Privacy Policy

The Short Version

Leo Ledger is a privacy-first personal finance app. Your financial data never leaves your device. We don't run servers, we don't collect analytics, we don't track you, and we never see your data. There is no account to create and no data to breach.

Data We Do Not Collect

We want to be explicit about what we never collect:

• Bank account numbers, credentials, or login information
• Account balances, net worth, income, or any financial figures
• Names, email addresses, phone numbers, or other personal identifiers
• Location data, device identifiers, or advertising IDs
• Usage analytics, crash reports, or telemetry of any kind
• Biometric data (Face ID / Touch ID authentication is handled entirely by your device's secure enclave)

Data Stored On Your Device

All data you enter into Leo Ledger is stored locally on your device using Apple's SwiftData framework. This includes:

• Financial data: Account names, balances, snapshots (check-in history), income entries, recurring expenses, event budgets, and goals
• Credit score entries: Self-reported credit scores you choose to track
• App preferences: Check-in cadence, appearance settings, notification preferences, achievement progress, and XP level
• Draft data: Temporary check-in drafts preserved for up to 24 hours if you leave mid-flow

This data exists only on your device. There is no cloud database, no server backup, and no sync service. If you delete the app, your data is permanently removed.

Encrypted File Sharing

Leo Ledger allows you to export your data as an encrypted .ledger file for sharing with a partner or for personal backup. These files are:

• Encrypted with AES-256-GCM via Apple's CryptoKit framework
• Key derived using PBKDF2-SHA256 with 100,000 iterations and a random salt
• Protected by a password you choose — we never see or store this password
• Shared only when you explicitly choose to export and send the file

The contents of exported files include your account names, balances, and snapshot history. We have no ability to decrypt these files.

In-App Purchases

Leo Ledger offers optional paid modules via Apple's StoreKit framework. When you make a purchase:

• The transaction is processed entirely by Apple
• We receive a cryptographic receipt confirming your purchase — not your payment details
• Apple's own privacy policy governs how they handle payment data

We do not operate our own payment system and have no access to your credit card, Apple ID, or billing information.

Notifications

Leo Ledger uses local notifications only to remind you about upcoming check-ins and payment due dates. These notifications are scheduled on your device and do not involve any server. We do not use push notification services or send any data to external notification providers.

Biometric Authentication

If you enable Face ID or Touch ID to lock the app, authentication is handled entirely by Apple's LocalAuthentication framework and your device's secure enclave. Leo Ledger never accesses, processes, or stores biometric data. We only store a boolean preference indicating whether you've enabled the lock.

Third-Party Services

Leo Ledger contains no third-party SDKs, analytics frameworks, advertising networks, or tracking tools. The app is built entirely with Apple's native frameworks: SwiftUI, SwiftData, CryptoKit, StoreKit, LocalAuthentication, and UserNotifications. There are no network calls to any server — ours or anyone else's.

iCloud Sync

iCloud sync is currently disabled. All data is stored locally on your device only. If iCloud sync is added in a future update, it will be opt-in, use Apple's CloudKit framework with end-to-end encryption where available, and will be clearly disclosed in an updated version of this policy.

Children's Privacy

Leo Ledger is not directed at children under 13. Since we do not collect any personal information, there is no data to manage under COPPA or similar regulations. The app does not require an account or any identifying information to use.

Changes to This Policy

If we make material changes to this privacy policy, we will update the "Last updated" date at the top and, where appropriate, notify users through the app. Since we do not collect email addresses or contact information, in-app notice is the primary method of communication.