Privacy Policy
Effective May 3, 2026 · Last updated May 3, 2026
This is the privacy policy for Ledge, a mobile personal finance tracker for iOS and Android, published by Tej Orugonda (sole developer). When this policy says "we", it means Tej Orugonda.
The hosted version of this policy lives at https://tejorugonda.com/ledge/privacy.
Summary
Ledge stores all your financial data on your device. We have no servers, no user accounts, no analytics, no advertising SDKs, and no tracking. The app makes one routine network call (currency exchange rates) and a second one only if you make a purchase (the in-app purchase flow). The rest of this document is the detail behind those claims.
What we collect on our servers
Nothing. We do not operate any servers.
Your transactions, accounts, currencies, exchange rates, categories, and app settings are stored only in a SQLite database file inside the app's private storage on your device. Nothing about this database is sent anywhere as part of normal app use.
We have no user accounts, no logins, no email collection, no signup. The app is usable the moment you install it.
What stays on your device
The app stores the following locally, in its private app storage:
- Accounts (name, type, currency, balance)
- Transactions (amounts, dates, categories, descriptions, accounts involved, exchange rate snapshots)
- Currencies and any custom or named exchange rates (e.g. Blue Dollar, CCL, MEP)
- Categories (default and custom)
- App settings (theme, master currency, onboarding flag, etc.)
- A diagnostic log file (
ledge.log, capped at 1 MB), described below
If you uninstall the app, your operating system deletes this data with it. We cannot recover it because we never had it.
What leaves your device
Three things can leave the device, only in the situations below.
1. Currency exchange rates (ExchangeRate-API)
When the app refreshes exchange rates, it makes an HTTPS GET request to
open.er-api.com, operated by ExchangeRate-API. The URL contains your master
currency code (for example USD, INR, ARS). It contains
no identifiers, no user data, and no app-set headers.
As with any HTTPS request, your IP address is visible to the provider as a standard part of the network protocol. ExchangeRate-API's terms and privacy information are at https://www.exchangerate-api.com/terms.
This is the only routine network call the app makes. It happens periodically while the app is open if your rates are stale.
2. In-app purchases (RevenueCat + Apple App Store / Google Play)
If you tap "Upgrade to Pro" and complete a purchase, the in-app purchase is processed by Apple App Store or Google Play (the platform you bought it on) and routed through RevenueCat, our IAP infrastructure provider.
To process and restore purchases, RevenueCat's SDK receives:
- An anonymous app user ID generated on your device by RevenueCat (a string that looks like
$RCAnonymousID:...). We do not associate any personal information with it. - Platform-level device identifiers used by Apple and Google for IAP (for example iOS Identifier for Vendor, Android app-set ID).
- Store transaction details (purchase token or transaction ID, product, timestamp, country, currency, price).
- Basic device and app metadata that RevenueCat's SDK collects (operating system and version, device model, app version).
RevenueCat uses this data to validate purchases, support "Restore Purchases", and report entitlement status back to the app. Apple App Store or Google Play receive whatever they normally receive for any in-app purchase made on their platform.
We do not pass your name, email address, or any other contact information to RevenueCat. We do not have those things.
RevenueCat's privacy policy is at https://www.revenuecat.com/privacy. Apple's is at https://www.apple.com/legal/privacy/. Google's is at https://policies.google.com/privacy.
If you never make a purchase, none of this happens.
3. Diagnostic log (only if you choose to share it)
The app keeps a small local log file at the app's private storage path. It is named
ledge.log, capped at 1 MB, with single-file rotation (the previous log becomes
ledge.log.1 when the cap is hit). It records warnings and errors as one-line
entries with a timestamp, level, and short tag (for example, an exchange-rate fetch that
timed out, or a database migration error). It exists so we can help you diagnose a problem
if you choose to share it.
