Ledger states a commitment to protecting personal data and securing user information, though the policy's assurances must be evaluated in the context of the company's 2020 customer database breach.
This analysis describes what Ledger's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Security assurances in a privacy policy are statements of intent and process, not guarantees; Ledger's 2020 breach, in which over one million customer records including home addresses were leaked, is material context for evaluating these assurances.
Interpretive note: The specific security measures, certifications, and technical controls described in the policy were not visible in the truncated document; the security discussion is based on available context and publicly known breach history.
The updated policy removes explicit language stating that Ledger Recover and Ledger Multisig services are excluded from this privacy policy. Previously, users were directed to separate privacy polici…
Ledger removed language explicitly stating that this privacy policy does not cover Ledger Recover and Ledger Multisig services, and eliminated references to dedicated privacy policies for those servi…
Ledger's stated security commitments are relevant background, but customers should be aware that a prior breach in 2020 exposed names, email addresses, phone numbers, and postal addresses of many customers, and that this data was subsequently circulated publicly and used for phishing attacks targeting cryptocurrency holders.
How other platforms handle this
If you would like to opt out of the disclosure of your personal information for purposes that could be considered "sales" for those third parties' own commercial purposes, or "sharing" or processing for purposes of targeted advertising, please visit the following link, which is also available in the...
Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United ...
Client Deletion Requests. In connection with separate regulatory recordkeeping obligations imposed on Wealthfront, we generally must maintain and cannot delete Personal Information associated with our Clients.
Monitoring
Ledger has changed this document before.
"At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it." — Excerpt from Ledger's Ledger Privacy Policy
REGULATORY LANDSCAPE: Data security obligations are imposed by GDPR Article 32 (appropriate technical and organizational measures), and breach notification obligations are set out in GDPR Articles 33-34, requiring notification to the supervisory authority within 72 hours and to affected individuals without undue delay where the breach is likely to result in high risk. The CNIL investigated the 2020 Ledger breach. The FTC Act's reasonable security standard applies to US-facing practices.
GOVERNANCE EXPOSURE: High in historical context. The 2020 breach is a documented, publicly known incident. For current due diligence purposes, the question is whether Ledger has implemented material security improvements since 2020 and whether current security practices meet GDPR Article 32 standards. The policy's general security language does not provide sufficient technical specificity to assess current security posture.
JURISDICTION FLAGS: EU/EEA users have GDPR breach notification rights and can file complaints with the CNIL if they believe security obligations are not met. California residents may have rights under CCPA and California's data breach notification law. US users in states with breach notification laws (all 50 states have some form of breach notification statute) may have notification rights in the event of future incidents.
CONTRACT AND VENDOR IMPLICATIONS: Procurement teams and B2B customers should conduct vendor security assessments before integrating with Ledger's systems. Data processing agreements should specify security standards, audit rights, and breach notification timelines consistent with GDPR Article 28 requirements.
COMPLIANCE CONSIDERATIONS: Legal and compliance teams reviewing Ledger as a vendor or partner should request documentation of current security certifications (such as ISO 27001), penetration testing history, and incident response procedures.
The adequacy of current security measures relative to the sensitivity of the data held (crypto wallet purchase records linked to home addresses) should be independently assessed rather than relying solely on policy language.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ledger.