I write in response to your recent communication concerning the January 2026 data security incident involving Global-e and your position regarding Ledger’s lack of responsibility. After careful review, I respectfully dispute your assertions and provide the following formal rebuttal.
- Lack of Informed and Meaningful Consent
You assert that I expressly consented to transact with Global-e as the merchant of record during the checkout process. However, any such purported consent fails to meet the legal standard of being informed, clear, and conspicuous.
The disclosure referenced appears to have been embedded within the checkout flow as a bundled condition of purchase, rather than presented in a manner that would reasonably alert a consumer to the material implications of transferring personal data to an independent third party. A reasonable consumer purchasing directly from Ledger would not anticipate that their personal information would be shared with and controlled by an unrelated entity, nor that such transfer would materially alter their data security risk.
Accordingly, any alleged consent obtained under these circumstances is legally insufficient and may constitute a deceptive or unfair practice under applicable consumer protection laws.
- Ledger’s Responsibility in Selecting and Utilizing Global-e
While you characterize Global-e and Ledger as “separate and independent data controllers,” this distinction does not absolve Ledger of responsibility.
Ledger selected, integrated, and required the use of Global-e to complete transactions on its platform. In doing so, Ledger initiated and facilitated the transfer of my personal data to a third party. This establishes, at minimum, a shared responsibility framework arising from:
  - Vendor selection and oversight obligations
  - The foreseeable risks associated with transferring sensitive customer data
  - The direct commercial benefit Ledger derived from the transaction
It is a well-established legal principle that an entity cannot fully disclaim liability for the acts or omissions of a third-party vendor where that vendor was engaged as part of its own commercial operations. The data exposure in question is a direct consequence of that relationship.
- Insufficiency of Breach Notification
You further state that affected individuals were notified via email on January 5, 2026. However, a single automated email—particularly one that may be filtered into spam or otherwise overlooked—does not constitute reasonable or effective notice for a breach involving sensitive personal information.
Effective notification requires measures reasonably calculated to ensure actual awareness, particularly where the consequences of exposure may include targeted fraud or physical risk. Absent confirmation of receipt or additional notification efforts, such communication is inadequate to satisfy applicable legal standards.
- Reasonable Consumer Expectations
Your position presumes that I should have been aware of Global-e’s role and the associated implications. This assumption is not aligned with the standard of a reasonable consumer.
When purchasing directly from Ledger’s official website, the expectation is that Ledger is the responsible entity for both the transaction and the protection of personal data. Consumers are not reasonably expected to investigate backend merchant-of-record structures or anticipate additional layers of data exposure not clearly and prominently disclosed.
- Conclusion and Position
In summary, Ledger facilitated and required the transfer of my personal data to a third-party vendor it selected. The disclosure of this relationship was insufficient to establish informed consent, and Ledger cannot disclaim responsibility for a breach arising from that vendor.
As the originating party in the transaction and the entity that enabled the data transfer, Ledger shares responsibility for the exposure of my personal information and any resulting harm.
I request that you reconsider your position and provide a substantive response addressing Ledger’s role in vendor selection, data transfer practices, and consumer protection obligations. I also request that you outline any remediation or compensation measures available in light of this incident.
I reserve all rights and remedies available to me under applicable law.
Ledger and Global-e's handling of customer data reflects a lack of accountability and raises serious concerns
by u/Unusual-Ambassador34 in ethtrader