xtract.bot

Privacy policy

Effective 5 May 2026

The short version

We collect the minimum we need to keep your account working and to enforce the monthly quota. We don't share your personal details with anyone. We don't run advertising trackers, we don't sell your data, and we don't send marketing emails unless you've explicitly subscribed.

What we collect

When you sign in, your chosen identity provider (GitHub, GitLab, etc.) sends us:

  • your provider account ID (an opaque number),
  • your username and display name,
  • your primary email address,
  • your avatar URL.

While you use the service we also keep:

  • API keys you create — only the SHA-256 hash of the secret is stored; we can never recover the key itself. We keep the human-readable name you gave it and the last-used timestamp.
  • Usage counts — how many cost units you've used this month, broken down by tool and by category. Used solely for enforcing your quota and showing you a breakdown on the usage page.
  • Cached conversion outputs — when you call a tool, the result is cached by a hash of the request bytes so identical inputs return instantly worldwide. Cache entries expire (usually within 24 hours) and are not tied to your account.

Request logs

We log every request to our service so we can keep it running, spot abuse, and understand which tools people actually use. Each log entry records:

  • timestamp, the URL path you requested, the HTTP method, the response status, and how long the request took;
  • your browser or client identification (the User-Agent string), language preference, and accept-encoding;
  • approximate location (country, region, city) and your network provider (ASN), derived once at request time from your IP address;
  • the referring website if you arrived from a link, plus a few standard browser hints (sec-fetch-*, sec-ch-ua);
  • your account ID when you call the API with credentials, so we can enforce your monthly quota correctly.

We do not store your IP address. We use it momentarily to derive the location and network info above, and to compute the daily-rotating visitor identifier described below — then it's gone. We don't use cookies, localStorage, or any client-side tracking; all logging is server-side.

How we identify visitors

For unauthenticated requests we generate a pseudonymous identifier by hashing your IP address together with your User-Agent and language preference, salted with a random secret that we rotate every 24 hours and then permanently delete.

What this means in practice:

  • Within a single UTC day, repeated requests from the same device produce the same identifier (so we can see, for example, that one visitor browsed several pages in one session).
  • Across days, the identifier changes and cannot be linked back to previous days.
  • We cannot reverse the identifier to recover your IP, and after the daily salt is deleted no one can — including us.
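
The identifier scheme described above, sketched as an added example (not xtract.bot's own code). It assumes HMAC-SHA-256 as the salted hash and an in-memory salt store that discards the old salt at the UTC day boundary; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class DailySaltStore:
    """Holds only the current UTC day's salt (assumed in-memory store)."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, now: datetime) -> bytes:
        day = now.astimezone(timezone.utc).date()
        if day != self._day:
            # Overwriting the previous salt is the deletion step: identifiers
            # derived from it can no longer be recomputed or brute-forced.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(store, now, ip, user_agent, language):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode()
        for f in (ip, user_agent, language)
    )
    # Keyed hash: without the salt, the small IPv4 space cannot be enumerated
    # to match an identifier back to an address.
    return hmac.new(store.salt_for(now), msg, hashlib.sha256).hexdigest()


def demo():
    store = DailySaltStore()
    # Constructed sample visitor (documentation-range IP, made-up User-Agent).
    visitor = ("203.0.113.7", "ExampleBrowser/1.0", "en-GB")
    morning = datetime(2026, 5, 5, 8, 0, tzinfo=timezone.utc)
    evening = datetime(2026, 5, 5, 23, 59, tzinfo=timezone.utc)
    next_day = datetime(2026, 5, 6, 0, 1, tzinfo=timezone.utc)
    a = visitor_id(store, morning, *visitor)
    b = visitor_id(store, evening, *visitor)
    c = visitor_id(store, next_day, *visitor)
    return a == b, a == c  # (same within a day, linkable across days)


if __name__ == "__main__":
    print(demo())
```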

For authenticated requests we identify you by your account ID, which you provided when signing up.

Why we collect it (lawful basis)

For unauthenticated requests we rely on legitimate interest (Article 6(1)(f) GDPR) in operating, securing, and improving the service. We've assessed this interest against your privacy rights and concluded the impact is minimal because of the pseudonymisation, daily salt rotation, and lack of cross-day tracking described above.

For authenticated requests, processing is necessary for performance of our contract with you (Article 6(1)(b) GDPR) — we cannot enforce API quotas or bill you accurately without recording your usage.

Why we collect it

  • To recognise you on subsequent visits without making you sign in repeatedly.
  • To enforce the monthly cost-unit quota fairly across users.
  • To send transactional emails — for example, a notification if your quota is about to run out, or a security alert if a new API key is created. We do not send anything else without your consent.
  • To improve the service via aggregate, anonymised statistics — never tied back to individual users.

What we never do

  • Sell or share your personal details with advertisers, data brokers, or any third party for marketing.
  • Send marketing emails unless you've subscribed. If we ever introduce a newsletter or product-update email, it will be opt-in with a one-click unsubscribe.
  • Run third-party analytics or ad-tracking scripts on the site. The pages you load don't beacon out to Google Analytics, Facebook Pixel, or similar.
  • Read or store the file contents you upload beyond the short-lived edge cache described above. We don't train models on your inputs and we don't keep a per-user history of what you've converted.

Cookies

We set two cookies, both first-party:

  • session — an HTTP-only cookie that keeps you signed in between visits. Strictly necessary; can't be turned off without signing out.
  • csrf_token — a short-lived double-submit token used on state-changing form submissions (creating a key, signing out). Strictly necessary.

We do not set any tracking, advertising, or analytics cookies.

Third parties

The minimum data passes through these parties so the service can work:

  • Your chosen identity provider (GitHub, GitLab, …) handles the sign-in handshake. They learn that you signed in to xtract.bot; they don't learn what you do here afterwards.
  • Our hosting and database providers process the data necessary to deliver responses to you. They are bound by standard processor agreements and don't use your data for any purpose other than running the service on our behalf.

Data retention

  • Account data — kept while your account is active; deleted on request (see below).
  • API keys — kept until you revoke them or delete your account. Revoking is immediate.
  • Usage counts — reset at the start of each UTC month.
  • Edge-cached conversion outputs — TTL is per-tool, typically 24 hours; entries are evicted when their TTL expires.
  • Request logs — retained for 24 months, then automatically deleted by our storage lifecycle rule.
  • Daily visitor-hash salt — deleted after approximately 25 hours; once it's gone, no one can re-derive yesterday's hashes.

Where it's stored

All data is processed and stored on edge infrastructure provided by our hosting partner, who acts as our data processor under a Data Processing Agreement. Data may be processed in any region where that infrastructure operates.

Your rights

  • Access — your account data is visible at /account.
  • Revoke API keys — at /account/keys; revocation is immediate.
  • Delete your account — email us (see Contact below) and we will delete your record and all associated API keys within seven days. Edge-cached outputs are not tied to your identity and expire on their own schedule.
  • Export — request a copy of the data we hold about you and we'll send it as JSON.

Changes to this policy

If we make a material change — anything that broadens what we collect or share — we'll notify you by in-app banner or email (using the address on your account, transactionally) at least two weeks before the change takes effect. Minor wording fixes and clarifications may be made without notice; the effective date at the top of this page tells you the last update.

Contact

Privacy questions, deletion requests, or anything else covered here: privacy@xtract.bot. We aim to reply within three business days.