STAGING ENVIRONMENT - Test system only. Do not enter real customer, payment, tax or sensitive personal data.
Extractly

Legal

Data Processing Agreement

Review the current Extractly Data Processing Agreement.

Version v1.0.0 · Published Jun 28, 2026

Extractly Data Processing Agreement

Version: 1.0 Effective date: 16 June 2026

This Data Processing Agreement forms part of the agreement between Utracki Systems Ltd and the customer using Extractly.

Extractly is operated by Utracki Systems Ltd, a private limited company registered in England and Wales under company number 17038660, with its registered office at 124-128 City Road, London EC1V 2NX, United Kingdom.

You can contact us at [email protected]. For privacy or data processing questions, please include [privacy] in the subject line.

1. Purpose of this Data Processing Agreement

This Data Processing Agreement applies where Utracki Systems Ltd processes personal data on behalf of a customer through Extractly and the customer acts as the controller.

It sets out the terms under which Utracki Systems Ltd processes customer personal data as a processor, including the subject matter, duration, nature, purpose, categories of data, categories of data subjects, security measures, sub-processors, assistance, deletion, audits and international transfers.

This Data Processing Agreement is intended to meet the requirements of UK data protection law, including Article 28 of the UK GDPR.

2. Relationship with other documents

This Data Processing Agreement forms part of and is incorporated into the Extractly Terms of Service or any separate written agreement between the customer and Utracki Systems Ltd.

If there is a conflict between this Data Processing Agreement and the Terms of Service regarding processor obligations, this Data Processing Agreement will take priority for the relevant data processing matter.

The Privacy Policy applies where Utracki Systems Ltd acts as a controller.

3. Definitions

In this Data Processing Agreement:

“Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of personal data under this Data Processing Agreement, including the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations where applicable.

“Controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach” and “special category data” have the meanings given in Applicable Data Protection Law.

“Customer” means the person, business, organisation or legal entity that creates or uses an Extractly account and determines the purposes and means of processing customer personal data.

“Customer Personal Data” means personal data processed by Utracki Systems Ltd on behalf of the Customer through Extractly.

“Extractly” means the Extractly website, application, account area, APIs, upload tools, receipt processing features, archive features, export features, billing features, support tools and related services.

“Sub-processor” means another processor engaged by Utracki Systems Ltd to process Customer Personal Data on behalf of the Customer.

“Services” means the services provided through Extractly.

4. Roles of the parties

For Customer Personal Data processed through uploaded receipts, invoices, business records, manual entries, evidence files, approved records, extracted data and related content, the Customer is usually the controller and Utracki Systems Ltd is usually the processor.

The Customer determines:

  • what data is uploaded;
  • why the data is uploaded;
  • whether the data may lawfully be processed;
  • how long the Customer needs the data for business, accounting or tax purposes;
  • whether the data is accurate;
  • whether the data should be corrected, exported or deleted;
  • whether data subjects have been given appropriate privacy information;
  • whether any required consents, notices or lawful bases exist.

Utracki Systems Ltd processes Customer Personal Data only to provide, secure, support, maintain and improve Extractly, unless otherwise required by law or agreed in writing.

Utracki Systems Ltd acts as a controller for some personal data, including account administration, billing, security logs, legal acceptance records, support administration, analytics, compliance and business records. That controller processing is covered by our Privacy Policy, not this Data Processing Agreement.

5. Customer instructions

The Customer instructs Utracki Systems Ltd to process Customer Personal Data as necessary to provide Extractly and related services.

Documented instructions include:

  • the Terms of Service;
  • this Data Processing Agreement;
  • the Customer’s account settings;
  • upload, review, approval, export and deletion actions performed by authorised users;
  • support requests submitted by the Customer;
  • billing and account management actions;
  • any written instructions agreed between the parties.

Utracki Systems Ltd will process Customer Personal Data only on documented instructions from the Customer, unless required to do so by law. If legally permitted, we will notify the Customer before processing required by law.

If Utracki Systems Ltd believes an instruction breaches Applicable Data Protection Law, we may notify the Customer, refuse the instruction, suspend the relevant processing or take other reasonable protective action.

6. Subject matter of processing

The subject matter of processing is the provision of Extractly, including upload, storage, extraction, review, approval, categorisation, manual entry, archive creation, export generation, account management, support, billing integration, security, maintenance and related technical services.

