Now live: BigCommerce → Shopify migration is available — see the platform deep-dive. See the deep-dive
Privacy

What we collect. What we don't.

Plain-English summary of our privacy practices. The full legal version is below — no hidden clauses, no dark patterns.

Last updated: 14 January 2026

ShiftItNow Inc. ("ShiftItNow", "we") is a Shopify migration platform. This policy explains what personal data we process, why, for how long, and the rights you have. We are the data controller for our own marketing/account data and a data processor for the store data you migrate through us.

1. The short version

  • We never sell your data. Ever.
  • We only process the data you (or your source platform) explicitly share with us.
  • Source store credentials are encrypted at rest and revoked the moment your migration completes.
  • Migration data is deleted from our systems within 30 days of project completion (sooner on request).
  • We're SOC 2 Type II certified, GDPR compliant, and CCPA compliant.

2. What we collect

Account data

  • Name, work email, company name
  • Billing address and Shopify shop domain
  • Communication preferences

Migration data (processed on your behalf)

  • Source store credentials (encrypted, short-lived)
  • Product, customer and order records during transfer only
  • Content (blog posts, pages, redirects) during transfer only

Telemetry

  • Anonymous app usage (which features are clicked, error reports)
  • IP address and device type for fraud prevention
  • Cookies for session management — no third-party trackers on our marketing site

3. How we use it

We process personal data to: provide and improve the migration service; communicate about your account and migrations; meet legal obligations (tax, fraud prevention); and — only with explicit opt-in — send product updates.

4. Who we share it with

We share data with sub-processors who help us run the service: AWS (hosting), Stripe (billing), Sentry (error tracking), Postmark (transactional email). All are bound by data-processing agreements and are GDPR-compliant. A current list is available on request.

We do not share, sell or rent your data to advertisers, data brokers, or AI training providers.

5. Where it lives

Account data is stored in EU-West-1 (Ireland) by default; US customers may opt into US-East-1 (Virginia). Migration data is processed in the region nearest your Shopify shop's primary location and deleted within 30 days.

6. Security

  • TLS 1.3 in transit, AES-256 at rest
  • SOC 2 Type II audit completed annually
  • Least-privilege access; all production access is MFA-gated and audit-logged
  • Bug bounty program — see contact to participate

7. Your rights

Under GDPR, CCPA and similar laws, you can:

  • Access the personal data we hold on you
  • Correct or delete it
  • Export it in a portable format
  • Object to processing or withdraw consent
  • Lodge a complaint with your local data protection authority

Email privacy@shiftitnow.app with any request — we respond within 14 days.

8. Cookies

We use one first-party session cookie (required to log in). We do not use third-party analytics, advertising cookies, or fingerprinting. There is no cookie banner because there is nothing to consent to.

9. Children

ShiftItNow is a B2B product. We don't knowingly process data from anyone under 16.

10. Changes

If we make a material change, we'll email account holders at least 30 days before it takes effect. Minor edits are reflected in the "Last updated" date above.

11. Contact

Data Protection Officer
ShiftItNow Inc.
privacy@shiftitnow.app