STAGING ENVIRONMENT - Test system only. Do not enter real customer, payment, tax or sensitive personal data.
Extractly

Legal

Privacy Policy

Review the current Extractly Privacy Policy.

Version v1.0.0 · Published Jun 28, 2026

Extractly Privacy Policy

Version: 1.0 Effective date: 16 June 2026

This Privacy Policy explains how Utracki Systems Ltd collects, uses, stores and shares personal data in connection with Extractly.

Extractly is operated by Utracki Systems Ltd, a private limited company registered in England and Wales under company number 17038660, with its registered office at 124-128 City Road, London EC1V 2NX, United Kingdom.

You can contact us at [email protected]. For privacy or data protection requests, please include [privacy] in the subject line.

1. About this Privacy Policy

This Privacy Policy applies to:

  • the Extractly website;
  • the Extractly application;
  • account registration and login;
  • receipt, invoice and document uploads;
  • AI/OCR processing and extracted data;
  • manual income and expense records;
  • archive and export features;
  • billing and subscriptions;
  • support requests;
  • security logs;
  • analytics and cookies;
  • communications with us.

This Privacy Policy should be read together with our Terms of Service, Cookie Policy, Data Processing Agreement, Security and Data Retention Policy, Sub-processors Page, and other legal documents available through Extractly.

2. Our role under data protection law

Depending on the situation, Utracki Systems Ltd may act as either a controller or a processor.

We usually act as a controller for personal data relating to:

  • your Extractly account;
  • your login and authentication;
  • your subscription and billing status;
  • communications with you;
  • support requests;
  • security logs;
  • website analytics;
  • our legal, tax, accounting and compliance records.

We may act as a processor where you upload, store or process personal data contained in receipts, invoices, business records, supplier records, customer records, employee records, contractor records or other documents, and you determine the purpose and lawful basis for that processing.

Where we act as a processor, our Data Processing Agreement applies.

If you use Extractly on behalf of a business, you are responsible for ensuring that your business has a lawful basis to upload and process personal data through Extractly.

3. Personal data we collect

We may collect and process the following categories of personal data.

3.1 Account data

This may include:

  • name;
  • email address;
  • password hash;
  • account ID;
  • login details;
  • account status;
  • selected plan;
  • feature access;
  • trial status;
  • account settings;
  • communication preferences;
  • date of account creation;
  • legal acceptance records.

We do not store your password in plain text.

3.2 Business profile data

This may include:

  • business name;
  • business address;
  • business type;
  • company number;
  • VAT number;
  • UTR or tax reference information where you provide it;
  • business settings;
  • categories;
  • reference settings;
  • archive preferences;
  • user-defined configuration.

3.3 Uploaded files and business records

This may include:

  • receipts;
  • invoices;
  • expense records;
  • income records;
  • PDFs;
  • images;
  • photographs;
  • file names;
  • file metadata;
  • original uploaded files;
  • processed files;
  • stamped or referenced files;
  • archive files;
  • evidence files attached to manual records.

Uploaded files may contain personal data about you, your business, suppliers, customers, employees, contractors, tenants, clients or other third parties.

3.4 Extracted and generated data

This may include:

  • supplier or merchant names;
  • receipt or invoice dates;
  • totals;
  • VAT amounts;
  • currencies;
  • categories;
  • reference numbers;
  • income or expense type;
  • notes;
  • approval status;
  • review edits;
  • manually corrected fields;
  • generated spreadsheet data;
  • generated archive data;
  • processing status;
  • error messages;
  • duplicate or warning indicators.

3.5 Manual entries

This may include manual income or expense records that you create, including dates, amounts, categories, descriptions, notes, evidence files and approval status.

3.6 Payment and billing data

Payments are processed by our payment provider or another approved payment processor.

We may process:

  • customer ID;
  • subscription ID;
  • plan name;
  • subscription status;
  • invoice metadata;
  • billing email;
  • billing address where provided;
  • payment status;
  • payment failure status;
  • cancellation status;
  • chargeback or dispute metadata.

