Privacy Policy

This Privacy Policy explains how AppExtractAI processes personal information when organizations use our application to extract structured data from residency and similar applications. This Policy applies to our role as a service provider/processor to our institutional customers ("Customers"). Where we act as a controller (e.g., for our website visitors, prospects, and account administrators), we also describe those practices below.

1) Roles and Scope

• Processor/Service Provider (B2B). For Customer Data we receive from our Customers (e.g., application files, extracted fields, reviewer notes), the Customer is the controller/business and AppExtractAI is the processor/service provider under laws like GDPR and CPRA. We process only per Customer instructions and the contract.
• Controller (Direct Interactions). For our own operations (billing contacts, admin users, marketing site), we act as a controller.

2) Information We Process

Customer‑submitted content (processor role):

• Application materials (e.g., PDFs, forms, letters), metadata, tags, comments.
• Applicant personal information: names, contact details, education/experience, licenses, essays, and any other information included by the Customer.
• Reviewer activity: user IDs, role, timestamps, and actions taken in the product.

Operational data (controller role):

• Account and billing details for Customer admins.
• Product usage and telemetry (e.g., device/browser, IP address, log events) for security and performance.
• Support communications.

We do not intentionally collect information from children under 13, and the Services are not directed to them.

3) How We Use Information

• Provide, operate, secure, and troubleshoot the Services.
• Extract fields and generate Output requested by Customers.
• Measure usage and improve features (including quality assurance, testing, and research) using de‑identified or aggregated data.
• Communicate about service updates, security, and billing.
• Comply with law and enforce our Terms.

Model Training. We do not use Customer Data or Output to train or fine‑tune models. We may use de‑identified or aggregated statistics (e.g., average field‑extraction accuracy across customers) to improve the Services.

4) Legal Bases (EEA/UK/Switzerland)

Where we act as a controller, we rely on: (i) performance of a contract (to provide the Services); (ii) legitimate interests (security, improvement, fraud prevention); and (iii) consent where required (e.g., certain cookies or marketing).

5) Sharing and Disclosures

We share information with:

• Subprocessors/Service Providers: cloud hosting, storage, logging, analytics, and model providers who act on our behalf under confidentiality and security obligations.
• Legal/Compliance: regulators or law enforcement where required.
• Corporate Transactions: in connection with a merger, acquisition, financing, or sale of assets.

We do not sell personal information or share it for cross‑context behavioral advertising as defined by CPRA.

6) International Data Transfers

We may transfer information internationally, including to the United States. Where required, we use lawful transfer mechanisms (e.g., EU Standard Contractual Clauses and the UK Addendum). We implement technical and organizational measures appropriate to the risk.

7) Security

We employ reasonable and appropriate safeguards. No system is 100% secure.

8) Retention

We retain Customer Data only as long as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. By default, we delete Customer Data within 30 days after account termination, subject to backup retention (up to 35 additional days). Customers may request deletion at any time.

9) Your Privacy Rights

Where we are a processor: Individuals should direct rights requests (access, deletion, correction, portability, restriction, objection) to the relevant Customer. We will support Customers in responding, consistent with our contracts.

Where we are a controller: You may contact us at mac@appextractai.com to exercise rights under applicable law. We will not discriminate against you for exercising your rights.

10) Cookies and Analytics

As of the Effective Date, we use only cookies that are strictly necessary to operate the Services (e.g., session, authentication, and security/CSRF). We do not use advertising cookies, and we do not deploy analytics cookies that identify you across sites or over time. You can control cookies via your browser settings, but the Services may not function without essential cookies. If we introduce non‑essential cookies (e.g., analytics) in the future, we will update this Policy and, where required by law, present a consent banner to users in the relevant jurisdictions.

11) No Automated Decision‑Making Without Human Review

Our Services are designed as assistive tools. We do not make decisions about individuals. Customers must implement human review before taking actions based on any Output and remain solely responsible for compliance with anti‑discrimination, equal opportunity, and hiring/admissions laws, as well as any residency match rules.

12) California Privacy Disclosures (CPRA)

• Categories collected: identifiers (name, email, IP), professional/education information, internet activity (usage logs), and in Customer Data, any categories the Customer submits.
• Purposes: provide and secure the Services; maintain/improve quality; support; compliance.
• Sale/Share: We do not sell or share personal information as defined by CPRA.
• Retention: as described in Section 8.
• Rights: access, delete, correct, portability, limit use of sensitive information (where applicable). For Customer Data, contact your program/institution.

13) Children's Privacy

We do not knowingly collect personal information from children under 13.

14) Changes to this Policy

We may update this Policy. If changes materially affect your rights, we will provide reasonable notice. The "Effective Date" tells you when it last changed.

15) Contact Us

Questions or requests: mac@appextractai.com
Security reports: mac@appextractai.com

Appendix A — Data Processing Terms (Short‑Form)

If and to the extent AppExtractAI processes personal data on Customer's behalf, the following apply:

1. Instructions. We process Customer Data only per Customer's documented instructions, including to provide, maintain, and support the Services, and as required by law.
2. Confidentiality. Personnel are bound by confidentiality obligations and trained on data protection.
3. Security. We implement appropriate technical and organizational measures commensurate with risk (see Privacy Policy §7).
4. Subprocessors. Customer authorizes our use of subprocessors subject to written contracts imposing data‑protection obligations. We'll provide notice of material changes and an opportunity to object on reasonable grounds.
5. Assistance. We reasonably assist Customer with data‑subject requests, security, and assessments, considering the nature of processing and information available to us.
6. Incident Notice. We will notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Data we process and will cooperate consistent with law.
7. Audits. Upon reasonable written request and subject to confidentiality, we will provide audit reports or summaries (e.g., SOC 2) and respond to reasonable security questionnaires. On‑site audits may be conducted no more than annually with reasonable notice and scope.
8. Return/Deletion. Upon termination or at Customer's request, we will return or delete Customer Data as set forth in the Terms and this Appendix, unless retention is required by law.
9. International Transfers. Where required, the EU Standard Contractual Clauses (controller‑to‑processor) and UK Addendum are incorporated by reference.