Privacy Policy
Effective Date: 7 July 2026
TransferDue ("we", "us") provides document organization and reporting software. This policy explains what personal data we collect, how we use it, and the rights you have. It applies to the TransferDue website and application. The service is operated by TransferDue LLC, a limited liability company registered in Wyoming, United States, which is the data controller for your personal data; contact details and registered address are in §11.
1. Information We Collect
- Account data: your email address, name, and password (stored only as an Argon2id hash — we never store your password in plain text).
- Documents you upload: PDF files, images, forms, agreements, letters, and related uploaded documents submitted for processing and report generation.
- Identity documents: passports and ID cards you upload may contain a passport or national ID number, nationality, date of birth, and a photograph. Thai ID cards and similar documents may also contain sensitive personal data under Thailand's PDPA §26, such as religion, blood type, health information, biometric data, or similar fields. You must redact those sensitive fields before upload. TransferDue does not intentionally collect, extract, store, or report those fields.
- Third-party personal data in transaction documents: documents you upload — for example a title deed (chanote), a Land Office registration record, or a sale-and-purchase agreement — may contain personal data of people other than you, such as the seller's or a co-owner's name, national ID number, and address. We receive this data only because it appears in the documents you upload, and we process it under legitimate interest solely to run the document checks you request (see §9).
- Report data: structured summaries and reports generated from uploaded documents.
- Usage and audit data: sign-in events, actions taken in the app, IP address, and browser/user-agent, kept for security and fraud prevention.
- Payment data: when you buy unlock credits, payment processing is handled by our payment provider. We receive confirmation of completed payments but do not store your full card details.
You retain ownership of documents you upload. TransferDue processes uploaded documents solely for the purpose of delivering the Service.
2. How We Use Your Information
We use your information to:
- create and secure your account;
- process uploaded documents and generate structured reports;
- deliver, store, and let you download generated reports;
- process unlock-credit purchases and apply credits to your account;
- send transactional email (e.g. account, billing, and data-retention notices);
- detect abuse and enforce rate limits.
We do not sell your personal data, and we do not use it for third-party advertising.
3. Automated Processing and Sub-processors
To deliver the service we share the minimum necessary data with sub-processors who act on our instructions:
- Anthropic (United States), via our pipeline provider nrflo — AI processing of uploaded document text to generate your report. We use Anthropic's commercial API under a Data Processing Agreement and zero-retention processing: your document text is not used to train AI models and is not retained by Anthropic after processing.
- Cloudflare R2 (Asia-Pacific region) — object storage for uploaded documents and generated reports.
- Hetzner (Germany, EU) — server hosting and compute for the application and its database.
- Resend — delivery of transactional email.
- Cloudflare — bot protection (Turnstile) and content delivery.
- Google — Google Analytics, only after you accept analytics cookies (see §4), and optional Google Sign-In.
These providers may process data outside your country of residence. We share only what is needed to perform each function. Sub-processors are contractually required to process data only for the purpose of providing their services to TransferDue.
Payments. Unlock-credit purchases are processed by Stripe, whose consumer service Link acts as the merchant of record for the payment transaction — it is the seller of record on your receipt and collects any applicable VAT, GST, or sales tax. Stripe is not a sub-processor: it processes the payment data it collects as an independent controller for its own payment, tax, fraud-prevention, and dispute obligations; see Stripe's privacy policy. We never receive your card details — only payment confirmations and a checkout-session id.
4. Cookies and Analytics
We use a single essential session cookie (dd_session) to keep you signed in. It is required for the service to work. We do not use advertising or cross-site tracking cookies. Bot-protection (Cloudflare Turnstile) and optional Google sign-in may set their own cookies when you use those features.
We also use Google Analytics to understand how visitors use the site (for example, which pages are viewed and which actions are completed). Analytics cookies are not set until you accept them via the consent banner; if you decline, no analytics cookies are stored. We enable IP anonymization, and we do not use this data for advertising. Google acts as a sub-processor and may process this data outside your country of residence; see Google's privacy policy.
Separately, we record first-party usage events to measure our own conversion funnel — for example, arriving on the site, viewing a report's free findings, or starting an unlock. These events are stored only on our own servers, are linked to a random first-party identifier (not your name), and do not include your IP address or browser/user-agent. They set no third-party cookies, are never shared or used for advertising, and are kept for up to 180 days. Because they involve no third-party tracking and no sensitive data, we collect them under our legitimate interest in operating and improving the service, independently of the analytics-cookie banner above.
5. Data Retention
Uploaded documents and generated reports are retained for up to 90 days of inactivity. Activity means creating a case, uploading a document, completing a report, or downloading a report. If your case is inactive for 90 days, we email you a warning 7 days before permanent deletion. Signing in to view or download your report resets the retention clock.
Identity documents — ID cards and passports — are deleted from storage automatically as soon as your report is generated (or within 7 days if you never complete a report). Only the specific identity details your report needs are kept, within the report itself; the original ID-card and passport files are not held for the 90-day window above. We do not intentionally keep religion, blood type, health information, biometric data, or other PDPA §26 sensitive fields in reports.
