This Policy explains how 403 Finance, Inc. handles data in connection with the transmute Service. Our defining characteristic is statelessness: message contents are never persisted or logged. TODO-confirm definitive language pending counsel review.
1. Controller vs processor
For the message content you submit for conversion, you are the data controller and 403 Finance, Inc. acts as a processor — we process it solely to perform the conversion you request, in memory, and return the result. For your account and billing data, 403 Finance, Inc. is the controller.
2. What we process, and for how long
- Message payloads (C1): in request-scoped memory only; never persisted or logged, except the two sanctioned exceptions — the idempotency cache (24h TTL) and the encrypted async batch store (results TTL ≤ 24h, inputs purged on completion).
- Account & credentials (C2): email, company name, and API-key hashes (SHA-256). Retained while the account is active.
- Tenant configuration (C3): webhook URLs, allowed CIDRs, mapping overrides. Deleted on instruction.
- Usage & audit metadata (C4): message type, byte size, duration, status, warning counts, request ids, key prefixes — never message content. Retained for billing/audit and statutory periods.
3. Legal bases
Processing of message content is on your instruction under our agreement (processor). Account, billing and security-log processing rests on contract performance and our legitimate interest in operating and securing the Service. TODO-confirm.
4. Data location & transfers
All processing and metadata storage occur in the EU (Frankfurt, Germany), on Cloudflare compute and Neon/AWS managed Postgres. Sub-processors are listed on our Sub-processors page.
5. Your rights & erasure
Statelessness makes payload erasure trivial: for message content there is nothing to erase. For account/configuration data, contact us to access, correct, or delete. Batch data self-destructs within 24 hours and can be purged on demand.
6. Security
Credentials are hashed or sealed; secrets are never logged. See the Security page for the full posture and the data classification table.
7. Contact
Privacy enquiries: privacy@403fin.io. TODO-confirm data-controller legal address and any representative/DPO details.