Security and Data Retention Policy
Version v1.0.0 · Published Jun 28, 2026
Extractly Security and Data Retention Policy
Version: 1.0
Effective date: 16 June 2026
This Security and Data Retention Policy explains how Extractly approaches security, backups, logging, account export, account closure and data retention.
Extractly is operated by Utracki Systems Ltd, a private limited company registered in England and Wales under company number 17038660, with its registered office at 124-128 City Road, London EC1V 2NX, United Kingdom.
You can contact us at [email protected]. For security issues, please include [security] in the subject line. For privacy or data retention requests, please include [privacy] in the subject line.
1. About this Policy
This Policy applies to the Extractly website, Extractly application, account area, upload tools, receipt processing features, archive features, export features, support tools, billing features, APIs where applicable, and related services.
This Policy should be read together with our Terms of Service, Privacy Policy, Cookie Policy, Data Processing Agreement, Acceptable Use Policy, Refunds, Cancellation and Billing Policy, Sub-processors Page and MTD / Accounting / Tax Disclaimer.
This Policy is intended to explain our general approach. It does not create a guarantee that Extractly will be completely secure, uninterrupted, error-free or immune from all incidents.
2. Security responsibility model
Security is shared between Extractly and users.
Utracki Systems Ltd is responsible for taking reasonable technical and organisational measures to protect Extractly, its infrastructure, application, accounts and data.
Users are responsible for:
- using strong and unique passwords;
- keeping access to their email account secure;
- keeping their devices secure;
- not sharing login details with unauthorised persons;
- ensuring authorised users are trustworthy;
- checking account activity where available;
- downloading and storing exports securely;
- keeping their own appropriate backups where needed;
- promptly reporting suspected unauthorised access or security issues;
- complying with our Terms of Service and Acceptable Use Policy.
If you use Extractly on behalf of a business, you are responsible for your internal access controls, staff permissions, adviser access, device security and handling of exported records.
3. Security measures
Extractly may use technical and organisational measures such as:
- authenticated account access;
- password hashing;
- session security;
- CSRF protection;
- secure cookie settings in production;
- HTTPS/TLS in production;
- private object storage for user files;
- separation between private user files and public help/media files;
- access controls;
- user ownership checks;
- staff/admin access restrictions;
- file size limits;
- file type validation;
- magic-byte validation;
- image verification and normalisation;
- processing error handling;
- queue-based background processing;
- structured application logs;
- login success and failure logs;
- security event logs;
- audit logs where implemented;
- backups and recovery processes;
- monitoring and alerting where implemented;
- infrastructure provider security controls;
- payment processing through approved payment providers;
- operational controls for production access;
- incident investigation processes.
Security measures may evolve over time as the service develops.
4. HTTPS and encryption in transit
In production, Extractly should be accessed over HTTPS.
HTTPS helps protect data in transit between your browser or device and Extractly. Some internal service-to-service traffic may also be protected by network, provider or deployment controls, depending on the production architecture.
You should not enter sensitive account information into Extractly if your browser indicates that the connection is insecure.
5. Passwords and authentication
Extractly does not intentionally store user passwords in plain text.
Passwords are stored using password hashing provided by the application framework or an equivalent secure authentication mechanism.
You are responsible for choosing a strong, unique password and protecting access to the email account associated with your Extractly account.
Where multi-factor authentication or two-factor authentication is available, we recommend enabling it. Some administrative or high-risk access may require stronger authentication controls.
6. User files and private storage
User receipt files, invoices, evidence files and archive files are intended to be stored in private storage, not public media storage.
Access to user files should be controlled by authentication, user ownership checks, short-lived links, private storage permissions, download views, signed URLs or other appropriate access controls.
Public help media, documentation images or marketing assets may be stored separately from private user files.
You should treat downloaded exports, ZIP files, spreadsheets, PDFs and original receipt files as sensitive business records and store them securely.
