Ledger
← Compliance hub

Data Handling & Retention

What we collect, why we collect it, how long we keep it.

1. What we collect — KYC (individuals)

For an individual application we collect exactly these fields, and nothing else:

Required documents: one identity document (passport, national ID card or driver's license) plus proof of address.

2. What we collect — KYB (businesses)

A business application collects the fields above for the signing officer, plus:

Required documents: one identity document for the signer plus business registration and UBO declaration.

3. Data minimization

Documents are metadata-only.

In this demo, no document file bytes are ever uploaded, stored or served. For each document we keep only its type, a synthetic filename, a size figure, a checksum, its verification status and any reviewer note. There is nothing to view or download because no file contents exist — the checksum stands in for the file in the audit trail.

Beyond documents, we store account data (a masked account number, currency and balances), transaction records (description, counterparty, reference, amount and running balance) and audit events (who did what, when, and which state changed). We collect no marketing data, no device fingerprints, and no data about people who are not party to an application.

4. Retention windows

Records are kept only as long as a regulated institution would be expected to keep them:

Data categoryRetained for
Application and identity data5 years after account closure
Document metadata5 years after account closure
Screening results5 years after the check was run
Audit log7 years, append-only
Session cookies7 days, or until you log out

Demo note: this environment resets every hour, so in practice nothing here outlives the next reset.

5. Erasure

You may request erasure of your data at any time. Identity fields, document metadata and account data are deleted or irreversibly anonymized once their retention windows lapse. Audit events are the exception: they are retained for the full seven-year window because they are the record regulators rely on. When the application they describe is erased, the events are unlinked from it and keep only the neutral actor label they were written with — the trail survives, the person does not.