Last updated: 31 May 2026
TheMigrator (“we”, “our”, “us”) operates the platform at themigrator.app. We provide Microsoft 365 tenant-to-tenant migration services for businesses.
For questions about this policy, contact us at [email protected].
Account information. When you create an account, we collect your name, email address, and organisation details.
Tenant directory metadata. When you connect a Microsoft 365 tenant, we store a list of user email addresses, display names, and site names from that tenant. This is the minimum information needed to display migration progress. We do not store email content, file contents, calendar events, or any other user-generated content.
OAuth credentials. We store encrypted OAuth application credentials (client ID and client secret) to authenticate with Microsoft Graph on your behalf. These are encrypted with AES-256-GCM before being written to our database.
Usage data. We collect logs of platform actions (job created, job completed, errors) to provide support and improve the service. These logs do not contain the content of migrated data.
Analytics data. We collect anonymised information about how visitors interact with our website using Microsoft Clarity and Google Analytics. This includes pages visited, session duration, clicks, scroll depth, and general device and browser information. This data is used solely to understand how the platform is used and to improve the user experience. It does not include any migration data or personally identifiable account information.
Payment information. Billing is handled by Stripe. We do not store credit card numbers on our systems.
We explicitly do not collect or store:
Migrated data streams directly between your source and destination tenants via the Microsoft Graph API and never passes through our servers.
We use the information we collect to: provide and operate the migration service; display migration progress and history; authenticate with the Microsoft Graph API on your behalf; send transactional emails (job started, completed, failed); analyse website usage patterns to improve the platform; improve platform reliability through error monitoring; comply with legal obligations.
We do not sell your data to third parties. We do not use your data to train AI or ML models.
Account data is retained for the duration of your account. You may delete your account at any time, which removes all associated data within 30 days.
Job logs are retained for 1 year after job completion (Pro plan) or 30 days (Free plan) and then permanently deleted.
Tenant directory metadata (user lists, site names) is retained while the tenant remains connected and deleted when you disconnect the tenant.
Analytics data collected by Microsoft Clarity and Google Analytics is retained according to their respective data retention policies. You may opt out at any time using a browser opt-out extension or by enabling Do Not Track in your browser.
We share data only with the following sub-processors necessary to operate the service:
A full list of sub-processors is available on request. We will notify customers of any material changes to sub-processors with at least 30 days' notice.
You have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion of your data; object to processing; request data portability; withdraw consent at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
We implement industry-standard security measures including AES-256-GCM encryption of credentials at rest, TLS 1.3 for all data in transit, and annual third-party penetration testing. See our security page for full details.
We use the following cookies and tracking technologies:
We do not use advertising cookies or sell cookie data to third parties.
We may update this policy to reflect changes to our practices or legal requirements. We will notify you by email and post a notice on the platform at least 14 days before material changes take effect.