Privacy Statement
Last updated: February 2025
This privacy statement explains what personal data myTransferPricing collects, why we collect it, how we protect it, and what rights you have. We aim to be transparent and straightforward.
1. Who We Are
myTransferPricing is an enterprise SaaS platform that helps multinational companies and advisory firms manage their transfer pricing documentation.
2. What Data We Collect
2.1 Account Information
When your organization administrator creates your account, we collect:
- Identity data: First name, last name, email address
- Contact data: Phone number, phone country code (optional)
- Profile data: Avatar image (optional), timezone, currency, country, and date format preferences
- Credentials: Password (hashed and managed by our authentication provider — we never store plaintext passwords)
2.2 Organization & Billing Information
Organization administrators provide:
- Organization profile: Legal name, address, postal code, state/province, country
- Billing contact: Billing name, billing address, billing email, contact person details, purchase order number
- Subscription details: Selected plan, user/client limits, feature entitlements
We do not collect or store credit card numbers, bank account details, or payment card data. Payment processing is handled externally.
2.3 Client & Project Data
Users create and manage business data within the platform:
- Client records: Client name, client code, industry classification, country, address, contact information
- Fiscal year data: Year, date ranges, status
- Transfer pricing projects: Project names, document templates, generated documents, variable values used in document generation
- Files: Uploaded document templates (Word, Excel, PDF) and generated output documents, stored in cloud storage with version history
This is your organization's business data. We process it solely to provide the service — we do not use it for any other purpose.
2.4 Security & Authentication Data
To protect your account and detect unauthorized access, we collect:
- Login events: Timestamp, authentication method (password, OTP, magic link, 2FA), success/failure status
- IP addresses: Captured during login, OTP requests, magic link requests, and security-relevant actions
- User agent strings: Browser and device information captured during authentication and audited actions
- Two-factor authentication: Whether 2FA is enabled on your account (TOTP secrets are managed by our authentication provider)
- Failed login tracking: Number of failed attempts (used to trigger temporary account lockouts for your protection)
- OTP codes: One-time passwords generated for login verification (automatically expire after 10 minutes)
- Magic link tokens: Stored as cryptographic hashes (not plaintext), with expiration timestamps
2.5 Audit Trail Data
All significant actions on the platform are logged for security and compliance:
- What is logged: The action performed, which record was affected, who performed it, when it happened, from which IP address, and with which browser/device
- Change tracking: For updates, we store the before and after values of changed fields
- Automatic redaction: Sensitive values (passwords, tokens, API keys, secrets) are automatically replaced with [REDACTED] before being stored
2.6 Cookies & Session Data
We use a minimal set of cookies — all essential for the platform to function:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Maintains your authenticated session | Essential, HttpOnly | Session |
| CSRF token | Protects against cross-site request forgery | Essential, HttpOnly, Secure | 24 hours |
| Auth session | Authentication token | Essential, HttpOnly | Managed by provider |
We do not use advertising cookies, marketing trackers, or social media cookies.
2.7 Analytics Data
We use Vercel Analytics and Vercel Web Vitals to understand platform performance (page load times, error rates). This data is aggregated and not linked to individual user accounts.
3. Why We Collect This Data (Legal Basis)
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the service | Account info, organization data, client/project data, files | Performance of contract |
| Authenticate users | Credentials, OTP codes, 2FA data, session tokens | Performance of contract |
| Protect security | IP addresses, login events, failed attempts, user agents | Legitimate interest (security) |
| Maintain audit trail | All audited actions, IP addresses, change history | Legitimate interest (compliance) |
| Send transactional emails | Email address, name, OTP codes, temporary passwords | Performance of contract |
| Enforce rate limits | IP addresses, request counts | Legitimate interest (stability) |
| Billing administration | Organization billing details, contact information | Performance of contract |
4. Who We Share Data With
We share your data only with service providers that are necessary to operate the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Application data, user credentials (hashed), uploaded files |
| Resend | Transactional emails | Email addresses, user names, OTP codes, organization names |
| Vercel | Application hosting, caching | Request data, CSRF tokens, rate limit counters |
| Upstash | Rate limit enforcement | IP addresses, request metadata |
We do not sell your data. We do not share data with advertisers. We do not use your data for AI/ML model training.
