Privacy Policy
ListLedger is designed to do as little with your data as possible. Most of what the app does happens on your phone and never leaves it. This policy explains, in plain English, exactly what is collected, who sees it, and why.
The short version: no accounts, no ads, no trackers, no analytics in the app, no data selling. The only information that ever leaves your phone is the list data you choose to share with your household, barcodes you scan, and receipts you scan with Pro.
1. Who we are
ListLedger is published by Chris Jackson, an individual sole developer based in England, United Kingdom. For the purposes of UK GDPR, Chris Jackson is the data controller.
Contact: listledger@cyber-jack.uk
2. Data stored on your device
All of your shopping data lives in a local SQLite database on your phone. This includes:
- Your shopping lists, list items, categories, notes and quantities
- Price history for items you’ve bought
- Stores you shop at and your preferred aisle order for each
- Recurring item schedules
- App settings and preferences
None of this is transmitted anywhere unless you choose to join or host a household (see below). Uninstalling ListLedger deletes the local database and all of this data.
3. Data sent off your device — only when you opt in
Household sharing (Supabase)
If you create a household or join one, the following data is sent to and stored on Supabase, which hosts the realtime sync backend:
- Household ID and the 4-character join code
- Your chosen display name within the household (e.g. “Chris”)
- A device identifier (random UUID, not your Google Advertising ID or IMEI)
- List events: item names, quantities, prices, checked status, store names, recurring schedules, and the times these events happened
This data is visible to other members of your household so they can see the same list. It is not shared with anyone else, is not used for advertising, and is not sold. Supabase acts as a data processor on our behalf.
Lawful basis: performance of a contract (UK GDPR Article 6(1)(b)) — you’ve asked us to sync your list with your household.
If you leave a household or delete it from the host device, your contribution to the household data can be removed on request by emailing us. Uninstalling the app also stops any further data being sent.
Barcode lookups (OpenFoodFacts)
When you scan a barcode to auto-fill a product name, ListLedger sends the barcode digits to OpenFoodFacts and receives back the product name and category. No personal data is sent — just the barcode. OpenFoodFacts is a public collaborative database licensed under Creative Commons BY-SA 3.0.
Lawful basis: legitimate interest (UK GDPR Article 6(1)(f)) — you’ve pressed the barcode scan button to get a product name, and we use the minimum data needed to return it.
Receipt scanning (OCR.Space, Pro only)
If you have Pro and tap “Scan receipt”, the photo of your receipt is sent to OCR.Space, a third-party OCR service, which extracts the text (including the total) and returns it to the app. Per OCR.Space’s policy, images are processed to extract text and are not retained after processing. ListLedger does not store receipt images itself.
Lawful basis: performance of a contract (UK GDPR Article 6(1)(b)) — you’ve asked the app to read the receipt for you.
Pro purchases (Apple App Store / Google Play Billing)
If you buy Pro, the purchase is handled by the Apple App Store (on iOS) or Google Play Billing (on Android). ListLedger does not see or store your payment details — we only receive a signal from Apple or Google that your purchase succeeded. Your purchase is tied to whichever store account made it. The relevant store’s own privacy policy applies to the billing transaction.
4. Data we don’t collect or use
ListLedger does not use any of the following:
- Advertising SDKs or ad networks
- Analytics SDKs (no Firebase Analytics, no Mixpanel, no Google Analytics inside the app)
- Advertising IDs (Google Advertising ID is never read)
- Location data (neither GPS nor approximate)
- Contacts, SMS, call logs, microphone, or calendar
- Third-party crash reporting SDKs that send stack traces off-device
5. Website analytics
This website (listledger.cyber-jack.uk) uses Google Analytics 4 (measurement ID G-F1XNJSPNDP) to count anonymous page views and geography. GA4 drops its standard cookies when you visit. The app itself does not use Google Analytics.
6. Children
ListLedger is not directed at children under 13 and we do not knowingly collect data from under-13s.
7. How long we keep data
Local data is kept on your device until you delete it or uninstall the app. Household data on Supabase is kept for as long as the household exists. Deleting a household on the host device removes its data from Supabase. Leaving a household removes your future edits from it.
8. Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you — on device, tap Settings → Export to get a JSON file of all your local data. For household data on Supabase, email us.
- Erase your data — uninstall the app to delete local data, leave or delete the household for server data, or email us.
- Export your data — Settings → Export produces a full JSON backup you can import elsewhere.
- Object to processing, restrict processing, or withdraw consent for household sharing — leave the household.
- Complain to a supervisory authority. In the UK that’s the Information Commissioner’s Office: ico.org.uk.
9. Changes to this policy
If this policy changes we’ll update the effective date at the top of the page and, where the change is significant, surface a notice in the app the next time you open it.
10. Contact
Questions, requests, or complaints about this policy or your data: listledger@cyber-jack.uk.