Document bind-mount permissions and ignore runtime data tree

.gitignore

@@ -20,9 +20,7 @@ build/
 !.env.example
 
 # Data and generated artifacts (runtime only)
-data/postgres/
-data/redis/
-data/storage/
+data/
 
 # OS / IDE
 .DS_Store

README.md

@@ -120,6 +120,8 @@ LedgerDock stores data in Docker volumes so it survives container restarts:
 - `dcm-storage` for uploaded files and app storage
 - `typesense-data` for the search index
 
+If you switch to host bind mounts (for example under `./data/`), create those directories and grant write access to container runtime user `uid=10001` for backend storage paths.
+
 To remove everything, including data:
 
 ```bash

doc/operations-and-configuration.md

@@ -42,6 +42,22 @@ Tail logs:
 docker compose logs -f
 ```
 
+## Host Bind Mounts
+
+If you replace Docker named volumes with host bind mounts (for example `./data/storage:/data/storage`), ensure host directories exist and are writable by the backend runtime user.
+
+Backend and worker run as non-root user `uid=10001` inside containers. For host-mounted storage paths:
+
+```bash
+mkdir -p ./data/storage
+sudo chown -R 10001:10001 ./data/storage
+sudo chmod -R u+rwX,g+rwX ./data/storage
+```
+
+If permissions are incorrect, API startup fails with errors similar to:
+- `PermissionError: [Errno 13] Permission denied: '/data/storage'`
+- `FileNotFoundError` for `/data/storage/originals`
+
 ## Frontend Build Baseline
 
 The frontend Dockerfile uses `node:22-slim` with a standard `npm ci --no-audit` install step and no npm-specific build tuning flags.