1. Introduction

We take your privacy very seriously. Please read this Privacy Notice and any other privacy notice or fair processing notice we may provide on specific occasions carefully, as it will help you understand what information we collect, why we collect it, and how in certain circumstances you can update, correct, and delete your information. 

This Privacy Notice has been drafted in accordance with the relevant laws of the United Kingdom but may be applied to personal information processing activities globally. The processing activities may be more limited in some jurisdictions due to the restrictions of their laws. For example, the laws of a particular country may limit the types of personal information we can collect or the way we process that personal information. In those instances, we may adjust our internal policies and/or practices to adapt to the requirements of local law. This Privacy Notice supplements other notices and is not intended to override them.

2. Who Are We

The website extrac.ai is provided by ExTrac AI Limited, a company registered in England and Wales under number 14532778, whose registered office is at 27 Old Gloucester Street, London, England, WC1N 3AX.

3. Contact Details

Name:  Please contact us via the ExTrac Privacy Team  
By email: privacy@extrac.ai
By mail:  27 Old Gloucester Street, London, England, WC1N 3AX

4. What is meant by personal or sensitive personal data

Personal data is anything which may identify you for example your name, address, bank account details, internet protocol (IP) address, username or another identifier. Some personal data is unique to you and therefore requires greater protection. This data is referred to as sensitive or special category data which includes information regarding your health, religious or philosophical beliefs, race, or ethnicity to provide a few examples.

5. How we get information about you

In order for us to operate effectively, we collect personal data from you directly, when you enter or send us information, such as when you register with us, contact us (including via email or customer contact forms), subscribe to our newsletters or other communications, apply for a vacancy or send us feedback. This notice serves as our commitment to Article 13 of the GDPR.

This notice also illustrates our commitment to Article 14 of the GDPR.  As part of our ongoing business, we may also collect personal data about you indirectly. This data is processed in accordance with and under Article 6 (1)(f) GDPR which defines our legitimate interest.

6. The data we collect about you

We collect personal information from the visitors to our website, our subscribers and candidates who apply to our vacancies. We may collect, use, store and transfer different kinds of personal information about you depending on our relationship with you:

– Identity data: may include name, job title and any other identity data that you may include in your CV or communication with us.

– Contact data: we usually only intend to collect your email address, but other contact details such as telephone number(s) and addresses may be collected from you when you provide them in our contact forms, your communications with us, or in your CV.

– Usage data: includes information about how you use our website.

– We do not knowingly collect children’s data.

7. Sensitive or Special Category Data

The GDPR defines Special Category data (Sensitive data) as: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation  in the normal course of the provision of our services  we do not intentional  collect this type of personal data.

Where you choose to provide us with this information in your communication with us or in your CV, we will only process that sensitive personal information in accordance with our lawful basis.

8. How we process and use your information

We need your personal information to conduct our business and provide you with our website and services. Most commonly we will use your personal information in the following circumstances:

– Where you have consented before the processing.

– Where we need to perform a contract we are about to enter or have entered with you.

– Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

– Where we need to comply with a legal or regulatory obligation.


We will only collect, process and/or use the personal information where we are satisfied that we have an appropriate legal basis to do so.

10. Safeguarding your personal information

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We will review, monitor and update these security measures to meet our business needs, changes in technology and regulatory requirements. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties that have a business requirement to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal information, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally or morally required to do so.

11. Keeping your personal information

We will keep your personal information in line with our retention policy and applicable law and for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

12. Information Sharing

Insofar as is reasonably necessary for us in delivering our products and services and for the purposes set out in this Privacy Notice, we may share your personal information with the third parties below that help us manage our business and deliver our products.

We only allow those organisations to handle your personal information if we are satisfied, they take appropriate measures to protect your information. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.We or the third parties mentioned above occasionally also share personal data with:

– our and their external auditors, e.g., in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations.

– our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations.

– law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations.

– other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised, but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

– The nature of our business means that in accordance with our Legitimate Interest Assessment (Article 6(1)(f) GDPR) we may share personal data with our clients.


The specific kind of information we share will depend on your activities with us and in accordance with Article 13 & 14 GDPR and only to the extent as required or permitted by law.

Please note however that this Privacy Notice does not apply to sharing of personal information by third party providers who may collect personal information from you and may share it with us. In these situations, we strongly advise you to review the applicable third-party provider’s privacy notice before submitting your personal information.

13. Transferring your information outside the UK

The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.

It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

– In the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. A list of countries the UK currently has adequacy regulations in relation to is available here.

