Last updated on July 28, 2020
Ledger SAS ("Ledger" or "we") regards as of paramount importance the protection and security of individuals’ data. We encourage you to read this policy carefully.
Who are we?
Ledger SAS, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 529 991 119, with a capital of 1 224 265 € whose registered office is located 1 rue du Mail 75002 Paris, France, is the main controller of your personal data processed throughout the use of the Services, as provided by the French Data Protection Act and the Applicable Laws (as defined below).
What are Applicable Laws?
Our Services and the processing of your personal data and other information are performed in accordance with French Law n°78-17 of 6 January 1978 (the “French Data Protection Act”), with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR"), as well as with French and European laws regulating personal data and privacy protection in electronic communications, notably the “ePrivacy” Directive 2002/58/EC (together the "Applicable Laws"), as interpreted by the French Data Protection Authority (the “CNIL”) and by the European Court of Justice (the “ECJ”).
What information do we collect?
Information we process may include personal data.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When you purchase a Ledger product on our website, you may provide information such as your name (first name, last name), your e-mail address, your postal address, your phone number (together your “Contact Details”).
You may also provide our Payment Service Providers (“PSP”) (e.g. Bitpay, Paypal, Flow), with your credit card number and relevant payment information (your “Payment Details”), when you purchase a Ledger Product.
Your Contact and/or Payment Details are processed so we can ensure the smooth running of our contractual relationship: handling your orders and delivering our products, processing invoices and payments, preventing fraud, managing claims and sending you important notifications.
When you sign up to our newsletters or ask to be contacted for a demo, you express your consent to the use of your email address or other Contact Details by Ledger to keep you up-to-date with our latest news, promotions and Ledger community activities, such as product testing and feedback campaigns.
When you contact our Customer Support team for assistance, we will ask for your email or some other Contact Details and we will record the content of our correspondence with you. We may also request that you send formal identification information. This data allows us to answer your query, monitor service quality and compliance, check accuracy of the information you provide us, prevent fraud or provide training for our staff and customer service representatives.
Ledger provides non-custodial services. That means that we do not store, nor do we have access to your crypto assets nor your private keys at any point in time.
We strongly adhere to the data minimization principle set forth under Applicable Laws and endeavor to only process personal data that is strictly necessary for the following legitimate and specific purposes:
- fix bugs and improve the functionality of Ledger products and services
- facilitate your support requests
- investigate and prevent potential security issues, abuse, fraud and breaches
- understand and evaluate the need for additional services and features
- optimize marketing operations (e.g. highlight and educate customers on most used features)
- convey important information to customers (e.g. firmware updates, security warnings, legal notices)
- honor our contractual commitments to selected partners and providers
- meet applicable legal obligations and regulatory requirements
We exclusively process de-identified, aggregate, pseudonymized and anonymized data to support your journey on Ledger Live:
- Usage and bug reporting information such as the version, language, and region registered for your operating system and your Ledger Live app.
- Data related to your activity on Ledger Live such as type of currency, timestamps, transaction amounts and status, page views.
Some services accessible through Ledger Live are partly or fully provided by third parties who may process your information as set forth in their own privacy policies, contractual commitments we have with them or applicable laws.
Some concrete examples:
- In order to gain access to third-party services through Ledger Live, you understand and acknowledge that your location information, including your IP address, may be collected on behalf of and checked by selected partners in order to meet their own AML/KYC requirements.
- When you buy crypto assets via Ledger Live, we or our Payment Service Providers will process your transaction and Payment Data on behalf of our partners in order to complete your trade, facilitate billing and analyze service performance.
- If you are a proof-of-stake service validator featured on Ledger Live, we display your name/pseudonym, delegated balances or any relevant information publicly disclosed by you on the application's interface.
Sensitive and Confidential Data
We will not intentionally collect or maintain, do not want you to provide, and will never ask you for any information regarding medical or health conditions, race or ethnic origin, political opinions, religious or philosophical beliefs nor any other confidential information (e.g. credentials, private keys, PIN code). Please refrain from disclosing to us or to any third party any sensitive personal data relating to you or any other person.
How long do we keep your information?
In accordance with the storage limitation principle set forth under Applicable Laws, we endeavor to retain data for no longer than the time required to achieve and comply with such legitimate and legal purposes, including satisfying any legal, accounting, tax or other compliance reporting requirements.
We may archive some of your personal data, with restricted access, for an additional period of time when it is strictly necessary for us to comply with our legal and/or regulatory archiving obligations and for the applicable statute of limitation periods. At the end of this additional period, your remaining personal data will be permanently erased or anonymized from our systems.
- Where cookies or other technical tracking technologies are placed on your computer or when we process your Browsing Data, we keep them for as long as necessary to achieve their purposes (e.g. for the duration of a session for session ID cookies) and for a maximum period defined in accordance with Applicable Laws.
- If you contact us as part of an enquiry, we keep your personal data, notably your Contact Details, for as long as necessary to process your enquiry.
- If you purchased a product or a service from us, we may retain some transactional data attached to your Contact Details to comply with our legal, tax or accounting obligations for a maximum period of 10 years set forth by French applicable laws, as well as to allow us to manage our rights (for example to assert our claims in Courts) during applicable French statutes of limitations.
Who may we share your information with?
We may also transmit some of your data to third parties such as payment services, infrastructure, logistics, and other service providers.
