Privacy Policy
Last updated: 4 June 2026
1. Who We Are
Migrayt Enterprise Ltd ("Migrayt", "we", "us", "our") is a company registered in England and Wales. We operate the Migrayt platform at migrayt.ai and any associated sub-domains (the "Service").
Migrayt is the Data Controller in respect of personal data processed in connection with the administration of your account, billing, and communications. In respect of your customers' data processed during a migration job, Migrayt acts as a Data Processor on your instructions.
Our Data Protection contact is: dpo@migrayt.ai
2. Scope of This Policy
This Policy applies to all personal data that Migrayt processes about:
- visitors to our website;
- individuals who register for or use the Service (account holders and their authorised users); and
- individuals whose personal data is contained within customer data migrated through the Service.
This Policy does not apply to third-party websites linked from our site. We encourage you to read those parties' privacy notices.
3. Personal Data We Collect
3.1 Account Data
When you register, we collect: your name, work email address, company name, and password (stored as a salted bcrypt hash — we never store plaintext passwords).
3.2 Authentication Data (SSO)
If you sign in with Microsoft or via SAML 2.0, we receive from your identity provider: your name, work email address, and a unique identifier. We do not receive your password or personal Microsoft account credentials.
3.3 Platform Credentials
To perform migrations, you authorise Migrayt to access your Azure DevOps or Jira Cloud account via OAuth 2.0. The resulting access tokens are stored exclusively in AWS Secrets Manager with AES-256 encryption. They are never written to our database and are never logged.
3.4 Usage and Technical Data
We automatically collect: IP address, browser type and version, operating system, referring URL, pages visited, time and date of access, and session duration. This data is used for security monitoring, debugging, and service improvement.
3.5 Billing Data
Payment card details are processed exclusively by Stripe Inc. and are never transmitted to or stored on Migrayt servers. We retain: payment amount, currency, invoice reference, and date of transaction.
3.6 Customer Migration Data
As part of performing a migration, our systems temporarily process work item content (titles, descriptions, comments, attachments) from your source platform. This data:
- passes through our migration workers in memory only;
- is written to your chosen destination platform and to no other permanent storage;
- is never used for any purpose other than completing the migration you instructed;
- is not retained after the migration is complete, except for attachment files which are staged in AWS S3 for a maximum of 30 days before automatic deletion.
4. How We Use Personal Data
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing and operating the Service | Contract (Art. 6(1)(b)) |
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Sending transactional emails (migration complete, invoices, security alerts) | Contract (Art. 6(1)(b)) |
| Responding to support requests | Contract (Art. 6(1)(b)) / Legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Service analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (with consent) | Consent (Art. 6(1)(a)) |
We will never sell your personal data or share it with third parties for their marketing purposes.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Migration job records and audit trail | Duration of account + 7 years (accounting obligation) |
| Platform credentials (OAuth tokens) | Until you disconnect the platform or delete your account |
| Attachment staging files (S3) | 30 days, then automatically deleted |
| Application and access logs | 90 days |
| Billing records and invoices | 7 years (UK tax law requirement) |
| Support correspondence | 3 years from closure of the ticket |
6. Sub-Processors and Third-Party Sharing
We use the following sub-processors to operate the Service. Each is bound by a Data Processing Agreement and, where applicable, Standard Contractual Clauses for international transfers:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, secrets management, compute | EU (Ireland, eu-west-1) |
| Anthropic PBC | AI mapping suggestions (metadata only — no work item content) | USA (zero retention policy in place) |
| Stripe Inc. | Payment processing | USA / EU |
| AWS SES | Transactional email delivery | EU (Ireland) |
| Microsoft (Cognito OIDC) | Enterprise SSO federation | EU |
Anthropic: We pass only field names, work item type names, and item counts to the AI — never titles, descriptions, comments, or any work item content. Anthropic operates under a zero data retention policy for API calls: prompt data is not used for model training and is not retained after the response is returned.
7. International Data Transfers
Migrayt's primary infrastructure operates in AWS eu-west-1 (Dublin, Ireland), which is within the UK GDPR adequacy framework. Where data is processed outside the UK or EEA (specifically by Anthropic and Stripe in the USA), transfers are protected by Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO).
8. Security
We implement the following security measures:
- Encryption in transit: TLS 1.2 or higher for all data in transit.
- Encryption at rest: AES-256 for all data stored in RDS, S3, and Secrets Manager.
- Credentials: Platform OAuth tokens stored exclusively in AWS Secrets Manager with KMS CMK encryption. Never stored in the database, never logged.
- Access controls: Role-based access control; principle of least privilege; multi-factor authentication required for all internal administrative access.
- Network isolation: Migration workers run in private VPC subnets with no direct internet ingress.
- Vulnerability management: Automated dependency scanning, SAST in CI/CD pipeline, penetration testing on request.
- Breach response: We will notify affected customers and the ICO within 72 hours of becoming aware of a personal data breach, in accordance with UK GDPR Article 33.
Despite these measures, no transmission over the internet is entirely secure. We cannot guarantee the absolute security of data transmitted to us, though we take all reasonable precautions.
9. Your Rights Under UK GDPR
As a data subject, you have the following rights, which you may exercise by contacting us at privacy@migrayt.ai:
- Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Have inaccurate data corrected.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data where there is no overriding legal basis for continued processing.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce significant legal effects on individuals.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to all verifiable requests within 30 calendar days. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or decline to respond, providing written reasons.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, telephone 0303 123 1113.
10. Cookies
We use the following cookies:
- Strictly necessary: Session cookies required for authentication (httpOnly, Secure, SameSite=Lax). These cannot be disabled.
- Analytics: We may use privacy-preserving analytics. We do not use Google Analytics, Facebook Pixel, or any advertising trackers.
No third-party advertising cookies are set on migrayt.ai.
11. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by email (to the address on your account) at least 14 days before changes take effect, and by posting a notice on our website. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.
The version history of this Policy is available on request.
12. Contact
For any questions or concerns about this Policy, or to exercise your data subject rights, please contact:
Migrayt Enterprise LtdData Protection Enquiries
Email: dpo@migrayt.ai
Privacy: privacy@migrayt.ai