Ledger · Ledger Privacy Policy

Data Security and Breach History Context

Medium severity · Low confidence · Inferred from context · Unique · 0 of 343 platforms
Document Record

What it is

Ledger states a commitment to protecting personal data and securing user information, though the policy's assurances must be evaluated in the context of the company's 2020 customer database breach.

This analysis describes what Ledger's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Security assurances in a privacy policy are statements of intent and process, not guarantees; Ledger's 2020 breach, in which over one million customer records including home addresses were leaked, is material context for evaluating these assurances.

Interpretive note: The specific security measures, certifications, and technical controls described in the policy were not visible in the truncated document; the security discussion is based on available context and publicly known breach history.

Recent Activity

This document changed recently

High Apr 19, 2026

The updated policy removes explicit language stating that Ledger Recover and Ledger Multisig services are excluded from this privacy policy. Previously, users were directed to separate privacy policies for those services; that direction is now absent. This creates ambiguity about whether this policy now covers those services or whether separate policies still apply. The dramatic reduction in policy length (from 224 to 36 sentences) suggests substantial content was removed, though the specific implications depend on what other sections were condensed or eliminated. You should review the full updated policy to confirm what data practices and service exclusions remain in effect for all Ledger services you use.

Medium Apr 2, 2026

Ledger removed language explicitly stating that this privacy policy does not cover Ledger Recover and Ledger Multisig services, and eliminated references to dedicated privacy policies for those services. This creates ambiguity about whether those services are now governed by the main privacy policy or whether separate policies exist but are no longer disclosed in this document. If you use Ledger Recover or Ledger Multisig, you should review the privacy disclosures for those specific services directly, as it is no longer clear from the main privacy policy whether separate protections apply.


Clause Stability: Stable

  • Changes: 0
  • Months Monitored: 3
  • First Seen: May 10, 2026
  • Last Seen: May 22, 2026

This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

Ledger's stated security commitments are relevant background, but customers should be aware that a prior breach in 2020 exposed names, email addresses, phone numbers, and postal addresses of many customers, and that this data was subsequently circulated publicly and used for phishing attacks targeting cryptocurrency holders.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    If you are concerned about data security, submit a data erasure request to Ledger's data protection team. State your name, account email, and request deletion of all personal data including shipping address and purchase records.

How other platforms handle this

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

Grindr Medium

Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.


Original Clause Language

"At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it."

— Excerpt from Ledger's Ledger Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Data security obligations are imposed by GDPR Article 32 (appropriate technical and organizational measures), and breach notification obligations are set out in GDPR Articles 33-34, requiring notification to the supervisory authority within 72 hours and to affected individuals without undue delay where the breach is likely to result in high risk. The CNIL investigated the 2020 Ledger breach. The FTC Act's reasonable security standard applies to US-facing practices.

GOVERNANCE EXPOSURE: High in historical context. The 2020 breach is a documented, publicly known incident. For current due diligence purposes, the question is whether Ledger has implemented material security improvements since 2020 and whether current security practices meet GDPR Article 32 standards. The policy's general security language does not provide sufficient technical specificity to assess current security posture.

JURISDICTION FLAGS: EU/EEA users have GDPR breach notification rights and can file complaints with the CNIL if they believe security obligations are not met. California residents may have rights under CCPA and California's data breach notification law. US users in states with breach notification laws (all 50 states have some form of breach notification statute) may have notification rights in the event of future incidents.

CONTRACT AND VENDOR IMPLICATIONS: Procurement teams and B2B customers should conduct vendor security assessments before integrating with Ledger's systems. Data processing agreements should specify security standards, audit rights, and breach notification timelines consistent with GDPR Article 28 requirements.

COMPLIANCE CONSIDERATIONS: Legal and compliance teams reviewing Ledger as a vendor or partner should request documentation of current security certifications (such as ISO 27001), penetration testing history, and incident response procedures. The adequacy of current security measures relative to the sensitivity of the data held (crypto wallet purchase records linked to home addresses) should be independently assessed rather than relying solely on policy language.


Applicable agencies

  • FTC
    The FTC has authority to pursue enforcement actions against companies that fail to implement reasonable data security practices, applicable to Ledger's US customer data handling.

Applicable regulations

  • Connecticut Data Privacy Act Amendments (US-CT)
  • FTC Act Section 5 (United States Federal)
  • GDPR (European Union)
  • Indiana Consumer Data Protection Act (US-IN)
  • Kentucky Consumer Data Protection Act (US-KY)
  • Universal Opt-Out Mechanism Expansion 2026 (US)

Provision details

Document information
  • Document: Ledger Privacy Policy
  • Entity: Ledger
  • Document last updated: May 5, 2026

Tracking information
  • First tracked: April 27, 2026
  • Last verified: May 10, 2026
  • Record ID: CA-P-008448
  • Document ID: CA-D-00278

Evidence Provenance
  • Content hash (SHA-256): 9a6fc1c6566c5db4f79f71e6b92bfb73f8160ea24b52ecc228c23699f2fbc16b
  • Analysis generated: April 27, 2026 15:33 UTC
  • Evidence: ✓ Snapshot stored   ✓ Hash verified

Citation Record
Entity: Ledger
Document: Ledger Privacy Policy
Record ID: CA-P-008448
Captured: 2026-04-27 15:33:24 UTC
SHA-256: 9a6fc1c6566c5db4…
URL: https://conductatlas.com/platform/ledger/ledger-privacy-policy/data-security-and-breach-history-context/
Accessed: June 28, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification
  • Severity: Medium
Categories


Frequently Asked Questions

Is ConductAtlas affiliated with Ledger?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ledger.