In certain circumstances and only where required by Applicable Laws, we may disclose some of your data to competent administrative or judicial authorities or any other authorized third party.
What are your rights regarding your personal data?
You can withdraw your consent to receiving our marketing emails by clicking on the “Unsubscribe” link at the bottom of the emails we send you.
You have the right to request access to the personal data we retain about you, their rectification or erasure, as well as the right to request the restriction of the processing or to object to the processing of your personal data.
You also have the right to request a copy, in an interoperable format (right to your data “portability”), of the personal data that you have provided to us for the performance of a contract with us or under your sole consent.
Finally, French data subjects also have the right to set general or specific guidelines regarding the fate of their personal data in the event of death and to change them at any time. They have the option to register such guidelines with a digital trusted third party certified by the French data protection authority.
If you object to the processing or ask for the erasure of your personal data by Ledger, we shall acknowledge the receipt of your request and, within a maximum one month period, we shall stop processing your personal data or erase it from our IT systems, except where Ledger has legitimate and compelling grounds for processing, or for the purpose of ascertaining, exercising or defending its legal rights in accordance with the Applicable Laws. If necessary, Ledger shall inform you of the legal grounds and reasons why your request could not be satisfied in whole or in part.
To exercise any of the above-mentioned rights, please send us a request using the below Contact Information. We will take steps to verify your identity, to ensure, with a reasonable degree of certainty, that you are at the origin of the data subjects’ right request. When feasible, we will match personal data provided by you in submitting a request to exercise your rights with other information already maintained by Ledger; this could include matching two or more data points you provide us. In some instances, when the matching cannot establish your identity, we can request you to provide a copy of a formal identification document.
If you wish to access, correct, modify or delete the personal information we have about you, object to their processing, exercise your right to portability, file a complaint, exercise any of the above-mentioned rights or simply obtain more information about the use of your personal data, please contact Ledger and its Data Protection Officer.
Ledger will endeavor to find a satisfactory solution to ensure compliance with the Applicable Laws.
In the absence of a response from Ledger or if you are not satisfied by Ledger’s response or proposal or at any moment, you have the ability to lodge a complaint before the CNIL (the French data protection authority) or with the supervisory authority of the Member State of the European Union of your country of residence.
How do we secure personal data?
In order to ensure the integrity and confidentiality of your personal data, we implement appropriate physical, electronic and organizational procedures to safeguard and secure personal data throughout our Services.
In particular, Ledger implements necessary technical and organizational measures, in order to ensure the security and confidentiality of your personal data collected and processed, and particularly, to prevent your personal data from being distorted, damaged or communicated to unauthorized third parties, by ensuring an appropriate level of security with regards to the risks associated with the processing and the nature of the personal data to be protected.
We notably implement the following security measures, among others:
- Payment Data security: If you provide us with credit card information, such information is encrypted using the Transport Layer Security (TLS) protocol and sent directly to our Payment Service Provider (PSP). This information is never stored on our server.
- Awareness program and employee training
- Data encryption in transit and at rest
- Data centers routinely audited
- Data redundancy for resilience in case of disasters
- Role-based authentication
- Two-factor authentication of our authorized employees
- Continuous system monitoring
- Industry-standard security evaluations
- Independent third-party security reviews and penetration tests
While we endeavor to provide best-in-class protection for your personal data when you use our Services, please keep in mind that the transmission of information on the Internet is not fully secure.
You remain responsible for keeping your personal credentials, passwords, PIN codes, Payment Data and recovery phrases confidential and secure, as Ledger does not have access to that information.
How do we transfer your personal data outside of the EEA?
Personal data that we collect from you may be stored and processed in, and transferred to, countries outside the European Economic Area (EEA). For example, this could happen if our servers are located in a country outside the EEA or if one of our service providers is located in a country outside the EEA. These countries may not have data protection laws equivalent to those in force in the EEA.
If we transfer personal data outside the EEA this way, we will take the necessary steps to ensure that your personal data continues to be protected in compliance with the Applicable Laws, notably by only transferring your personal data to businesses established in countries recognized by the European Commission as providing an adequate level of protection for your personal data or to organizations with whom we have entered into contractual arrangements to ensure an appropriate protection of your personal data, including the European Commission standard contractual clauses or that commit themselves to applying a code of conduct or a certification mechanism validated by the competent European authorities.
Please note that in light of the “Schrems II” European Court of Justice decision (C-311/18) released on July 16, 2020, invalidating amongst other things the so-called “EU-US Privacy Shield arrangement”, Ledger is currently reviewing and analyzing, and will apply, guidelines of the European Data Protection Board as of July 24, 2020, in order to appropriately keep on ensuring an adequate level of protection of your privacy and your personal data processed by our service providers established in the USA or outside of the European Economic Area and relying on their Privacy Shield certifications as monitored by the US Federal Trade Commission. We are confident that Ledger’s long-standing security and privacy culture will enable us to identify and apply appropriate solutions to continue serving our clients globally and on both sides of the Atlantic with trust and security and without interruption.
For more information on the safeguards put in place, please contact us.
Unless otherwise agreed, no delay, act or omission by a party in exercising a right or remedy will be deemed a waiver of such right, or of another right or remedy.
In the event Ledger is the subject of a corporate transaction such as an acquisition or merger with another company, your information may be transferred to the new owners so that we can continue to provide our Services to you. We will, in any case, take steps to protect your privacy.
Ledger SAS, Paris, France