
Privacy by Design

TransferDesk is a salon-grade software product that moves customer data between phones locally, never letting customer content leave the premises. This document describes how privacy-by-design principles are implemented in the product.

1. What "stays out of the cloud" means

Customer content (photos, videos, contacts, calendar events, files) is processed strictly on the salon’s local network:

  • The old phone connects to the salon’s Wi-Fi and uploads to the salon agent PC over a local HTTPS socket.
  • The new phone downloads from the same PC — also over the local network.
  • Traffic does not leave the salon’s L2 segment. The agent PC opens no outbound TCP connections that carry customer content.

The TransferDesk backend receives only: per-type counters (photos / videos / contacts / etc.), session UUID, duration and agent version. No filenames, thumbnails, contact records or EXIF.

2. Data lifecycle in the agent

  • The operator starts a session with a one-time PIN. Upload and pickup endpoints require that PIN.
  • Session files live in %LOCALAPPDATA%\TransferDesk\sessions\<id>, accessible only to the local Windows user.
  • On "End session", session files are immediately wiped (overwrite + delete) and the local session history is reduced to counters.
  • The agent’s server binds only to local-network interfaces and refuses connections from public addresses.

3. Network model

  • Client ↔ agent transport: HTTP/1.1 (default) or HTTPS with a self-signed certificate generated once per host.
  • Authorization uses the per-session PIN, which is encoded into the QR code; the PIN is valid only for the lifetime of that session.
  • Agent ↔ backend: outbound HTTPS only, to api.transferdesk.tech. The agent PC does not accept inbound connections from the public Internet.
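The two gates that sections 2 and 3 place in front of the agent's upload and pickup endpoints (the peer must be on the agent's own link, and the request must carry the current session's PIN) combined into one admission check, as an added Python example that is not TransferDesk's own code; the interface list, the six-digit PIN format and the sample addresses are assumptions made for the example.

```python
"""Added example (not TransferDesk's own code): the admission check the
document's sections 2 and 3 imply for the agent's upload/pickup endpoints.
Interface list, PIN format and sample peers are constructed assumptions."""
import hmac
import ipaddress
import secrets

# Constructed: the interfaces the agent listener is bound to (address/prefix).
LOCAL_INTERFACES = ["192.168.10.5/24", "10.0.0.20/16"]

def link_networks(interfaces=LOCAL_INTERFACES):
    """On-link networks derived from the bound interfaces."""
    return [ipaddress.ip_interface(i).network for i in interfaces]

def peer_on_link(peer, interfaces=LOCAL_INTERFACES):
    """True only for a peer on one of the agent's own L2 segments; a globally
    routable address, or a private one from another subnet, is refused."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    if addr.is_global:
        return False
    return any(addr in net for net in link_networks(interfaces))

class Session:
    """One transfer session; its PIN is created with it and dies with it."""

    def __init__(self, pin_digits=6):
        self.pin = "".join(secrets.choice("0123456789") for _ in range(pin_digits))
        self.open = True

    def end(self):
        self.open = False  # the real agent wipes the session files here
        self.pin = None

    def pin_ok(self, presented):
        if not self.open or presented is None:
            return False
        # Constant-time compare so a wrong guess leaks no timing signal.
        return hmac.compare_digest(self.pin.encode(), str(presented).encode())

def admit(session, peer, presented_pin, interfaces=LOCAL_INTERFACES):
    """Link check first, so an off-link peer never reaches PIN handling."""
    if not peer_on_link(peer, interfaces):
        return "rejected: peer not on local link"
    if not session.pin_ok(presented_pin):
        return "rejected: bad or expired PIN"
    return "accepted"
```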

4. Authentication and identity

  • The agent registers with a one-time license code and a stable workstation fingerprint (SHA-256 of computer name, OS and MAC). The fingerprint is not PII and cannot identify a person.
  • The backend issues a JWT to the agent and verifies it periodically (heartbeat); on license revocation the agent refuses to start new sessions.
  • The salon dashboard uses a separate cookie-based JWT, unrelated to agent tokens.

5. What the backend stores

  • Salon account: email, password hash (Argon2id), name, country.
  • Agents: fingerprint, label, version, last seen.
  • Sessions: id, time, duration, per-type counters, success flag.
  • Billing: plan, validity, invoices from the payment provider.

The backend never stores and never receives: photos, videos, files, contacts, calendar events, filenames, thumbnails or EXIF.

6. Hosting and jurisdiction

The backend (API, dashboard) is hosted on infrastructure physically located in the Russian Federation. The billing provider is selected per customer (YuKassa for RF, Stripe for international).

7. Compliance with 152-FZ (RF) and GDPR

Because customer content never leaves the salon premises and is not transferred to TransferDesk, no third-party processing of personal data takes place. The salon remains the data controller during a transfer; TransferDesk is the software vendor.

Metadata sent to the backend (counters, tokens, licenses) does not constitute personal data under 152-FZ or GDPR.

8. Incident response

  • An agent token can be revoked from the dashboard instantly — the agent stops accepting new sessions.
  • Session logs are available for audit in the dashboard.
  • Security contact: security@transferdesk.tech.

This document describes the TransferDesk architecture at publication time. The current version is at transferdesk.tech/whitepaper.