STAGING ENVIRONMENT - Test system only. Do not enter real customer, payment, tax or sensitive personal data.
Extractly

Legal

Sub-processors Page

Review the current Extractly Sub-processors Page.

Version v1.0.0 · Published Jun 28, 2026

Extractly Sub-processors Page

Version: 1.0 Effective date: 16 June 2026

This Sub-processors Page explains the categories of third-party providers that Extractly may use to provide, secure, support, maintain and improve the service.

Extractly is operated by Utracki Systems Ltd, a private limited company registered in England and Wales under company number 17038660, with its registered office at 124-128 City Road, London EC1V 2NX, United Kingdom.

You can contact us at [email protected]. For privacy or sub-processor questions, please include [privacy] in the subject line.

1. About this page

Extractly may use third-party service providers to help operate the service. Some of those providers may process personal data or customer data on our behalf.

This page is intended to give users and business customers clear information about the types of providers we use, the purposes for which they are used, and how changes are handled.

This page should be read together with our Terms of Service, Privacy Policy, Data Processing Agreement, Cookie Policy, Security and Data Retention Policy and other legal documents.

2. What is a sub-processor?

A sub-processor is a third-party processor engaged by Utracki Systems Ltd to process personal data on behalf of a customer where Utracki Systems Ltd acts as a processor.

For example, if a customer uploads receipts containing personal data and Extractly uses a cloud storage provider to store those files, that storage provider may be a sub-processor.

Not every provider is a sub-processor in every context. Some providers may process data as independent controllers, joint controllers or service providers depending on the processing activity and their own legal terms.

3. General authorisation

By using Extractly, the customer gives Utracki Systems Ltd general authorisation to use sub-processors as described in the Extractly Data Processing Agreement.

We may use sub-processors where reasonably necessary to provide, secure, support, maintain, improve, bill for, monitor or develop Extractly.

We aim to use reputable providers and appropriate contractual protections.

4. Current and planned provider categories

Extractly may use providers in the following categories.

Category · Purpose

Cloud hosting and infrastructure · Hosting application servers, APIs, background workers, networking and production infrastructure.

Object storage · Storing uploaded receipts, invoices, evidence files, generated archive files, exports and related user files.

Database infrastructure · Storing account data, business profile data, extracted records, approved records, usage data and application data.

Queue and worker infrastructure · Supporting background processing, AI/OCR jobs, export generation, file conversion and asynchronous tasks.

Payment processing · Processing subscriptions, trials, invoices, payment methods, billing portal, refunds, disputes and payment security.

Transactional email · Sending account emails, support replies, password reset emails, billing notices, security notices and legal notices.

AI/OCR and document processing · Extracting data from receipts, invoices, images and PDFs; document analysis; category suggestions; structured outputs.

Analytics · Understanding website or application usage where analytics is enabled and consent has been obtained where required.

Error monitoring · Detecting application errors, crashes, performance issues and reliability problems.

Logging and monitoring · Collecting technical logs, infrastructure metrics, security events and operational telemetry.

Security tools · Supporting abuse prevention, incident response, vulnerability detection, authentication, rate limiting or account protection.

Support tools · Managing support requests, user communications, attachments and customer service workflows.

Backup and disaster recovery · Supporting recovery from technical failure, accidental loss, corruption, incidents or infrastructure issues.

Professional advisers · Legal, accounting, compliance, tax, security or business advice where necessary.

Business operations providers · Internal administration, document storage, project management or communication tools used to operate the business.

5. Indicative provider list

The specific providers used by Extractly may change over time. The following table describes current, planned or likely provider types and examples.

Provider / type · Purpose · Data processed · Location / transfer notes

DigitalOcean or another cloud infrastructure provider · Hosting application servers, databases, storage, Redis/queue infrastructure and backups. · Account data, application data, uploaded files, extracted records, logs, backups. · Production infrastructure may be hosted in a UK or EEA region where available, such as Frankfurt. Provider group or support access may involve other countries.

DigitalOcean Spaces or another object storage provider · Private storage for uploaded files, evidence files, generated archive files and account exports. · Uploaded receipts, invoices, PDFs, images, generated files, export ZIPs, file metadata. · Storage region may be UK or EEA where available. Provider group or support access may involve other countries.

Stripe or another payment provider · Checkout, subscriptions, invoices, customer portal, payment methods, refunds, disputes and fraud prevention. · Billing contact data, customer IDs, subscription IDs, payment metadata, invoice metadata, dispute data. · Provider may process data in multiple jurisdictions under its own terms and safeguards.

Postmark, SendGrid or another transactional email provider · Sending transactional emails, support emails, account notices, password resets, billing notices and legal notices. · Email address, name where provided, email content, delivery metadata, bounce data. · Provider may process data in multiple jurisdictions depending on its infrastructure and terms.

OpenAI, Anthropic, Google Gemini or another AI/OCR/document processing provider · AI/OCR processing, document analysis, receipt extraction, categorisation suggestions, structured outputs. · Uploaded file content, extracted text, document metadata, prompts, outputs, processing data. · Provider may process data in multiple jurisdictions depending on selected service, region and terms.

Google Analytics or another analytics provider · Website/app analytics where enabled and consented to where required. · Cookie identifiers, device/browser information, approximate location, usage events, page views. · Provider may process data in multiple jurisdictions.

Sentry or another error monitoring provider · Error tracking, debugging, reliability monitoring and performance investigation. · Technical logs, errors, stack traces, request metadata, account identifiers where configured. · Provider may process data in multiple jurisdictions depending on configuration and terms.

Logging/monitoring provider, such as DigitalOcean monitoring, Better Stack, Grafana/Loki or similar · Application and infrastructure logs, monitoring, security event review and operational troubleshooting. · Technical logs, system events, request metadata, security events, limited account identifiers. · Provider may process data in multiple jurisdictions depending on configuration and terms.

Google Workspace, Microsoft 365 or another business productivity provider · Internal business email, documents, admin records and operational communication. · Business communications, support/admin notes, legal/admin documents where used. · Provider may process data in multiple jurisdictions depending on configuration and terms.

Professional advisers · Legal, accounting, tax, compliance, security or business advice. · Limited data relevant to the advice or matter. · Usually UK-based where possible; may vary by adviser.

This list is designed to be transparent but flexible. It may include providers currently used, planned providers, replacement providers or provider categories used as the product develops.

6. AI/OCR providers

Extractly may use AI, OCR, document analysis or machine learning providers to process receipts, invoices, images, PDFs and other business documents.

This processing may involve sending one or more of the following to a provider:

  • uploaded files;
  • rendered images;
  • extracted text;
  • receipt or invoice snippets;
  • supplier details;
  • dates;
  • totals;
  • VAT amounts;
  • categories;
  • prompts;
  • structured outputs;
  • processing metadata;
  • error information.

AI/OCR processing is used to provide Extractly features. It is not used to make legal, tax, credit, employment, insurance or similarly significant decisions about users.

Users must review and approve extracted data before relying on it.

7. Payment providers

Payment providers may process data as independent controllers or processors depending on the payment activity and their own legal terms.

Payment provider data may include:

  • customer IDs;
  • subscription IDs;
  • billing email;
  • payment status;
  • invoice data;
  • billing address where provided;
  • payment method metadata;
  • refund data;
  • dispute or chargeback data;
  • fraud prevention data.

Extractly does not intentionally store full card numbers.

8. Email providers

Transactional email providers may process:

  • email addresses;
  • names where provided;
  • email content;
  • delivery status;
  • bounce data;
  • open/click/delivery metadata where enabled;
  • suppression or unsubscribe data where applicable.

Transactional emails may include account notices, password reset emails, support replies, billing notices, legal notices, security alerts and system notifications.

9. Analytics providers

Analytics providers may be used to understand how users interact with the Extractly website or application.

Where analytics uses non-essential cookies or similar technologies, analytics should only be loaded where required consent has been obtained.

Analytics providers may process:

  • page views;
  • event data;
  • device and browser information;
  • approximate location;
  • referral information;
  • cookie or analytics identifiers;
  • usage patterns.

10. Error monitoring and logging providers

Error monitoring and logging providers may be used to improve reliability and investigate issues.

They may process:

  • error messages;
  • stack traces;
  • request metadata;
  • timestamps;
  • device/browser data;
  • account identifiers where configured;
  • performance metrics;
  • security or operational logs.

We aim to avoid sending unnecessary document contents, passwords, secrets, full payment card details or sensitive business records to monitoring providers.

11. Support and business operations providers

Support and business operations providers may process data needed to respond to users and operate the business.

This may include:

  • account email;
  • business name;
  • support messages;
  • attachments;
  • bug reports;
  • screenshots;
  • billing questions;
  • privacy requests;
  • legal notices;
  • security reports.

Users should avoid sending unnecessary sensitive data through support channels.

