A lot of people do not actually know the answer to this question. Very often people say “I am storing my ADA offline in my hardware wallet” or something similar. But this is actually not accurate. The ADA is stored in the Cardano blockchain, not on your wallet (software or hardware).
When you create a wallet, you create a master key. The master key is obtained from the 12, 15 or 24 words seed that the wallet forces you to securely save. You need the seed to restore your wallet in case you don’t have access to it anymore, or in case you want to access your ADA from different devices or software wallets (like Daedalus and Yoroi software). Save it securely, not on your computer (and if you decide to still store it on a computer, use a password manager to save it, never save it in an unencrypted file), and never take pictures of it.
From this master key, the wallet generates (derives) pairs of private keys and public keys, to be used for the payment addresses and for the stake address. The payment addresses (where you can receive ADA) are generated from the public keys, and you use the private keys to transfer the ADA from the payment addresses to other addresses. Each payment address is associated with the staking key of the wallet, and someone interested could search the payment addresses in the blockchain records and see which addresses belong to the same wallet.
Your wallet doesn’t need to be online to receive payments to one of its payment addresses (because the payments are just records on the blockchain). The records in the blockchain are replicated to all the nodes of the blockchain. The nodes are the Stake Pools Nodes and the Daedalus wallets. There are probably dozens of thousands nodes for the moment in the Cardano blockchain. Anyone knowing an address (which is public) can check its balance, and anyone can explore the blockchain records and see payments and addresses. You only need the wallet (the private keys) when you want to spend the ADA.
The private keys are encrypted with the spending password on the computers where they are stored. If someone has access to your computer, he might be able to copy your private keys. If he also manages to decrypt them, he can use them to spend the ADA (to send them to their own addresses). This is why a Hardware Wallet is more secure: the private keys never leave the Hardware Wallet. You only need the Hardware Wallet when you need to sign a transaction.
There are also payment addresses which are not associated with a staking address. They are called “enterprise addresses” and are meant to be used by exchanges, which are not the rightful owners of the ADA (and other crypto). But they are not forced to do this (and they don’t do this, the exchanges are controlling a big part of the staked ADA). To support the decentralization of the blockchain, people should move their ADA from Exchanges to “their wallets” (to addresses generated by the private keys in their wallets) and delegate their ADA to smaller pools, not to the pools belonging the Exchanges or to the groups of pools belonging to the same people.