Transmute · Legal
Privacy Policy
Version 1.0 · Effective: July 14, 2026 · Last updated: July 14, 2026
This Privacy Policy describes how 403 Finance, Inc., a Delaware corporation with offices at 1111B S Governors Ave, Ste 92573, Dover, DE 19904, USA ("403 Finance," "we," "us," or "our"), collects, uses, discloses, and protects personal data in connection with Transmute, our hosted application programming interface for converting and normalizing financial messages between SWIFT MT and ISO 20022 formats, together with the related dashboard, marketing site, documentation, and supporting services (collectively, the "Service").
Capitalized terms used but not defined in this Privacy Policy — including Service, Message Content, Output, Usage Metadata, Customer, API Credentials, and DPA — have the meanings given to them in our Terms of Service. This Privacy Policy is an informational notice; it is not a contract term and does not amend the Terms of Service, the DPA, or any Order.
1. Who We Are; Scope; Our Two Roles
(a) Who we are. 403 Finance is the provider of the Service. You can reach our privacy team at privacy@403fin.io, or by mail at the address at the end of this Policy.
(b) Our two roles. Data protection law distinguishes the party that decides why and how personal data is processed (the controller) from the party that processes personal data on another's behalf and instructions (the processor). In operating the Service, 403 Finance acts in both capacities, and it is important to understand which role applies to which data:
- (i) 403 Finance is the controller for personal data relating to the administration of the Service and our relationship with our business customers. This includes portal account data, billing and payment records, marketing-site visits, support correspondence, and Usage Metadata. This Privacy Policy explains that processing.
- (ii) 403 Finance is a processor for the personal data contained in Message Content that a Customer submits to the Service for conversion, normalization, or validation. That personal data — such as the names, account identifiers, addresses, and payment details of the Customer's own counterparties — belongs to and is controlled by the Customer. We process it only to provide the Service and only on the Customer's documented instructions, as governed by the DPA incorporated into the Terms of Service, and it is subject to the Customer's own privacy notices, not this one.
(c) What this Policy covers. This Privacy Policy covers our processing described in role (i) — the personal data for which we are the controller. It explains role (ii) only for transparency; the substantive terms of that processing live in the DPA.
(d) If your data appears in Message Content. If you are an individual whose personal data was submitted to the Service by one of our Customers (for example, because you were a party to a payment message the Customer converted), 403 Finance does not control that data and has no direct relationship with you in respect of it. You should direct any privacy request about that data to the Customer that submitted it, which acts as the controller. If you contact us, we will, where we can identify the relevant Customer, refer your request to that Customer and assist them as their processor under the DPA.
(e) Scope. This Policy applies worldwide to the controller-side processing described above. It does not apply to third-party services that a Customer chooses to connect to the Service, or to any website, product, or service that has its own privacy notice.
2. Data We Collect (Controller Side)
We collect the following categories of personal data as controller. We do not collect Message Content or Output as controller; those are addressed in Section 1(b)(ii) and Section 3.
(a) Portal account data. When you create a portal account, we collect your email address and your name. Authentication is passwordless: you sign in through a single-use magic link or code sent to your email address. No passwords exist in the Service, so we never collect, store, or process a password. We store only a hashed representation of the short-lived sign-in token and of session tokens.
(b) Billing identity. Payments are processed by Stripe, Inc. We do not receive or store your full payment card or bank account numbers; Stripe handles that information under its own terms. Within our systems, we store only the Stripe customer and subscription identifiers and related metering counts needed to associate your account with your subscription and to reconcile billing.
(c) Support correspondence. When you contact us for support, sales, security, or legal matters, we collect the contents of your correspondence and the contact details you provide, so that we can respond and keep a record of the exchange.
(d) Usage Metadata. The Service generates operational and metering records about how the Service is used — including message type, byte size, processing duration, response status, warning counts, and timestamps. Usage Metadata is body-free by design: it never contains Message Content or Output. We use Usage Metadata to operate the Service, enforce quotas and rate limits, meter and bill usage, and secure the Service.
