Privacy Policy TransferGuard
Version v1.5, June 1, 2026
At TransferGuard, privacy is not an "add-on" but the core of our existence. We maintain an EU Privacy-First approach, going beyond standard GDPR requirements to guarantee full data sovereignty.
1. Our "100% EU-Owned Core" Guarantee
Unlike many competitors, TransferGuard guarantees that your data and that of your clients never fall under the jurisdiction of non-EU governments (such as the US Cloud Act).
• All data storage takes place on European servers (Hetzner S3, Germany).
• Our critical infrastructure, including the hardware-based TSA sealing, is managed in-house in the Netherlands.
• We exclusively use European sub-processors for payments and identification.
2. Encryption (end-to-end, optional zero-knowledge)
Files are always encrypted on the sender's device (AES-256) before they reach our servers. For the key, the sender has two modes:
• Standard mode: the encryption key is stored by us in encrypted form (protected with a server secret) so we can release it to the verified recipient after successful verification. In this mode TransferGuard can technically access the content (for example to generate a secure preview for Open Detection), but this happens solely in an automated way to operate the service, never for viewing by staff.
• Optional zero-knowledge mode: the sender sets an access code that is shared with the recipient outside of TransferGuard. The key is encrypted with it and never reaches our servers. In this mode TransferGuard cannot access the content; Open Detection is then unavailable.
• We also process only the metadata necessary to ensure the evidentiary value of the transfer.
3. What data do we process?
We limit data processing to what is strictly necessary for the execution of our service.
A. User Data (Sender):
• Name and professional contact details for account management.
• Payment information via Mollie (we do not store credit card or bank details ourselves).
B. Recipient Data & Metadata (Audit Trail):
• Recipient's email address.
• IP address and location data (at city level) for the audit trail in the Certificate of Receipt.
• Device and browser information to verify the technical footprint.
C. Identification Data (Verified Identity Plan):
• When using the Verified Identity Plan, biometric data and ID documents are processed via our partner Veriff (based in the EU).
• This data serves exclusively to establish a one-time, reliable match with the recipient.
4. Retention Policy and "Deletion Proof"
We believe that data that no longer exists cannot be stolen.
• Transferred files are irreversibly deleted after the standard retention period of 30 days.
• Deletion Proof: Once a file is deleted, our system automatically generates a certificate of deletion in the audit trail to comply with GDPR legislation regarding data minimization.
5. Log file retention periods
We keep technical log files in order to detect abuse, answer audit requests, and meet compliance obligations. Retention periods:
• Login events: 24 months (for security monitoring and fraud detection).
• Download logs: 7 years (statutory retention period for business records, Dutch Tax Act art. 52 sec. 4).
• Verification page visit logs: 12 months (used to assemble the 'Statement of Attempts' evidence document).
• Identity verifications (Veriff sessions): 12 months of audit access, after which only the session ID is archived.
• KYC client data (identity checks): 90 days, then automatically erased (data minimisation).
• CDD certificate (KYC evidence): 5 years, in line with the Wwft retention obligation for customer due diligence; permanently deleted thereafter.
After these periods data is automatically deleted by a weekly/monthly purge process. Business customers can request their own logs via the Audit Export function in the admin panel (GDPR art. 15).
Identification and processing on suspicion of abuse: in line with our Terms and Conditions, we may ask you to provide identification and may process identification and IP data to prevent, detect, and investigate abuse, fraud, money laundering, or improper use of the service (in particular the free plan). Legal basis (GDPR art. 6(1)(f)): legitimate interest in securing the service and preventing criminal use; and, where applicable, art. 6(1)(c) (legal obligation). This data is not used for any other purpose and is kept no longer than necessary.
6. Our Sub-processors
We only collaborate with partners who meet our strict EU privacy requirements:
• Hetzner Online GmbH: Cloud infrastructure (Germany).
• Mollie B.V.: Payment processing (Netherlands).
• Veriff: Biometric identity verification (Estonia).
• Sectigo: RFC 3161 timestamps (independent TSA).
7. Affiliate cookies
When you click a personal referral link of a TransferGuard partner (e.g. transferguard.eu/a/XYZ), we set a first-party cookie tg_ref that lasts up to 30 days. Purpose: attribute you to the partner so they receive a commission if you become a customer within that period.
We store no readable IP address in our database, only an irreversible SHA-256 hash for fraud detection. No personal profile is built and no data is shared with third parties for advertising.
Partners only see a truncated internal ID of your account (8 characters) in their statement, never your email address or company name.
You can delete the cookie at any time via your browser; this removes the attribution.
8. Open Detection (proof of opening)
When a sender shares a file with you via Certified Delivery or Verified Identity, the file does not open as a direct download but in a secure in-browser viewer. The download button only unlocks once the viewer has rendered. This produces stronger evidence of receipt than a manual "I confirm" click.
We record only interaction metadata about your viewer session: time of first render, active reading time, scroll depth, tab visibility and interaction count. We do not analyse the content of the file.
What we do NOT store: your IP address in readable form (only an irreversible SHA-256 hash with a server-side salt), no canvas/WebGL/audio fingerprint, no 3rd-party trackers, no keystroke logging. The device fingerprint is a hash of your browser + screen + timezone + language, not traceable to you as a person.
Legal basis (GDPR art. 6(1)(f)): legitimate interest. Senders have a right to verifiable proof that their document was actually read, for example in legal proceedings (summons, termination notices, demand letters).
Retention: the same 7 years as other verifiable logs, after which the records are automatically deleted by our cleanup cron. Even before that, the records cannot be linked to your person due to the hash architecture.
9. Your Rights
You have the right to access, correct, or delete your personal data at any time. For transfers sent in zero-knowledge mode we cannot provide access to the file content, as we cannot decrypt it ourselves. In standard mode the files are moreover irreversibly deleted after the retention period.
10. Contact & Governing Law
This Privacy Policy is governed by the laws of the Netherlands. For questions regarding your privacy, please contact our Data Protection Officer. Any disputes shall be submitted to the competent court in Amsterdam.
TransferGuard
A brand of PVG Technologies B.V.
Data Protection Officer
Email: info@transferguard.eu
Address: Amsterdam, The Netherlands
