GDPR Compliance
Last modified: April 2026
Extralt is a French company subject to GDPR. This page describes how we protect your data and support your rights under the regulation.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission strengthen and unify data protection for all individuals within the European Union (EU).
Is Extralt GDPR compliant?
Yes. This page describes the specific measures we take and your rights under the regulation.
Information we hold
Registration and contact information. We collect information about you when you register to use our services. This may include your name and email address. This information is handled by our authentication provider.
Payment information. When you purchase our services, transaction information, including company name and billing details, is collected. Payment processing is handled by our payment provider. We never store your full credit card information.
Technical and usage information. We automatically collect information on how you interact with our service, such as IP address, date and time of access, and usage patterns.
Customer data. Data that you extract using our service ("Customer Data") belongs to you. We process this data on your behalf as a data processor, not as a data controller. When you use enrichment features, your extracted data is processed using AI to translate, classify, and match products. You can only access enriched product data for products you have extracted. Your extraction data, including the specific URLs you extract and your pricing and availability data, remains private to your organization.
International data transfers
Some of our service providers are located outside the European Union. When transferring personal data outside the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives adequate protection.
Data security
We monitor for security vulnerabilities and unauthorized access. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.
Preventive measures we take include:
- Encrypted HTTPS communication for all data transfers
- Regular encrypted backups
- Secure credential storage with industry-standard hashing
- Access controls and authentication safeguards
Data retention
We retain your data only as long as necessary to provide our services. We commit to deleting your data within the following timelines:
- Active accounts: Data is retained while your account is active.
- Subscription lapse: If your subscription is cancelled or expires, your organization is suspended and your data is retained for 180 days. You may restore access at any time during this period by subscribing to a new plan. After 180 days, the organization is permanently deactivated and all Customer Data (captures, robots, runs, schedules, exports) is deleted within 30 days.
- Organization deletion: When you delete an organization, all associated Customer Data is permanently deleted within 30 days. This includes all extraction data, URLs, pricing, and availability data.
- User account deletion: Deleting your user account triggers the deletion of all organizations you own. Customer Data for each organization is permanently deleted within 30 days.
- Data deletion requests (GDPR Article 17): Requests for erasure of personal data are processed within 30 days.
- Billing and financial records: Transaction records and billing information may be retained beyond the above timelines as required by applicable law, including French tax regulations (up to 10 years for financial records).
Data subject rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at support@extralt.com.
- Right to be informed: We inform you about what we do with your data through this page and our Privacy Policy.
- Right to access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can request correction of inaccurate personal data.
- Right to erasure: You can request deletion of your personal data.
- Right to restrict processing: You can request that we limit how we use your data.
- Right to data portability: You can request your data in a portable format.
- Right to object: You can object to certain types of processing, such as direct marketing.
Lawful basis for processing
Under GDPR Article 6, we process your personal data based on the following lawful bases:
- Contract performance: Processing your registration, account, and payment information is necessary to provide you with the Extralt Service.
- Legitimate interests: We process usage data to improve our service, ensure security, and prevent fraud. We balance these interests against your privacy rights.
- Legal obligations: We may process data to comply with applicable laws, such as tax and accounting requirements.
Sub-processors
We use the following third-party service providers. Each is contractually bound to GDPR-compliant data handling.
- Clerk - Authentication and user management
- Stripe - Payment processing
- Convex - Database and backend infrastructure
- Cloudflare - Content delivery and hosting
- ClickHouse - Data storage and analytics
- Sentry - Error monitoring
- PostHog - Product analytics
- Google Cloud - AI/ML processing for product enrichment
Data Protection Officer
Given the nature and scale of our data processing activities, Extralt is not required to appoint a Data Protection Officer under GDPR Article 37. For any data protection inquiries, please contact us at support@extralt.com.
Questions?
If you have any questions about our GDPR compliance or wish to exercise your data rights, contact us at support@extralt.com.