The log is written only on your device. It is never uploaded, never sent to us, and never accessed remotely. The only way it leaves your device is if you tap Settings → Export diagnostic log, which opens your operating system's share sheet so you can send the file yourself (email, Files, AirDrop, etc.). You choose the destination. We do not.
By design, the log does not contain transaction amounts, account names, transaction descriptions, or other personal financial content. It records only short technical messages. If you want to inspect it before sharing, open the exported file in any plain-text editor.
Third parties
This is the complete list of third parties involved:
| Service | What they receive | When | Why |
|---|---|---|---|
ExchangeRate-API (open.er-api.com) |
Your IP address and a base currency code | On rate refresh | Provides daily exchange rates |
| RevenueCat | Anonymous purchase and device metadata (see section 2) | Only if you make or restore an in-app purchase | In-app purchase validation and restore |
| Apple App Store or Google Play | Whatever they collect for any IAP on their platform | Only if you make or restore an in-app purchase | Payment processing |
| Your chosen recipient | Whatever you decide to send | Only if you export the diagnostic log or CSV | Your choice |
We do not use any analytics, crash-reporting, attribution, advertising, or tracking SDK. To be specific, the app does not include Google Analytics or Firebase Analytics, Sentry, Crashlytics, Bugsnag, Mixpanel, Amplitude, AppsFlyer, Adjust, Branch, the Meta SDK, the TikTok SDK, or any equivalent.
We do not sell, rent, or share data for advertising. The app does not show ads.
What the app does not collect
The app does not request, transmit, or use:
- Your name, email address, phone number, or any contact information
- Your location (the app does not request location permission)
- Your contacts, photos, files outside its own storage, microphone, or camera
- The advertising identifier (IDFA on iOS, AAID on Android). The app does not show the App Tracking Transparency prompt.
- Your browsing history, search history, or any other network activity beyond the calls described above
Children's privacy
Ledge is not directed to children under 13 (or under 16 in the European Union and United Kingdom, depending on the standard in your country). We do not knowingly collect personal data from children. If you believe a child has used the app and you have a concern, contact us at the address below.
Data retention and your rights
Because your data is on your device and not on our servers, the standard data rights work as follows:
- Access: open the app. That is the data.
- Export: Settings → Export CSV (a Pro feature) produces a portable file of all your transactions. Settings → Export diagnostic log exports the local log file.
- Correction: edit any account, transaction, currency, rate, or category directly in the app.
- Delete: delete individual records inside the app, or uninstall the app to remove the entire database from your device.
Where local laws (such as the GDPR in the EU/UK, the CCPA in California, or India's DPDP Act) give you rights to request access, correction, or deletion of personal data held by a controller, we do not hold any personal data about you on our infrastructure. There is nothing for us to look up or delete on your behalf.
Requests about data held by RevenueCat, Apple, or Google should be made to those companies under their respective privacy policies.
Security
Your data lives in the app's private storage, which iOS and Android isolate from other apps. We rely on the operating system's standard sandboxing for at-rest protection. Network calls (exchange-rate fetch and in-app purchase) use HTTPS.
We do not add a separate encryption key on top of the SQLite database file. Operating-system device encryption is what protects it at rest. If you want stronger protection, enable a device passcode and full-disk encryption (default on modern iOS and Android).
International users
Ledge is built for users in any country, including users with accounts in multiple countries (for example, INR savings in India, ARS cash in Argentina, USD investments anywhere). The app functions identically regardless of where you are. The data flows described above are the same in every region.
Changes to this policy
If we change this policy, we will update the "Last updated" date at the top of this page and publish the new version at the same URL. Substantive changes (a new third party, new data leaving the device, a change in what is collected) will be called out in the app release notes for the version that introduces the change.
Contact
Ledge is built and maintained by Tej Orugonda (sole developer).
- Email: tejdeepsai@gmail.com
- Website: https://tejorugonda.com
For privacy questions, write to the email above. For purchase support, you can also use the standard refund flow on Apple App Store or Google Play.