Privacy Policy

Last updated: 2026-05-30

This privacy notice explains how STERLING ORIGIN LIMITED handles personal data when you use LedgerCapture. Where a signed customer agreement or data processing addendum sets stricter controls, that signed document takes priority.

1. Data controller

2. Data we collect

We collect only the data needed to run the service and support accountable evidence workflows:

  • Identity and account data, such as name, work email, organisation, and role.
  • Operational evidence data, such as records, photos, timestamps, signatures, and project context.
  • Billing contact and payment-provider reference data needed to manage package purchases.
  • Device and security data, such as IP address, browser version, app build, and session metadata.
  • Service diagnostics, such as crash and error telemetry needed for support and reliability.

3. Why we process data

We process personal data to:

  • Authenticate users and enforce role-based access boundaries.
  • Create, review, and store project records and related evidence.
  • Support invitation flows, organisation membership, and project assignment.
  • Manage package checkout, recurring billing, receipts, invoices, and payment recovery.
  • Operate the platform securely, investigate incidents, and prevent misuse.
  • Meet contractual, legal, and regulatory obligations where they apply.

Our legal bases are contract performance, legitimate interests, legal obligation, and consent where consent is explicitly requested.

4. How data is shared

We share data on a need-to-know basis:

  • With authorised users inside the same customer organisation.
  • With infrastructure and delivery processors used to operate the service, including Microsoft Azure, Auth0, SendGrid, and Sentry.
  • With Stripe where payment processing, hosted invoices, receipts, and billing portal access are used.
  • With integration partners only when a customer enables that integration.
  • With authorities where disclosure is required by law or valid legal process.

5. UK residency and international transfers

LedgerCapture is operated on UK-hosted Azure infrastructure for the current service environments. Any production residency commitment is confirmed through the applicable customer agreement and deployment handoff. Some supporting processors may handle limited identity, delivery, billing, or telemetry data outside the UK. Where that happens, we use contractual and operational safeguards appropriate to UK GDPR requirements.

6. Retention and deletion

We retain data only as long as needed for service delivery, contractual requirements, legal obligations, and defensible audit history. Retention windows are set by customer agreements and operational policy.

Where deletion is requested and legally permitted, we remove or anonymise data in line with active retention and legal-hold constraints.

7. Your rights

Subject to applicable law, you may request:

  • Access to your personal data.
  • Correction of inaccurate data.
  • Deletion or restriction in permitted circumstances.
  • Data portability where applicable.
  • Objection to processing based on legitimate interests.

Submit requests to ledgersupport@sterlingorigin.com with the subject line "Privacy request".

8. Security posture

We use layered controls such as encryption in transit, managed access controls, and audit logging. Security, privacy, and resilience controls continue to mature as part of the platform roadmap. This page does not claim certifications, residency guarantees, or controls that are not yet operationally complete.

9. Cookies and telemetry

LedgerCapture uses essential session cookies and operational telemetry needed to keep the service running. If optional analytics or non-essential cookies are introduced, we will update this policy and provide clear user controls.

10. Policy updates

We may update this policy as the service evolves. Material changes will be published on this page with a revised last-updated date.

11. Complaints

If you have a concern, contact us first at ledgersupport@sterlingorigin.com. You can also raise a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.