Last updated: May 9, 2026
1. Introduction
Practical Sense Labs is a solo software company registered in France ("we", "us", "our"). We develop and distribute Bunker Ledger, a desktop wealth-tracking application.
This Privacy Policy explains what personal data we collect, why we collect it, how we process it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable French data-protection law.
By using the Bunker Ledger website or application, you acknowledge that you have read and understood this policy.
2. Data Controller
The data controller for all processing described in this policy is:
- Entity: Practical Sense Labs
- Location: France
- Contact: contact@practicalsense.dev
- Data Protection Officer (DPO): dpo@practicalsense.dev
3. Data We Collect
3.1 Bunker Ledger Desktop Application
The Bunker Ledger desktop application stores all financial data locally on your machine only. We have no access to your portfolios, transactions, balances, or any other financial information you enter into the app. There is no cloud storage, no telemetry, and no tracking of any kind built into the application.
The only data transmitted from the application is during license activation (see Section 3.3).
3.2 Website — Purchase and Account Data
When you purchase a license through our website, we collect:
- Email address — used to deliver your license key and to send purchase-related communications (receipts, activation instructions).
All payment processing is handled by Stripe. We do not receive, store, or have access to your credit card number, CVV, or full card details. Stripe provides us only with a transaction identifier and a truncated card reference (last four digits and card brand) for record-keeping purposes.
3.3 License Activation — Machine Fingerprint
When you activate your license, the application generates a machine fingerprint: a SHA-256 hash derived from hardware identifiers on your device. This hash is a one-way, irreversible value — it cannot be used to reconstruct your hardware details. It is used solely to bind your license key to a specific machine and prevent unauthorized redistribution.
We store:
- The SHA-256 machine fingerprint hash
- The associated license key
- The date and time of activation
3.4 Website — Contact Form
If you contact us through the website contact form, we collect:
- Name
- Email address
- Subject
- Message content
This data is used exclusively to respond to your inquiry.
3.5 Website — Cookies
Our website uses only strictly essential cookies required for the website to function (such as session management and security tokens). We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
Because we use only essential cookies, no cookie consent banner is required under GDPR. Essential cookies are exempt from the consent requirement as they are necessary for the service you have explicitly requested.
4. Legal Basis for Processing
Under Article 6 of the GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — Processing your email address to deliver your license key, processing machine fingerprints for license activation, and processing payment data through Stripe are all necessary for the performance of the purchase contract between you and Practical Sense Labs.
- Legitimate interest (Art. 6(1)(f)) — Responding to inquiries submitted through the contact form. Our legitimate interest is to provide customer support. This processing is minimal and proportionate, and does not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — Retaining transaction records as required by French commercial and tax law.
5. Data Retention
We retain personal data only as long as necessary for the purposes described above:
- Email address and license data — Retained for the duration of your license validity, plus 3 years after expiration to handle any reactivation or support requests.
- Machine fingerprint — Retained for the duration of your license validity. Deleted within 30 days of license expiration or upon a valid erasure request.
- Transaction records — Retained for 10 years as required by French commercial law (Code de commerce, Art. L123-22).
- Contact form submissions — Retained for up to 12 months after the inquiry has been resolved, then permanently deleted.
6. Third-Party Data Processors
We share personal data with the following third-party processors, each bound by a Data Processing Agreement (DPA) in compliance with GDPR:
- Stripe, Inc. — Payment processing. Stripe receives your payment details directly; we never handle your full card information. Stripe acts as both a data processor (on our behalf) and an independent data controller (for fraud prevention and regulatory compliance). See Stripe's Privacy Policy.
- Email service provider — We use a third-party email provider to deliver transactional emails (license keys, purchase receipts). This provider processes your email address solely for the purpose of message delivery on our behalf.
We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers or data brokers.
7. International Data Transfers
Practical Sense Labs is based in France, and your data is primarily processed within the European Economic Area (EEA).
Some of our third-party processors (notably Stripe) may transfer data to the United States or other countries outside the EEA. Where such transfers occur, they are safeguarded by:
- The European Commission's adequacy decisions, where applicable;
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- The processor's certification under an applicable framework recognized by the European Commission.
You may request a copy of the relevant safeguards by contacting our DPO at dpo@practicalsense.dev.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting our DPO at dpo@practicalsense.dev.
- Right of access (Art. 15) — You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — You may request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to all rights requests within 30 days. If a request is particularly complex, we may extend this period by an additional 60 days, and we will inform you of such extension.
9. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. As Practical Sense Labs is registered in France, the competent authority is:
- CNIL (Commission Nationale de l'Informatique et des Libertés)
  3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  Website: www.cnil.fr
We encourage you to contact us first at dpo@practicalsense.dev so we can attempt to resolve your concern before you escalate to the supervisory authority.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) for all website communications;
- Use of one-way hashing (SHA-256) for machine fingerprints, ensuring hardware identifiers cannot be reconstructed;
- Delegation of payment data handling entirely to PCI DSS-compliant processors (Stripe);
- Access controls limiting personal data access to authorized personnel only;
- Regular review of security practices and processor compliance.
11. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child under 16, please contact us at dpo@practicalsense.dev and we will promptly delete the data.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to notify you (for example, via email if we have your address on file).
We encourage you to review this page periodically.
13. Contact Us
For any questions or concerns about this Privacy Policy or our data practices:
- General inquiries: contact@practicalsense.dev
- Data protection inquiries: dpo@practicalsense.dev