We do not intentionally store full card numbers.

3.7 Support and communications data

This may include:

  • support requests;
  • ticket content;
  • messages you send us;
  • attachments;
  • admin replies;
  • feature requests;
  • bug reports;
  • email correspondence;
  • notes relating to account or support issues.

3.8 Technical, usage and security data

This may include:

  • IP address;
  • user agent;
  • browser and device information;
  • operating system;
  • approximate location based on IP address;
  • login success and failure logs;
  • session data;
  • request logs;
  • audit logs;
  • error logs;
  • processing logs;
  • usage metrics;
  • upload counts;
  • feature usage;
  • export events;
  • account closure events;
  • security events.

3.9 Analytics and cookie data

Where enabled and permitted, we may collect analytics data about website or application usage. Non-essential analytics will only be used where appropriate consent has been obtained.

Essential cookies and similar technologies may be used for login, security, session management, CSRF protection, account functionality and fraud prevention.

More information is available in our Cookie Policy.

4. Special category data and sensitive data

Extractly is not designed for storing special category data, criminal offence data or highly sensitive personal data.

You should not upload unnecessary sensitive data. This includes health information, biometric information, criminal offence information, children’s data, trade union information, political opinions, religious beliefs, sexual orientation or similar sensitive information unless it is strictly necessary for your lawful business purpose and you have a valid lawful basis to process it.

Receipts, invoices and business records may sometimes contain personal data or sensitive details. You are responsible for checking what you upload.

5. How we collect personal data

We collect personal data when:

  • you create an account;
  • you log in;
  • you update your profile or business settings;
  • you upload files;
  • you create manual records;
  • you review, edit or approve records;
  • you generate exports;
  • you use support features;
  • you contact us by email or other means;
  • you start a trial or subscription;
  • our payment provider sends billing events;
  • you interact with cookies or analytics;
  • our systems generate logs, security records or usage metrics.

We may also receive data from approved service providers, such as payment processors, hosting providers, email providers, analytics providers, AI/OCR providers, security providers, error monitoring providers or other technical suppliers.

6. Why we use personal data and our lawful bases

We use personal data for the purposes below.

6.1 To provide Extractly

We use data to create and manage accounts, authenticate users, process uploads, extract data, store records, allow review and approval, generate exports, provide search, manage settings, handle support and deliver the service.

Lawful basis: contract, legitimate interests and, where we act as a processor, processing on behalf of the relevant controller under our Data Processing Agreement.

6.2 To process receipts, invoices and business records

We use uploaded content to extract, analyse, transform, store, categorise, review, approve, stamp and export records.

Lawful basis: contract, legitimate interests and, where applicable, processing on behalf of the relevant controller.

6.3 To manage subscriptions, billing and payments

We use billing data to manage trials, subscriptions, payment status, invoices, cancellations, disputes, chargebacks, taxes and account access.

Lawful basis: contract, legitimate interests and legal obligation.

6.4 To provide support

We use support data to answer questions, investigate issues, fix bugs, improve features, respond to complaints and manage account requests.

Lawful basis: contract and legitimate interests.

6.5 To keep Extractly secure

We use technical and security data to prevent fraud, detect abuse, investigate incidents, protect accounts, monitor unauthorised access, enforce our Terms and maintain service integrity.

Lawful basis: legitimate interests and legal obligation.

6.6 To comply with legal obligations

We may use and retain data where necessary for accounting, tax, company records, data protection compliance, dispute handling, legal claims, law enforcement requests, regulatory obligations or court orders.

Lawful basis: legal obligation and legitimate interests.

6.7 To improve Extractly

We may use usage data, support data, error logs, aggregate metrics and feedback to improve reliability, usability, performance, features, documentation, security and support.

Lawful basis: legitimate interests.

6.8 To communicate with you

We may send service messages, account notices, billing notices, support replies, security alerts, legal updates and important product notices.

Lawful basis: contract, legitimate interests and legal obligation.

Marketing communications, where used, will be handled in accordance with applicable law and consent requirements.