(e) Signup anti-abuse data. To detect and prevent abusive or automated account signups, we compute and store a salted-and-peppered SHA-256 hash of the IP address used at signup. We do not store the raw IP address.
(f) Marketing-site analytics. On our marketing site, analytics are consent-gated: they are off by default and load only after you affirmatively consent through our consent management platform (Consently). Where enabled, we use Rybbit (a cookieless analytics service that sets no cookies and stores no identifiers on your device) and Google Analytics (which sets first-party _ga cookies scoped only to the site you are visiting). This Policy governs the marketing-site visit; the dashboard does not load third-party product analytics.
3. Data We Deliberately Do Not Keep
The statelessness of the Service is a headline product feature and a core design commitment. We architect the Service so that we do not retain the financial messages you send through it.
(a) No persistence or logging of message bodies. We process Message Content in memory to serve your request. We do not persist or log message bodies. Postgres stores metadata only. Our logging is provably body-free: a continuous-integration test enforces that our logging code cannot emit message bodies before any change ships.
(b) The only two exceptions. There are exactly two places where content-derived data is stored, each tightly bounded:
- (i) Idempotency response cache. So that a safely-retried request returns the same result, we cache responses keyed by a hash of the request body — raw bodies are never stored — with a 24-hour maximum time-to-live, on an encrypted volume in production.
- (ii) Asynchronous batch job store. For asynchronous batch processing, inputs and results are stored only as AES-256-GCM ciphertext. Inputs are purged at completion of the batch item. Results are retained for a default of one hour, subject to a customer-configurable maximum of one minute to 24 hours, and can be purged on demand.
(c) No derived analytics from content. We do not compute content hashes for analytics, and we derive no analytics, profiles, or training data from Message Content. Our metrics and traces are body-free, and distributed tracing is off unless explicitly enabled.
4. Purposes and Legal Bases (GDPR Article 6)
Where the EU or UK General Data Protection Regulation applies to our controller-side processing, we rely on the following legal bases:
(a) To provide the Service (contract). We process portal account data, Stripe identifiers, and Usage Metadata to create and administer your account, authenticate you, provide the Service, enforce quotas and rate limits, and provide support. The legal basis is performance of a contract with you (Article 6(1)(b)), or our legitimate interest in serving the organization that has contracted with us where you act on its behalf (Article 6(1)(f)).
(b) To bill and keep records (legal obligation and contract). We process billing identifiers, metering counts, and invoice records to charge for the Service and to meet our tax, accounting, and bookkeeping obligations. The legal basis is compliance with a legal obligation (Article 6(1)(c)) and performance of a contract (Article 6(1)(b)).
(c) To secure the Service and prevent abuse (legitimate interests). We process Usage Metadata, hashed signup IP addresses, hashed credentials, and session metadata to keep the Service secure, prevent fraud and abusive signups, investigate incidents, and enforce our terms. The legal basis is our legitimate interests (Article 6(1)(f)) in protecting the Service, our customers, and third parties. We have weighed these interests against your rights and freedoms: the data used is minimized and largely pseudonymized (for example, we hash IP addresses rather than storing them), it is not used to build marketing profiles, and its use is limited to security and integrity purposes — so we consider it does not override your interests.
(d) To communicate with you (legitimate interests / consent). We send transactional messages (such as magic links, receipts, and usage or security alerts) as necessary to provide the Service and administer your account. We may send business-to-business communications about the Service and related offerings to organizational contacts on the basis of our legitimate interest in promoting our business (Article 6(1)(f)), and we obtain consent where the applicable law requires it (Article 6(1)(a)). You can opt out of non-transactional messages at any time; transactional messages are not opt-outable because they are needed to operate your account.
5. Disclosure and Recipients
We disclose personal data only as described below. We do not sell personal data, and we do not share it for advertising, ever.
(a) Sub-processors. We engage service providers that process personal data on our behalf to operate the Service — for infrastructure, database hosting, email delivery, and signup validation. Each is bound by a written contract to protect the data and to process it only on our instructions. Our current sub-processors are listed on our Sub-Processor List, which we update as our processor relationships change; the sub-processor governance for Message Content is maintained under the DPA.