7. File upload security
Extractly may apply file upload controls such as:
- maximum file size limits;
- permitted file extension checks;
- permitted content type checks;
- magic-byte validation;
- PDF/image validation;
- image verification;
- image normalisation;
- file processing restrictions;
- rejection of unsupported files;
- quarantine or rejection of suspicious files.
These controls reduce risk, but they are not a guarantee that every malicious or problematic file will be detected.
Unless expressly stated otherwise, Extractly does not guarantee full antivirus or malware scanning of every uploaded file. We may add malware scanning or enhanced file security controls in the future.
You must not upload malware, exploit files, harmful code or files designed to disrupt or compromise systems.
8. AI/OCR and document processing security
Extractly may process uploaded documents using AI, OCR, document analysis, machine learning, rules-based systems, internal tools, third-party providers or a combination of these.
Processing may involve converting documents, generating previews, extracting text, analysing receipt structure, suggesting categories, generating reference numbers, stamping documents, generating exports or creating archive files.
We aim to use provider settings, access controls and processing practices designed to protect user data. However, users should avoid uploading unnecessary sensitive personal data and should only upload documents they are authorised to process.
9. Admin and staff access
Access to production systems, admin tools and user data should be limited to authorised persons who need access for legitimate operational purposes.
Permitted purposes may include:
- support;
- troubleshooting;
- security investigation;
- billing investigation;
- legal compliance;
- account management;
- infrastructure maintenance;
- bug fixing;
- incident response;
- data export or account closure support;
- abuse prevention.
Admin or staff access may be logged or audited where implemented.
Staff, contractors and authorised personnel are expected to be subject to confidentiality obligations.
10. Logging and monitoring
Extractly may collect logs and monitoring data to operate, secure and improve the service.
Logs may include:
- login success and failure events;
- IP address;
- user agent;
- timestamps;
- request information;
- processing status;
- upload status;
- export status;
- billing events;
- security events;
- application errors;
- infrastructure events;
- support and admin actions;
- audit records where implemented.
Logs are used for:
- security monitoring;
- fraud and abuse prevention;
- troubleshooting;
- debugging;
- performance monitoring;
- billing integrity;
- legal compliance;
- incident investigation;
- service reliability.
We aim to avoid logging unnecessary sensitive content, full payment card details, passwords, secrets or full receipt contents unless technically necessary for a specific support or security purpose.
11. Error monitoring
Extractly may use an error monitoring provider, logging provider or similar technical supplier to identify and fix bugs, crashes and performance problems.
Error reports may include technical information such as stack traces, URLs, account identifiers, browser information, device information, request metadata and limited contextual data.
We aim to configure error monitoring to avoid collecting unnecessary sensitive business records or full document contents.
12. Backups
Extractly may use backups, snapshots, database backups, storage backups or configuration backups to support recovery from technical failure, accidental loss, corruption, deployment problems, security incidents or infrastructure issues.
Backups may be stored with infrastructure providers or other approved providers.
Backup retention may vary, but a typical backup rotation is 30 to 90 days.
Backups are intended for disaster recovery and service continuity. They are not intended to be a user-facing archive or a replacement for your own records.
Deletion from backups may take longer than deletion from active systems because backups rotate over time.
13. User responsibility for records
Extractly helps organise and store business records, but you remain responsible for your own accounting, tax, business and legal record-keeping obligations.
You should:
- review extracted data before approving it;
- export records you need;
- keep your own appropriate copies;
- check legal retention requirements that apply to your business;
- consult an accountant, bookkeeper, tax adviser or legal adviser where needed.
Extractly does not guarantee that stored or exported records will satisfy HMRC, a court, regulator, accountant, bank, insurer or other third party.
14. Data retention overview
We retain data only for as long as reasonably necessary for the purposes described in our legal documents, including providing Extractly, managing accounts, supporting users, complying with law, maintaining security, handling billing, resolving disputes and protecting our rights.
