmitted to or stored on our servers.

Usage data. We collect standard server logs (IP address, browser user-agent, pages visited, timestamps) and aggregate product analytics to understand how features are used. No individual browsing profiles are sold or shared with third-party advertisers.

Cookies and local storage.We use a session cookie for authentication and store user preferences (e.g., selected company, sidebar layout) in your browser's local storage. We do not use third-party tracking or advertising cookies.

We use the information we collect to:

• Provide, operate, and maintain the Punch Ledger platform.
• Process subscription payments and send billing receipts.
• Send transactional emails (password resets, team invitations, plan changes).
• Respond to support requests and troubleshoot issues.
• Diagnose bugs, investigate errors, and maintain the reliability and security of the platform. This may involve our engineers reviewing specific account or company data when reproducing a reported issue.
• Improve and develop new features based on aggregate usage patterns.
• Comply with legal obligations and enforce our Terms of Service.

We will not use your financial or business data to train external AI models, sell to data brokers, or share with third parties for advertising purposes.

We share personal information only in the following limited circumstances:

Service providers. We use trusted sub-processors to operate the service, including Stripe (payments), Amazon Web Services (cloud hosting and storage), and email delivery providers. Each sub-processor is contractually bound to protect your data and use it only as directed by us.

Team members you invite.When you add team members to your company account, those members can view the company's data according to their assigned role permissions.

Legal requirements. We may disclose information if required by law, court order, or government authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Punch Ledger, our users, or the public.

Affiliates and business partners. We may share basic account information — such as your name, email address, and subscription tier — with our corporate affiliates and trusted business partners for the purpose of offering you complementary services, product integrations, or co-marketing communications. We will not share your financial records, invoices, payroll data, or other business documents with affiliates without your explicit consent. You may opt out of affiliate communications at any time by emailing privacy@punchledger.com.

We do not sell your personal information. We do not sell personal information to third parties, nor do we share it for cross-context behavioural advertising purposes as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Business transfers. If Punch Ledger is acquired, merged, or sold, your information may be transferred as part of that transaction. You will be notified by email and given the opportunity to delete your account before any transfer occurs.

We retain your account and company data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days to allow for re-activation or export, then permanently deleted. You can request early deletion at any time by emailing privacy@punchledger.com.

Server logs are retained for up to 90 days. Anonymised, aggregated analytics data may be retained indefinitely.

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Access to production systems is restricted to authorised personnel and protected by multi-factor authentication. We perform regular automated backups retained for 30 days.

No method of transmission over the internet is 100% secure. While we apply industry-standard safeguards, we cannot guarantee absolute security. If you discover a security vulnerability, please disclose it responsibly to privacy@punchledger.com.

In the event of a confirmed security breach that involves Your Data, we will notify affected users by email within 72 hours of our confirmation of the breach, or as soon as reasonably practicable given the circumstances. Where required by applicable law (e.g., GDPR), we will also report the incident to the relevant supervisory authority within the required timeframe.

Our breach notification will describe:

• The nature of the incident and how it occurred (to the extent known).
• The categories and approximate volume of data affected.
• The steps we have taken or plan to take to contain and remediate the incident.
• Recommended actions you can take to protect yourself.
• A contact point for further questions.

If a security incident originates with a third-party sub-processor (e.g., AWS, Stripe), we will cooperate with their investigation and relay available information to you, but we are not liable for damages caused by that provider's failure.

We are not responsible for security incidents caused by your own actions, including sharing login credentials, using weak passwords, or failing to enable multi-factor authentication where offered.

Depending on your location, you may have the following rights regarding your personal information:

• Access. Request a copy of the personal data we hold about you.
• Correction. Request correction of inaccurate or incomplete data.
• Deletion. Request deletion of your personal data (subject to legal retention obligations).
• Portability. Request your data in a machine-readable format.
• Objection / restriction. Object to or restrict certain processing activities.
• Withdraw consent. Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@punchledger.com. We will respond within 30 days. We may need to verify your identity before processing the request.

We use a single, strictly necessary session cookie to keep you logged in. No analytics or advertising cookies are set. You can disable cookies in your browser settings, but doing so will prevent you from logging in.

Punch Ledger is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us at privacy@punchledger.com and we will delete it promptly.

Punch Ledger is based in the United States. If you access our service from outside the US, your information may be transferred to and processed in the United States or other countries where our service providers operate. We rely on standard contractual clauses and other approved transfer mechanisms to protect cross-border data transfers where required.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Your continued use of the service after notification constitutes acceptance of the updated policy.

This section applies solely to residents of California and supplements the rest of this Privacy Policy. It is provided pursuant to the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), and CalOPPA (California Business and Professions Code § 22575).

Categories of personal information we collect.

• Identifiers — name, email address, IP address, device identifiers.
• Commercial information — subscription plan, billing history, payment method metadata (last four digits, card brand).
• Internet or other electronic network activity — server logs, pages visited, session timestamps, browser user-agent.
• Professional or employment-related information — company name, employee records, payroll data, and other business documents you enter into the Service.
• Inferences — product-usage patterns derived from the above to improve the Service.

We collect this information for the business purposes described in Section 2. We do not sell personal information and do not share it for cross-context behavioural advertising.

Your rights as a California resident.

• Right to Know. You may request the categories and specific pieces of personal information we have collected about you, the purposes of collection, and the categories of third parties with whom we have shared it.
• Right to Delete. You may request deletion of personal information we hold about you, subject to certain exceptions (e.g., completing a transaction, legal obligations).
• Right to Correct. You may request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing.We do not sell or share personal information for cross-context behavioural advertising, so no opt-out is necessary. Should this practice ever change, we will update this policy and provide a “Do Not Sell or Share My Personal Information” link on our homepage.
• Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information (as defined by CPRA) for purposes beyond operating the Service. No further limitation request is required.
• Right to Non-Discrimination. We will not deny you the Service, charge you a different price, or provide a different quality of service because you exercised any right under the CCPA/CPRA.

How to submit a request. To exercise any of the rights above, email us at privacy@punchledger.comwith the subject line “California Privacy Request”. We will acknowledge your request within 10 business days and respond within 45 days. If we need more time we will notify you and may extend the response period by an additional 45 days.

Authorised agents. You may designate an authorised agent to make a request on your behalf. We will require written proof of authorisation and may verify your identity directly before processing the request.

Shine the Light (Cal. Civ. Code § 1798.83). California residents may request, once per calendar year, a list of the categories of personal information (if any) we disclosed to third parties for their direct marketing purposes and the names and addresses of those third parties. We do not disclose personal information for third-party direct marketing purposes, so no such list exists. To ask, email privacy@punchledger.comwith subject “Shine the Light Request”.

Questions about this Privacy Policy or our data practices? Reach us at: