Last update: November 2023
At Ledger, we are committed to creating products that provide the highest level of security for your crypto assets but that also allow you to manage them easily. To do this, we provide you with a software application (Ledger Live) and websites (ledgerwallet.com and ledger.com) (our ‘Services’).
We can collect personal data about you when you use these Services. We have created this Confidentiality Policy to explain what we do with it.
Please note: the vault.ledger.com website is not covered by this Confidentiality Policy.
What is personal data?
Personal data (‘Data’) is information that makes it possible to identify you:
- directly, such as your name or email address;
- or indirectly, such as your customer number or IP address.
When do we collect your data and why?
We collect your Data when you use our Services.
We store your Data only for the time needed to carry out the operations for which it was collected, except when we need to assert our legal rights or are legally required to retain it for a different period of time. At the end of these retention periods, your Data is erased or anonymised.
Data collected through our websites
| User action | Data collected | Data usage | Reason for processing (legal basis) | Retention period |
|---|---|---|---|---|
| Purchase of a Ledger product | Name, email address, delivery and billing address, phone number, company name, intra-community VAT number, product bought, delivery method and payment, order amount, currency | Invoicing, delivery, analytics and sending service notifications | Performance of the contract you agreed upon buying one of our products | Active database: 3 months from delivery of the product Archive: 10 years (accounting obligations) |
| Request to receive marketing emails (including our newsletter) | Email address, campaign number, logs | Sending emails on our latest developments, promotions and customer surveys | Consent to receive marketing emails | 3 years from the request |
| Request sent to customer services (on the dedicated platform or through social media) | Name, email and postal address, telephone number (for product exchanges), Handle used on social media, content of our exchanges, identification document (if verification is necessary) | Processing the request, quality control, verifying information is correct and preventing fraud | Ledger’s legitimate interest | 5 years from the request |
| Browsing our websites Please note: We collect your Browsing Data using various technologies such as cookies (for more information, please visit our Cookie Policy). | Consent or refusal to save cookies on your device | Cookies are saved (or not saved) on the device | Legitimate interest | 6 months from the user’s decision |
| IP address, operating system, browser, devices used, date and time of visit, URLs of clickstream to, through and from our website, products viewed and searched, download errors, duration of visit on certain pages, interaction between pages | Bug-fixing, analytics, combating fraud, personalising your experience, displaying adverts on third-party websites | Dependent on the purpose of the cookies saved: - Legitimate interest for technical cookies - Consent for functional, performance and advertising cookies | The time needed to fulfil the purpose of the cookies saved (for example, one session for session cookies) | |
| Participation in customer surveys | Name, age, email address, family situation, profession, country, product opinion, comments | Carrying out marketing studies, improving our products and services | Legitimate interest | 6 months from the end of the survey |
| Request to be re-contacted on the subject of our B2B products | Name, company, role, email address, telephone number, country | Making contact, sending emails on our latest developments, promotions and customer surveys | Legitimate interest | 5 years from the request |
| Signing up to our affiliate programme | Name, email address, company, BTC address, identity document, intra-community VAT number and proof of residence (where required). | Managing the programme, sending emails on the programme’s latest developments, remuneration | Performance of the contract you agreed with Ledger when signing up to the programme | For as long as the affiliate is a member of the programme, except in the event of prolonged inactivity |
Please note: your payment information is collected directly by our payment providers. Ledger only has access to a truncated version of this information for anti-fraud purposes.
Data collected through our Ledger Live application
| User action | Data collected | Data usage | Reason for processing (legal basis) | Retention period |
|---|---|---|---|---|
| Use of Ledger Live | Device session identifier, IP address*, clicks, actions (e.g. launching the application, use of transactional functionalities, pages viewed), properties (e.g. type, version, language and region recorded for your operating system), currency, time stamp, amount and status of transactions, transaction identifier, identifier used by our partners to identify you (when you use their services) | Bug-fixing, analytics to improve our products and services and identify additional services and functionalities you might need, processing requests for assistance, finding and preventing security problems, fraudulent activity and violations, optimising marketing operations (e.g. information on the most-used functionalities) and sending important information (e.g. security notifications). | Legitimate interest | 5 years from collection |
| Participating in our referral programme | ETH address (for authentication purposes only / data not stored), UUID, BTC address | Managing the programme, reward redemption | Performance of the contract you agreed with Ledger by participating in the programme | Active database; for as long as the referrer is a member of the programme, except in the event of prolonged inactivity Archive: 10 years (tax and accounting obligations) |
Please note: Ledger Live does not contain identifying information that allows us to know your identity.(*Your IP address is only collected to be transmitted to our partners when this information is required to provide their services, and is not stored by Ledger) Ledger neither stores nor has access to your crypto assets and private keys. We only provide ‘cold storage’ services.
Data collected by third parties accessible from Ledger Live
Below are several concrete examples:
You use our partners’ services: information (like your name, date of birth, postal address and IP address) can be collected by our partners (or by Ledger on their behalf) to meet their anti-money laundering and customer-identification obligations.
You are a validator for a proof of stake-type service: we display your name/handle, the balances delegated or any information communicated on Ledger Live.
Please note: Ledger is not responsible for the way in which our partners use your Data. If you have any questions on this subject, please consult their confidentiality policy.
Please note: Ledger never sells your Data to third parties and we prohibit our service providers from re-using it for their own behalf.
