
Privacy Policy

Last updated: January 24, 2025

1. Introduction

Welcome to ExtractBill, operated by monivio s.r.o. (company ID: 57146110, registered at Tomášikova 22, 080 01 Prešov, Slovakia).

We are committed to protecting your personal data and complying with the EU General Data Protection Regulation (GDPR) and Slovak data protection laws. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your data.

Contact us:
Privacy inquiries: privacy@extractbill.com
Data Protection Officer: dpo@extractbill.com

2. What Data We Collect

2.1 Personal Data (Account Information)

  • Email address – Required for account authentication and transactional emails.
  • Login history – IP addresses and timestamps (for security and fraud prevention).
  • Account creation date – To track account age and usage patterns.

2.2 Billing Information

We do not store your credit card details. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Stripe collects:

  • Cardholder name
  • Billing address
  • Payment method details (handled securely by Stripe)

See Stripe's Privacy Policy for details.

2.3 Document Data

  • Uploaded files – PDFs, images (JPEG, PNG) containing invoices, receipts, or bills.
  • Parsed data – Structured JSON output extracted from your documents.
  • File metadata – Filename, file size, MIME type, upload timestamp.

2.4 Usage Data

  • API request logs – Endpoint accessed, request method, status code, timestamp.
  • Webhook delivery logs – Delivery status, retry attempts, HTTP responses.
  • Token usage – Number of documents parsed, remaining token balance.

2.5 Technical Data

  • IP address – For security monitoring and fraud prevention.
  • Browser user agent – To detect compatibility issues.
  • Cookies – See Section 8 (Cookie Policy).
  • Analytics data – Page views, session duration, feature usage (via PostHog & Google Analytics, if consented).

3. Why We Collect Data (Legal Basis under GDPR Article 6)

Under GDPR, we must have a lawful basis to process your personal data. Here's why we collect each type of data:

  • Contract Fulfillment (Art. 6(1)(b)) – Processing your documents, managing your account, and providing the Service.
  • Legitimate Interest (Art. 6(1)(f)) – Fraud prevention, security monitoring, service improvement, and analytics.
  • Legal Obligation (Art. 6(1)(c)) – Keeping financial records for tax purposes (7 years as required by Slovak law).
  • Consent (Art. 6(1)(a)) – Marketing emails (optional), analytics cookies (PostHog & Google Analytics).

4. How We Use Your Data

  • Document parsing – Using AI models to extract structured data from your uploads.
  • Billing & payments – Processing token purchases via Stripe.
  • Transactional emails – Sending OTP codes, payment confirmations, and service notifications via Resend.
  • API access – Authenticating API requests, tracking usage, and enforcing rate limits.
  • Webhooks – Delivering parsing results to your configured endpoints.
  • Security monitoring – Detecting abuse, preventing fraud, and protecting against attacks.
  • Service improvement – Analyzing usage patterns (anonymized) to improve the Service.
  • Error tracking – Using Sentry to monitor and fix bugs.

5. Data Sharing (Third-Party Processors)

We share your data with trusted third-party processors only to provide the Service. We do NOT sell your data to advertisers or brokers.

5.1 AI Processing Providers

We use a combination of proprietary algorithms and third-party AI models to parse documents. Your uploaded documents may be processed by:

  • External AI providers – Third-party models for document analysis (e.g., OpenAI).

These providers process documents temporarily and do not store them beyond the parsing session. See their privacy policies for details.

5.2 Payment Processing (Stripe)

All payments are processed by Stripe. Stripe handles payment methods, billing addresses, and invoices. We store only:

  • Stripe Customer ID (for linking your account)
  • Stripe Invoice ID (for purchase history)
  • Purchase amount and date

5.3 Email Delivery (Resend)

We use Resend to send transactional emails (OTP codes, payment confirmations, etc.). Resend processes your email address only for delivery purposes.

5.4 Error Tracking (Sentry)

We use Sentry to monitor application errors. Sentry may collect IP addresses, browser user agents, and error stack traces to help us fix bugs. No document content is sent to Sentry.

5.5 Analytics (PostHog & Google Analytics)

If you consent to analytics cookies, we use:

  • PostHog – Product analytics and session recordings to understand user behavior and improve UX
  • Google Analytics – Website traffic analysis and general usage statistics

You can opt out of analytics tracking via our cookie banner at any time.