Retention periods may vary based on:
- account status;
- subscription status;
- plan type;
- data type;
- whether data is active, frozen, exported or deleted;
- legal requirements;
- tax/accounting requirements;
- dispute or chargeback risk;
- security and fraud prevention needs;
- backup rotation;
- technical feasibility;
- user instructions where applicable.
15. Retention schedule
The following schedule describes typical retention periods. Actual retention may vary where required or permitted by law.
| Data type | Typical retention |
| --- | --- |
| Account data | While the account is active, then during account closure/recovery and any lawful retention period. |
| Business profile data | While the account is active, then during account closure/recovery and any lawful retention period. |
| Uploaded receipts, invoices and evidence files | While the account is active and the relevant plan/service permits storage, unless account closure/deletion applies. |
| Approved extracted records | While the account is active and the relevant plan/service permits storage, unless account closure/deletion applies. |
| Manual income/expense records | While the account is active and the relevant plan/service permits storage, unless account closure/deletion applies. |
| Generated exports | Available for a limited period where generated on demand; user should download and store securely. |
| Account export ZIP files | Usually available for a short period, for example 24 to 72 hours, then deleted or expired. |
| Trial data | May be deleted, frozen or restricted if the user does not upgrade, subject to lawful retention and technical limits. |
| Cancelled subscription data | May be retained in read-only/frozen form for reactivation, export, closure, billing, legal or security purposes. |
| Billing and invoice records | Up to 6 years or longer where required or permitted for tax, accounting, legal or dispute purposes. |
| Payment metadata | Retained as needed for billing, disputes, fraud prevention, accounting and legal compliance. |
| Support tickets and messages | While the account is active and for a reasonable period afterwards for support, dispute, security and legal purposes. |
| Technical logs | Typically 6 to 12 months unless longer retention is needed. |
| Security logs and audit logs | Typically 6 to 12 months or longer where needed for security, fraud prevention, legal claims or compliance. |
| Legal acceptance records | Retained as long as needed to prove acceptance and enforce legal terms. |
| Cookie consent records | Typically up to 12 months or until refreshed, unless longer retention is needed to demonstrate compliance. |
| Backups | Typically 30 to 90 days rolling retention. |
| Aggregated or anonymised data | May be retained indefinitely where individuals are no longer identifiable. |
16. Active accounts
For active accounts, we generally retain account data, business profile data, uploaded files, approved records, manual records, support records, usage data and related records as needed to provide Extractly.
You are responsible for deciding whether Extractly’s storage features are sufficient for your own legal, tax, accounting or business needs.
17. Trials
Trial accounts may have limited storage, limited exports, limited receipt processing and limited retention.
If a trial expires and no paid plan is purchased, we may freeze, restrict or delete trial data after a reasonable period, subject to legal, security, billing, fraud prevention and technical requirements.
18. Cancelled subscriptions
Cancelling a subscription does not automatically delete your account or data.
After cancellation, you may retain access until the end of the current paid billing period. After that, your account may become read-only, frozen, downgraded or restricted.
New uploads, AI/OCR processing, archive generation, exports or other paid features may be disabled until you reactivate or purchase a new plan.
You should export any data you need before cancellation, downgrade, account closure or loss of access to features.
19. Account export
Where available, you may request an account export.
An export may include:
- account profile data;
- business profile data;
- user settings;
- category and reference settings;
- approved record data;
- spreadsheet exports;
- original uploaded files;
- generated/stamped/archive files where available;
- support request summaries;
- billing metadata.
Export contents may depend on your plan, account status, available features, stored data and technical limitations.
Exports may be generated asynchronously and provided as downloadable ZIP files. Export links may expire after a limited period, for example 24 to 72 hours.
You are responsible for securely storing downloaded exports.
20. Account closure
If you request account closure, we may:
- verify your identity;
- require password confirmation;
- recommend or require account export first;
- cancel or direct you to cancel your subscription;
- freeze or restrict account access;
- prevent new uploads and processing;
- keep the account recoverable for a limited period;
- delete or anonymise data after the recovery period;
- retain limited records where required or permitted.
A typical recovery period is 30 days from account closure request.
After the recovery period, deletion or anonymisation may begin. Full removal from backups may take longer due to backup rotation.
21. Deletion and anonymisation
Deletion may involve removing active records, deleting files, anonymising user identifiers, detaching records, disabling accounts or marking records as deleted.
Some data may be retained where necessary for:
- legal compliance;
- billing and accounting records;
- tax records;
- fraud prevention;
- security investigation;
- dispute resolution;
- chargebacks;
- enforcement of legal terms;
- audit logs;
- backup rotation;
- compliance with court, regulator or public authority requirements;
- establishment, exercise or defence of legal claims.
Where data is anonymised so individuals are no longer identifiable, it may be retained for analytics, performance, business planning, security and product improvement.
22. Individual file deletion
Extractly may not initially allow users to delete individual approved receipt files or records directly.
This is because approved records may be linked to references, exports, archive files, billing usage, audit history, accounting workflows or future MTD-related workflows.
Where individual deletion becomes available, it may be subject to:
- user ownership checks;
- audit logs;
- restrictions on approved records;
- confirmation steps;
- retention of metadata where required;
- impact warnings;
- plan limitations;
- legal or accounting considerations.
Users who need broad deletion should use account export and account closure processes where available.
23. Legal holds and disputes
We may retain data beyond normal retention periods if needed for:
- legal claims;
- disputes;
- chargebacks;
- fraud investigations;
- security incidents;
- regulatory requests;
- court orders;
- HMRC or tax-related enquiries;
- breach investigations;
- enforcement of our Terms;
- protection of Extractly, users or third parties.
Where a legal hold applies, deletion may be delayed until the hold is no longer needed.
24. Incident response
If we become aware of a suspected security incident or personal data breach, we may take steps such as:
- investigating the incident;
- restricting affected accounts;
- disabling vulnerable features;
- rotating credentials or tokens;
- preserving relevant logs;
- contacting affected users where appropriate;
- notifying regulators where legally required;
- working with providers;
- applying fixes or mitigations;
- reviewing security controls.
Initial information may be incomplete while investigation is ongoing.
25. Reporting security issues
If you discover or suspect a security vulnerability, data leak, unauthorised access, exposed file, account compromise or other security issue, contact:
Suggested subject: [security] Security issue
Please include:
- a clear description of the issue;
- affected URL or feature;
- steps to reproduce, if safe;
- screenshots where helpful;
- your contact details;
- whether any data may have been accessed.
Do not publicly disclose vulnerabilities or access, modify, delete, copy or exfiltrate data that does not belong to you.
26. Sub-processors and provider security
Extractly may rely on approved third-party providers for hosting, storage, database infrastructure, payments, email, AI/OCR processing, analytics, logging, monitoring, security, support and related services.
Provider security practices may differ. We aim to use reputable providers and appropriate contractual protections.
More information is available in our Sub-processors Page.
27. International access and transfers
Data may be processed in the United Kingdom, the EEA and other countries by Utracki Systems Ltd, its providers, sub-processors, support teams or technical systems.
Where required, appropriate safeguards are used for international transfers.
You should not use Extractly if you require a guarantee that data will never be accessed from or transferred outside the UK or EEA.
28. Changes to this Policy
We may update this Policy from time to time to reflect changes in law, technology, infrastructure, providers, security measures, features, retention periods or business operations.
If changes are material, we may notify users by email, in-app notice, account notice, website notice or by requiring acceptance of updated legal documents.
29. Contact
For questions about this Security and Data Retention Policy, contact:
Utracki Systems Ltd
124-128 City Road
London EC1V 2NX
United Kingdom
Email: [email protected]
Suggested subject: [security] Security and Data Retention Policy