GDPR Compliance
Last modified: February 2026
Extralt is committed to privacy, security, and transparency. This includes supporting our customers' compliance with EU data protection requirements, including those set out in the General Data Protection Regulation ("GDPR").
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission strengthen and unify data protection for all individuals within the European Union (EU).
Is Extralt GDPR compliant?
Yes, Extralt is fully compliant with the GDPR. This document outlines the measures we take to ensure compliance with the regulation.
Information we hold
Registration and contact information. We collect information about you when you register to use our services. This may include your name and email address. This information is handled by our authentication provider.
Payment information. When you purchase our services, transaction information, including company name and billing details, is collected. Payment processing is handled by our payment provider. We never store your full credit card information.
Technical and usage information. We automatically collect information on how you interact with our service, such as IP address, date and time of access, and usage patterns.
Customer data. Data that you extract using our service ("Customer Data") belongs to you. We process this data on your behalf as a data processor, not as a data controller. When you use enrichment features, your extracted data is processed using AI to translate, classify, and match products. You can only access enriched product data for products you have extracted. Your extraction data, including the specific URLs you extract and your pricing and availability data, remains private to your organization.
International data transfers
Some of our service providers are located outside the European Union. When transferring personal data outside the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives adequate protection.
Data security
We take data protection and security seriously. We continuously monitor for security vulnerabilities and unauthorized access. In the unlikely event of a data breach, we will notify affected customers within 72 hours of detection.
Preventive measures we take include:
- Encrypted HTTPS communication for all data transfers
- Regular encrypted backups
- Secure credential storage with industry-standard hashing
- Access controls and authentication safeguards
Data retention
We retain your data only as long as necessary to provide our services:
- Active accounts: Data is retained while your account is active.
- Cancelled subscriptions or expired trials: Data is retained for 1 year to allow reactivation, after which it is permanently deleted.
- Account deletion requests: Data is permanently deleted within 90 days of your request. This includes all extraction data, URLs, pricing, and availability data associated with your organization.
Data subject rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at support@extralt.com.
- Right to be informed: We inform you about what we do with your data through this page and our Privacy Policy.
- Right to access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can request correction of inaccurate personal data.
- Right to erasure: You can request deletion of your personal data.
- Right to restrict processing: You can request that we limit how we use your data.
- Right to data portability: You can request your data in a portable format.
- Right to object: You can object to certain types of processing, such as direct marketing.
Lawful basis for processing
Under GDPR Article 6, we process your personal data based on the following lawful bases:
- Contract performance: Processing your registration, account, and payment information is necessary to provide you with the Extralt Service.
- Legitimate interests: We process usage data to improve our service, ensure security, and prevent fraud. We balance these interests against your privacy rights.
- Legal obligations: We may process data to comply with applicable laws, such as tax and accounting requirements.
Sub-processors
We use the following third-party service providers to operate our service. All sub-processors are contractually obligated to protect your data in accordance with GDPR requirements.
- Clerk - Authentication and user management
- Polar - Payment processing
- Convex - Database and backend infrastructure
- Cloudflare - Content delivery and hosting
- Sentry - Error monitoring
- Google Cloud - AI/ML processing for product enrichment
Questions?
If you have any questions about our GDPR compliance or wish to exercise your data rights, contact us at support@extralt.com.