Privacy Policy
Last updated: May 18, 2026
This Privacy Policy describes how 403 Finance, Inc., a Delaware corporation, doing business as Forbidden Finance and 403 Finance (collectively, "Forbidden Finance," "403 Finance," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use the Forbidden Finance personal-finance application available on iOS, Android, and the web (the "Service").
This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
The Service is currently offered only to residents of the United States and Canada. By creating an account, you represent that you are a resident of the United States or Canada and that you are at least sixteen (16) years of age.
1. Information We Collect
1.1 Personal Information you provide
When you create an account, subscribe to a paid plan, or use the Service, we collect the following information directly from you:
- Account identifiers — email address, username (3–30 characters), and the given name and family name you provide (synced from your sign-in provider where applicable).
- Account preferences — base currency, country of residence, and time zone.
- Age verification — birth month and birth year, retained only to verify the 16-and-over age representation.
- Manually entered financial data — transactions, budgets, categories, tags, assets, liabilities, goals, and notes.
- Reflection journal entries — if you choose to use the reflection-journal feature, the freeform text you enter is stored in association with your account. You may delete individual entries at any time, and all entries are deleted on account deletion in accordance with Section 4.2.
- Investment lot-level detail — when you connect a brokerage or investment account that provides lot-level information through Plaid, we receive and store that information as part of normal account ingestion (we do not control which fields Plaid sends). Lot-level data — including cost basis per lot, lot acquisition date, and the lot accounting method (FIFO, LIFO, average cost, or specific identification) — is stored for all eligible users but is only displayed in the application on the Premium tier.
- Recurring transaction detection signals — if you enable the recurring-transaction detection feature, we apply algorithmic analysis to your transaction history to identify recurring patterns. The feature is off by default; you can enable or disable it at any time in your settings.
- Achievements and behavioral processing — the Service includes achievements and transaction-analysis features that surface insights about your spending and savings activity. These features are gated by a single "transaction analysis" preference, which is off by default. If you turn it on, we evaluate your activity (such as budget adherence, savings milestones, and category trends) to award achievements and provide insights. If you turn it off, we cease the behavioral analysis going forward; previously earned achievements remain associated with your account. See Section 11 for our position on automated decision-making.
- Support chat messages — when you initiate a chat with us (via Charla) on the marketing site, in our help documentation, or within the application, we collect the contents of the chat session, including messages you send, the page or screen you were on when you started the chat, and any contact information you provide.
- Push-notification token and preferences — when you opt in to push notifications.
- Consent records — records of consent you give for the Terms of Service, this Privacy Policy, age verification, marketing communications, bank connections, data sharing with other people, and similar matters.
1.2 Information we receive from your bank via Plaid
If you choose to connect a bank account, we receive from Plaid (or any other banking data aggregator we use in the future) the information your financial institution makes available, which typically includes account identifying metadata (such as institution name, account name, account type and subtype, and the last 4 digits of your account number), balance information, and transaction history. The complete set of fields Plaid may share with us is documented in Plaid's End User Privacy Policy.
We do not receive your bank login credentials, full account numbers, or bank routing numbers. Bank credentials are entered into Plaid's secure interface, not into Forbidden Finance.
1.3 Financial Information for subscriptions
If you subscribe to a paid plan, you provide payment information (such as a card number, expiration date, billing address, or platform receipt) to our payment processors — Stripe for web subscriptions, Apple for iOS in-app purchases, and Google for Android in-app purchases. We do not receive or store your card numbers. Our payment processors handle payment data under their own privacy policies.
1.4 Cookies and similar technologies
Within the application (web):
| Cookie | Purpose | Required for Service? | Duration |
|---|---|---|---|
| Session cookie (__Secure-sid / sid) | Maintains login state | Yes (essential) | Browser session, subject to inactivity expiry |
| remember_email | Pre-fills your email on the login page | No (requires consent) | 90 days |
Within the mobile application: the mobile application does not set HTTP cookies. Authentication is handled through native OAuth via your sign-in provider.
On the marketing site (403fin.io): we use a consent management platform (Consently) to gate optional cookies and similar tracking technologies. Optional categories include product analytics (PostHog) and support-chat persistence (Charla). Optional tracking is off by default until you affirmatively consent.
Page Shield script-integrity reports (marketing site only). We use Cloudflare Page Shield in report-only mode on the marketing site at 403fin.io. When your browser encounters a Content Security Policy violation, or when a third-party script loaded by the marketing site changes, your browser submits a small report — containing the violating script's URL, a hash of the script, the page URL, your IP address, and your User-Agent — to a Cloudflare-managed reporting endpoint. We use these reports solely to detect supply-chain tampering of third-party scripts. No cookies are set by Page Shield. Page Shield is not enabled on the application (app.403fin.io).
1.5 Information about your activity and device
When you use the Service, we automatically receive and log certain information for security, fraud prevention, and operational diagnostics:
- IP address (which may be static or dynamic).
- Browser type and language; operating system and version; type of mobile device.
- Application version; referring and exit pages or URLs (on the web).
- Date and time of requests; request and session identifiers.
- Details of your activity within the Service, such as feature usage, error reports, and crash diagnostics.
We do not collect mobile advertising identifiers (IDFA on iOS, AdID on Android), because we do not display advertising in the Service and do not share data with advertising networks. First-party analytics identifiers used by our error-tracking and product-analytics tools (such as anonymous session identifiers stored on your device by Sentry, Grafana Faro, or PostHog on the marketing site) are not advertising identifiers and are not used for cross-app or cross-site behavioral advertising.
While we do not deliberately collect your mobile network carrier or your network connection type (Wi-Fi, cellular, etc.), this information may be incidentally present in server logs, platform-provided metadata, or third-party SDKs (such as crash reporting). We do not use such information for advertising, profiling, or any purpose other than diagnosing operational issues and protecting the Service.
The lawful basis for the collection described in this Section 1.5 is our legitimate interest in operating, securing, and improving the Service.
Edge security processing. Before requests reach our application servers, our network provider Cloudflare inspects incoming requests at its edge to (i) filter malicious traffic and DDoS attempts (Web Application Firewall), (ii) compare credential-bearing fields submitted to our authentication endpoints against publicly known credential-breach corpora to detect known-leaked credentials (Cloudflare Leaked Credentials Detection), and (iii) compute a bot-likelihood score from TLS fingerprint and behavioral signals (Cloudflare Bot Management, currently monitor-only — no enforcement, scores are recorded but not used to allow or deny requests). Cloudflare processes this data as our processor under the Cloudflare Data Processing Addendum.
Device and network fingerprinting for security. Our edge security provider may compute a TLS-handshake fingerprint (JA3) and aggregate behavioral signals to distinguish automated traffic from human visitors. Any such fingerprint is used only for fraud and bot prevention. It is not used for advertising, individual user profiling, or any automated decision that produces legal or similarly significant effects (see Section 11).
1.6 Authentication and security data
To authenticate you, enforce account security, and respond to incidents, we collect and retain:
- Session identifiers and metadata — for each active or recently active session: the session identifier, the IP address from which the session was created, the user-agent string of the browser or mobile device, the device identifier and device name (if provided by the platform), and the date/time of session creation and last activity.
- Multi-factor authentication metadata — for each MFA device or factor you register: the device or factor type (e.g., TOTP, WebAuthn passkey, hardware security key), a user-supplied name for the device, the date the factor was registered, and the date it was last used. TOTP shared secrets are stored encrypted at rest using AES-256-GCM and are decrypted only at the moment of verification. WebAuthn passkey records contain only the public key and credential identifier issued by your device; we do not store passkey private keys, which never leave your device.
- Consent-action audit data — for each consent grant or withdrawal you make, we retain the IP address and user-agent string of the action, in addition to the consent record itself, to evidence consent under applicable law. For certain consent categories — including email-preference consents, data-sharing consents, and billing-payment consents — we also record the application surface where consent was given (for example: onboarding flow, in-app settings, email-unsubscribe link, account-deletion confirmation, checkout button).
Lawful basis for the collection described in this Section 1.6 is our legitimate interest in operating, securing, and authenticating access to the Service, and (for consent-action data) our regulatory obligation to evidence consent.
2. Information We Explicitly Do Not Collect
- Your full bank account numbers or routing numbers.
- Your Social Security number or any government-issued identification number.
- Your bank login credentials (these are entered into Plaid's secure widget and are not visible to us).
- Your full credit-card or debit-card numbers (these are handled by Stripe, Apple, or Google as the case may be).
- Your contacts, photos, calendar, microphone, or precise device location.
- Advertising identifiers (IDFA / AdID).
3. How We Store and Protect Your Data
- All Service data is stored in PostgreSQL databases hosted on Hetzner servers in Ashburn, Virginia, United States.
- Encrypted backups are written to Backblaze B2 (US-East region) and retained for thirty-five (35) days.
- Bank access tokens are encrypted using AES-256-GCM before being written to the database.
- All data in transit between you, your bank, and our infrastructure is encrypted using TLS 1.2 or higher (TLS 1.3 preferred).
- Each user's data is isolated at the database level by PostgreSQL row-level security (RLS): the database itself, not only our application code, enforces that no user can read or modify another user's rows, so a query that fails to filter by user because of an application bug still returns only that user's own data.
- All monetary values are stored using fixed-precision decimals (NUMERIC(19,4)) so that calculations are exact and free of floating-point rounding errors.
- Marketing-site pages at 403fin.io may be served from Cloudflare's edge cache, including a long-term object-storage tier (Cache Reserve) and, if our origin is temporarily unavailable, from cached copies via Cloudflare Always Online. Cache keys strip common marketing query parameters (utm_*, gclid, fbclid) and the cache is bypassed when a logged-in session cookie is present. No application data and no logged-in user data is cached at the edge; application traffic at app.403fin.io is not served from Cache Reserve or Always Online.
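The two cache rules stated in the bullet above (strip utm_*, gclid and fbclid from the cache key; bypass the cache whenever a login-state cookie is present), worked as an added example. This is illustration code, not Forbidden Finance's or Cloudflare's configuration. The cookie and parameter names are taken from this Policy; the function names, the sorted query-string form of the key, the lower-cased host and the fail-closed handling of an unparseable Cookie header are assumptions.

```python
"""Edge cache-key normalization for the marketing site (Section 3), added example.

Not Forbidden Finance's or Cloudflare's code. Rules modelled from the policy text:
tracking parameters (utm_*, gclid, fbclid) are dropped from the cache key, and the
cache is bypassed when a logged-in session cookie (__Secure-sid or sid) is present.
Function names, sorted-query key format and lower-cased host are assumptions.
"""
from __future__ import annotations
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_COOKIES = {"__Secure-sid", "sid"}   # login-state cookie names from Section 1.4
STRIP_EXACT = {"gclid", "fbclid"}
STRIP_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """Marketing parameters that must not fragment (or poison) the cache key."""
    return name in STRIP_EXACT or name.startswith(STRIP_PREFIXES)


def has_session_cookie(cookie_header: str | None) -> bool:
    """True if the request's Cookie header carries a login-state cookie (any value)."""
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        # Assumption: a Cookie header the parser rejects is treated as 'logged in',
        # so a malformed cookie can never turn a personalised response into a cached one.
        return True
    return any(name in SESSION_COOKIES for name in jar)


def cache_key(url: str, cookie_header: str | None = None) -> str | None:
    """Normalized cache key for a marketing-site request, or None when the edge must bypass cache."""
    if has_session_cookie(cookie_header):
        return None
    parts = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if not is_tracking_param(k))
    # Sorted parameters make ?a=1&b=2 and ?b=2&a=1 share one cache entry (assumption).
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path,
                       urlencode(kept), ""))
```

The bypass rule is the security-relevant half: a shared edge cache must never store a response rendered for a logged-in session, or the next anonymous visitor with the same key receives it. Stripping the marketing parameters is a hygiene measure that keeps one page from being cached under thousands of distinct keys; whether the remaining parameters are sorted is a design choice, not something the Policy states.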
We take commercially reasonable steps to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. No security system is impenetrable; we cannot guarantee the security of our databases or those of third parties with which we share information, nor can we guarantee that information transmitted over the internet will not be intercepted.
4. Data Retention and Deletion
4.1 While your account is active
| Data category | Retention | Visible to you |
|---|---|---|
| Transaction history (per tier) | For the life of your account | Free: most recent 6 months. Starter: most recent 12 months. Pro: most recent 24 months. Premium: full history. |
| Bank connection tokens | Until you disconnect the bank account | — |
| Net worth history (per-account and aggregate) | For the life of your account | Free: most recent 6 months. Starter: most recent 12 months. Pro: most recent 24 months. Premium: full history. |
| Exchange rates and market prices | Indefinitely (this is not personal data) | — |
| Manually entered budgets, categories, tags, goals | For the life of your account | All entries |
| Manually entered assets and liabilities | For the life of your account | All entries |
| Consent records | Six (6) years (legal obligation) | — |
| Audit logs | Six (6) years (legal obligation) | — |
| Email send and notification logs | Twelve (12) months for delivery and bounce diagnostics | — |
| Error tracking and performance telemetry (Sentry, Grafana Faro) | Up to 365 days | — |
| Server application logs (IP, user agent, request identifiers) | Up to 90 days for security and incident response | — |
| Page Shield CSP / script-integrity reports (Cloudflare) | 30 days | — |
| Encrypted backups (Backblaze B2) | 35 days | — |
Why we retain beyond your display window. We keep the underlying transaction history for the life of your account so that if you upgrade your subscription, the additional history becomes immediately available without requiring you to reconnect your bank or re-import data. If you downgrade, we do not delete the data outside your new tier's display window; it becomes hidden in the application and is restored if you re-upgrade.
4.2 On account deletion
When you request account deletion:
(i) We immediately deactivate your account and block further sign-in.
(ii) We immediately revoke bank-access tokens with Plaid.
(iii) We initiate deletion of your financial data within thirty (30) days. Some records may persist longer due to upstream provider revocation requirements (for example, where a financial institution has not yet confirmed revocation of an access token issued through Plaid), in which case deletion completes once revocation is confirmed.
(iv) We email you a secure, time-limited link to export your data in CSV and JSON formats, valid for thirty (30) days, and the same link is also displayed on the deletion confirmation screen so you can copy it in case email delivery fails.
(v) Consent records and audit logs are retained for six (6) years as required by law, with personal identifiers minimized.
(vi) Aggregated, pseudonymized statistics that cannot reasonably be re-associated with you may be retained indefinitely.
Account deletion is irreversible. You will not be able to recover your account or your data after submitting a deletion request, except by using the export link during the 30-day window.
4.3 When you disconnect a bank account
The bank-disconnection lifecycle is designed to revoke access to your bank as quickly as possible and to handle the rare case where a token appears to be revoked but is not yet fully removed on the financial institution's side.
(a) Immediately on disconnect. We call Plaid's /item/remove endpoint to revoke the access token. As soon as Plaid confirms revocation, your accounts and their data are hidden in the application — you will no longer see balances, transactions, or holdings from that connection.
(b) Verification window (Days 1–30). Despite Plaid's success response, we perform five subsequent verifications, scheduled at approximately Day 1, Day 4, Day 11, Day 20, and Day 30, to confirm that the token is in fact no longer active. Each verification queries Plaid for the item; we expect the item to be reported as not found. If during this window we discover the token is still live (for example, due to a transmission failure or partial revocation), we automatically re-issue the revocation request, restart the 30-day verification timer, and log the event.
(c) Deletion (Day 30). Once verification completes, the encrypted access token, the verification record, and the transaction and balance data from the disconnected connection are all permanently deleted from our database.
(d) Reconnecting after disconnect. Disconnection is final. If you wish to track the same bank again, you must re-connect through Plaid; we will import transaction history from your bank fresh, subject to whatever history your financial institution makes available at the time of the new connection.
4.4 On subscription downgrade
Subscription downgrades you request take effect at the end of your current billing period; until then, your existing tier remains active.
(a) At the end of your billing period. When the downgrade takes effect, if you have more bank connections than your new tier allows, the Service disconnects the excess. You may choose in advance which connections to disconnect using the downgrade-preview screen inside the application. If you do not make a selection, the Service automatically disconnects the most-recently-connected accounts first and preserves your longest-running connections, until the count fits within your new tier's allowance.
(b) Lifecycle of a disconnected connection. Disconnected connections follow the lifecycle described in Section 4.3 — token revocation, the 30-day verification window, and deletion at Day 30. We notify you of which connections were disconnected.
(c) Tier-gated views. Where a feature or data view is limited by tier (for example, the transaction-history window or net-worth-history view in Section 4.1), the in-app view contracts to the new tier's window after downgrade. The underlying data we already hold is not deleted on downgrade; if you upgrade again, the previously hidden window becomes visible without requiring re-import.
(d) Frozen or suspended states. The Service does not maintain a "frozen" or "suspended" connection state. A connection is either active (syncing) or disconnected (no further sync). There is no in-between state in which a connection sits idle but reattachable.
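The disconnect lifecycle of Section 4.3 and the excess-connection selection of Section 4.4(a), worked through as one added example. This is illustration code, not Forbidden Finance's or Plaid's; Python is used only because it keeps the state machine short. The verification schedule (Day 1, 4, 11, 20, 30), the re-issue-and-restart rule when a token is still live, deletion once the window completes, and the most-recently-connected-first ordering are taken from this Policy. FakePlaid stands in for the real /item/remove and item-lookup calls, the record fields and all function names are assumptions, and topping up an incomplete user selection with the automatic order is an assumed behaviour.

```python
"""Bank-disconnect lifecycle (Section 4.3) and downgrade selection (Section 4.4).

Added example, not Forbidden Finance's or Plaid's code. The check schedule (Day 1,
4, 11, 20, 30), the re-issue-and-restart rule for a still-live token, deletion once
the window completes and the newest-first downgrade order come from the policy;
FakePlaid, the record fields and every function name are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

VERIFY_DAYS = (1, 4, 11, 20, 30)   # Section 4.3(b) schedule, days after revocation


@dataclass
class Connection:
    item_id: str
    access_token: str                    # encrypted at rest in the real system
    connected_at: date
    disconnected_at: date | None = None  # start of the current verification window
    verified: list[int] = field(default_factory=list)  # schedule days confirmed not-found
    deleted: bool = False
    events: list[str] = field(default_factory=list)

    def next_check_due(self) -> date | None:
        if self.disconnected_at is None or self.deleted:
            return None
        pending = [d for d in VERIFY_DAYS if d not in self.verified]
        return self.disconnected_at + timedelta(days=pending[0]) if pending else None


def disconnect(conn, plaid, today):
    """Section 4.3(a): revoke with Plaid and (re)start the 30-day verification window."""
    plaid.item_remove(conn.access_token)
    conn.disconnected_at, conn.verified = today, []
    conn.events.append(f"{today}: /item/remove called")


def run_verifications(conn, plaid, today):
    """Section 4.3(b)-(c): run each check whose day has arrived; delete once all pass."""
    while (due := conn.next_check_due()) is not None and due <= today:
        day = (due - conn.disconnected_at).days
        if plaid.item_exists(conn.access_token):       # expected: not found
            conn.events.append(f"{today}: token still live at Day {day}; re-issuing revocation")
            disconnect(conn, plaid, today)             # restarts the timer
            return
        conn.verified.append(day)
    if not conn.deleted and len(conn.verified) == len(VERIFY_DAYS):
        conn.access_token, conn.deleted = "", True      # token, record and data purged
        conn.events.append(f"{today}: connection data deleted")


def select_for_downgrade(conns, allowed, chosen_ids=None):
    """Section 4.4(a): honour the user's advance choice, then drop newest-first.
    Topping up an incomplete choice with the automatic order is an assumption."""
    active = [c for c in conns if c.disconnected_at is None]
    excess = len(active) - allowed
    if excess <= 0:
        return []
    picked = [c for c in active if chosen_ids and c.item_id in chosen_ids][:excess]
    rest = sorted((c for c in active if c not in picked),
                  key=lambda c: c.connected_at, reverse=True)
    return picked + rest[:excess - len(picked)]


class FakePlaid:
    """Constructed test double. With flaky_first=True the first /item/remove reports
    success but leaves the token live: the 'transmission failure' case in 4.3(b)."""
    def __init__(self, flaky_first=False):
        self.live, self.flaky_first, self.removals = set(), flaky_first, 0
    def item_remove(self, token):
        self.removals += 1
        if not (self.flaky_first and self.removals == 1):
            self.live.discard(token)
    def item_exists(self, token):
        return token in self.live


def simulate(flaky_first=False, days=40):
    """Disconnect on 2026-05-18 and run the daily job for `days` days (constructed)."""
    start = date(2026, 5, 18)
    plaid = FakePlaid(flaky_first)
    conn = Connection("item-1", "access-token-1", date(2025, 1, 10))
    plaid.live.add(conn.access_token)
    disconnect(conn, plaid, start)
    for offset in range(1, days + 1):
        run_verifications(conn, plaid, start + timedelta(days=offset))
    return conn, plaid


def demo_downgrade(chosen_ids=None):
    """Three constructed connections against an allowance of one; returns item_ids to drop."""
    conns = [Connection("old", "t1", date(2024, 1, 1)), Connection("mid", "t2", date(2025, 6, 1)),
             Connection("new", "t3", date(2026, 3, 1))]
    return [c.item_id for c in select_for_downgrade(conns, 1, chosen_ids)]
```

The point worth noticing is the order of operations on the failure path. The local copy of the access token is deleted only after the token has been confirmed gone at every scheduled check; a still-live token re-issues the revocation and restarts the window instead. Deleting the stored token first, on the strength of a single success response, would leave a live credential at the institution with no way left to revoke it.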
5. How We Use Your Information
We use the information we collect for the following purposes:
(a) To provide, operate, and maintain the Service — including authenticating you, syncing your bank data, computing budgets and net worth, generating reports, and delivering support chat responses.
(b) To process payments and manage your subscription.
(c) To send you transactional communications (account notices, security alerts, receipts, and support replies).
(d) With your consent, to send you marketing communications about Forbidden Finance products and features. You can opt out at any time via the unsubscribe link in any marketing email or in your in-app preferences. You cannot opt out of transactional communications.
(e) To prevent fraud and abuse, detect security incidents, and protect the rights, property, and safety of Forbidden Finance, our users, and the public.
(f) To comply with applicable law, court order, or other governmental or regulatory request.
(g) To improve the Service through pseudonymized usage analytics and aggregated statistical analysis.
6. How We Share Your Information
We share personal information only as described below:
(a) With sub-processors who act on our behalf. We engage third-party service providers to operate parts of the Service (such as bank-data aggregation, payment processing, identity and authentication, push notifications, email delivery, error tracking, support chat, and infrastructure hosting). These providers have access to information only as necessary to perform their functions and are contractually required to protect it. The current list of sub-processors is published at 403fin.io/legal/subprocessors and is updated as our processor relationships change. Under the California Consumer Privacy Act, the entities described in this paragraph are "service providers" as defined in §1798.140(ag); they process your personal information only on our behalf, for the purposes we direct, and under contractual restrictions that prohibit them from selling or sharing your personal information or from using it for their own commercial purposes.
(b) With people you authorize. If you grant a Shared Partner or Shared Viewer access to your data through the Service's sharing features (as described in our Terms of Service), they may view (and a Shared Partner may edit within the Service) the data you have authorized them to access. You can revoke this access at any time.
(c) When required by law. We may disclose information when required by law, court order, subpoena, or other governmental or regulatory request, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.
(d) In the event of a corporate transaction. If Forbidden Finance is involved in a merger, acquisition, financing, reorganization, or sale of substantially all of its assets, information about you may be part of the transferred assets, subject to the protections of this Privacy Policy.
We do not share information with third-party advertising networks, data brokers, or marketing partners outside of our subscription billing and direct sub-processor relationships described above.
7. No Sale or Sharing of Personal Information for Cross-Context Behavioral Advertising
Forbidden Finance does not sell personal information, and does not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and similar laws. We do not display advertising in the Service. We do not work with advertising networks. We do not transfer personal information to data brokers.
Forbidden Finance receives no monetary payment, no in-kind consideration, and no other valuable consideration of any kind in exchange for personal information about you. We pay our sub-processors for the services they provide to us; we do not receive payment or any other value from any party in exchange for transferring personal information.
8. Sub-Processors
A list of sub-processors that process personal information on our behalf, along with vendors we use that do not receive personally identifiable user data, is published at 403fin.io/legal/subprocessors and updated when our processor relationships change.
9. Your California Privacy Rights
If you are a resident of California, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act (collectively, "CCPA"):
- Right to know. You may request that we disclose the categories of personal information we have collected about you, the sources from which we collected it, the business or commercial purposes for collecting it, the categories of third parties with whom we shared it, and the specific pieces of personal information we have collected about you, going back twelve (12) months (or longer if you request).
- Right to data portability. When you exercise the Right to Know, you may also request that the personal information be delivered in a portable, readily usable format. We provide all data exports in CSV and JSON formats, which can be imported into spreadsheet, accounting, and personal-finance applications without modification.
- Right to delete. You may request that we delete the personal information we have collected from you, subject to exceptions permitted by law (such as records we are required to retain for security, fraud prevention, or legal compliance).
- Right to correct. You may request that we correct inaccurate personal information we have about you.
- Right to opt out of sale or sharing. As noted in Section 7, we do not sell or share personal information for cross-context behavioral advertising. There is nothing for you to opt out of, but you may submit a confirmation request at any time.
- Right to limit use of sensitive personal information. As noted in Section 2, we do not collect categories of sensitive personal information (such as Social Security numbers or government IDs) for which a limit-use right applies.
- Right to non-discrimination. We will not deny service, charge different prices, or provide different quality of service because you exercise any of these rights.
Categories of personal information we collect, and our business purposes:
| Category (CCPA §1798.140(v)) | Examples we collect | Business purposes |
|---|---|---|
| Identifiers | Email, username, name, IP address, device identifiers | Authentication, account management, security, fraud prevention |
| Customer records | Account preferences, support chat history | Service delivery, support |
| Commercial information | Subscription tier, billing history (via payment processors) | Billing, subscription management |
| Internet or network activity | Server logs, application usage telemetry | Security, operational diagnostics, product improvement |
| Geolocation data | Approximate country (from country preference and IP-derived region) | Tier eligibility, fraud prevention, regulatory compliance |
| Inferences | Aggregated usage patterns | Product improvement; not used for individualized decisions |
| Financial information | Bank balances, transactions, investments (via Plaid) | Core Service delivery |
We do not collect categories of "sensitive personal information" under §1798.140(ae) other than financial-account information, which is used solely to provide the Service you have requested and is never used for inferring characteristics about you.
Authorized agents. You may authorize an agent to submit a privacy request on your behalf. Please email us at [email protected] with proof of authorization (such as a signed power of attorney or a notarized authorization).
10. Your Other State Privacy Rights
We extend privacy rights — including the rights to know, delete, correct, and opt out — to residents of all U.S. states that have enacted comprehensive consumer privacy laws, including (as of the effective date of this Policy) Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Montana (MCDPA), Tennessee (TIPA), Indiana (ICDPA), and other states whose laws take effect during the period this Policy is in force.
You may exercise the equivalent rights described in Section 9 using the contact methods in Section 12. We will respond within the period required by your state's law.
11. Automated Decision-Making
We do not use automated decision-making algorithms to make decisions about you that produce legal effects or similarly significant effects without human involvement.
Forbidden Finance is built to help you take control of your own finances. We do not provide financial, investment, tax, or legal advice (see Section 14 of our Terms of Service). Where the Service generates suggestions, projections, or summaries — such as budget templates, debt payoff schedules, retirement projections, AI-generated summaries of your own data, or other tools we may describe as "AI features" — these are presented as options for you to consider, not recommendations or advice. They are derived from data you provided and from market data we have aggregated, and they are not used to make automated decisions that produce legal or similarly significant effects concerning you. You may modify, ignore, disable, or override any such suggestion at any time. Any future AI capability we introduce will be scoped to summarizing your own data rather than directing your financial choices.
If we change this practice in the future, we will update this Privacy Policy and provide you with the opportunity to object or opt out as required by applicable law.
12. How to Submit a Privacy Request
To submit a privacy request — including requests to know, delete, correct, or opt out of sale or sharing — you may contact us through any of the following channels:
- Email: [email protected]
- In-app chat: open the chat icon in Settings → Support within the Forbidden Finance application
- Authorized agents: please email [email protected] with proof of authorization
We will acknowledge receipt of your request within ten (10) business days and respond substantively within forty-five (45) days, as required by applicable law. If your request requires additional time, we will notify you of the extension before the initial period expires. We may need to verify your identity before fulfilling certain requests; we will use information already in our possession where possible and will collect only the additional information reasonably necessary to confirm that you are the person whose data is the subject of the request.
13. Global Privacy Control, Do Not Track, and Cross-Property Behavior
(a) Global Privacy Control. Forbidden Finance honors the Global Privacy Control ("GPC") browser signal as a valid opt-out of any sale or sharing of personal information for residents of California and other states whose laws recognize GPC. Our consent management platform (Consently) detects GPC signals automatically and applies them to optional tracking categories on our marketing site at 403fin.io, our help documentation at help.403fin.io, and the web build of our application at app.403fin.io. Our native mobile applications (iOS and Android) do not receive GPC signals from the operating system; users on mobile manage their consent through the in-app settings.
(b) No cross-context behavioral advertising. The Forbidden Finance application does not display advertising and does not engage in cross-context behavioral advertising; we do not sell or share personal information for advertising purposes under any browser, device, or operating-system setting.
(c) Do Not Track. Because there is no industry standard for response to the "Do Not Track" ("DNT") browser header, we do not separately modify behavior based on DNT, but our default posture is to load no optional tracking absent affirmative consent — which is functionally equivalent to honoring DNT.
(d) Charla support-chat scope. Our support-chat provider Charla is embedded on the marketing site at 403fin.io and, when you initiate a live-chat session, inside the application. Charla is not embedded on the help documentation site at help.403fin.io; the help site is used only as training input for Charla's answers. Chat sessions are scoped per property: a chat you start on the marketing site does not carry over to the application, and vice versa. We do not bridge Charla sessions across properties.
(e) Consent at chat open inside the application. When you initiate a Charla live-chat session from inside the application, we record the date, time, IP address, and user-agent string of the action as a charla_support_chat consent record in our consent audit log, so that we can evidence the consent under applicable law. You may decline the chat at the consent prompt, in which case no message content is collected.
14. Children Under 16
The Service is not directed to and may not be used by anyone under the age of sixteen (16). By creating an account, you represent that you are at least sixteen years of age. We do not knowingly collect personal information from anyone under 16. If we learn we have collected personal information from a person under 16, we will delete it. A parent or guardian who believes their child has provided us with personal information may contact us at [email protected] and we will take reasonable steps to delete it promptly.
15. Data Breach Notification
In the event of a security breach affecting your personal data that is likely to result in harm to you, we will notify you by email to the address associated with your account without undue delay after becoming aware of the breach. Where required by applicable law, we will also notify the relevant supervisory authorities and law enforcement. Our notification will include, to the extent known: the nature of the breach, the categories and approximate number of users affected, the likely consequences, and the measures we have taken or propose to take.
16. Geographic Scope and Cross-Border Notice
Forbidden Finance offers the Service only to residents of the United States and Canada. We use geographic-based controls (including country-of-residence attestation at signup and network-edge restrictions) to prevent registrations from other regions, and we do not market or actively offer the Service to residents of the European Economic Area, the United Kingdom, or any other jurisdiction outside the United States and Canada.
If, despite these controls, you access the Service from outside the United States or Canada — for example, through a virtual private network or proxy — you acknowledge that your personal information will be transferred to, stored on, and processed using infrastructure located in the United States, and that the privacy laws of the United States may differ from those of your jurisdiction. We do not currently provide a representative under Article 27 of the EU or UK General Data Protection Regulations. If you believe the protections described in this Privacy Policy are insufficient under the laws of your jurisdiction, you should discontinue use of the Service.
17. App Stores and External Links
Your app store (such as the Apple App Store or Google Play) may collect information in connection with your installation, use, or in-app purchases relating to the Service. We have no control over such collection by a third-party app store, and that collection is governed by the store operator's own privacy practices. We publish App Privacy Labels on the Apple App Store and a Data Safety form on Google Play; these disclosures are reviewed at each release.
The Service may contain links to third-party websites or resources. We have no control over the privacy practices or content of those third parties. You should review the applicable privacy policies and terms before providing information to any third party.
18. Changes to This Privacy Policy
We may modify this Privacy Policy from time to time. For material changes, we will notify you by email at the address associated with your account at least thirty (30) days before the change takes effect. The most current version is always available at 403fin.io/legal/privacy. If you do not agree to a change, you may terminate your account before the effective date and request a refund of any prepaid Fees as described in our Terms of Service. Continued use of the Service after a change becomes effective constitutes acceptance of the change.
19. Contact Us
You may contact Forbidden Finance using the email address appropriate to your inquiry:
| Reason | Email address |
|---|---|
| Privacy requests (data access, deletion, correction) | [email protected] |
| General questions about this Privacy Policy or our Terms; legal notices; copyright concerns | [email protected] |
| Security incidents or vulnerability reports | [email protected] |
| Billing and subscription questions | [email protected] |
| All other support | [email protected] |
Mailing address:
403 Finance, Inc.
1111B S Governors Ave, Ste 92573
Dover, DE 19904
20. Relationship to the Terms of Service
This Privacy Policy is incorporated by reference into the Forbidden Finance Terms of Service available at 403fin.io/legal/terms. If there is any conflict between this Privacy Policy and the Terms of Service with respect to how we handle personal information, this Privacy Policy controls.