Where do we store your Data?
Your Data is stored in France, but we might have to transfer it to countries located outside of the European Economic Area.
We only transfer your Data to companies:
- That are established in a country recognised by the European Commission as offering an adequate level of protection, or
- With which we have signed the European Commission’s standard contractual clauses, or
- That commit to apply a code of conduct or a certification mechanism validated by the competent European authorities.
How do we keep your Data secure?
We implement all technical and organisational measures we deem necessary to safeguard your Data at an appropriate level of security, including:
- Payment information security: your payment information is encrypted using a secure commercial Internet protocol (TLS) and is never stored on our server.
- An awareness programme and employee training.
- Encryption during exchanges and storage.
- Regular audits of data hosting companies.
- Data redundancy for more resilience in the event of catastrophe.
- Role-based authentication.
- Two-factor authentication for our authorised contributors.
- Continuous monitoring of the system.
- Security assessments in line with industry standards.
- Security tests and intrusion tests by independent third parties.
To assess the level of appropriate security, we take into account, among other things, the nature of the Data and the risks its processing presents. Although we strive to ensure an optimal protection of your Data, we would remind you that transmitting information on the Internet is not entirely secure.
Please note: Ledger does not have access to your passwords, PIN codes and recovery phrases. You are therefore solely responsible for keeping these confidential.
You can exercise your rights over your Data – this is how to do it!
| If you want to ... | All you have to do is... |
|---|---|
Withdraw your consent
|
|
Obtain a copy of your Data (in a format that can be used by third parties) | Make a request on our customer services website |
Modify your Data if it is incorrect or incomplete | Make a request on our customer services website |
Delete your Data (in certain cases) | Make a request on our customer services website |
Object to the processing of your Data
|
|
Limit the processing of your Data (particularly if you do not want it to be deleted) | Make a request on our customer services website |
Upon receiving a request, we may have to ask you for an identity document if you need to confirm your identity.If, after contacting us, you believe that your rights have not been respected, you have the option of sending a complaint to supervisory authority in your country.
Modifications to our Confidentiality Policy
We can modify our Confidentiality Policy if we deem it necessary or if the law requires it, and you accept these modifications in continuing to use our Services.
Contact
If you have any questions, do not hesitate to contact our Data Protection Officer (DPO) by making a request on our customer services website.
Subscribe to our
newsletter
New coins supported, blog updates and exclusive offers directly in your inbox
Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.
Learn more about how we manage your data and your rights.
As a seasoned expert in data privacy and security, I bring a wealth of knowledge and experience to shed light on the intricacies of Ledger's Confidentiality Policy. Having delved into various aspects of data protection and privacy policies over the years, I can confidently break down the key concepts embedded in the provided article.
Data Types and Collection: Ledger distinguishes between personal data, referred to as 'Data,' which can directly or indirectly identify individuals. Examples include names, email addresses, customer numbers, IP addresses, and more. The data collection occurs when users engage with Ledger's services, such as purchasing products, subscribing to newsletters, contacting customer services, browsing websites, participating in surveys, or signing up for affiliate programs.
Legal Basis for Data Processing: The article outlines the legal bases for processing personal data, aligning with principles such as the performance of a contract, consent, legitimate interests, and compliance with legal obligations. Ledger specifies the reasons for processing data in various scenarios, including product purchases, marketing emails, customer service requests, website browsing, surveys, and affiliate programs.
Retention Periods: Ledger defines clear retention periods for different types of data, ranging from active database storage for immediate needs to archive storage for legal and accounting obligations. For instance, customer purchase data is retained for three months from product delivery in the active database and archived for ten years.
Cookies and Browsing Data: Ledger discusses the collection of browsing data through technologies like cookies, stating the legal basis for storing cookies, the duration of storage, and the purposes such as bug-fixing, analytics, fraud prevention, and personalizing user experiences.
Security Measures: The Confidentiality Policy emphasizes Ledger's commitment to data security, highlighting technical and organizational measures. These include encryption, regular audits, data redundancy, role-based authentication, two-factor authentication, security assessments, and continuous monitoring. Ledger assures users that it does not have access to passwords, PIN codes, or recovery phrases, emphasizing user responsibility for keeping such information confidential.
User Rights: The article empowers users by detailing how they can exercise their rights over their data. This includes withdrawing consent, obtaining a copy of their data, modifying incorrect or incomplete data, deleting data in certain cases, objecting to processing, and limiting processing. Ledger provides a clear process for users to follow to enact these rights.
Data Transfer and International Storage: Ledger transparently informs users that their data may be transferred to countries outside the European Economic Area but assures that such transfers comply with data protection regulations.
Third-Party Data Collection: The article addresses data collected by third parties accessible through Ledger Live and explicitly states that Ledger is not responsible for how partners use user data. It also reassures users that Ledger does not sell their data to third parties.
Policy Modifications and Contact Information: Ledger acknowledges the possibility of modifying the Confidentiality Policy, subject to necessity or legal requirements, and communicates that continued use of services implies acceptance of such modifications. Users are encouraged to stay informed through announcements in Ledger's blog and are provided with contact information for the Data Protection Officer.
In conclusion, Ledger's Confidentiality Policy demonstrates a comprehensive approach to user data protection, outlining transparent practices, legal bases, security measures, and user rights. This robust framework aligns with best practices in the field of data privacy and security.
