Privacy Policy.

Ledger Bytes is a group of affiliated companies under common ownership, operating under the collective brand "Ledger Bytes Group". This Privacy Policy applies to the ledgerbytes.com, ledgerbytes.tech and ledgerbytes.ai websites and to personal data the group processes in the course of its business.

Because the group is made up of separate companies, the entity that is the controller of your personal data — the company that decides why and how it is processed — depends on the website you use and the company you engage. The position is as follows:

For general questions, to raise a privacy request, or where you are unsure which company holds your data, you can use a single point of contact: privacy@ledgerbytes.com. We will route your request internally to the correct controller.

Ledger Bytes Ltd (United Kingdom) acts as the group’s contact and handling entity for individuals in the United Kingdom and the European Economic Area (EEA). Ledger Bytes LLC (USA) coordinates privacy governance for the group as a whole.

EU representative. The group does not have an establishment in the European Union. Where the EU General Data Protection Regulation applies to our processing, our EU representative under Article 27 can be contacted at the address published with this policy. [EU representative details to be inserted on appointment.]

We collect and process the following categories of personal data:

• Identity and contact data — name, job title, employer or organisation, business email address and business telephone number.
• Enquiry and engagement data — the content of your enquiry, the commercial intent you select, project context you provide, and records of our correspondence and meetings with you.
• Contract and relationship data — information needed to negotiate, enter into and perform contracts, including billing and point-of-contact details (we are a business-to-business provider and do not knowingly process consumer financial account data through these websites).
• Technical and usage data — IP address, device and browser type, approximate location derived from IP, pages viewed, referring pages and similar analytics data, collected through cookies and similar technologies (see our Cookie Policy).
• Recruitment data — where you apply for a role or express interest in working with us, the information contained in your application and CV.

We do not seek to collect special categories of data (such as health, biometric or political data) through these websites. Please do not submit such information to us unless we have specifically requested it for a defined and lawful purpose.

We collect personal data:

• directly from you — when you complete an enquiry form, email us, speak with our team, enter into a contract, or apply for a role;
• automatically — when you use our websites, through cookies and similar technologies; and
• from third parties and public sources — such as business networking platforms, our professional contacts, referral partners and publicly available company information, where this is relevant to a potential or existing business relationship.

Where the UK GDPR or EU GDPR applies, we rely on the following lawful bases. Where another law applies, we process your data on an equivalent legal basis recognised by that law.

Where we rely on legitimate interests, we have considered and balanced those interests against your rights and freedoms. You may ask us for more information about that assessment using the contact details below. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.

Our websites use cookies and similar technologies to function, to understand how the sites are used, and — only with your consent — for analytics and marketing. Non-essential cookies are set only after you consent through our cookie banner. Full details, categories and your choices are set out in our separate Cookie Policy.

We do not sell or rent your personal data. We share it only as necessary, with the following categories of recipient:

• Group companies — the affiliated Ledger Bytes companies listed above, where needed to route your enquiry, coordinate a multi-disciplinary engagement, or administer the group, under an intra-group data-sharing arrangement;
• Service providers (processors) acting on our instructions — including cloud hosting and infrastructure providers, customer-relationship-management and email tools, website analytics, communications and productivity tools, and IT security providers;
• Professional advisers — lawyers, accountants, auditors and insurers, where reasonably required;
• Authorities and other parties — regulators, courts, law-enforcement and government bodies where we are required or permitted to disclose, and parties to a corporate transaction (such as a merger, financing or restructuring) under appropriate confidentiality protections.

We require our processors to protect your data and to process it only as instructed, under written contracts that meet applicable data-protection requirements.

We operate across the United States, the United Kingdom and the United Arab Emirates, so your personal data may be transferred to, and processed in, countries other than your own — including by the group companies listed above and by our service providers.

Where we transfer personal data out of the United Kingdom or the EEA to a country that is not the subject of an adequacy decision, we put appropriate safeguards in place — principally the UK International Data Transfer Agreement (or the UK Addendum to the European Commission’s Standard Contractual Clauses) and the EU Standard Contractual Clauses, together with any supplementary measures required following a transfer risk assessment.

You may request a copy of the relevant safeguard, or information about it, using the contact details below.

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, tax or reporting requirements. In general:

• Enquiries that do not become engagements — retained for a limited period to follow up and for our legitimate business records, then deleted or anonymised;
• Client and contract records — retained for the duration of the relationship and for the period required afterwards to meet legal, tax and limitation-period requirements;
• Marketing data — retained until you opt out or your consent lapses, after which it is suppressed or deleted;
• Website and analytics data — retained for the period set out in our Cookie Policy.

Specific retention periods are set out in our internal retention schedule, which we will summarise on request.

We maintain technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or loss — including access controls, encryption in transit, segregation of environments and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and to detect and respond to incidents. You can read more about our security posture and assurance status in our Trust Centre.

Subject to the law that applies to you, you have rights in relation to your personal data. Under the UK and EU GDPR these include the right to:

• be informed about how your data is used (this policy);
• access a copy of your personal data;
• have inaccurate data corrected;
• have your data erased in certain circumstances;
• restrict our processing in certain circumstances;
• data portability — receive certain data in a portable format;
• object to processing based on legitimate interests, and to direct marketing at any time;
• withdraw consent where we rely on it; and
• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

Equivalent rights apply under the UAE Personal Data Protection Law and under US state privacy laws (see the annexes below).

To exercise any of your rights, contact us at privacy@ledgerbytes.com. We may need to verify your identity before responding. We will respond within the time required by the law that applies to you — under the UK and EU GDPR, normally within one month, which we may extend for complex requests by letting you know.

If you are in the UK or EEA and are unhappy with how we have handled your data, you may complain to a supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk); in the EEA, your local data-protection authority. We would, however, appreciate the chance to address your concerns first.

Our websites and services are directed at businesses and professionals, not at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. The routing indication shown on our enquiry forms is illustrative only; a member of our team reviews and handles every enquiry.

Our websites may link to third-party sites and services that we do not control. This policy does not apply to those sites, and we encourage you to read their privacy notices.

We may update this policy from time to time to reflect changes in our practices or in the law. We will post the updated version on this page and update the effective date and version below. Where changes are significant, we will take reasonable steps to bring them to your attention.

For any question about this policy or your personal data:

• Email: privacy@ledgerbytes.com
• UK and EEA individuals: Ledger Bytes Ltd (United Kingdom), as group contact and handling entity;
• EU representative (Article 27): [details to be inserted on appointment];
• Group privacy coordination: Ledger Bytes LLC (Wyoming, USA).