Data Processing Agreement

Effective: 3 May 2026 · Version: draft.0.1

This DPA describes how data is processed when you use Passport to Wealth Finance Clarity. It applies in addition to the Privacy Policy and Terms of Service. Designed to be readable by humans first; aligns with the framework of GDPR Article 28 where applicable.

1. Roles

The product is structured so the bulk of processing happens on your computer:

You are the controller for your financial data. You decide what to process, how long to keep it, and whether to share it.
Passport to Wealth is a processor only for the narrow data flows described below in §3 (anonymous install counters, opt-in feedback events, opt-in published dashboards). Everything else lives on your machine outside our reach.

2. Scope of processing

This agreement covers only the data we receive. It does not cover:

Data your AI assistant (Claude) processes — that's governed by your Anthropic account terms.
Data the publishing host (here.now) processes when you choose to share — that's governed by here.now's terms (referenced as a sub-processor below).
Data on your local computer that we never receive (which, by default, is everything except the install counter ping).

3. Categories of personal data we process

Category	Source	Purpose	Retention
Install-start event (platform, build_stamp, advisor_id)	Install script POST after consent gate	Counting onboarding volume per platform	90-day TTL on the daily counter
Feedback event (your message + skill version + timestamp + client_id)	Dashboard "I have feedback" widget, opt-in per submission	Triage and respond to product feedback	Until manually closed and deleted from GitHub Issues
Published dashboard (categorized transactions, monthly summaries, CSV exports, your client_id)	Publish flow, opt-in by user choice ("share my dashboard")	Hosting your dashboard for the people you share the URL + passcode with	Until you delete the site (`delete-my-site.command`)

What's deliberately not in this table: IP address, user-agent, name, email, machine identifier. The Cloudflare Worker that receives install pings and feedback events does not read these headers; verified by source code.

4. Categories of data subjects

You (the user installing and running the skill).
Counterparties on your transactions (people or businesses who appear in transaction descriptions you process). The pipeline operates on whatever is in your bank statements; merchant names, payee names, etc. We never see these unless you publish a dashboard.

5. Sub-processors

The infrastructure we operate sits on top of these vendors. Each has their own privacy and processor terms; they apply in addition to ours.

Sub-processor	Role	Data they receive from this product	Region
Cloudflare	Worker runtime + KV storage for install counters and feedback POST routing	Install ping payload, feedback message body. Worker observability is off, so request bodies don't sit in Cloudflare logs.	Global edge (US-headquartered company)
here.now	Publishing host for shared dashboards	Only contacted if you opt-in to publish. Receives the rendered `site/` bundle (HTML + categorized transactions + CSV downloads).	Cloudflare-backed; US-headquartered
GitHub (Microsoft)	Source code hosting + feedback issue creation + Pages backup mirror of the landing page	Feedback message bodies become GitHub issues. Otherwise nothing.	US
Anthropic	Claude (the AI assistant the skill runs on)	You are the customer of Anthropic, not us. We don't see your Claude conversations. When you ask Claude to read a file, the file content goes to Anthropic per your account terms — not to us.	US

6. Security measures

Technical measures applied to the data we do receive:

All transport is HTTPS; no plaintext.
The Cloudflare Worker is bearer-gated. The bearer token is shared (visible in install scripts by design) and is an anti-abuse measure, not a confidentiality boundary.
Cloudflare KV writes are encrypted at rest by Cloudflare.
Worker observability is explicitly disabled ([observability] enabled = false in wrangler.toml) so request bodies don't end up in Cloudflare logs.
Published dashboards are passcode-gated. Content is not served until the passcode is verified at the host.
Source code is open for inspection at github.com/passporttowealth/passporttowealth; the install scripts and Worker code are statically analyzed in CI on every change (public CI runs).

7. Data subject rights

Because most of your data stays on your computer, most rights you can exercise yourself directly:

Access: open your workspace folder; everything is in plain CSV/JSON/HTML.
Erasure: delete the workspace folder. For a published dashboard, run delete-my-site.command. For a feedback issue, ask via the issue thread or contact below.
Portability: the workspace already gives you portable CSVs (transactions_tagged.csv, monthly_actuals.csv) — they're yours to take to any tool.
Object to processing: opt out of install telemetry with FCB_NO_ANALYTICS=1; don't publish if you don't want a hosted copy; don't send feedback if you don't want issues created.

8. Breach notification

If we become aware of a data breach affecting one of the limited categories in §3, we will notify Passport to Wealth, who will notify affected clients without undue delay (and within 72 hours where required by law). Because the data we hold is minimal, the realistic blast radius is the install counter (anonymous, no PII), feedback issues, or published dashboards.

9. International transfers

The sub-processors above are predominantly US-based. If you are a data subject in a region with cross-border transfer requirements (UK GDPR, EU GDPR, etc.), the legal basis for transfer is currently the controller-to-processor relationship between you and these vendors directly (since most processing happens between your machine and theirs). Pending legal review for explicit Standard Contractual Clauses where required.

10. Audit

Source code is public. Install scripts are static-analyzed in CI. Worker code can be inspected at github.com/passporttowealth/passporttowealth/tree/main/cloudflare-worker. Architectural questions: contact via the channel below.

11. Changes

Changes to this DPA will be reflected by an updated effective date above and noted in the CHANGELOG. Adding or removing a sub-processor will be flagged there explicitly.

12. Contact

Privacy / processor inquiries: contact your advisor at Passport to Wealth, or open an issue at github.com/passporttowealth/passporttowealth/issues.