5. Where Your Data Is Stored
- Application hosting: Vercel (globally distributed CDN with primary processing in the United States)
- Database & file storage: Supabase (region depends on project configuration — typically US or EU)
- Cache & rate limiting: Vercel KV / Redis (region configured to match deployment)
- Email delivery: Resend (United States)
For users in the European Economic Area (EEA): Some of your data may be transferred to and processed in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) and the data processing agreements of our service providers.
6. How We Protect Your Data
Technical Measures
- Encryption in transit: All connections use HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enforced.
- Encryption at rest: Database encryption provided by Supabase. Sensitive fields redacted in audit logs.
- Authentication security: Passwords hashed (bcrypt). Magic link tokens stored as SHA-256 hashes. OTP codes expire after 10 minutes.
- Account protection: Automatic account lockout after repeated failed login attempts. Optional two-factor authentication (TOTP). Organization-level MFA enforcement.
- Access control: Row Level Security (RLS) on all database tables ensures strict organization-based data isolation. Role-based access control (RBAC) with granular permissions.
- Input validation: All user input validated with schemas at API boundaries.
- Rate limiting: Redis-backed rate limiting on all endpoints to prevent abuse.
- CSRF protection: Double-submit cookie pattern with constant-time comparison.
Security Headers
We enforce the following HTTP security headers on all responses:
- Strict-Transport-Security (HSTS with preload)
- X-Frame-Options: DENY (prevents clickjacking)
- X-Content-Type-Options: nosniff
- Content-Security-Policy (restricts script sources, prevents injection)
- Permissions-Policy (disables camera, microphone, geolocation)
- Referrer-Policy: origin-when-cross-origin
Organizational Measures
- Multi-tenant architecture with strict organization-level data isolation
- Comprehensive audit logging of all data access and modifications
- Automatic redaction of sensitive data in logs
- Principle of least privilege in role-based access
7. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Active account data | As long as the account is active |
| Deactivated user accounts | Soft-deleted (marked inactive); recoverable by organization admin |
| Audit logs | Retained indefinitely for compliance; periodically archived |
| OTP codes | 10 minutes (auto-expire) |
| Magic link tokens | Until used or expired |
| CSRF tokens | 24 hours |
| Account lockout status | 1 hour (auto-expire) |
| Uploaded files | Retained until manually deleted by organization |
| Generated documents | Retained indefinitely as part of audit trail (immutable) |
| Cached data | 5 minutes to 24 hours (auto-expire) |
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request your data in a machine-readable format
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on consent, withdraw at any time
How to exercise your rights: Contact your organization administrator or email us. We will respond within 30 days.
Account deletion: Organization administrators can deactivate users (soft delete). Platform administrators can permanently delete user accounts, including removing all authentication data. When a user is permanently deleted, their owned data is transferred to a designated administrator account before removal.
9. Children's Privacy
myTransferPricing is a business-to-business platform designed for professional use by tax advisors, transfer pricing specialists, and corporate tax departments. The service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child's data has been submitted to our platform, please contact us immediately.
10. Email Communications
We send the following transactional emails (no marketing emails):
| Email type | When sent | Contains |
|---|---|---|
| OTP verification | When you log in via OTP | 6-digit code, expiration time |
| 2FA enabled | When you enable two-factor auth | Confirmation, timestamp, IP address |
| 2FA disabled | When 2FA is turned off | Security alert, timestamp, IP address |
| Welcome email | When your account is created | Name, email, temporary password, login link |
| Admin welcome | When a platform admin account is created | Name, email, temporary password, login link |
Transactional emails are sent via Resend. You cannot opt out of security-related emails (OTP, 2FA alerts) as they are necessary for account security.
11. Changes to This Statement
We will update this privacy statement when we make material changes to how we handle personal data. The “Last updated” date at the top will reflect the most recent revision.
When significant changes occur (new data collection, new third-party providers, changes to data retention), we will notify users through the platform.
12. Contact Us
If you have questions about this privacy statement or how we handle your data, please contact us through your organization administrator or via the platform.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
© 2025 myTransferPricing. All rights reserved.
