Privacy Policy

Last updated: June 2026

1. Who we are

ExtractAI ("ExtractAI", "we", "us") operates the extractai.org website — a cloud service that extracts structured data from documents such as invoices, receipts, resumes, bank statements, and ID documents.

This Privacy Policy explains what personal data and document content we process, why we process it, which third parties are involved, and what choices you have. It applies when you visit our marketing pages, create an account, upload documents, or manage billing.

2. Data we collect

We collect only the data needed to run the service, secure accounts, and bill paid plans.

  • Account data: email address, optional first and last name, password hash (for email sign-up), Google account identifier when you use Sign in with Google, organization name, your role (owner or member), and account type (personal or organization).
  • Security and verification data: IP address recorded at registration, email verification and password-reset token metadata, and Cloudflare Turnstile signals when you register.
  • Document data: files you upload (PDF, images, and similar formats), file name and MIME type, processing status, extracted fields and confidence scores, raw text used for extraction, and which team member uploaded or approved each document.
  • Usage and billing data: trial status and end date, monthly document limit, documents processed in the current period, pay-as-you-go credit balance, subscription status, Paddle customer and subscription identifiers, billing period dates, and transaction references from our payment provider.
  • Organization collaboration data: email addresses you invite to your organization and invite status.
  • Technical data: HTTP cookies that keep you signed in and remember your language preference, server logs needed for security and troubleshooting, and audit log entries (for example document approval or export actions).

3. How we use your data

We use the data above to create and manage your account, authenticate you, send transactional emails (verification and password reset), store and process your documents, show extraction results for human review, enforce plan limits, process payments, provide customer support, prevent abuse, and improve the reliability of the platform.

We do not sell your personal data and we do not use your uploaded documents to train public AI models. Document content is sent to our AI provider only to perform extraction for your organization.

4. Legal bases (EEA/UK users)

Where GDPR or similar laws apply, we rely on: performance of a contract (providing the service you signed up for); legitimate interests (security, fraud prevention, service improvement, and enforcing our terms); and consent where required (for example optional marketing communications, if we offer them in the future). You may withdraw consent at any time without affecting processing that is required to provide the service.

5. Third-party service providers

We use trusted processors that help us operate ExtractAI. They may process data only on our instructions and for the purposes listed below.

  • Paddle — payment processing, subscriptions, invoices, and tax handling. Paddle receives billing contact details and payment information you enter in their checkout. We do not store full card numbers on our servers.
  • Amazon Web Services (S3) — private storage of uploaded document files. Files are accessed through time-limited signed URLs, not public links.
  • AI API provider (currently an OpenAI-compatible API, default model gpt-4.1-mini) — document text and images are transmitted to extract structured fields. Processing is scoped to your request.
  • SMTP email provider — delivery of verification, password-reset, and organization invite emails.
  • Google — optional Sign in with Google authentication.
  • Cloudflare Turnstile — bot protection on registration.
  • Google Fonts — web font delivery when you load our site.

6. Document storage, isolation, and deletion

Each customer organization's documents and extracted data are isolated. Other customers cannot access your files or extraction results.

When you delete a document in ExtractAI, we delete the stored file from our object storage and remove the associated database records, including extraction data tied to that document.

If you need account-level deletion or a data export, contact us at the email below. We will respond within a reasonable time. Some billing records may be retained where required for accounting, tax, or dispute resolution.

7. Security

We use industry-standard measures including encrypted connections (HTTPS), hashed passwords, httpOnly authentication cookies, tenant isolation, and private file storage. No security method is perfect; please use a strong unique password and review extracted data before using it in financial or compliance workflows.

8. Retention

We keep account and document data while your account is active and as needed to provide the service. Trial, subscription, and credit usage counters are kept for the current billing or trial period.

Transactional email logs, security logs, and payment records may be kept longer where required by law or legitimate business needs (typically up to several years for financial records).

9. Your rights

Depending on your location, you may have the right to access, correct, delete, restrict, or export personal data, and to object to certain processing. You may also lodge a complaint with your local data protection authority.

To exercise these rights, email us. We may need to verify your identity before fulfilling a request.

10. International transfers

ExtractAI and our providers may process data in countries other than yours (including the United States and the European Union). Where required, we rely on appropriate safeguards such as standard contractual clauses offered by our providers.

11. Children, changes, and contact

ExtractAI is a business service not directed at children under 16. We do not knowingly collect children's data.

We may update this policy. Material changes will be reflected on this page with a new "Last updated" date. Continued use after an update means you accept the revised policy.

For privacy requests and questions, contact us using the email below.

Privacy questions? Email support@extractai.org.