6. Data Storage & Retention

6.1 Storage Location

Your data is stored exclusively on servers located in the European Union:

  • Hetzner – Data centers in Germany
  • AWS (Amazon Web Services) – eu-central-1 region (Frankfurt, Germany)

We use secure cloud providers with encryption at rest and in transit (TLS/HTTPS). Your data never leaves the European Union.

6.2 Encryption

  • In transit: All data is transmitted over HTTPS (TLS 1.2+).
  • At rest: Files are stored with encryption (AES-256).
  • API tokens: Hashed using SHA-256 before storage.

6.3 Retention Periods (GDPR Data Minimization)

We retain your data only as long as necessary for the purposes outlined in this policy:

Data Type          | Retention Period       | Reason
Account data       | Until account deletion | Required for service
Documents (files)  | 30 days after parsing  | GDPR minimization
Parsed data (JSON) | 30 days after parsing  | GDPR minimization
API logs           | 30 days                | Security & debugging
Webhook logs       | 30 days                | Debugging
Purchase records   | 7 years (anonymized)   | Legal requirement (tax law)
OTP codes          | 10 minutes             | Security

After the retention period expires, data is automatically deleted by our cleanup system.

7. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

7.1 Right to Access (Art. 15)

You can request a copy of all personal data we hold about you. How to exercise: Go to Settings → Profile → Export Data. You'll receive a ZIP file with all your data within 48 hours.

7.2 Right to Rectification (Art. 16)

You can update incorrect or incomplete personal data. How to exercise: Update your email address in Settings → Profile.

7.3 Right to Erasure ("Right to be Forgotten", Art. 17)

You can request deletion of your personal data. How to exercise: Go to Settings → Profile → Delete Account. Your data will be permanently deleted within 30 days (grace period).

Exception: Purchase records are anonymized and retained for 7 years (legal requirement for tax compliance).

7.4 Right to Data Portability (Art. 20)

You can export your data in a machine-readable format (JSON + original files). How to exercise: Use the "Export Data" feature in Settings.

7.5 Right to Object (Art. 21)

You can object to processing based on legitimate interests (e.g., analytics). How to exercise: Disable analytics cookies via our cookie banner, or contact privacy@extractbill.com.

7.6 Right to Lodge a Complaint

If you believe we are not complying with GDPR, you can file a complaint with your local data protection authority:

8. Cookies & Tracking

We use cookies to provide and improve the Service. When you first visit ExtractBill, you'll see a cookie consent banner.

8.1 Essential Cookies (No Consent Required)

These cookies are necessary for the Service to function:

  • laravel_session – User authentication (2 hours)
  • XSRF-TOKEN – CSRF protection (session)
  • cookie_consent – Stores your cookie preference (1 year)

8.2 Analytics Cookies (Consent Required)

If you accept analytics cookies, we use PostHog and Google Analytics to understand how users interact with the Service:

  • PostHog cookies – User identification, session tracking, feature usage (1 year)
  • _ga – Google Analytics user identification (2 years)
  • _gid – Google Analytics session identification (24 hours)

You can withdraw consent at any time via Settings → Profile → Revoke Cookie Consent.

8.3 How to Disable Cookies

You can disable cookies in your browser settings. However, disabling essential cookies will prevent you from using the Service.

9. Security Measures

We take security seriously and implement industry-standard measures to protect your data:

  • HTTPS encryption – All traffic is encrypted (TLS 1.2+).
  • API token hashing – Tokens are hashed (SHA-256) before storage.
  • Rate limiting – Prevents brute-force attacks and abuse.
  • Regular security audits – We review code and infrastructure for vulnerabilities.
  • Incident response plan – In case of a data breach, we will notify affected users within 72 hours (GDPR Art. 33).

10. Children's Privacy

ExtractBill is not intended for users under 16 years of age (GDPR age of consent). We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us at privacy@extractbill.com and we will delete it promptly.

11. International Data Transfers

Some of our third-party processors (e.g., OpenAI, Stripe) may transfer data outside the EU/EEA. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) – EU-approved data transfer agreements.
  • Adequacy decisions – Some countries (e.g., UK, Switzerland) are recognized by the EU as having adequate data protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. When we make material changes, we will notify you via email at least 7 days in advance.

The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Effective Date: January 24, 2025

Questions? Contact us at support@extractbill.com
