⚠️ Legal draft — not yet reviewed by counsel. Do not rely on this content before review.

Privacy Policy

Effective date: [EFFECTIVE_DATE]

1. Introduction

This platform is operated by [COMPANY_LEGAL_NAME], a company incorporated in Israel under company number [COMPANY_NUMBER], with its registered office at [REGISTERED_ADDRESS] (referred to as "Matajir AI", "the Company", "we", "us", or "our"). You can contact us at: [CONTACT_EMAIL].

This Privacy Policy governs our collection, processing, and use of your personal data in the following circumstances: (a) when you visit the Matajir AI marketing website; (b) when you register on the Platform and manage your merchant account via the dashboard; (c) in the context of the Platform's infrastructure generally.

This Privacy Policy does not apply to the individual online stores that merchants create on the Platform. Each store has its own separate privacy notice set by the merchant who operates it. Please consult the privacy notice displayed on the store you are visiting to understand how your data is processed as a customer of that store.

We operate in accordance with the requirements of Israel's Privacy Protection Law 5741-1981, Amendment No. 13 effective August 2025, and applicable international regulations.

2. Data Controller vs. Data Processor

The distinction between a Data Controller and a Data Processor is a fundamental legal concept in data protection. Below is an explicit clarification of Matajir AI's status in each case:

Matajir AI as independent Data Controller: Matajir AI acts as an independent Data Controller with respect to: marketing website visitor data; merchant account data (name, email, phone, etc.); billing and payment data; and usage analytics data relating to the dashboard and marketing website.

Matajir AI as Data Processor: Matajir AI acts as a Data Processor on behalf of the Merchant with respect to: any customer data that the Merchant enters or collects through their online store (including order data, customer profiles, contact information, and shipping details). The Merchant is the primary Data Controller for such data; this Privacy Policy does not govern it — the Merchant's own privacy notice displayed on their store applies instead.

3. Personal Data We Collect

We collect and process the following types of personal data:

Account Data (Controller):

  • Full name, email address, and phone number.
  • Language preference and store settings.
  • Password (encrypted and managed via Clerk — we do not store passwords in plain text).

Billing Data (Controller — card numbers are NOT stored by us):

  • Selected Plan and subscription date.
  • Billing address and VAT registration number (if applicable).
  • Transaction history (credit card data is processed directly by CardCom, not by us).

Usage / Analytics Data (Controller):

  • Pages visited, features used, and session duration.
  • Errors and exceptions occurring during use.
  • Device type, browser, operating system, and IP address.
  • These data are collected via PostHog, routed through a reverse proxy on our own domain (`/api/internal/p/*`) for enhanced privacy protection.

Storefront Customer Data (Processor — controlled by Merchant):

  • Customer names, addresses, phone numbers, and email addresses.
  • Order data and shipping details.
  • These data are not subject to this Privacy Policy — please refer to the specific store's privacy notice.

AI Inputs / Outputs (Processor):

  • Store content that the Merchant sends to AI providers for translation.
  • Chatbot conversations (if enabled).

4. How We Use Your Data and the Legal Basis

We use personal data for the following purposes, with the legal basis for each purpose specified in accordance with Israel's Privacy Protection Law and equivalent international regulations:

  • Providing the Service and operating the Platform — basis: performance of contract.
  • Billing and tax obligations — basis: legal obligation.
  • Improving and developing the Service — basis: legitimate interest.
  • Security and fraud prevention — basis: legitimate interest and legal obligation.
  • Marketing communications — basis: separate explicit consent; revocable at any time via the unsubscribe link in each message.
  • Service notifications (updates, outages, changes to terms) — basis: performance of contract and legitimate interest.

5. Cookies and Tracking

We use cookies and similar tracking technologies. Below is their classification:

Strictly necessary (no consent required):

  • Session cookies and authentication cookies.
  • CSRF protection cookies.
  • Language preference storage cookies.

Analytics (consent required per Israel Privacy Protection Authority 2025 guidance):

  • PostHog: We use PostHog's EU instance with a reverse-proxy via our own domain (`/api/internal/p/*`) to improve privacy and avoid tracker blocking. Session data and usage signals are collected.

Marketing (consent required):

  • We do not currently use marketing tracking cookies. This section will be updated if this changes.

6. Data Sharing (Recipients)

We do not sell or trade your personal data. We may share limited data with the following parties:

  • CardCom (payment gateway): transaction data required for billing. Location: Israel.
  • DigitalOcean (hosting): Platform data hosted on servers in Frankfurt, Germany (EU — adequate level of protection).
  • Brevo (email): email address and name for sending operational messages. Location: EU.
  • ActiveTrail (SMS): phone number for sending SMS messages. Location: Israel.
  • Anthropic / OpenAI (AI): store content sent for translation. Location: USA — transfers conducted under DPAs and Standard Contractual Clauses (SCCs).
  • PostHog (analytics): anonymised usage behaviour data. Location: EU.
  • Legal disclosure: we may disclose data if required by Israeli law or a court order.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, with advance notice to users.

