dataextractor.io

Privacy Policy

Last updated: May 30, 2026

Draft — pending legal counsel review. This document describes our current practices in good faith but is not yet a binding legal agreement. For questions, contact privacy@dataextractor.io.

1. Who we are

dataextractor.io (“we”, “us”) provides an AI-powered document data extraction platform. This policy explains what personal data we process and why.

2. Data we process

  • Account data — email, name, and authentication identifiers.
  • Documents you upload — PDFs, images, spreadsheets, and emails, which may contain personal data of third parties (e.g. names, addresses on invoices). You are the controller of this content; we process it on your behalf.
  • Extracted data — structured fields and line items derived from your documents.
  • Usage & security data — API usage, and an append-only audit log of security-relevant actions.

3. Lawful basis

We process account and usage data to perform our contract with you and for our legitimate interest in operating and securing the service. We process uploaded documents and extracted data solely to provide the extraction service to you.

4. Retention

  • Documents, extracted data, and account data are retained while your account is active and are deletable on request (see “Your rights”).
  • Security audit logs are retained for up to 12 months under our legitimate interest in maintaining an integrity-protected security record, then purged.

5. Sub-processors

We share data with the following processors strictly to operate the service:

  • Supabase — managed PostgreSQL database (hosting account & extracted data).
  • Amazon Web Services (S3) — encrypted object storage for uploaded documents.
  • Anthropic and Google (Gemini / Document AI) — model inference for extraction.
  • LangSmith — extraction tracing/observability.

See the Data Processing Addendum for details.

6. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 server-side encryption on object storage; database encryption at rest via our infrastructure provider). Access is controlled by role-based access control and recorded in an append-only, hash-chained audit log. See our security contact to report a vulnerability.

7. Your rights

Subject to applicable law, you may request access to, correction of, export of, or deletion of your personal data. Account and organization deletion purges your documents and extracted data from our systems; integrity-protected security audit records may be retained as described above. To exercise these rights, email privacy@dataextractor.io.

8. Changes

We will update this page and the “last updated” date when our practices change.