7. Duration of processing

Processing continues for the duration of the Customer’s use of Extractly and for any additional period required for account closure, export, backup rotation, legal compliance, dispute resolution, security, fraud prevention, billing administration or other lawful retention purposes.

After account closure, Customer Personal Data will be deleted, anonymised, returned or retained as described in the Terms of Service, Privacy Policy, Security and Data Retention Policy and this Data Processing Agreement.

8. Nature and purpose of processing

Utracki Systems Ltd may process Customer Personal Data to:

  • create and manage accounts;
  • authenticate authorised users;
  • receive and store uploaded files;
  • generate file previews or thumbnails;
  • process PDF, image and supported document files;
  • extract data from receipts, invoices and business documents;
  • suggest categories from available category sets;
  • support manual income and expense records;
  • allow users to review, edit and approve records;
  • apply references or stamps;
  • generate spreadsheet exports;
  • generate archive files or ZIP exports where available;
  • provide search and account functionality;
  • provide customer support;
  • troubleshoot bugs and processing errors;
  • monitor usage limits;
  • enforce plan limits and feature access;
  • maintain security and prevent abuse;
  • operate backups and disaster recovery;
  • comply with legal obligations;
  • support future integrations selected or authorised by the Customer.

9. Categories of Customer Personal Data

Customer Personal Data may include:

  • names;
  • email addresses;
  • business names;
  • business addresses;
  • supplier names;
  • customer names;
  • employee or contractor names where included in uploaded documents;
  • tenant, client or third-party details where included in uploaded documents;
  • invoice numbers;
  • receipt details;
  • transaction details;
  • dates;
  • amounts;
  • VAT information;
  • tax reference information where uploaded or entered;
  • company numbers;
  • UTRs;
  • VAT numbers;
  • file names;
  • file metadata;
  • document images;
  • PDF contents;
  • manual entry notes;
  • category data;
  • support request data;
  • technical identifiers related to Customer content;
  • any other personal data included by the Customer in uploaded files, manual entries, support tickets or account configuration.

10. Categories of data subjects

Customer Personal Data may relate to:

  • the Customer;
  • authorised users;
  • business owners;
  • directors;
  • sole traders;
  • landlords;
  • employees;
  • contractors;
  • suppliers;
  • merchants;
  • customers;
  • tenants;
  • clients;
  • accountants;
  • bookkeepers;
  • support contacts;
  • other individuals whose personal data appears in uploaded business records.

11. Special category data and sensitive data

Extractly is not designed for processing special category data, criminal offence data or highly sensitive personal data.

The Customer must not upload unnecessary special category data, criminal offence data, children’s data or other highly sensitive data unless the Customer has a lawful basis, the processing is necessary for the Customer’s legitimate business purpose, and the Customer has complied with Applicable Data Protection Law.

Utracki Systems Ltd does not intentionally require special category data to provide Extractly.

12. Customer obligations

The Customer is responsible for:

  • complying with Applicable Data Protection Law;
  • having a lawful basis for processing Customer Personal Data;
  • providing required privacy notices to data subjects;
  • ensuring uploaded data is relevant, accurate and not excessive;
  • ensuring authorised users are permitted to access the account;
  • keeping login details secure;
  • reviewing and approving extracted data;
  • responding to data subject requests where the Customer is responsible;
  • deciding retention periods for business, tax and accounting records;
  • ensuring that Extractly is suitable for the Customer’s intended processing;
  • ensuring that instructions given to Utracki Systems Ltd are lawful.

The Customer must not use Extractly in a way that causes Utracki Systems Ltd to breach Applicable Data Protection Law.

13. Processor obligations

Utracki Systems Ltd will:

  • process Customer Personal Data only on documented instructions, unless required by law;
  • ensure persons authorised to process Customer Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organisational measures designed to protect Customer Personal Data;
  • use sub-processors only as described in this Data Processing Agreement;
  • assist the Customer with data subject requests where reasonably possible;
  • assist with security and personal data breach obligations where reasonably possible;
  • delete, anonymise or return Customer Personal Data as described in this Data Processing Agreement;
  • make available information reasonably necessary to demonstrate compliance with processor obligations;
  • notify the Customer if we believe an instruction infringes Applicable Data Protection Law.

14. Confidentiality

Utracki Systems Ltd will ensure that employees, contractors and other personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory or professional.

Access to Customer Personal Data is limited to persons who need access for the purpose of providing, securing, supporting, maintaining or improving Extractly, or where required for legal, compliance, security or business continuity purposes.

15. Security measures

Utracki Systems Ltd will implement appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.

Security measures may include, as appropriate:

  • authenticated user access;
  • password hashing;
  • access controls;
  • private object storage for user files;
  • secure cookie settings in production;
  • CSRF protection;
  • upload validation;
  • file type and size restrictions;
  • processing error handling;
  • separation of public help media and private user files;
  • staff/admin access restrictions;
  • logging and monitoring;
  • backups and recovery processes;
  • infrastructure provider security controls;
  • encryption in transit where supported;
  • provider-level encryption or storage security where available;
  • operational security procedures;
  • incident investigation processes.

No system is completely secure. The Customer remains responsible for account security, user permissions, endpoint security, password hygiene, internal access controls and safe handling of exported files.

16. Personal data breaches

If Utracki Systems Ltd becomes aware of a personal data breach affecting Customer Personal Data, we will notify the Customer without undue delay after becoming aware of it.

The notification may include, where available:

  • the nature of the breach;
  • categories and approximate number of affected data subjects;
  • categories and approximate number of affected records;
  • likely consequences;
  • measures taken or proposed to address the breach;
  • measures to reduce possible adverse effects;
  • contact details for follow-up.

Initial notifications may be incomplete where investigation is ongoing. We may provide further information as it becomes available.

The Customer is responsible for determining whether notification to data subjects, regulators or other parties is required, unless Utracki Systems Ltd is legally required to notify in its own capacity.

17. Assistance with data subject rights

Taking into account the nature of processing, Utracki Systems Ltd will provide reasonable assistance to the Customer in responding to data subject rights requests relating to Customer Personal Data.

This may include assistance with access, correction, deletion, restriction, objection, portability or other rights, where technically possible and where the Customer cannot reasonably fulfil the request through Extractly.

We may charge reasonable fees for excessive, complex or manual assistance, unless prohibited by law or otherwise agreed.

If a data subject contacts us directly about Customer Personal Data for which the Customer is the controller, we may direct the data subject to the Customer unless legally required to do otherwise.

18. Assistance with compliance obligations

Taking into account the nature of processing and information available to us, Utracki Systems Ltd will provide reasonable assistance with:

  • security obligations;
  • personal data breach obligations;
  • data protection impact assessments;
  • prior consultation with a supervisory authority;
  • information required to demonstrate processor compliance.

Assistance is subject to technical feasibility, confidentiality, security, legal restrictions, proportionality and reasonable cost.

19. Sub-processors

The Customer gives Utracki Systems Ltd general written authorisation to engage sub-processors to provide Extractly.

Sub-processors may include providers for:

  • hosting;
  • cloud infrastructure;
  • object storage;
  • database services;
  • payment processing;
  • transactional email;
  • AI/OCR and document processing;
  • analytics where enabled;
  • error monitoring;
  • logging;
  • security;
  • support tools;
  • backup and disaster recovery;
  • professional services.

We will maintain information about key sub-processors in our Sub-processors Page or equivalent notice.

Utracki Systems Ltd will enter into appropriate contractual terms with sub-processors that impose data protection obligations designed to protect Customer Personal Data.

We remain responsible to the Customer for the performance of our sub-processors’ data protection obligations, subject to the limitations of liability in the Terms of Service or applicable agreement.

20. Changes to sub-processors

We may add, replace or remove sub-processors where reasonably necessary for security, reliability, performance, compliance, product development, availability, cost, support or business reasons.

Where required by law, we will provide notice of material sub-processor changes through the application, website, email, Sub-processors Page or other reasonable method.

The Customer may object to a new sub-processor on reasonable data protection grounds by contacting [email protected] with the subject [privacy] Sub-processor objection within the stated objection period, or if no period is stated, within 14 days of notice.

If the objection is reasonable and cannot be resolved, we may offer a workaround, restrict affected features, allow cancellation, or terminate the affected services. The Customer may not object to sub-processors for reasons unrelated to data protection risk.

