Privacy Policy

Last updated: 25 March 2026

Email Migration Hub ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services at emailmigrationhub.com.

We are a sole trader based in the United Kingdom and operate as the data controller for the personal data we process. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. What Data We Collect

We collect and process the following types of personal data:

Account information: Your name and email address, provided when you register or use our services.
Technical data: Your IP address, browser type, and device information, collected automatically when you visit our site.
Authentication tokens: OAuth tokens provided when you connect cloud services (Google Drive, Dropbox, OneDrive). These are stored temporarily in Redis for 30 to 60 minutes during the transfer process and are never persisted to permanent storage.
Payment information: Payments are processed entirely by PayPal. We never receive, see, or store your credit or debit card details. We may receive your PayPal email address and transaction ID for order records.
Cookie data: We use essential cookies only (see Section 6 below).

2. What We Do Not Collect or Store

We want to be transparent about data we specifically avoid collecting:

Email passwords: If you provide IMAP or Exchange credentials for a migration, your password is used only during the active migration session and is discarded immediately afterwards. Passwords are never written to disk, logged, or stored in any database.
Third-party analytics: We do not use Google Analytics or any other third-party tracking or analytics service. No data about your visit is shared with advertising networks.
Unnecessary personal data: We do not collect data beyond what is required to provide the service you have requested.

3. How We Use Your Data

We use your personal data for the following purposes:

To provide and operate our email migration, cloud transfer, and file sending services.
To authenticate your access to third-party cloud services during a transfer (via OAuth tokens).
To process payments through PayPal.
To communicate with you about your account or service requests.
To scan uploaded files for viruses and malware using ClamAV, protecting you and other users.
To detect and prevent abuse of our services.

4. Legal Basis for Processing

Under the UK GDPR, we rely on the following legal bases:

Contract: Processing your data is necessary to perform the service you have requested (Article 6(1)(b)).
Legitimate interests: We process technical data (IP addresses, browser information) to maintain the security and integrity of our service (Article 6(1)(f)).
Legal obligation: We may retain certain transaction records as required by UK tax and accounting law (Article 6(1)(c)).

5. How We Handle Your Files and Data During Transfers

Email Migration (IMAP/Exchange)

Emails are transferred directly between the source and destination servers through our system. Email content passes through our server during the migration but is not stored on disk. Once the migration is complete, no copy of your emails remains on our infrastructure.

Cloud-to-Cloud File Transfer

Files transferred between cloud services (Google Drive, Dropbox, OneDrive) are streamed through our server. Files are not stored on our disks at any point during the transfer. OAuth tokens used to access your cloud accounts are held in memory (Redis) for 30 to 60 minutes and then automatically deleted.

Large File Sending (Send Service)

Files uploaded via our Send service are stored temporarily on our servers to allow recipients to download them. All uploaded files are scanned for viruses using ClamAV before being made available. Files are automatically and permanently deleted after their expiry period, which ranges from 7 to 30 days depending on the plan selected. Once deleted, files cannot be recovered.

Virus Scanning

All files uploaded to our Send service are scanned using ClamAV, an open-source antivirus engine. This scanning is performed locally on our servers. File data is not sent to any third-party scanning service.

6. Cookies

We use a minimal number of cookies, all of which are essential for the service to function:

Session cookies: These keep you logged in and maintain your session while using our services. They expire when you close your browser or after a period of inactivity.
Payment cookies: These are set during the PayPal checkout process to ensure your transaction completes correctly.

We do not use any advertising, analytics, or tracking cookies. Because we only use strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations (PECR). However, you can control cookies through your browser settings at any time.

7. Data Retention

Data Type	Retention Period
Account information (name, email)	Until you request deletion or the account is terminated
OAuth tokens	30 to 60 minutes (automatically deleted from Redis)
Email/IMAP passwords	Not stored — used in memory during migration only
Files (Send service)	7 to 30 days, then automatically and permanently deleted
Cloud transfer files	Not stored — streamed through server only
Payment/transaction records	Up to 7 years (UK tax and accounting requirements)
Server logs (IP addresses)	30 days

8. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

PayPal: To process your payments. PayPal acts as an independent data controller. See PayPal's Privacy Policy.
Our hosting provider: Our servers are hosted in a data centre. The hosting provider has access to the physical infrastructure but not to application-level data.

We do not use any third-party analytics, advertising, or tracking services.

9. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

Encrypted connections (HTTPS/TLS) for all data in transit.
OAuth tokens stored in Redis with automatic expiry.
Passwords never written to disk or logs.
Virus scanning of all uploaded files.
Regular server security updates.
Access to servers restricted to authorised personnel only.

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can ask us to correct any inaccurate data.
Right to erasure: You can ask us to delete your personal data (the "right to be forgotten").
Right to restrict processing: You can ask us to limit how we use your data.
Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
Right to object: You can object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@emailmigrationhub.com. We will respond to your request within one month, as required by law.

11. International Transfers

Our servers are located in Europe. We do not intentionally transfer your personal data outside the UK or EEA. If a transfer is ever necessary, we will ensure appropriate safeguards are in place as required by UK GDPR.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns directly first. Please contact us at support@emailmigrationhub.com before escalating to the ICO.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your data:

Email: support@emailmigrationhub.com
Website: emailmigrationhub.com