XtractBot Legal
Effective date: February 7, 2026
This Privacy Policy explains how XtractBot collects, uses, stores, and protects information in connection with the service.
XtractBot collects only data necessary to provide and operate the service. This may include account identifiers, tenant configuration, mailbox message data, attachments, extracted document data, audit and operation logs, billing references, and security telemetry.
XtractBot does not intentionally collect information that is not related to service functionality.
XtractBot uses information solely to provide, secure, maintain, and improve the service for your tenant, including processing workflows, authentication, support, and reliability monitoring.
XtractBot does not sell customer data and does not use customer data for advertising.
XtractBot does not share your information with third parties except where required to deliver the service (for example, cloud hosting, payment, identity, and integration providers), to comply with law, or to protect rights and security.
XtractBot takes reasonable technical and organizational measures to protect information from unauthorized access, disclosure, alteration, or destruction, including access controls, tenant separation, and monitored infrastructure.
No system can guarantee absolute security. You are responsible for your own account security settings and credential hygiene.
XtractBot retains data only for as long as required for service operation, legal obligations, and legitimate security or audit needs.
User and tenant settings govern applicable retention windows where configurable within the product.
XtractBot permanently deletes data routinely according to fixed schedules and pre-defined retention policies.
Once deletion is completed, it is permanent and cannot be reversed.
Depending on your configuration and integrations, data may be processed in multiple regions. By using the service, you authorize such processing as needed to operate the platform.
You can manage tenant users, integration access, and some data lifecycle behavior through application settings and administrative controls. You may also contact XtractBot for assistance with privacy requests where applicable.
If you disable a third-party connection in XtractBot, ingestion from that service is suspended immediately.
You should also review and, if needed, revoke the related OAuth app authorization directly in the third-party provider account to confirm discontinuation at the source.
The table below lists the current connection surfaces used by XtractBot. Select "Removal steps" for detailed instructions to view active authorization and disable or revoke access.
| Service | Purpose | Scopes required | Removal steps |
|---|---|---|---|
| Google Login (SSO) | Authenticate users into XtractBot. | openidemailprofile | |
| Microsoft Login (SSO) | Authenticate users into XtractBot. | openidemailprofile | |
| Google Email Ingestion | Read Gmail messages/attachments for document ingestion. | https://www.googleapis.com/auth/gmail.readonlyhttps://www.googleapis.com/auth/userinfo.email | |
| Microsoft Email Ingestion | Read Microsoft mailbox data for document ingestion (when enabled). | Mail.ReadUser.Readoffline_accessExact Microsoft Graph scopes may vary by tenant setup and deployment stage. | |
| Xero Finance Integration | Create and sync accounting records in Xero. | accounting.transactionsaccounting.contactsaccounting.settingsoffline_access |
XtractBot may update this Privacy Policy from time to time. Updated versions are effective when posted, and continued use of the service after posting means you accept the revised policy.
Privacy questions can be sent to privacy@xtract.bot.