6.9 To use analytics

Where enabled, we may use analytics to understand how users interact with the website or application, improve usability and measure performance.

Lawful basis: consent where required for non-essential cookies or similar technologies.

7. AI, OCR and automated processing

Extractly may use AI, OCR, document analysis, machine learning, rules-based systems, internal tools and approved third-party processing providers to process uploaded documents and extract data.

This may involve sending files, images, text, extracted snippets, metadata or processing results to approved providers for the purpose of providing Extractly.

Automated extraction may produce inaccurate or incomplete results. Users must review and approve extracted data before relying on it.

We do not use automated extraction results to make legal, tax, credit, employment, insurance or similarly significant decisions about you.

We may use processing results, logs, errors and aggregate usage information to improve the service, troubleshoot issues and monitor performance. Where possible and appropriate, we use minimisation, access controls and provider settings designed to protect user data.

8. Who we share data with

We may share personal data with the following categories of recipients where necessary:

  • hosting providers;
  • cloud infrastructure providers;
  • object storage providers;
  • database providers;
  • payment processors;
  • transactional email providers;
  • AI/OCR or document processing providers;
  • analytics providers where enabled;
  • error monitoring and logging providers;
  • security providers;
  • professional advisers, such as accountants, lawyers or compliance advisers;
  • HMRC, regulators, courts, law enforcement or public authorities where required by law;
  • business transfer parties if Extractly or Utracki Systems Ltd is involved in a merger, acquisition, restructuring, sale of assets or similar transaction.

We do not sell your personal data.

We do not allow third-party providers to use your data for their own unrelated marketing purposes.

More information about provider categories is available in our Sub-processors Page.

9. International transfers

Your data may be processed in the United Kingdom, the EEA and other countries.

Some of our service providers, their group companies, support teams, infrastructure, subprocessors or technical systems may be located outside the UK or EEA.

Where required, we use appropriate safeguards for international transfers, such as adequacy regulations, approved contractual protections, data processing terms, international data transfer agreements, standard contractual clauses or other lawful transfer mechanisms.

You should not use Extractly if you require a guarantee that data will never be accessed from or transferred outside the UK or EEA.

10. How long we keep data

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, our Terms of Service, our Data Processing Agreement, our legal obligations and our legitimate business needs.

Retention periods may vary depending on the type of data, account status, legal requirements and technical constraints.

10.1 Account data

We generally keep account data while your account is active.

If you close your account, we may deactivate or soft-delete the account for a recovery period, typically 30 days, before deletion or anonymisation begins.

10.2 Uploaded files and approved records

Uploaded files and approved records may be kept while your account is active and your plan allows access to them.

You are responsible for deciding how long you need to keep accounting, tax or business records. Extractly may support storage as part of your active account, but we do not take responsibility for your statutory record-keeping obligations.

10.3 Cancelled or frozen accounts

If your subscription ends, your account may become read-only, frozen or restricted. We may retain your data for a limited period to allow reactivation, export, billing administration, legal compliance or account closure.

10.4 Account closure

After account closure, we may keep the account recoverable for a limited period, typically 30 days. Deletion or anonymisation may then begin.

Full removal from active systems and backups may take longer. Backup deletion follows normal backup rotation, typically 30 to 90 days.

10.5 Billing and legal records

Billing, invoice, payment, accounting, company, tax and legal records may be retained for up to 6 years or longer where required or permitted by law.

10.6 Logs and security records

Technical, security and audit logs are generally retained for 6 to 12 months, unless longer retention is needed for security, fraud prevention, legal claims, regulatory compliance, dispute resolution or service integrity.

10.7 Support records

Support records may be retained while your account is active and for a reasonable period afterwards to resolve disputes, improve support, investigate issues and comply with legal obligations.

11. Your data protection rights

Depending on the circumstances and applicable law, you may have rights to:

  • access your personal data;
  • request correction of inaccurate data;
  • request deletion of personal data;
  • request restriction of processing;
  • object to processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • complain to a supervisory authority.

These rights are not absolute. For example, we may need to retain certain records for legal, accounting, tax, fraud prevention, security or dispute resolution reasons.