(b) Stripe as independent controller for payments. Stripe, Inc. processes your payment information to take payment. For that payment processing, Stripe acts as an independent controller under its own privacy policy, not as our processor.
(c) Professional advisers. We may disclose personal data to our lawyers, accountants, auditors, insurers, and similar professional advisers where reasonably necessary and under duties of confidentiality.
(d) Legal compulsion. We may disclose personal data where required by applicable law, court order, subpoena, or other lawful governmental or regulatory request, or to establish, exercise, or defend legal claims. Where lawful and reasonable to do so, we will notify the affected party and will challenge requests that we consider overbroad, unlawful, or improper before disclosing.
(e) Corporate transactions. If 403 Finance is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, personal data may be transferred as part of that transaction, subject to the protections of this Policy.
(f) No sale; no advertising sharing. We do not sell personal data, and we do not disclose or share personal data to third-party advertising networks, data brokers, or marketing partners for their own or for cross-context behavioral advertising purposes. We receive no consideration in exchange for personal data.
6. International Transfers
(a) Where the Service is hosted. The Service is hosted in the European Union. Our production compute and edge run on Cloudflare in the Western Europe region (Frankfurt), and our metadata database and encrypted batch ciphertext run on Neon Postgres on AWS in the eu-central-1 (Frankfurt) region. EU-based processing is a product commitment.
(b) Administrative access from the United Kingdom. Our personnel administer and support the Service, and day-to-day administrative access to our systems takes place from the United Kingdom. For personal data transferred from the European Union to the United Kingdom, that transfer is covered by the EU–UK adequacy decision, under which the UK is recognized as providing an adequate level of data protection; no additional transfer mechanism is required for that access.
(c) Safeguards for any residual US access. 403 Finance is a United States company, and limited residual administrative access from the United States may occur. Any such transfer is safeguarded by the EU Standard Contractual Clauses incorporated into the DPA, together with the UK International Data Transfer Addendum and the Swiss adaptations where those regimes apply, and by supplementary technical measures (including encryption in transit and at rest, and our body-free architecture). We do not claim that data never leaves the EU; we disclose and safeguard these administrative-access transfers.
7. Retention
We keep personal data only for as long as we need it for the purposes described in this Policy, and then delete or de-identify it. The following table mirrors our internal retention schedule.
| Data class | Retention |
|---|---|
| Synchronous request payloads (Message Content in transit) | Request-scoped memory only; not persisted. |
| Idempotency response cache (body hash + response) | 24 hours maximum, then purged. |
| Asynchronous batch inputs (encrypted) | Purged at completion of the batch item. |
| Asynchronous batch results (encrypted) | Default 1 hour; customer-configurable maximum of 1 minute to 24 hours; purge on demand. |
| Portal account data (email, name) | Life of the account; deleted on operator-assisted deletion request. |
| Session and sign-in token hashes | Sessions expire at 30 days absolute / 15 minutes idle; single-use sign-in tokens expire in 15 minutes. |
| Signup anti-abuse data (hashed IP) | Retained for a limited anti-abuse window, then purged. |
| Usage Metadata and billing/audit records | Life of the business relationship plus statutory bookkeeping and tax-record periods; reviewed annually. |
| Support correspondence | Life of the business relationship, then a reasonable archival period. |
(a) Usage Metadata and records. Because Usage Metadata is the system of record for metering, billing, quota enforcement, and audit, we retain it for the life of the business relationship and for the additional periods we are required to keep financial records under applicable bookkeeping and tax law, after which it is deleted or de-identified. In all cases, Usage Metadata is retained no longer than seven (7) years after the end of our business relationship with the Customer, and is deleted or irreversibly de-identified at or before that outer bound.
(b) Account deletion. We do not currently offer a self-service account-deletion endpoint. Account deletion is operator-assisted: on a verified request to support@403fin.io, we delete your account data in accordance with this Policy and applicable law, subject to records we are required or permitted to retain (such as billing records and security logs).
