Privacy Policy

How Extrakt handles account, upload, billing, and workflow data

This policy is written to reflect the current product. It covers website usage, account creation, spreadsheet imports, AI-assisted mapping, billing, analytics, and operational monitoring.

Effective date: June 1, 2026

Controller: Extrakt SAS

Privacy Contact: legal@extrakt.app

Scope: Extrakt website, application, billing flows, uploads, and AI-assisted mapping features.

Scope and Controller Information

Extrakt provides a guided spreadsheet import, mapping, review, and handoff workflow for business teams. This Privacy Policy explains how we collect, use, store, and share information when you visit our website, create an account, upload files, run imports, use AI-assisted mapping, or otherwise interact with the service.

For this version of the policy, the service provider and data controller is Extrakt SAS, located at 54 Rue Diderot, Asnieres Sur Seine 92600, France. Privacy questions and requests should be sent to legal@extrakt.app.

Bracketed placeholders on this page are intended to be replaced with final legal entity and contact details before broad public publication.

Information We Collect

The exact information we collect depends on how you use the product, but it may include the following categories:

  • Account and profile data, such as your email address, password-based sign-up details, and basic account metadata.
  • Optional OAuth identity data when you sign in with supported providers such as Google or GitHub.
  • Authentication, session, and device information used to keep you signed in and protect the service.
  • Billing and subscription data, including Stripe customer, checkout, subscription, and invoice-related identifiers and status fields.
  • Uploaded files, file metadata, parsed headers, import configuration, sample values, row-level records, mapped data, review status, and export-related metadata.
  • Usage, diagnostics, and operational data such as page interactions, performance metrics, error reports, background job state, and audit-style workflow history.
  • Communications you send to us, including support requests, product feedback, or legal/privacy requests.

How We Use Information

We use collected information to operate the current service and to protect the platform. Typical uses include:

  • Creating and securing accounts, maintaining authenticated sessions, and supporting sign-in and password recovery flows.
  • Receiving uploaded spreadsheets, extracting headers, matching fields, storing import state, validating rows, and generating dataset exports.
  • Running AI-assisted column mapping fallback flows when deterministic mapping is insufficient.
  • Managing trials, paid plans, Stripe checkout, billing portal access, subscription lifecycle changes, and related account limits.
  • Monitoring reliability, investigating failures, preventing abuse, rate limiting requests, and protecting the integrity of the product.
  • Understanding product usage and performance so we can improve the website and application.
  • Responding to support requests, enforcing our terms, complying with law, and handling disputes or security incidents.

AI-assisted Mapping

Extrakt includes AI-assisted field mapping as a fallback path for unresolved columns. When that feature is used, limited import context may be sent to OpenAI to generate mapping suggestions.

  • Unresolved CSV column names.
  • Available project field names and field types.
  • A limited set of sample values for a column, when available, to improve mapping quality.

AI-generated suggestions are not final business decisions. Customers remain responsible for reviewing mappings, edits, and exports before relying on them downstream.

Cookies and Similar Technologies

We and our service providers use cookies and similar technologies to run the service, maintain session state, understand site usage, and observe performance.

  • Supabase session and authentication cookies used to keep signed-in users authenticated.
  • Analytics and performance measurement tooling provided through Vercel Analytics and Vercel Speed Insights.
  • Operational monitoring and error-reporting tools that may collect device, request, and failure context.

If you block certain cookies or similar technologies, some login or product features may not function correctly.

Service Providers and Other Disclosures

We use third-party providers that process information on our behalf or as independent service providers for the following purposes:

  • Supabase for authentication, application database storage, and private file storage related to imports.
  • Stripe for billing, checkout, customer portal, and subscription lifecycle events.
  • OpenAI for AI-assisted field mapping fallback.
  • Vercel for hosting, website analytics, and performance insights.
  • Sentry for error monitoring and diagnostics.

We may also disclose information when required by law, to protect the rights or security of the service, to investigate misuse, or in connection with a merger, financing, acquisition, reorganization, or sale of assets.

Retention and Deletion

We retain information for as long as reasonably necessary to provide the service, maintain account history, run billing, resolve disputes, enforce agreements, and protect the platform.

  • Account and billing records may be retained for operational, tax, accounting, legal, and fraud-prevention purposes.
  • Import files, parsed data, and workflow records may remain in the product until deleted by a user workflow, removed by us, or no longer needed for service operation.
  • Operational logs, monitoring data, and analytics data may be retained according to internal practices and provider retention settings.

Some product copy may describe file-processing workflows as short-lived, but this policy does not promise a fixed automatic deletion window unless we separately state one in a signed agreement or updated public policy.

Security

We use reasonable administrative, technical, and organizational measures suited to the current product, including authenticated access controls, private storage configuration for import files, and hosted monitoring tools. No service can guarantee perfect security, and you should upload only data you are authorized to process.

This page does not promise a certification, a formal uptime SLA, or a separate data processing agreement unless those commitments are expressly stated in writing.

International Transfers and Regional Rights

Our providers may process information in countries other than the one where you are located. When required, we rely on contractual commitments or other lawful transfer mechanisms offered by those providers.

Depending on your location, you may have rights to request access, correction, deletion, restriction, objection, portability, or to lodge a complaint with a supervisory authority. These rights are not absolute, and we may need to verify your identity and retain some data where permitted or required by law.

Contact and Requests

To submit a privacy request or ask a question about this policy, contact legal@extrakt.app or write to Extrakt SAS, 54 Rue Diderot, Asnieres Sur Seine 92600, France.

  • Include enough detail for us to identify your account or request.
  • Do not send sensitive credentials or payment card data in a general support email.
  • If you are submitting a request on behalf of another person or organization, include proof of authority where appropriate.

We may update this Privacy Policy from time to time. When we do, we will update the effective date shown at the top of this page.