12. Professional advisers

We may share limited data with professional advisers where necessary, including accountants, lawyers, tax advisers, compliance advisers, insurance advisers, security consultants or technical consultants.

This may be necessary for:

  • legal advice;
  • accounting and tax compliance;
  • company records;
  • disputes;
  • claims;
  • security reviews;
  • regulatory compliance;
  • business planning.

Professional advisers are expected to be subject to confidentiality obligations.

13. Provider selection and safeguards

When selecting providers, we may consider:

  • security measures;
  • reliability;
  • data protection terms;
  • infrastructure region;
  • support and availability;
  • product quality;
  • cost;
  • compatibility with Extractly;
  • contractual protections;
  • compliance documentation;
  • business continuity;
  • ability to support user rights and deletion.

We aim to use appropriate contractual protections with providers that process personal data.

14. International transfers

Some providers may be based outside the UK or EEA, may have group companies outside the UK or EEA, or may allow support, security or operational access from outside the UK or EEA.

Where required, we use appropriate safeguards for restricted transfers, which may include adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses where relevant, contractual protections, transfer risk assessments or other lawful transfer mechanisms.

Users should not use Extractly if they require a guarantee that data will never be accessed from or transferred outside the UK or EEA.

15. Changes to sub-processors

We may add, replace or remove providers or sub-processors where reasonably necessary for:

  • security;
  • reliability;
  • performance;
  • compliance;
  • cost management;
  • product development;
  • feature delivery;
  • support;
  • business continuity;
  • availability;
  • provider risk management.

Where required by law or contract, we will provide notice of material changes through the application, website, email, account notice, updated Sub-processors Page or another reasonable method.

16. Objections to new sub-processors

Where a customer has a right to object to a new sub-processor under the Data Processing Agreement, the objection must be made on reasonable data protection grounds.

To object, contact [email protected] with the subject [privacy] Sub-processor objection.

Unless a different period is stated in the notice, objections should be made within 14 days of notice.

If the objection is reasonable and cannot be resolved, we may:

  • provide more information;
  • offer a workaround;
  • restrict affected features;
  • allow cancellation of affected services;
  • terminate the affected service;
  • take another reasonable step.

The customer may not object to a provider for reasons unrelated to data protection risk.

17. Emergency provider changes

We may make urgent provider or sub-processor changes without advance notice where necessary to address:

  • security incidents;
  • provider outages;
  • legal requirements;
  • infrastructure failure;
  • data loss risk;
  • payment provider requirements;
  • abuse prevention;
  • service continuity;
  • urgent compliance issues.

Where appropriate, we will update this page or notify affected users after the change.

18. Provider availability and third-party responsibility

Extractly depends on third-party providers. Provider outages, maintenance, security incidents, API changes, pricing changes, legal restrictions or service changes may affect Extractly.

We are not responsible for third-party provider failures except to the extent required by law or expressly stated in a written agreement.

We may change, suspend or remove features where a provider becomes unavailable, unsuitable, too risky, unlawful, commercially unreasonable or technically incompatible.

19. Data minimisation

We aim to share with providers only the data reasonably necessary for the relevant purpose.

For example:

  • payment providers should receive billing data, not full receipt archives;
  • email providers should receive email content needed to deliver messages;
  • AI/OCR providers should receive document content needed to process receipts;
  • analytics providers should receive usage data, not full uploaded files;
  • monitoring providers should receive technical diagnostics, not unnecessary document contents.

Exact data flows may vary depending on the feature used and the technical configuration.

20. User responsibility

Users and customers are responsible for deciding whether Extractly and its provider model are suitable for their own business, legal, tax, accounting, data protection and confidentiality requirements.

If your business requires specific provider restrictions, UK-only processing, EEA-only processing, no AI/OCR processing, no international transfers, bespoke data processing terms, bespoke security terms or custom contractual controls, you should contact us before using Extractly or request a Custom plan.

21. Updates to this page

We may update this Sub-processors Page from time to time.

Updates may reflect:

  • new providers;
  • removed providers;
  • replacement providers;
  • changed provider categories;
  • new features;
  • infrastructure changes;
  • international transfer changes;
  • legal or security updates;
  • product development.

The latest version will be available through Extractly and/or the Extractly website.

22. Contact

For questions about sub-processors, contact:

Utracki Systems Ltd 124-128 City Road London EC1V 2NX United Kingdom

Email: [email protected] Suggested subject: [privacy] Sub-processors