ExtractFox
Legal

Privacy Policy

Last updated: May 2, 2026

The short version

  • • Your documents are processed to extract data and not retained for training.
  • • We don't sell your data, and we don't share it with advertisers.
  • • You can delete your account and request your data at any time.
  • • We use Polar for billing, Google for AI inference, and standard infrastructure providers — listed in section 4.

1. What we collect

Account data. Email, name (optional), hashed password, and Google profile if you sign in with Google.

Documents you upload. Files you submit for extraction — PDFs, images, scans — along with any free-text extraction prompt you provide.

Extraction output. The structured data we return to you.

Usage data. Counts of extractions per account for quota enforcement, plus standard server logs (IP, user agent, timestamps, request paths).

Billing data. If you upgrade to Pro, Polar handles payment information. We never see or store your card details — we only store the Polar customer/subscription IDs needed to manage your plan.

2. How we use it

  • To run extractions and return results to you.
  • To enforce free-tier quotas and prevent abuse.
  • To send transactional email (verification, password reset, billing receipts).
  • To debug issues — typically on your request, scoped to your account.
  • To protect the service from spam, fraud, and security threats.

We do not use your documents or extractions to train AI models — neither ours nor the providers we route through.

3. How long we keep it

Documents: processed in-flight and not stored long-term on our servers. They may pass through provider memory during inference (see section 4) but are not persisted by us.

Extraction output: retained briefly so you can re-download it within your session, then discarded. Save what you need locally.

Account data: kept while your account is active, deleted within 30 days of account deletion (with a small set of records retained longer where law requires — e.g. invoicing for tax purposes).

Server logs: rotated within 30 days unless flagged for an ongoing investigation.

4. Third-party services we use

  • Google (Gemini API)— performs the AI extraction. Files you upload are sent to Google's API. Google's API terms commit to not training on your data when accessed via their paid API tier, which is how we use it.
  • Polar — processes payments and stores card data on its own infrastructure under PCI-DSS.
  • Vercel — hosts the application, serves traffic, and stores standard request logs.
  • Email provider — sends verification, password reset, and billing notification emails.

5. Cookies

We use cookies for authentication sessions only. We don't use advertising cookies, third-party trackers, or analytics that fingerprint visitors.

6. Your rights

Wherever you are, you have the right to:

  • Access the personal data we hold about you.
  • Correct or update it.
  • Delete your account and the data tied to it.
  • Export your data in a portable format.
  • Object to processing or restrict it for specific purposes.

Email privacy@extractfox.com and we'll respond within 30 days.

7. Children

ExtractFox isn't intended for children under 16. We don't knowingly collect data from them. If you believe a child has signed up, email privacy@extractfox.com and we'll delete the account.

8. International transfers

Our infrastructure providers may process data in regions outside your country (typically the US and EU). Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

9. Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted and logged. Found a vulnerability? Email security@extractfox.com.

10. Changes

We'll update this page if our practices change. Material changes will be announced by email or in-product notice before they take effect.

11. Contact

Privacy questions: privacy@extractfox.com. General questions: hello@extractfox.com.

Back to extractor