Introduction
At Extrakt, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, applications, and services (collectively, the "Service").
Extrakt is operated by Extrakt, located in Paris, France. As a company based in the European Union, we are committed to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Our core privacy principles: We do not show ads. We do not sell your data. Your financial information is yours alone.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, password (stored only as a salted hash, never in plain text), and optional profile details when you create an account.
- Financial Data: Income, expenses, investments, and other financial information you choose to enter into the Service.
- Communication Data: Information you provide when you contact us for support or feedback.
1.2 Information Collected Automatically
- Usage Data: Information about how you use the Service, including features accessed, pages viewed, and actions taken.
- Device Information: Device type, operating system, browser type, and general location (country/region level only).
- Log Data: IP address, access times, and referring URLs for security and diagnostic purposes.
2. How We Use Your Information
We use your information for the following purposes:
- Provide the Service: Process your financial data to display insights, track progress, and help you achieve your goals.
- Account Management: Create and manage your account, authenticate your identity, and process subscription payments.
- Communication: Send you important updates about the Service, respond to your inquiries, and provide customer support.
- Improve the Service: Analyze usage patterns to improve features, fix bugs, and enhance user experience.
- Security: Detect and prevent fraud, abuse, and security threats.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
We will never sell your personal data or use it for advertising purposes.
3. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you have subscribed to.
- Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security, where these interests are not overridden by your rights.
- Legal Obligations: Processing necessary to comply with applicable laws.
- Consent: Where required, we will obtain your explicit consent before processing certain types of data.
4. Data Storage and Security
4.1 Where We Store Your Data
Your data is stored on secure servers provided by Supabase, our infrastructure partner. Supabase data centers are located in regions that comply with GDPR requirements for data transfers.
4.2 Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS, i.e. HTTPS for every connection) and at rest
- Secure password hashing, so that plain-text passwords are never stored
- Regular security audits and monitoring
- Access controls limiting which staff and systems can access your data
- Row Level Security (RLS) policies in the database, so that each user can read and write only the rows belonging to their own account
While we take extensive precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
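To make the Row Level Security point concrete, here is an added illustration (not Extrakt's actual schema or policies) of how a Supabase-hosted Postgres database restricts a table to its owning user. The table name "transactions" and its columns are hypothetical; auth.uid() is Supabase's helper that returns the user id from the caller's verified JWT.

```sql
-- Added example, not Extrakt's own code. Hypothetical table of financial entries.
create table public.transactions (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id) on delete cascade,
  amount     numeric(12, 2) not null,
  category   text,
  created_at timestamptz not null default now()
);

-- RLS is off by default. Without this line the policies below are never consulted
-- and any client holding the public (anon) key could read every row.
alter table public.transactions enable row level security;

-- One policy per operation. Each compares the row's owner to the caller's JWT subject.
create policy "transactions: owner can select"
  on public.transactions for select
  to authenticated
  using (user_id = (select auth.uid()));

create policy "transactions: owner can insert"
  on public.transactions for insert
  to authenticated
  with check (user_id = (select auth.uid()));

create policy "transactions: owner can update"
  on public.transactions for update
  to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "transactions: owner can delete"
  on public.transactions for delete
  to authenticated
  using (user_id = (select auth.uid()));

-- Check: in a SQL session, impersonate a user and confirm other users' rows are invisible.
-- The UUID below is a made-up test value. auth.uid() reads the "sub" claim from this setting.
set local role authenticated;
set local request.jwt.claims to '{"sub": "11111111-1111-1111-1111-111111111111"}';
select count(*) from public.transactions;           -- counts only rows owned by that user
select * from public.transactions where user_id <> auth.uid();  -- always returns zero rows
```

Two practical caveats follow from this. First, the policies only protect tables on which RLS has actually been enabled, so every new table needs the `enable row level security` statement, not just the first one. Second, Supabase's service-role key bypasses RLS entirely by design; it belongs only in trusted server-side code, never in a browser or mobile client, where the anon key plus RLS is the correct combination.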
5. Your Rights
Under the GDPR and other applicable laws, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at support@extrakt.app. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL).
6. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:
- Active Accounts: We retain your data while your account is active.
- Closed Accounts: After you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, tax, or audit purposes.
- Backup Data: Data in backups may be retained for up to 90 days after deletion from our primary systems.
7. Third-Party Services
We use the following third-party services to operate Extrakt:
- Supabase: Database hosting, authentication, and backend infrastructure. Supabase processes data in accordance with GDPR requirements.
- Payment Processor: We use a third-party payment processor to handle subscription payments. We do not store your full credit card details on our servers.
- Analytics: We may use privacy-focused analytics tools to understand how users interact with the Service. These tools are configured to minimize data collection and respect user privacy.
We carefully select third-party providers that meet our privacy and security standards and enter into data processing agreements where required.
8. Cookies
We use only essential cookies that are necessary for the Service to function properly:
- Authentication Cookies: To keep you logged in and secure your session.
- Preference Cookies: To remember your settings and preferences.
We do not use advertising cookies or tracking cookies from third-party advertisers. You can control cookies through your browser settings, but disabling essential cookies may affect the functionality of the Service.
9. International Data Transfers
Your data may be transferred to and processed in countries outside of your country of residence. When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries with an adequacy decision from the European Commission
- Other legally recognized transfer mechanisms
10. Children's Privacy
The Service is not intended for users under 18 years of age, and we do not knowingly collect personal data from children. If we become aware that a user under 18 has provided personal data, we will delete that information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us: