Privacy Policy
Effective date: 16 June 2025
This Privacy Policy explains how Savelist SL (trading as “Extractbase”, “we”, “our” or “us”) collects, uses, shares and protects personal data when you (“you” or “your”) interact with extractbase.com, its sub‑domains, the Extractbase API and any related services (collectively, the “Service”).
We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), Spanish Organic Law 3/2018 (LOPDGDD) and other applicable EU/EEA laws.
1. Who is the Data Controller?
Savelist SL
Calle Padilla 41, 2F
28006 Madrid, Spain
VAT ESB87747499
Email: support@extractbase.com
2. What data do we collect?
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email address, password hash, phone number, postal address | Provided by you when registering or updating your profile |
| Billing Data | Company name, VAT/Tax ID, invoice address, subscription plan, payment tokens (processed by Stripe acting as merchant‑of‑record; we never store full card numbers) | Provided by you or generated during checkout |
| Usage & Log Data | IP address, user‑agent, timestamps, API request/response metadata, error traces | Collected automatically when you use the Service |
| Marketing Preferences | Newsletter opt‑in status, marketing email interactions | Provided by you (opt‑in) and our email provider |
| Extracted Web Data | Web‑page content you programmatically capture via our platform (which may incidentally contain personal data about third parties) | Submitted by you via the API/UI |
We do not knowingly collect personal data from anyone under 18 years old or the corresponding age of digital consent in their jurisdiction.
3. For what purposes and on which legal bases do we process your data?
3.1 Perform our contract with you (GDPR Art. 6 (1)(b))
- Create and manage your account and subscription
- Provide the Service and deliver extracted data
- Process payments and provide invoices
3.2 Comply with legal obligations (GDPR Art. 6 (1)(c))
- Keep accounting records and comply with tax, anti‑fraud and know‑your‑customer (“KYC”) requirements
3.3 Our legitimate interests (GDPR Art. 6 (1)(f))
- Monitor, secure and maintain the Service (e.g., logs, abuse prevention)
- Analyse anonymised or aggregated usage metrics to improve performance and reliability using privacy‑friendly, cookie‑less analytics with no profiling or behavioural tracking cookies.
3.4 Your consent (GDPR Art. 6 (1)(a))
- Send product updates and promotional messages only if you have opted in (you may withdraw consent at any time)
- Enable change‑tracking storage of extracted web data (disabled by default)
We do not use customer data to train AI or machine‑learning models.
4. Cookies and similar technologies
We use only strictly necessary cookies (e.g., session tokens) essential for the Service to function. We do not deploy advertising, analytics or third‑party tracking cookies, so no cookie‑consent banner is required under the ePrivacy Directive.
5. With whom do we share personal data?
We never sell your personal data. We disclose it only to:
| Sub‑processor | Purpose | Location & Safeguards |
|---|---|---|
| Google Cloud Platform | Hosting of servers and browsers in EU, US East/West and Asia‑Pacific regions | Data centres certified to ISO 27001; EU Standard Contractual Clauses (“SCCs”) for transfers outside EEA |
| Cloudflare | DNS, content delivery network (CDN), Web Application Firewall, privacy‑friendly analytics | Global network; SCCs and EU‑US Data Privacy Framework where applicable |
| Supabase | Managed relational database and authentication | EU and US regions; SCCs |
| Stripe Payments Europe, Ltd. | Merchant‑of‑record for subscriptions and credit purchases | EU‑based entity with intra‑group SCCs for any onward transfers |
| Resend | Transactional and opt‑in marketing emails | EU or US; SCCs |
We conduct due‑diligence and sign data‑processing agreements with each provider listed above.
We may also disclose data when required by law, court order or to defend legal claims.
6. International data transfers
When you call our API, you may select the region (EU, US, or Asia) where the headless browsers run; your data will transit through and may be processed in that region. Where personal data leaves the EEA/UK/Switzerland, we rely on one or more of:
- European Commission adequacy decisions;
- SCCs approved under GDPR Art. 46;
- EU‑US Data Privacy Framework (for certified US entities);
- Your explicit instructions (GDPR Art. 49 (1)(b)).
7. Data retention
| Data type | Retention period |
|---|---|
| Account & Billing Data | While the account is active plus six (6) full financial years to satisfy Spanish tax & accounting obligations |
| Usage & Log Data | 90 days from creation, unless extended to investigate security incidents |
| Extracted Web Data | Not stored by default; if change‑tracking is enabled, retained only for the duration you configure, then deleted automatically |
| Marketing Preferences | Until you withdraw consent or your account is deleted |
Back‑ups containing deleted data are automatically purged within 30 days.
8. Security measures
We employ industry‑standard safeguards, including:
- TLS 1.2+ encryption in transit and AES‑256 encryption at rest
- Least‑privilege, role‑based access controls (RBAC) and multi‑factor authentication for staff
- Continuous vulnerability scanning, penetration tests and automated security alerts
- Segregated production and development environments
Despite these measures, no system is 100 % secure; you are responsible for safeguarding your credentials.
9. Your GDPR rights
You may, at no cost and at any time, exercise:
- Access – obtain a copy of personal data we hold about you
- Rectification – correct incomplete or inaccurate data
- Erasure (“Right to be forgotten”)
- Restriction – limit our processing in certain cases
- Portability – receive data in a machine‑readable format
- Objection – to processing based on legitimate interest or for direct marketing
- Withdraw consent – without affecting prior lawful processing
Send your request to support@extractbase.com. We will respond within 30 days (extendable by 60 days for complex requests, in which case we will notify you).
If you believe your rights were infringed, you may lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es or Calle Jorge Juan 6, 28001 Madrid.
10. Children
The Service is not directed to persons under 18 years old, or any higher age mandated by their local jurisdiction. We do not knowingly collect their data. If you believe a minor has provided personal data, please contact us and we will delete it.
11. Changes to this Privacy Policy
We may update this Policy to reflect legal, technical or business changes. Material changes will be notified via email or dashboard at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.