Data Protection & Security

Last updated: 4 July 2026

Protected customer data. This app accesses customer records and order history only to recreate them in the merchant's new store, at the merchant's explicit instruction. It is never used for advertising, profiling, resale, or model training.

Data minimisation

We read only the fields required to recreate your records in the destination store. We do not export data to third parties and we do not retain customer PII beyond the migration itself.

Encryption

Request authentication

Every OAuth callback is verified with Shopify's HMAC signature and an anti-CSRF signed state value. Every compliance webhook is verified with its X-Shopify-Hmac-Sha256 signature before it is processed.

GDPR / CCPA compliance webhooks

We implement Shopify's three mandatory compliance webhooks:

Retention & deletion

Store data is processed transiently. Uninstalling the app, or a shop/redact webhook, removes the stored connection. You can request deletion at any time via support@shop-2-shop.com.

Infrastructure

The app runs entirely on Cloudflare (edge compute, encrypted D1 storage, DNS). No other sub-processors receive store data.