To make a request, contact [email protected] with the subject [privacy].

We may need to verify your identity before responding.

12. Data exports

Where available, Extractly may allow you to request an account export.

Export contents may include account information, business profile data, approved records, spreadsheet exports, original uploaded files, generated archive files where available, support data and billing metadata.

Exports may be generated asynchronously, provided as ZIP files, stored in private storage and made available for a limited period before expiry.

You are responsible for securely downloading and storing exported files.

13. Account deletion and closure

You may request account closure through available account settings or by contacting us at [email protected] with the subject [privacy] or [support].

Before closing your account, you should export any records you need.

When you request closure, we may:

  • confirm your identity;
  • ask for password confirmation;
  • recommend data export;
  • restrict new uploads and processing;
  • freeze or deactivate the account;
  • keep the account recoverable for a limited period;
  • cancel or require cancellation of billing access;
  • delete or anonymise data after the recovery period;
  • retain limited records where required for legal, accounting, tax, billing, security, fraud prevention, dispute resolution or compliance purposes.

Deletion from backups may take longer due to normal backup rotation.

14. Security

We use technical and organisational measures designed to protect personal data. These may include authentication, access controls, private file storage, secure cookie settings, file validation, logging, backups, monitoring, admin controls, encryption provided by infrastructure providers, and operational security practices.

No online service is completely secure. You should use a strong password, protect access to your email account, keep your devices secure and notify us promptly if you suspect unauthorised access.

For suspected security issues, contact [email protected] with the subject [security].

15. Cookies and similar technologies

Extractly uses cookies and similar technologies for essential functions such as login, sessions, security, CSRF protection and account functionality.

Where analytics or marketing cookies are used, they will be controlled through consent mechanisms where required.

More information is available in our Cookie Policy.

16. Children

Extractly is not intended for children or anyone under 18\. You must not create an account if you are under 18\.

You should not upload children’s personal data unless it is strictly necessary for a lawful business purpose and you have the right to do so.

17. Marketing

We may send service-related messages, legal notices, security alerts, billing notices and product notices that are necessary for the operation of your account.

We will only send direct marketing where permitted by law. Where consent is required, you can withdraw consent at any time.

18. Professional advisers, authorities and legal requests

We may disclose data where reasonably necessary to:

  • comply with law;
  • respond to lawful requests;
  • protect our legal rights;
  • enforce our Terms;
  • prevent fraud or abuse;
  • protect users or third parties;
  • obtain professional advice;
  • cooperate with regulators, courts, HMRC, law enforcement or public authorities.

We will review requests before disclosure where legally and practically possible.

19. Business transfers

If Utracki Systems Ltd or Extractly is involved in a merger, acquisition, investment, restructuring, sale of assets, transfer of business, insolvency process or similar transaction, personal data may be shared with relevant parties as part of that process.

Where appropriate, we will require recipients to protect the data and use it only for relevant transaction or business continuity purposes.

20. Your responsibilities when uploading third-party data

If you upload documents or data containing personal data about other people, you are responsible for ensuring that:

  • you have a lawful basis to process it;
  • you have provided any required privacy notices;
  • the data is accurate and relevant;
  • the data is not excessive;
  • you do not upload unnecessary sensitive data;
  • your use of Extractly complies with data protection law;
  • you comply with any request or objection from those individuals where you are responsible for doing so.

Where you act as a controller and we act as your processor, our Data Processing Agreement applies.

21. Complaints

If you have concerns about how we handle your personal data, please contact us first at [email protected] with the subject [privacy] so we can try to resolve the issue.

You also have the right to complain to the UK Information Commissioner’s Office.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we may notify you by email, in-app notice, account notice or by requiring acceptance of updated legal documents.

The latest version will be made available through Extractly and/or the Extractly website.

23. Contact

For privacy questions, data protection requests or complaints, contact:

Utracki Systems Ltd 124-128 City Road London EC1V 2NX United Kingdom

Email: [email protected] Suggested subject: [privacy] Privacy request