Last updated: February 2025
This privacy statement explains what personal data myTransferPricing collects, why we collect it, how we protect it, and what rights you have. We aim to be transparent and straightforward.
myTransferPricing is an enterprise SaaS platform that helps multinational companies and advisory firms manage their transfer pricing documentation.
When your organization administrator creates your account, we collect:
Organization administrators provide:
We do not collect or store credit card numbers, bank account details, or payment card data. Payment processing is handled externally.
Users create and manage business data within the platform:
This is your organization's business data. We process it solely to provide the service — we do not use it for any other purpose.
To protect your account and detect unauthorized access, we collect:
All significant actions on the platform are logged for security and compliance:
We use a minimal set of cookies — all essential for the platform to function:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Maintains your authenticated session | Essential, HttpOnly | Session |
| CSRF token | Protects against cross-site request forgery | Essential, HttpOnly, Secure | 24 hours |
| Auth session | Authentication token | Essential, HttpOnly | Managed by provider |

We do not use advertising cookies, marketing trackers, or social media cookies.
We use Vercel Analytics and Vercel Web Vitals to understand platform performance (page load times, error rates). This data is aggregated and not linked to individual user accounts.
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the service | Account info, organization data, client/project data, files | Performance of contract |
| Authenticate users | Credentials, OTP codes, 2FA data, session tokens | Performance of contract |
| Protect security | IP addresses, login events, failed attempts, user agents | Legitimate interest (security) |
| Maintain audit trail | All audited actions, IP addresses, change history | Legitimate interest (compliance) |
| Send transactional emails | Email address, name, OTP codes, temporary passwords | Performance of contract |
| Enforce rate limits | IP addresses, request counts | Legitimate interest (stability) |
| Billing administration | Organization billing details, contact information | Performance of contract |

We share your data only with service providers that are necessary to operate the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Application data, user credentials (hashed), uploaded files |
| Resend | Transactional emails | Email addresses, user names, OTP codes, organization names |
| Vercel | Application hosting, caching | Request data, CSRF tokens, rate limit counters |
| Upstash | Rate limit enforcement | IP addresses, request metadata |

We do not sell your data. We do not share data with advertisers. We do not use your data for AI/ML model training.
For users in the European Economic Area (EEA): Some of your data may be transferred to and processed in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) and the data processing agreements of our service providers.
We enforce the following HTTP security headers on all responses:
| Data type | Retention period |
|---|---|
| Active account data | As long as the account is active |
| Deactivated user accounts | Soft-deleted (marked inactive); recoverable by organization admin |
| Audit logs | Retained indefinitely for compliance; periodically archived |
| OTP codes | 10 minutes (auto-expire) |
| Magic link tokens | Until used or expired |
| CSRF tokens | 24 hours |
| Account lockout status | 1 hour (auto-expire) |
| Uploaded files | Retained until manually deleted by organization |
| Generated documents | Retained indefinitely as part of audit trail (immutable) |
| Cached data | 5 minutes to 24 hours (auto-expire) |

Depending on your jurisdiction, you may have the following rights:
How to exercise your rights: Contact your organization administrator or email us. We will respond within 30 days.
Account deletion: Organization administrators can deactivate users (soft delete). Platform administrators can permanently delete user accounts, including removing all authentication data. When a user is permanently deleted, their owned data is transferred to a designated administrator account before removal.
myTransferPricing is a business-to-business platform designed for professional use by tax advisors, transfer pricing specialists, and corporate tax departments. The service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child's data has been submitted to our platform, please contact us immediately.
We send the following transactional emails (no marketing emails):
| Email type | When sent | Contains |
|---|---|---|
| OTP verification | When you log in via OTP | 6-digit code, expiration time |
| 2FA enabled | When you enable two-factor auth | Confirmation, timestamp, IP address |
| 2FA disabled | When 2FA is turned off | Security alert, timestamp, IP address |
| Welcome email | When your account is created | Name, email, temporary password, login link |
| Admin welcome | When a platform admin account is created | Name, email, temporary password, login link |

Transactional emails are sent via Resend. You cannot opt out of security-related emails (OTP, 2FA alerts) as they are necessary for account security.
We will update this privacy statement when we make material changes to how we handle personal data. The “Last updated” date at the top will reflect the most recent revision.
When significant changes occur (new data collection, new third-party providers, changes to data retention), we will notify users through the platform.
If you have questions about this privacy statement or how we handle your data, please contact us through your organization administrator or via the platform.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.