– In the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR. A list of countries the European Commission has currently made adequacy decisions in relation to is available here.

– There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or

– a specific exception applies under relevant data protection law.


Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

14. Third-party websites and plugins

You should be aware that information about your use of our website (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your Internet traffic.

Our website contains links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties.

We are not responsible for the content or practices of those websites, plugins, or services. The collection, use and disclosure of your personal information will be subject to the privacy notices of these third parties and not this Privacy Notice. We urge you to read the privacy and cookie notices of the relevant third parties.

15. What happens if you don’t provide your personal information?

You may always choose what personal information (if any) you wish to provide to us. Please note, however, some of our products and services to you may be affected if you choose not to provide certain details, for example, we cannot reply to you without a name or contact details.

We also need your personal information to be able to assess your application for our vacant job roles.

16. What are your rights?

Within the GDPR, you have rights that allow you control of and access to your personal information.

These rights may include the right:

– To request and obtain a copy of your personal information

– To request rectification and/or erasure

– To restrict processing of your personal information

– Data portability (if applicable)


In certain circumstances, you may also have the right to object to the processing of your personal data. You can make a request to exercise your rights by contacting us at privacy@extrac.ai.

We will consider and act upon any requests in accordance with applicable data protection laws.

17. Our lawful basis for processing your personal data

The sections below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Lawful Basis | Contract

We use your personal information on the basis that it is necessary for us evaluate applications and candidates for a vacant role prior to entering into an employment contract for that role with the most suitable candidate.

Purpose Examples
Recruitment of candidates (contractors, employees and providers)
We will use the personal information we collect about you to assess your skills, qualifications, and suitability  for the role for which you applied. We may use the following personal data: identity  data, contact data, location data, and candidate data.  

Lawful Basis | Legitimate Interest
When we rely on this, we will carry out a Legitimate Interests Assessment to ensure we consider and balance any potential impact on you (both positive and negative),and your rights under Data Protection Law.  

Our legitimate business interests do no automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.

Purpose Examples
Managing our business
We process Personal Data for our own legitimate business interests. This relates to us managing our business to enable us to maintain and monitor the performance of our website and other services to constantly look to improve the website and the services it offers to our users, including when we respond to your queries and complaints, where you are not a client or supplier, or a potential client or supplier. We may use the following personal data: identity data, contact data, technical data, and communications data.  

Provide and maintain our websites and services
To provide and maintain our website and other services, including to monitor the usage of these, troubleshooting, data analysis, network security and system testing necessary for our legitimate interests in maintaining the useability, security and integrity of our website. We may use the following personal data: identity data, location data, transaction data, and technical data.

Rights and claims to enforce or apply our website terms of use, our policy terms and conditions, or other contracts
To exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with, we may use the following personal data: identity data, contact data, technical data, profile data, and usage data.

Data subject rights
When verifying your identity when you exercise your data subject rights and fulfilling data subject rights requests, we may use the following personal data: identity data, contact data, location data, technical data, usage data, candidate data, which are necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise).

Lawful Basis | Legal Obligations
We may use your Personal Data to comply with laws (for example, if we are required to cooperate with a police investigation after a court order orders us to).

Purpose Examples
Legal requirement
We may process Personal Data where the processing is necessary for compliance with legal obligations, such as but not limited to security requirements, and to comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law. Criminal activity. We may process Personal Data to detect fraudulent or criminal activity, and may share information with law enforcement agencies.

18. Complaints

We hope that we can resolve any query or concern you raise about our use of your information. Please contact us at privacy@extrac.ai first and title your email 'Complaint'. All complaints will be treated in a confidential manner, and we will try our best to deal with your concerns.

You have the right to lodge a complaint with a supervisory authority in the EEA member state where you work or normally live, or where any alleged infringement of Data Protection Law occurred.

The details of European supervisory authorities can be found here: Our Members | European Data Protection Board (europa.eu)

The supervisory authority in the UK is the ICO, which may be contacted at ico.org.uk/concerns or by telephone on 0303 123 1113.

The details of the supervisory authority in Switzerland can be found here: Startseite (admin.ch)

19. Questions or Concerns

If you have any questions, concerns, or complaints about this Privacy Notice, or our privacy practices in general, please email us at privacy@extrac.ai.

20. Changes to this Privacy Notice

We reserve the right  to update this policy at any time. We may make changes as required to comply with changes in applicable laws or regulatory requirement and we encourage you to review this policy periodically to be informed of how we use your personal information.

This version dated 18 April 2024
Review date, 17 April 2025