Skip to content
Menu
How it works Developers Use cases Pricing Security Docs Login Get API access

Privacy

Privacy Policy

This policy explains how exdata handles personal data across the public site, accounts, API usage, document extraction, billing, support, security, and service operations.

1. Scope

This Privacy Policy applies to exdata’s public website, API documentation, account workspace, document extraction API, billing flows, support interactions, and operational communications.

For customer-uploaded documents and extracted content, the customer decides what is uploaded, why it is processed, and how long it should be retained. For account administration, billing, security, product operations, support, and legal records, exdata may act as an independent controller where necessary to run and protect the service.

The controller for account, billing, support, website, and service-administration data is the exdata contracting entity identified in the applicable account, order, checkout, or onboarding record. Privacy requests can be sent to support@exdata.app.

2. Data We Process

  • Account data: name, email address, password hash, account membership, role, invitation status, authentication metadata, and workspace settings.
  • API and integration data: API token metadata, token prefix, scopes, request IDs, idempotency keys, requester labels, webhook endpoints, webhook delivery metadata, and API logs.
  • Document data: uploaded files, extracted text, normalized fields, previews, thumbnails, file metadata, processing state, extraction run versions, feedback, and review notes.
  • Billing data: billing contact details, VAT or tax IDs, credit balance, ledger entries, top-up history, invoices, receipts, payment status, and Stripe customer references.
  • Support and operations data: support messages, issue context, audit records, abuse-prevention signals, operational logs, error traces, and incident communications.
  • Website data: technical request information such as IP address, browser details, pages requested, timestamps, and security logs.

3. Why We Process Data

exdata processes data to provide document extraction, authenticate users and API requests, manage account access, return structured fields, generate previews, deliver webhooks, process credits and billing, provide support, prevent abuse, improve reliability, comply with legal obligations, and protect the service.

Where exdata acts as controller, the legal bases may include performance of a contract for account, service, and billing operations; legitimate interests in security, support, abuse prevention, and service reliability; compliance with legal, tax, accounting, and regulatory obligations; and consent where a specific communication, setting, or workflow requires it. Where exdata acts as processor, processing is governed by the customer’s documented instructions and the Data Processing Addendum.

4. AI Processing And Subprocessors

exdata uses AI-assisted extraction as part of the service. Uploaded document content, extracted text, or document snippets may be sent to AI subprocessors where needed to extract, interpret, and normalize fields.

exdata also uses infrastructure, billing, email, monitoring, and support providers to operate the service. These providers receive data only for defined service functions. The current provider categories, processing purposes, and location notes are listed on the Subprocessor List.

exdata does not use document extraction output to make legal, financial, employment, credit, or similarly significant decisions about individuals on its own behalf. Customers remain responsible for reviewing extraction output before using it in downstream workflows.

5. Retention And Deletion

Account owners and admins can configure retention for source files, previews, extracted metadata, and operational logs in account settings. Deletion jobs remove configured document data according to those settings. Customers can also delete documents through the API or workspace where supported.

Some records may be retained longer where necessary for billing, tax, accounting, fraud prevention, dispute handling, security, audit, legal obligations, or backup integrity. Backup copies are removed according to backup rotation and restore procedures.

6. Security

exdata uses technical and organizational measures to protect personal data, including account-scoped access controls, role-based permissions, hashed API tokens, reveal-once webhook secrets, TLS, file intake validation, audit logs, retention controls, and restricted support access. The current measures are described in the Technical and Organizational Measures.

7. International Transfers

Some subprocessors may process data outside the customer’s country or the European Economic Area. Where a transfer mechanism is required, exdata relies on appropriate safeguards such as adequacy decisions, standard contractual clauses, subprocessor data processing terms, and supplementary measures where applicable.

8. Data Subject Rights

Depending on the applicable law and the processing role, individuals may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data. For data inside customer-uploaded documents or customer-controlled accounts, exdata may direct the requester to the relevant customer or assist the customer in responding.

Individuals may also have the right to withdraw consent where processing is based on consent, and to lodge a complaint with their local data protection authority. Where exdata receives personal data from a customer rather than directly from the individual, the source is usually the customer account, the customer user who uploaded the document, or the customer’s connected system.

9. Contact

For privacy, deletion, security, or support requests, contact support@exdata.app. Customers should include the account name, request ID, document ID, or billing reference where relevant so exdata can locate the correct records.