HOIST ("we", "us") provides Shopify migration services to e-commerce brands. This policy explains what data we collect, why, how we store it, and the rights you have over it.
1. What we collect
Account data
- Your name, email, company name, and bcrypt-hashed password.
- When you pay, your billing address and a Stripe customer ID.
- We do not store full card numbers — Stripe does.
Project data
- The URL of the store you want to migrate, plus any credentials you paste into the project channel for us to do the work.
- During migration we hold a copy of your product catalog, customer list (including hashed passwords), order history, and theme files for the duration of the project + 30 days of hypercare.
Usage data
- Standard server logs (IP, user agent, URL) for security and abuse prevention.
- If SENTRY_DSN is configured, we send uncaught exceptions to Sentry. No request bodies or PII are sent.
2. Why we collect it
- To deliver the migration you bought.
- To bill you and send receipts (via Stripe + Resend).
- To support and improve the product.
- To comply with tax + accounting law.
We do not sell your data, ever. We do not run ads on this app or in the customer portal.
3. Sub-processors we share data with
- Stripe — payment processing. Stripe receives your email, billing address, and card data directly.
- Resend — transactional email (receipts, password reset, verification). Sees your email + the email body.
- Sentry — application error tracking. Sees stack traces; no request bodies.
- Our hosting provider (Vercel / Fly.io / similar) — runs the application code and database.
4. How long we keep it
- Project artifacts: kept for the duration of the project plus 90 days after Go-Live, then permanently deleted.
- Billing records: kept for 7 years for tax/accounting compliance.
- Account data: kept until you delete your account in Settings → Danger Zone, then purged within 30 days.
5. Your rights
Under GDPR (EU/UK), CCPA (California), and similar laws, you can: (a) request a copy of your data, (b) correct inaccurate data, (c) delete your account and data, (d) object to processing, (e) port your data elsewhere.
Email [email protected] for any of the above and we'll respond within 30 days.
6. Security
- HTTPS for all traffic in production.
- bcrypt password hashing (cost 12).
- Sessions are httpOnly, sameSite=Lax cookies.
- We do not currently hold SOC 2 — until we do, we won't claim it.
7. Cookies
We use a single session cookie (hoist_session) to keep you signed in. No advertising or analytics cookies. We don't need a cookie banner because we don't set any non-essential cookies.
8. Changes to this policy
If we change this materially, we'll email everyone with an account at least 14 days before it takes effect.
9. Contact
Questions: [email protected]. Postal: HOIST, [address pending — set before launch].