7. International Data Transfers

The Platform's infrastructure is hosted primarily on DigitalOcean servers in Frankfurt, Germany, located within the EU/EEA (adequate level of protection under Israeli law).

Translation and AI data may be processed on servers of US-based providers (Anthropic, OpenAI). These transfers are conducted pursuant to: (a) Data Processing Agreements (DPAs); (b) European Standard Contractual Clauses (SCCs) under Article 46 of the GDPR.

Brevo (email service) operates within the EU. ActiveTrail (SMS service) operates from Israel, which is recognised as an adequate country under an EU adequacy decision.

8. Data Retention

We retain personal data for the following periods:

  • Account data: throughout the active subscription period, and thereafter for seven (7) years to comply with tax record requirements under the Israeli Income Tax Ordinance.
  • Usage / analytics data: twenty-six (26) months from the date of collection.
  • Backups: thirty (30) days from the date of creation.
  • Storefront customer data: governed by the Merchant's policy as Data Controller; deleted upon their request.
  • Data may be retained for longer if required by law or if necessary to protect legitimate legal interests.

9. Data Security

We implement appropriate technical and organisational security measures to protect your personal data, including:

  • Encryption in transit using TLS version 1.2 or higher.
  • Encryption at rest for all sensitive data.
  • User authentication and identity management via Clerk with two-factor authentication support.
  • Strict internal access controls on a least-privilege basis.
  • Log monitoring and vulnerability detection.
  • An incident response plan, including breach notification pursuant to Section 11A of Israel's Privacy Protection Law.

10. Your Rights

Under Israel's Privacy Protection Law 5741-1981 and Amendment No. 13 effective August 2025, as well as equivalent international regulations, you have the following rights:

  • Access: the right to review the personal data we hold about you.
  • Rectification: the right to correct inaccurate or misleading data.
  • Erasure: the right to request deletion of your data, subject to legal retention obligations.
  • Restriction of processing: the right to request restriction of processing of your data in certain cases.
  • Data portability: the right to receive your data in a structured, machine-readable format.
  • Objection: the right to object to the processing of your data for direct marketing purposes at any time.
  • Withdraw consent: you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint: the right to approach the Privacy Protection Authority (see Section 15 below).

To exercise any of these rights, please contact the Data Protection Officer at: [DPO_EMAIL].

11. Children's Privacy

The Matajir AI service is not directed at children under the age of sixteen (16). We do not knowingly collect personal data about children.

If we discover that we have unknowingly collected personal data about a child under 16, we will delete such data immediately. If you believe a child has provided us with personal data, please contact us at [CONTACT_EMAIL].

12. AI-Specific Notice

Content that the Merchant provides to translation services or the chatbot is sent to AI providers (Anthropic, OpenAI) for processing. This transfer is conducted pursuant to data processing agreements established with those providers.

Such content is not used to train the underlying AI models at third-party providers without explicit agreement.

Aggregated and anonymised signals derived from translation output may be used to improve the quality of Matajir AI's internal translation service. These signals will not include data that enables identification of the Merchant or Customer.

13. Changes to this Policy

We may update this Privacy Policy from time to time. In the event of material changes, we will send advance notice of thirty (30) days via email or a dashboard banner.

For non-material changes (such as stylistic corrections or changes that do not affect user rights), we will update the policy without advance notice and revise the 'last updated' date.

14. Contact and Data Protection Officer

Responsible Data Controller: [COMPANY_LEGAL_NAME], company number [COMPANY_NUMBER], [REGISTERED_ADDRESS].

Data Protection Officer (DPO): [DPO_EMAIL].

Note: DPO appointment is voluntary at our current scale — we are below the mandatory threshold set in Amendment No. 13 (10,000 data subjects in cases of third-party sharing as a primary purpose or large-scale sensitive data processing). Nevertheless, we appoint a DPO voluntarily as a matter of good corporate governance.

15. Complaints to Supervisory Authorities

Israel: Privacy Protection Authority (PPA). Contact at: https://www.gov.il/en/departments/privacy_protection_authority

EU: You have the right to file a complaint with the local data protection authority in your Member State.

United Kingdom: Information Commissioner's Office (ICO) — https://ico.org.uk

For complaints relating to our data processing, we encourage you to contact us first directly at [DPO_EMAIL] for an amicable resolution.

16. Effective Date

This policy takes effect on [EFFECTIVE_DATE].

Last updated: [EFFECTIVE_DATE].
