What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR as the primary framework given Ledger SAS's French incorporation, with the CNIL (Commission Nationale de l'Informatique et des Libertes) as the lead supervisory authority for EU matters. For California residents, the CCPA applies and the policy is expected to include rights to know, delete, and opt out of sale. UK GDPR applies to UK residents following Brexit. Cross-border data transfers outside the EEA are disclosed as occurring, with Standard Con…

How does Ledger's Ledger Privacy Policy affect users?

The policy establishes that customers' identifying information, including postal address and purchase history, are collected and retained in linked form within Ledger's systems. The terms authorize data sharing with third-party service providers (logistics, analytics, and payment services) and permit transfers to jurisdictions outside the EEA under Standard Contractual Clauses. Customers may submit requests to Ledger's data protection officer to access, correct, or request deletion of personal …

How often is Ledger's Ledger Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Ledger updates this document?

Yes. Watcher subscribers ($9.99/month) can add Ledger to their watchlist and receive same-day email alerts whenever this document or any other Ledger document changes.

CA-D-000278

Ledger Privacy Policy

Ledger

Last change detected April 19, 2026 Privacy policy

SHA-256: 696c14707cb7e4712e4… 6 versions captured 3 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Ledger ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

7 Total

0 High severity

6 Medium severity

1 Low severity

Summary

This document establishes Ledger's data collection, processing, and retention practices for customers purchasing hardware wallets or using Ledger Live software. The policy specifies that personal data collected includes name, email address, postal address, and device usage information, which are linked within Ledger's systems and shared with logistics providers, analytics vendors, and payment processors. The policy authorizes international data transfers outside the EEA and establishes procedures for data subject requests regarding access, correction, and deletion of personal data.

Technical / Legal Breakdown

This document is Ledger's privacy policy governing the collection, use, and sharing of personal data across Ledger's hardware wallet products, the Ledger Live application, and associated services, with Ledger SAS (a French company) acting as data controller under GDPR as the stated legal basis for EU-facing operations. The policy states that Ledger collects identifiers (name, email, postal address, IP address), purchase and transaction data, device usage data, and technical diagnostics, and the terms authorize sharing this data with service providers, logistics partners, and third-party analytics providers for purposes including order fulfillment, fraud prevention, and marketing. A notable operational characteristic is that the policy applies to a company whose customers are cryptocurrency hardware wallet users, meaning the intersection of purchase data, shipping addresses, and device usage data carries elevated sensitivity given that such data could indicate ownership of significant digital assets, creating a risk profile that may exceed that of a typical e-commerce privacy policy. The policy engages GDPR (Ledger SAS is headquartered in Paris, France, making the CNIL the primary supervisory authority), the California Consumer Privacy Act for US residents, and potentially the UK GDPR post-Brexit for UK customers; the policy discloses data transfers outside the EEA and states that appropriate safeguards such as Standard Contractual Clauses are used. Compliance teams should note that Ledger experienced a significant customer data breach in 2020 in which names, email addresses, phone numbers, and postal addresses of over one million customers were leaked, making the adequacy of the security measures described in this policy a material due diligence consideration.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

3 important changes detected

6 versions captured · Last updated: April 2026

April 19, 2026

high

What changed Ledger substantially rewrote its privacy policy on April 19, 2026, removing 188 sentences while adding only 11 new ones. The updated policy is shorter and restructured, with the opening section reorganized and language about policy updates and service exclusions removed. Notably, the policy no longer explicitly mentions that Ledger Recover and Ledger Multisig services are not covered by this privacy policy, and no longer directs users to separate privacy policies for those services.

Why this matters The updated policy removes explicit language stating that Ledger Recover and Ledger Multisig services are excluded from this privacy policy. Previously, users were directed to separate privacy policies for those services; that direction is now absent. This creates ambiguity about whether this policy now covers those services or whether separate policies still apply. The dramatic reduction in policy length (from 224 to 36 sentences) suggests substantial content was removed, though the specific implications depend on what other sections were condensed or eliminated. You should review the full updated policy to confirm what data practices and service exclusions remain in effect for all Ledger services you use.

View full change record →

April 3, 2026

low

What changed Ledger's privacy policy was updated on April 3, 2026 with a minor formatting change to the section heading 'With whom do we share your data?' The word 'Discover' was added before the heading, changing it to 'Discover With whom do we share your data?' This appears to be a stylistic or navigational enhancement rather than a substantive change to what data Ledger shares or with whom.

Why this matters This change is a formatting or stylistic update to a privacy policy section header and does not alter what data Ledger shares, with whom it shares that data, or your rights to control your information. The underlying data-sharing policies and practices remain unchanged.

View full change record →

April 2, 2026 medium

Ledger significantly restructured its privacy policy on April 2, 2026, removing 188 sentences and adding 11 new ones. The policy now opens with 'Your privacy, our priority' instead of a …

View change record →

Medium — 6 provisions

Personal Data Collection Scope Compare →

Ledger collects personal information including your name, email address, postal address, purchase history, device usage data, and technical diagnostics when you buy products or use Ledger Live.

Added May 10, 2026 Standard Seen across 251 platforms
Third-Party Data Sharing Compare →

Ledger shares your personal data with third-party service providers including logistics companies, payment processors, and analytics platforms to fulfill orders and improve its services.

Added May 10, 2026 Standard Seen across 246 platforms
International Data Transfers Compare →

Ledger transfers personal data outside the European Economic Area to countries that may not have equivalent data protection laws, using Standard Contractual Clauses as the stated legal mechanism to protect those transfers.

Added April 3, 2026 Standard Seen across 246 platforms
User Rights Under GDPR and CCPA Compare →

Ledger states that users have rights to access, correct, delete, and port their personal data, and EU users can object to or restrict processing; these rights can be exercised by contacting Ledger's data protection team.

Added May 10, 2026 Standard Seen across 262 platforms
Data Security and Breach History Context Compare →

Ledger states a commitment to protecting personal data and securing user information, though the policy's assurances must be evaluated in the context of the company's 2020 customer database breach.

Added May 10, 2026 Standard Seen across 262 platforms
Legal Basis for Processing Under GDPR Compare →

Ledger relies on multiple legal bases for processing personal data under GDPR, including contract performance for order fulfillment, legitimate interests for fraud prevention and analytics, and consent for marketing communications and non-essential cookies.

Added May 10, 2026 Standard Seen across 262 platforms

Low — 1 provision

Cookie and Analytics Tracking Compare →

Ledger uses cookies and analytics tools (including via OneTrust consent management) to track user behavior on its website and in Ledger Live, with some tracking subject to user consent.

Added May 10, 2026 Standard Seen across 251 platforms

Monitoring

Ledger has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle 2020 Data Breach Disclosure and similar clauses.

Compare across platforms →