21. International transfers

Customer Personal Data may be processed in the United Kingdom, the EEA and other countries by Utracki Systems Ltd, its providers, group companies, sub-processors, support teams or technical systems.

Where a restricted transfer occurs under Applicable Data Protection Law, Utracki Systems Ltd will use appropriate safeguards where required. These may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses where relevant, contractual protections, transfer risk assessments or other lawful transfer mechanisms.

The Customer acknowledges that some providers may be headquartered outside the UK or EEA and that support, security, processing or infrastructure access may involve international transfers.

The Customer must not use Extractly if the Customer requires a guarantee that Customer Personal Data will never be accessed from or transferred outside the UK or EEA.

22. Return and deletion of Customer Personal Data

Upon account closure or termination of the services, Utracki Systems Ltd will delete, anonymise or return Customer Personal Data in accordance with the Terms of Service, Privacy Policy, Security and Data Retention Policy and this Data Processing Agreement.

Where available, the Customer may request or download an export before account closure.

Deletion may not be immediate because of:

  • account recovery periods;
  • backup rotation;
  • security logs;
  • billing records;
  • legal obligations;
  • dispute resolution;
  • fraud prevention;
  • tax or accounting retention;
  • technical constraints;
  • archival systems.

We may retain limited data where required or permitted by law, including billing records, legal acceptance records, security logs, audit logs and records necessary to establish, exercise or defend legal claims.

23. Audits and information

Utracki Systems Ltd will make available information reasonably necessary to demonstrate compliance with processor obligations under this Data Processing Agreement.

Where required by Applicable Data Protection Law, the Customer may request an audit or inspection. Audits must be:

  • reasonable;
  • limited to relevant processor obligations;
  • subject to confidentiality;
  • scheduled with reasonable notice;
  • conducted during normal business hours;
  • designed to avoid disruption, security risk or access to other customers’ data;
  • limited to no more than once per year unless required because of a confirmed personal data breach or legal obligation.

Where appropriate, we may satisfy audit requirements by providing security documentation, policies, summaries, certifications, provider documentation, written responses or third-party reports rather than allowing direct access to systems.

The Customer is responsible for its own audit costs. We may charge reasonable fees for audit support unless prohibited by law.

24. Records of processing

Utracki Systems Ltd will maintain records of processing where required by Applicable Data Protection Law.

The Customer is responsible for maintaining its own records of processing as controller.

25. Use of aggregated or anonymised data

Utracki Systems Ltd may use aggregated, statistical or anonymised data for analytics, performance monitoring, product development, benchmarking, security, troubleshooting and business planning, provided such data does not identify the Customer or any data subject.

Anonymised data is not personal data where individuals are no longer identifiable.

26. AI/OCR providers and document processing

The Customer authorises Utracki Systems Ltd to use AI, OCR, document analysis, machine learning, rules-based systems and approved third-party providers to process Customer Personal Data for the purpose of providing Extractly.

This may include processing uploaded files, images, extracted text, receipt data, invoice data, metadata, prompts, structured outputs, processing errors and related technical information.

Utracki Systems Ltd will take reasonable steps to configure AI/OCR processing in a way designed to protect Customer Personal Data, taking into account available provider controls, data minimisation, access controls, retention settings and security practices.

The Customer remains responsible for ensuring that uploaded documents are suitable for AI/OCR processing and that the Customer has a lawful basis to process any personal data contained in them.

27. Government, regulator and legal requests

If Utracki Systems Ltd receives a legally binding request for Customer Personal Data from a court, regulator, law enforcement body, HMRC or other public authority, we may disclose data where legally required.

Where legally permitted and reasonably practicable, we will notify the Customer before disclosure.

We may refuse, narrow or challenge requests where appropriate and legally permitted.

28. Limitation of liability

Liability under this Data Processing Agreement is subject to the limitations and exclusions in the Terms of Service or other written agreement between the parties, unless Applicable Data Protection Law requires otherwise.

Nothing in this Data Processing Agreement limits liability that cannot legally be limited.

29. Termination

This Data Processing Agreement remains in force while Utracki Systems Ltd processes Customer Personal Data on behalf of the Customer.

Termination of the Terms of Service or closure of the Customer’s account does not affect provisions that need to continue, including confidentiality, deletion, retained records, audits, liability, international transfers and legal compliance.

