Hey @johng1981,
During the migration, data will only be copied from the source site to the destination site. No data will be deleted from either environment. If any specific data already exists on the destination site, it will be overwritten with the corresponding data from the source site.
Sorry, but your reply is very misleading, indicating a direct transfer of files from source server to destination server, which is simply not the case. Evaluating your code, it is clear that the data flows as below:
Source Site (Export Data) → Migrate Guru Servers (Process & Orchestrate) → Destination Site (Import Data)
Hey @johng1981.
Thank you for pointing this out, and I sincerely apologize for the confusion in my earlier response. The misunderstanding arose because your question was interpreted as being about whether data would be deleted from your site during migration, rather than whether it would be deleted from our servers. That’s why my initial explanation focused on how data is copied between the source and destination sites, instead of addressing your actual concern.
To clarify, the migration process does not involve a direct server-to-server transfer. The data temporarily flows through our systems and is automatically deleted within 48 hours. While this is already our standard practice, it is not yet explicitly mentioned in our privacy policy. We will be updating the policy soon to make this completely clear and transparent.
Thank you for bringing this to our attention.
Thank you for the reply.
What is the reason for keeping the data for 48 hours? Surely a simple dump command or similar cleanup could be run immediately once the site has been migrated successfully. While 48 hours may not sound long, it still leaves a window of exposure open for potential misuse, breaches, or other unintended consequences.
This also raises significant compliance concerns. Under frameworks such as the GDPR, CCPA, POPIA, and other regional data protection laws, strict rules govern how client data is stored, processed, and transferred. In many cases, businesses are required to know exactly where the data resides at all times and to ensure that third-party processors adhere to the same level of compliance.
For example, if I migrate a site that specifically serves clients in a jurisdiction with stringent data protection laws, I am legally obliged to guarantee that any handling of personal data (user details, passwords, transaction information, etc.) is fully compliant with those laws. Having this data temporarily housed on your servers, outside of my control, creates a potential compliance gap. In the event of a breach, liability may not stop at your company, but could also extend to us as the data controllers, which would put us at considerable legal and financial risk.
Can you therefore explain why 48 hours is deemed necessary, and whether you are able to provide:
- Explicit guarantees of compliance with GDPR, POPIA, CCPA, and similar laws,
- Clear information on where (geographically) this data is stored during the 48 hours,
- A way for customers to opt out of this retention or enforce immediate deletion upon migration completion.
Without these assurances, it becomes very difficult to justify the use of your plugin in environments where regulatory compliance is non-negotiable.
Hey @johng1981,
- Why 48 hours is necessary:
We retain the data for 48 hours after migration as an optimization measure. This allows us to avoid reprocessing everything from scratch if the migration is retried within that timeframe, significantly reducing sync times. Additionally, this brief retention period helps us identify and debug any issues, which in turn improves the reliability and performance of our service.
- Data storage location:
All data is stored securely within the European Union (EU) during this 48-hour window.
- Compliance with data protection regulations:
We are committed to full compliance with relevant data protection laws. Our data handling practices, security controls, and retention policies are designed to align with the requirements of the GDPR (https://migrateguru.com/gdpr/).
- Opt-out and data deletion:
If you’d prefer not to have your data retained for the 48-hour period, or if you wish to have it deleted immediately after the migration is complete, please raise a support ticket with us. We’re happy to accommodate such requests and can scrub the data upon completion as needed.
Please let us know if you have any further questions or concerns.