Files we cannot recognise are also removed. If a document you upload does not match any of the condo document types we process, our system does not analyse it — and we delete the uploaded file from storage once it has been classified (or within 7 days if you never complete a report), keeping only a record that it was uploaded and removed.
6. Your Rights
You may access and update your account information at any time. You can review a record of recent security and access events on your account — sign-ins, document and report downloads, share-link views, and purchases — under Account → Activity. You may request erasure of your personal data and all associated documents by deleting your account in the app (Account → Delete account). Erasure requests are processed promptly and are irreversible once completed. Depending on your jurisdiction you may also have rights to access, correct, or port your data, or to object to certain processing — see §10 if you are in the EU/EEA or UK, and contact us (§11) to exercise them.
7. Security
Data is transmitted over encrypted connections (HTTPS) and stored encrypted at rest (AES-256) by our storage provider, with access controls. No method of transmission or storage is completely secure, but we take reasonable measures to protect your information.
8. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the app or by email. Continued use of the service after changes become effective constitutes acceptance of the revised policy.
9. Legal Basis and Your Consent (PDPA)
Because we process personal data of individuals in Thailand, Thailand's Personal Data Protection Act (PDPA) applies. We rely on these legal bases:
- Performance of the service (contract): handling your account data and the documents you upload to organize them and generate your report.
- Document-upload consent: identity documents are optional and may contain sensitive PDPA §26 fields if they are not redacted. We require you to redact those fields before upload. We process identity documents — including transferring the necessary document text to an AI processing provider located outside Thailand (see §3) — only to produce your report and only with the consent you give at the document-upload step. Where a §26 sensitive field incidentally remains despite redaction, that upload-step consent is your explicit consent to its incidental processing; we do not intentionally extract, store, or report it. You may decline by not uploading identity documents (identity-matching findings will then be limited), and you may withdraw consent by deleting the documents or your account.
- Legitimate interest: sign-in and audit logs used to secure the service and prevent abuse; and first-party, no-cookie usage analytics (no IP or user-agent stored) used to measure and improve the conversion funnel.
- Legitimate interest (third parties named in your documents): transaction documents you upload may contain personal data of individuals who are not our users — typically the seller or a co-owner named in a title deed, registration record, or sale agreement (see §1). You cannot consent on their behalf, and we do not ask you to. We process this data under our and your legitimate interest in carrying out the document checks you request (for example, confirming that the seller named in your agreement matches the registered owner on the title deed). We extract and include in your report only what those checks require, we never use it for any other purpose or to contact those individuals, and it is deleted together with your documents and reports under the retention rules in §5. If you are such a third party, you may contact us (§10) to exercise your rights over this data.
- Consent (analytics): analytics cookies are set only if you accept them (see §4).
Using the service involves transferring your data to providers outside Thailand, including the United States. These transfers are made under appropriate safeguards — our AI provider processes your document text under the Standard Contractual Clauses incorporated in its commercial Data Processing Agreement — together with the informed upload-step consent and disclosures above.
Our PDPA status. The data controller, TransferDue LLC, is registered in the United States. Because it does not carry out large-scale processing and does not intentionally process the sensitive categories of personal data described in PDPA §26 (you are required to redact those before upload), it falls within the §38 exemption from the requirement to appoint a local representative in Thailand under PDPA §37(5). The PDPA continues to apply in full to our processing of the personal data of individuals in Thailand.
10. If You Are in the EU/EEA or UK (GDPR)
If you use the service from the European Economic Area or the United Kingdom, the EU/UK General Data Protection Regulation (GDPR) may also apply to our processing of your data. For that processing:
- Legal bases mirror §9: performance of a contract (Art. 6(1)(b)) for your account and the documents you upload; your explicit consent (Art. 9(2)(a)) only for any special-category data that appears despite the redaction requirement; and our legitimate interests (Art. 6(1)(f)) for security logging, abuse prevention, first-party usage analytics, and the third-party personal data appearing in your transaction documents.
- International transfers: TransferDue LLC is registered in the United States; processing involves transfers to sub-processors in the United States and elsewhere (§3). Neither Thailand nor the United States holds an EU adequacy decision; these transfers are made under appropriate safeguards (Art. 46) — our AI provider (Anthropic) processes your data under the EU Standard Contractual Clauses incorporated in its Data Processing Agreement, and other sub-processors under their own SCCs/DPAs where offered — supplemented by the explicit, informed consent you give at the upload step (Art. 49(1)(a)). They may not provide the same protections as processing inside the EEA/UK.
- Your GDPR rights: access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent at any time (without affecting processing already carried out). You can exercise most of them directly in-app (Account → Activity, Account → Delete account) or by contacting us (§11). You also have the right to lodge a complaint with your local supervisory authority.
- We are not established in the EU/UK and have not appointed an EU/UK representative; the service is not specifically directed at EU/UK residents. This section is provided for transparency to buyers who choose to use the service from there.
11. Contact
For any privacy questions, consent withdrawals, or data requests, contact us at [email protected].
TransferDue LLC, 30 N Gould St Ste N, Sheridan, WY 82801, United States.
12. Language
This Privacy Policy is published in English, which is its sole authoritative and governing version. Any translation into another language is provided for your convenience only. In the event of any conflict, ambiguity, or inconsistency between the English version and a translation, the English version prevails.