30. Updates to this Data Processing Agreement

We may update this Data Processing Agreement from time to time to reflect changes in law, providers, infrastructure, features, security measures, international transfer mechanisms or business operations.

If changes are material, we may notify the Customer by email, in-app notice, account notice or by requiring acceptance of updated legal documents.

If the Customer continues to use Extractly after the effective date of the updated Data Processing Agreement, the updated version will apply.

31. Governing law and jurisdiction

This Data Processing Agreement is governed by the laws of England and Wales.

The courts of England and Wales will have exclusive jurisdiction over disputes arising from or relating to this Data Processing Agreement, unless mandatory applicable law requires otherwise.

32. Contact

For data processing questions, contact:

Utracki Systems Ltd 124-128 City Road London EC1V 2NX United Kingdom

Email: [email protected] Suggested subject: [privacy] Data Processing Agreement

---

Schedule 1: Processing details

1. Subject matter

Provision of Extractly, including upload, storage, extraction, AI/OCR processing, review, approval, categorisation, manual record creation, archive generation, export generation, support, account management, billing integration, security, maintenance and related technical services.

2. Duration

For the duration of the Customer’s use of Extractly and any additional period required for account closure, export, backup rotation, legal compliance, billing, dispute resolution, security, fraud prevention or other lawful retention purposes.

3. Nature of processing

Collection, receipt, upload, storage, hosting, access, viewing, extraction, analysis, transformation, conversion, categorisation, review, editing, approval, stamping, export, download, backup, deletion, anonymisation, support, troubleshooting, security monitoring and related processing.

4. Purpose of processing

To provide, secure, support, maintain and improve Extractly and to enable the Customer to manage receipts, invoices, income records, expense records, manual records, approved data, spreadsheet exports and archive outputs.

5. Categories of personal data

Names, email addresses, business details, supplier details, customer details, employee or contractor details where included in uploaded documents, invoice and receipt data, transaction details, dates, amounts, VAT information, company numbers, tax references, UTRs, VAT numbers, file names, file metadata, document images, PDFs, manual entry data, support data, technical identifiers and other personal data included by the Customer.

6. Categories of data subjects

Customers, authorised users, business owners, directors, sole traders, landlords, employees, contractors, suppliers, merchants, customers, tenants, clients, accountants, bookkeepers, support contacts and other individuals whose data appears in uploaded or entered records.

7. Special category data

Not intentionally required. The Customer must not upload special category data, criminal offence data, children’s data or highly sensitive personal data unless lawful, necessary and compliant with Applicable Data Protection Law.

8. Processing frequency

Continuous or as needed when the Customer uses Extractly.

9. Retention

As described in the Terms of Service, Privacy Policy, Security and Data Retention Policy and this Data Processing Agreement. Typical periods include active account duration, account recovery period, backup rotation of approximately 30 to 90 days, technical/security log retention of approximately 6 to 12 months, and billing/legal record retention where required.

---

Schedule 2: Indicative technical and organisational measures

Utracki Systems Ltd may use the following measures, as appropriate and as available in the relevant production environment:

  • authenticated account access;
  • password hashing;
  • staff/admin access controls;
  • private storage for user files;
  • secure production cookie settings;
  • HTTPS/TLS in production;
  • CSRF protection;
  • upload validation and file restrictions;
  • file size limits;
  • separation of private user files and public help media;
  • structured logging;
  • security and login logs;
  • audit logs where implemented;
  • backups and recovery processes;
  • provider-level infrastructure security;
  • access restriction to production systems;
  • payment processing through approved payment providers;
  • monitoring and error tracking where implemented;
  • incident investigation processes;
  • data export and account closure controls where implemented;
  • least-privilege access practices where practical;
  • confidential personnel access obligations.

---

Schedule 3: Authorised sub-processor categories

The Customer authorises Utracki Systems Ltd to use sub-processors in the following categories:

  • cloud hosting and infrastructure;
  • object storage;
  • managed database or database infrastructure;
  • Redis, queue or worker infrastructure;
  • payment processing;
  • transactional email;
  • AI/OCR and document processing;
  • analytics where enabled;
  • error monitoring;
  • logging and monitoring;
  • backup and disaster recovery;
  • security tools;
  • support tools;
  • professional advisers;
  • other technical providers reasonably necessary to provide Extractly.

Specific providers may be listed in the Extractly Sub-processors Page.