Privacy Policy
Last updated: 4 July 2026
Shop-2-Shop Migrator ("the app", "we", "us") is a Shopify application that migrates data from one Shopify store to another Shopify store at the explicit instruction of the merchant who installs it. This policy explains what we access, why, how long we keep it, and how we protect and delete it.
Who controls the data
The merchant is the data controller of their store data. We act as a data processor, moving the merchant's own data from a source store they control to a destination store they control. We do not sell data, use it for advertising, or use it to train models.
What we access
- Store data you ask us to migrate — products, collections, inventory, content, discounts, gift cards, metafields, markets, themes, and related records.
- Customer records and order history (which may include names, email addresses, phone numbers and shipping addresses) — this is protected customer data and is only accessed to recreate those records in your new store, at your instruction.
- An offline Admin API access token for each connected store, granted by you through Shopify's standard OAuth consent screen.
How we use it
We use the access token to read your source store and write to your destination store, solely to perform the migration you requested. We do not access data for any other purpose.
How we protect it
- Access tokens are encrypted at rest using AES-256-GCM; the encryption key is a server-side secret held separately from the database.
- All Shopify OAuth callbacks and webhooks are verified with HMAC signatures.
- Data is transmitted over HTTPS/TLS only.
Data retention & deletion
- Store data is processed transiently to perform the migration and is not retained beyond what is needed to complete and verify it.
- We honour Shopify's mandatory compliance webhooks:
customers/data_request,customers/redact, andshop/redact. We do not store customer PII beyond the migration itself, so redaction requests are satisfied accordingly;shop/redactdeletes the store's stored connection and access token. - Uninstalling the app or contacting us at support@shop-2-shop.com will remove your stored connection.
Sub-processors
The app runs on Cloudflare (compute, storage and DNS). Email is delivered through Cloudflare. No other third parties receive your store data.
Your rights
You may request access to, correction of, or deletion of your data at any time by emailing support@shop-2-shop.com. We respond to GDPR/CCPA requests within the timeframes required by law.
Contact
Questions about this policy: support@shop-2-shop.com.