8. Your Rights (GDPR / UK GDPR)
Where the EU or UK GDPR applies to our controller-side processing, you have the following rights in respect of your personal data:
(a) Your rights. The rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing carried out on the basis of our legitimate interests. Where we rely on consent, you may withdraw that consent at any time without affecting processing already carried out.
(b) No automated decision-making. We do not use your personal data to make solely automated decisions that produce legal effects concerning you or similarly significantly affect you.
(c) How to exercise your rights. Email us at privacy@403fin.io. To protect your data, we may need to verify your identity before acting on a request, and we will collect only the information reasonably necessary to do so. We will respond within one month of receiving a verifiable request, and we may extend that period by up to two further months for complex or numerous requests, in which case we will tell you within the first month.
(d) Complaints. You have the right to lodge a complaint with a supervisory authority, in particular in the EU or UK country of your habitual residence, place of work, or the place of the alleged infringement. We would appreciate the chance to address your concern first.
(e) Account deletion is operator-assisted. As stated in Section 7(b), account deletion is currently handled by our team on request to support@403fin.io rather than through a self-service control. We honor erasure rights for the personal data we control on that basis, subject to lawful retention exceptions.
9. California Privacy (CCPA/CPRA)
(a) B2B contact information. The controller-side personal data we handle about our Customers and their personnel is business contact information and information about business representatives, collected and used to provide a business-to-business service, not information about individuals acting in a personal, family, or household capacity.
(b) Service provider for Customer data. With respect to the personal data contained in Message Content, 403 Finance acts as a service provider (as defined in California Civil Code §1798.140(ag)) to the Customer: we process that data only on the Customer's behalf and for the purposes the Customer directs, under contractual restrictions in the DPA that prohibit us from selling or sharing it or using it for our own purposes.
(c) No sale or sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We receive no consideration in exchange for personal information.
(d) Rights and contact. To the extent the CCPA/CPRA affords you rights (such as to know, delete, correct, or opt out) with respect to personal information we control, you may exercise them by emailing privacy@403fin.io, and we will not discriminate against you for doing so.
10. Other Jurisdictions
Where the data-protection law of another jurisdiction applies to our controller-side processing — for example, Brazil's LGPD, Canada's PIPEDA, or Japan's APPI — we honor the verified rights that law affords you (such as access, correction, and deletion) through the same contact channel at privacy@403fin.io, subject to identity verification and lawful exceptions. For personal data contained in Message Content, the Customer remains responsible for its own controller-side compliance, and requests about that data should be directed to the Customer, as described in Section 1(d).
11. Security
We maintain administrative, technical, and organizational measures designed to protect personal data, including passwordless authentication, encryption in transit and at rest, hashing of credentials and session tokens, tenant isolation, least-privilege administrative access, and our body-free logging and metrics architecture. A fuller description is available in our Security Overview and, for personal data we process on a Customer's behalf, in Annex II of the DPA. No system can be guaranteed to be perfectly secure, and we do not promise that the Service will be immune from every threat; we work to protect your data using measures appropriate to the risk.
12. Business Use Only; No Children
The Service is offered solely for business use and is not directed to consumers or to anyone acting for personal, family, or household purposes. The Service is not directed to, and may not be used by, anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@403fin.io and we will take reasonable steps to delete it.
13. EU and UK Representative
An EU representative (and, where required, a UK representative) are being arranged as part of our launch preparations. Their contact details will be published here upon appointment.
14. Changes; Contact
(a) Changes to this Policy. We may update this Privacy Policy from time to time. Each version carries a version number, a "Last updated" date, and a changelog maintained with the published document. For material changes, we will provide reasonable advance notice — for example, by email to your account address or through the dashboard — before the change takes effect. The most current version is always the one published at our legal URL.
(b) Contact. For any question or request about this Privacy Policy or your personal data, contact our privacy team:
- Email: privacy@403fin.io
- Mail: 403 Finance, Inc., 1111B S Governors Ave, Ste 92573, Dover, DE 19904, USA
For personal data contained in Message Content, please contact the Customer that submitted it, as described in Section 1(d).
Change History
| Version | Date | Summary |
|---|---|---|
| 1.0 | July 14, 2026 | Initial release |