Privacy Policy
Last updated: April 28, 2026
This Privacy Policy explains how Demetre Gatchava ("Black Ledger," "we," "us," or "our"), an individual operating from Georgia, collects, uses, and protects information when you use the website at theblackledger.app and the services made available through it (the "Service").
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Who We Are
Demetre Gatchava (დემეტრე ღაჭავა), an individual based in Georgia, is the operator and data controller responsible for the personal data processed through the Service.
Contact for privacy-related inquiries: support@theblackledger.app
2. Information We Collect
We collect only what we need to provide the Service. Specifically:
- Account information: your email address, optional display name, and a hashed version of your password (we never store passwords in plain text).
- Authentication state: a session cookie (issued by NextAuth) that keeps you signed in. This cookie contains a signed identifier and your session version number; it does not contain your password or any personal data.
- Purchase information: the email address you provide at checkout, the case file you purchase, and Stripe payment metadata such as the checkout session ID and payment intent. We do not store your card number, expiration date, or CVV — those are handled entirely by Stripe.
- Activity and security data: IP address (used for rate limiting and abuse prevention), browser user-agent, server access logs, theory submissions you make, checkpoint attempts, support messages you send, and timestamps of activations and case progress.
- Optional content: anything you voluntarily submit in support messages, theory submissions, or other forms.
3. How We Use Your Information
We use this information to:
- create and maintain your account;
- deliver the Service you have purchased, including sending activation codes by email and granting access to case files;
- process payments through Stripe and prevent fraudulent transactions;
- operate the Service securely, including rate limiting, detecting abuse, and protecting against automated attacks;
- respond to your support requests and provide customer service;
- send you transactional emails (purchase confirmations, password resets, support replies) — we do not send marketing emails;
- comply with legal obligations under Georgian law, including tax and accounting requirements.
4. Legal Basis for Processing
Our legal bases under Georgia's Law on Personal Data Protection (and equivalent international frameworks) are:
- Contract performance: processing necessary to provide the Service you purchased and to manage your account.
- Legitimate interests: security, fraud prevention, and protecting the integrity of the Service.
- Legal obligation: retention of financial records as required by tax and accounting law.
- Consent: where you have explicitly agreed (for example, when submitting a support form).
5. Third-Party Service Providers
We rely on the following processors to operate the Service. Each is contractually bound by their own privacy obligations and applicable data protection laws:
- Stripe (United States) — payment processing. stripe.com/privacy
- Resend (United States) — transactional email delivery. resend.com/legal/privacy-policy
- Vercel (United States) — application hosting. vercel.com/legal/privacy-policy
- Neon (United States) — managed PostgreSQL database. neon.tech/privacy-policy
- Cloudflare R2 (United States) — image storage. cloudflare.com/privacypolicy
- Upstash (United States) — Redis-based rate limiting. upstash.com/trust/privacy
We do not sell your personal information. We do not share it with third parties except as necessary to operate the Service or as required by law.
6. International Data Transfers
Because all of our processors listed above are based in the United States, your personal data is transferred outside of Georgia in the course of normal Service operation. The legal basis for these transfers is contract necessity (you cannot receive the Service without the data reaching our processors) and, where applicable, your consent. Each processor maintains their own safeguards and certifications for international data handling.
7. Cookies
We use a single functional cookie issued by NextAuth to keep you signed in across pages. This cookie is essential to the operation of the Service. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. You can clear or block this cookie in your browser settings, but doing so will prevent you from signing in.
8. Data Retention
We retain personal data for as long as:
- your account is active (account data, owned cases, theory submissions, support history);
- required by Georgian tax and accounting law (financial records, typically 6 years from the end of the relevant tax period);
- necessary to comply with other legal obligations.
When you request account deletion, we will delete all personal data we hold about you, except where retention is required by law.
9. Your Rights
Under Georgia's Law on Personal Data Protection (and equivalent international frameworks), you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request deletion of your data (subject to legal retention requirements);
- receive a copy of your data in a machine-readable format (data portability);
- object to or restrict certain processing;
- withdraw any consent you have given us;
- lodge a complaint with the Personal Data Protection Service of Georgia (or your local supervisory authority if outside Georgia).
To exercise any of these rights, email support@theblackledger.app. We will respond within 30 days.
10. Children
The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of 16. If you believe a child has provided us with personal data, contact support@theblackledger.app and we will delete it.
11. Security
We use industry-standard practices to protect your data: passwords are hashed with bcrypt (cost factor 12), session tokens are signed and time-bounded, all traffic is served over HTTPS, and we apply rate limiting and security headers to protect against common attacks. No system is perfectly secure, but we work hard to minimize risk.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact
For any privacy-related question, request, or concern, contact:
Demetre Gatchava
support@theblackledger.app