Privacy Policy

Effective 2026-05-03 · Version v1-draft-2026-05-03 · Operator: Forrest Fintech Consulting LLC, Saint Louis, Missouri, USA

1. Scope & who we are

This Privacy Policy explains how Forrest Fintech Consulting LLC ("Forrest Fintech", "we", "us") collects, uses, shares, and protects information when you use the Ranger Compliance Intelligence Platform ("Ranger", the "Service") at workbench.ranger.forrestfintechconsulting.com, ranger.forrestfintechconsulting.com, and related surfaces.

For paying customers, this policy operates alongside the Master Service Agreement and Data Processing Addendum that govern your contractual data-handling rights. Where those documents conflict with this policy, those documents control.

2. What we collect

We collect three categories of information.

A. Information you provide directly

What	Why	Where it lives
Email address	Account identity, account-related notifications, support correspondence, lead capture (ROI, pricing waitlist, trust-page request)	Cloudflare D1 (encrypted at rest)
Company name	Account identity, audit-trail context	Cloudflare D1
Customer Data submitted via the API or workbench	To deliver the Service (KYC records, KYB records, transaction events, screening queries, SAR drafts, counterparty due diligence inputs you submit)	Cloudflare D1, tenant-scoped on every read and write

B. Information collected automatically

What	Why	Form stored
IP address	Abuse detection, rate-limiting, geographic context	SHA-256(salt + IP) → 16 hex chars. Never raw.
User agent	Session fingerprinting for marketing-funnel analytics; abuse detection	SHA-256(salt + UA) → 16 hex chars. Never raw.
Referrer	Marketing-source attribution on public surfaces	Truncated to 512 chars; raw text
UTM parameters	Campaign attribution	Raw text from URL query string
Country (Cloudflare cf-ipcountry)	Coarse geographic analytics	Two-letter ISO code
Audit log of authenticated API actions	Security forensics; compliance evidence; per-tenant usage and quota enforcement	Cloudflare D1; api_key_id + path + status code + duration + hashed IP

C. Information from Google Sign-In (optional)

If you sign in to /demo via Google OAuth, we receive from Google: your email address, your name, your profile picture URL, and your Google Workspace hosted domain (if your account is part of a Workspace org). We use only the openid, email, and profile scopes. We do not request access to Gmail, Drive, Calendar, or any other Google service.

The Google sign-in is optional — you can also access /demo via a shared passphrase that we provide directly. The Google option exists so the operator (Drew Davidson, CCO) has attribution context for who is evaluating Ranger; the passphrase option exists so evaluators who do not want to sign in retain a path.

3. How we use information

We use the information we collect to:

Deliver the Service — process screenings, run transaction monitoring, generate due diligence reports, fire webhooks, etc.
Operate the Service securely — detect and block abuse (per /trust), enforce rate limits and quotas, audit access, respond to incidents.
Communicate with you — service notifications, billing notifications (when paid tiers are live), security disclosures, replies to inquiries you initiate.
Improve the Service — aggregate, de-identified usage data informs roadmap and performance work.
Comply with law — preserve records required by Bank Secrecy Act, FFIEC examination procedures, FinCEN regulations, and other applicable regulations; respond to lawful subpoenas, court orders, and government requests.

We do not use Customer Data submitted via the API or workbench to train AI/ML models. We do not sell, rent, or share Customer Data with advertisers.

4. How we share information

We share information only as follows.

With our infrastructure provider, Cloudflare. Ranger runs on Cloudflare Workers + D1 + R2. Cloudflare is a sub-processor; their SOC 2 Type II covers the underlying infrastructure layer.
With Stripe, when a paid tier is active. When (and only when) you initiate a paid subscription via Stripe Checkout, your payment-method information is collected by Stripe directly — it does not pass through Ranger. We receive from Stripe a customer ID, subscription ID, and subscription status; we do not receive your card number, CVV, or full bank details. Stripe's privacy policy is at stripe.com/privacy.
With Google, if you choose Google Sign-In on /demo. Standard OAuth: Google validates the sign-in; we receive only the scopes listed in §2C. Google's privacy policy applies to your interaction with their consent screen.
With public-data sources we ingest from. We ingest sanctions lists (OFAC SDN, EU consolidated, UN, UK HMT), exclusion lists (SAM, OIG LEIE), CSL, FinCEN 314(a), and similar government registries. These are public-domain feeds; we do not transmit Customer Data back to those sources.
When required by law. Subpoenas, court orders, regulator requests. We will notify the affected Customer when we believe we are legally permitted to do so.
In connection with a business transaction. If Forrest Fintech is acquired, merges, or sells substantially all of its assets, Customer information may be transferred to the acquirer subject to the same privacy commitments.

We do not sell personal information to third parties.

5. Where data is stored, and how long

Storage location. Data is stored on Cloudflare's global edge network. Cloudflare D1 is currently single-region (US) for Ranger; multi-region storage is on the roadmap for Enterprise contracts that require it.

Retention.

Operational telemetry (audit_log entries for non-regulatory actions, public_request_log marketing analytics) — purged daily by the R-16 retention cron after their retention window (typically 90 days).
BSA / FIRREA-regulated records (SAR drafts, regulatory audit_log of compliance actions, KYC/KYB records linked to active monitoring) — retained for the period required by applicable regulation (typically 5 years for SAR-related records under 31 CFR 1010.430).
Customer Data not subject to regulatory retention — kept for the lifetime of the tenant account; deleted within 30 days of account closure unless you instruct us otherwise.
Lead-capture emails (ROI, pricing waitlist, trust-page access requests) — retained until you ask us to delete them. Email contact@forrestfintechconsulting.com with subject "Privacy: delete my lead record."
Google OAuth session records — 30-day rolling expiration; expired sessions are purged.

6. Your rights

Depending on where you live, you may have rights under data-protection law including the right to access, correct, delete, or export your personal information, the right to object to certain processing, and the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, email contact@forrestfintechconsulting.com with the subject line "Privacy request: [your request]" and we will respond within 30 days. We will verify your identity before fulfilling requests that involve personal data.

For paying customers, the Data Processing Addendum sets out the specific data-subject-request workflow we will follow on your end-users' behalf.

7. Security

We publish our security control inventory live at /trust. The control matrix includes (non-exhaustive): fail-closed authentication on every non-public path, tenant isolation enforced at every D1 query, SHA-256 hashing of all stored IP and user-agent values, HMAC-SHA256-signed outbound webhooks, daily retention purge of operational telemetry, OAuth with PKCE for Google sign-in. Security controls are linked to the source code that implements them and the tests that prove them — auditable in real time, not via a six-month-old PDF.

No security program is perfect. If you find a vulnerability, email contact@forrestfintechconsulting.com with subject "Security issue." 30-day disclosure window from initial report; no legal action against good-faith researchers.

8. Children

Ranger is a B2B compliance platform sold to financial institutions and fintechs. It is not intended for use by children. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK).

9. International transfers

Ranger's infrastructure runs on Cloudflare's global edge network. Personal information may be processed in the United States and other countries where Cloudflare operates. For Customers located in the EEA or UK, we will execute Standard Contractual Clauses or rely on other lawful transfer mechanisms as part of the Data Processing Addendum.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting an updated version at /privacy with a new version identifier and effective date, and (for paid tiers) by reasonable notice to the Customer's contact email at least thirty (30) days in advance.

Contact · Forrest Fintech Consulting LLC · Saint Louis, Missouri, USA
Privacy requests, data-subject access, and general inquiries: contact@forrestfintechconsulting.com
Security disclosure: contact@forrestfintechconsulting.com (subject "Security issue")