Sub-Processors
Last updated: May 18, 2026
Forbidden Finance engages a small number of third-party companies — sub-processors — to help us operate the Service. The lists below identify each company, what we use it for, and where it processes data. Detailed categories of personal information we collect, and the purposes for which we process them, are described in our Privacy Policy (see Section 9).
Sub-processors that handle personal data on our behalf
| Vendor | Purpose | Location |
|---|---|---|
| Backblaze B2 | Encrypted off-site backup storage | US |
| Charla | Live-chat support widget on the marketing site and inside the application | US |
| Cloudflare | DNS; CDN and edge caching (including Cache Reserve and Always Online stale-cache serving for the marketing site); DDoS mitigation; Web Application Firewall; Bot Management (currently monitor-only, no enforcement); Page Shield script-integrity monitoring on the marketing site; Leaked Credentials Detection at authentication endpoints; Cloudflare Tunnel for public ingress to our application; Health Check probes of our public endpoints; Cloudflare Workers running at the network edge — including the data-export-edge Worker that serves your post-deletion data-export archive on a single-use signed URL, plus operational Workers for cache purging, cache-tag injection, and redirect routing; Cloudflare Web Analytics (anonymized request-level analytics on the application web frontend); and Cloudflare R2 object storage for the 30-day post-deletion data-export archive (encrypted at rest, 30-day lifecycle) | Global |
| Consently | Consent management platform — cookie banner, consent record, GPC handling | Global |
| documentation.ai | Hosted help-documentation platform at help.403fin.io | US |
| emailit | Transactional and notification email delivery | US |
| Firebase (Google Cloud) | Mobile push notifications and app-integrity attestation | Global |
| Ghost (Pro) | Marketing site CMS and newsletter delivery for 403fin.io | EU |
| Google Analytics 4 | Anonymized web analytics on marketing and help-documentation sites | Global |
| Hetzner Cloud | Primary application hosting — servers and databases | EU |
| Plaid | Bank-account connection and transaction sync for U.S. users | US |
| PostHog | Product analytics and feature usage telemetry | US |
| Sentry | Error monitoring and crash reporting | US |
| Stripe | Subscription billing and payment processing | Global |
| Tally | Embedded forms (newsletter signup, waitlist) on the marketing site | EU |
| ZITADEL (self-hosted) | User authentication and session management — software we run on our own infrastructure | Self-hosted |
Vendors that do not receive personal data
The vendors below support Service operations but do not receive any personally identifying information about you. They receive public market data, currency identifiers, or anonymous monitoring signals only.
| Vendor | Purpose | Location |
|---|---|---|
| CoinGecko | Cryptocurrency price reference | Global |
| European Central Bank | Authoritative EUR reference rates | EU |
| ExchangeRate-API | Foreign-exchange rate provider (fallback) | US |
| Healthchecks.io | Cron-heartbeat monitoring (dead-man-switch) | US |
| Open Exchange Rates | Foreign-exchange rate provider (primary) | US |
Change management
We may add, remove, or replace sub-processors as the Service evolves. When we do, we update this page. If you would like to be notified by email when this page changes, contact us at [email protected] and we will add you to a notification list maintained for that purpose.
For questions about a specific sub-processor's privacy practices, please refer to that vendor's own privacy policy. Some of our sub-processors publish their own sub-processor lists for downstream transparency; we encourage you to consult those lists if you are interested in the full chain of processors.