AI-Assisted Translation Notice: This document is an AI-assisted translation provided for convenience. The Hebrew version at /he/legal/privacy is the legally binding version. In case of discrepancy between the Hebrew original and this translation, the Hebrew version controls. For clarification in your language: legal@shahar-teamim.co.il
Translation Precedence Clause: In case of discrepancy between the Hebrew original and a translation, the Hebrew version controls. "במקרה של סתירה בין הגרסה העברית המקורית לתרגום, הגרסה העברית גוברת." "في حالة وجود تعارض بين النسخة العبرية الأصلية والترجمة، تسود النسخة العبرية." "В случае расхождений между оригиналом на иврите и переводом, версия на иврите имеет преимущественную силу."
Privacy Policy — Shahar: Flavors from the Heart
Last updated: 2026-04-18 Status: DRAFT — requires attorney review before publication Jurisdiction: Israel (Protection of Privacy Law, 5741-1981, including Amendment 13 effective 14/08/2025) Legal status of operator: "Database Owner" (Controller) under Section 1 of the Law Legal priority: Israeli law. GDPR applies only to EU/UK users who have submitted their data — addressed separately in Section 12.
1. Data Controller Details
- Business name: Shahar: Flavors from the Heart
- Operator name: [CLIENT INPUT NEEDED: Full name]
- ID/Sole Proprietor/Company No.: [CLIENT INPUT NEEDED — official identifier required under Amendment 13]
- Address: [CLIENT INPUT NEEDED: city, street — Haifa]
- Privacy contact email: privacy@shahar-teamim.co.il
- Phone: [CLIENT INPUT NEEDED]
- Data Protection Officer (DPO): Not currently required (database under 100,000 sensitive records); however, you may contact us at the email above for any inquiry.
2. Scope
This policy applies to the website shahar-teamim.co.il in all four languages (he/en/ar/ru) and to all related services (orders, payment, notifications, customer support). It is binding on the business toward all users regardless of location or language of use.
3. Information We Collect
3.1 Information You Provide Directly
| Data type | Purpose | Israeli legal basis | GDPR basis (EU/UK) | Retention |
|---|---|---|---|---|
| Full name | Order identification | Consent + Contract | Contract | Until account deletion + 90 days |
| Order confirmations, communications | Consent + Contract | Contract | Until account deletion + 90 days | |
| Phone | WhatsApp/SMS updates, delivery identification | Consent + Contract | Contract | Until account deletion + 90 days |
| Delivery address | Order fulfillment | Contract | Contract | 7 years (statutory bookkeeping obligation — Bookkeeping Regulations Section 25) |
| Credit card numbers | Payment — processed directly by Invoice4U (PCI DSS) | — not collected by us | — not collected by us | Never stored on our servers |
| Reviews/feedback | Display on site | Consent | Consent | Until deleted by user or account closure |
| Menu preferences/allergies | Order customization | Consent | Consent | Until account deletion |
3.2 Automatically Collected Information
| Type | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address | Security, fraud prevention | Legitimate interest | 12 months |
| Browser type, device | Technical compatibility | Legitimate interest | 12 months |
| Pages visited, clicks | Product improvement | Consent (for analytics cookies) | 12 months |
| Shopping cart (localStorage) | Continuing purchase between sessions | Contract | Until browser cleared |
3.3 Information We Do Not Collect
- Sensitive data under Section 7 of the Law: We do not collect medical information, political opinions, religious beliefs, origin, sexual habits, or criminal convictions.
- Allergies/dietary preferences: Treated as non-sensitive preferences for order customization; not shared with third parties.
- Minors' data: The service is not intended for users under age 16. See Section 9.
4. Processing Purposes and Legal Basis
Under Amendment 13 to the Protection of Privacy Law, full transparency is required on purpose, recipients, and the consequence of non-disclosure:
| Purpose | Israeli legal basis | Consequence of non-disclosure |
|---|---|---|
| Account creation and order processing | Contract + Consent | Cannot place an order |
| Payment processing (Invoice4U) | Contractual obligation | Cannot pay |
| Order updates (WhatsApp/SMS/transactional email) | Contract | Cannot receive order status updates |
| Marketing communications | Explicit consent (Opt-in, unchecked checkbox per Amendment 13) | No impact on service |
| Analytics (Google Analytics/PostHog) | Consent via cookie banner | No impact on service |
| Fraud prevention and security | Legitimate interest + security obligation under Information Security Regulations 2017 | — |
5. Third Parties and Data Transfer
Only the following entities receive personal data. Each is bound by a Data Processing Agreement (DPA) or equivalent:
| Third party | Data transferred | Purpose | Storage location | Cross-border transfer mechanism |
|---|---|---|---|---|
| Invoice4U | Name, email, address, amount, payment details | Billing, invoicing | Israel | None — no cross-border transfer |
| Supabase (DB + Auth) | All account and order data | Storage infrastructure | EU (Frankfurt) | SCCs + Israel's EU adequacy decision does not apply to reverse flow; Supabase is signed on SCCs |
| ActiveTrail | Name, email, phone | Email/SMS delivery | Israel | None |
| WhatsApp Business API (Meta) | Name, phone, order number | Order updates | USA | SCCs — Meta provides Binding Corporate Rules |
| Vercel | Server logs (IP, URL) | Hosting | Global (Edge) | SCCs |
| Google Analytics 4 | Cookie ID, usage events, truncated IP | Analytics | USA | SCCs + Data Privacy Framework |
| PostHog (if active) | Session ID, events | Analytics | EU | SCCs |
We do not sell personal data to third parties for external marketing.
Full sub-processor list: /en/legal/subprocessors (dedicated page — [CLIENT INPUT NEEDED: publish page]).
6. Retention and Deletion
- Account data: Until deleted by user + 90-day buffer for payment disputes.
- Order history: 7 years (statutory bookkeeping obligation).
- Security logs: 12 months.
- Marketing communications: Until consent withdrawal (unsubscribe) + 30-day buffer.
- Cookies: See separate Cookies Policy (/en/legal/cookies).
7. User Rights
Under Amendment 13 to the Protection of Privacy Law, users have the following rights (free of charge, within 30 days):
- Access: View your personal data in our system.
- Correction: Correct inaccurate or outdated data.
- Deletion: Delete your account (except data required to be retained under other laws, such as invoices).
- Portability: Receive a portable copy of your data (CSV/JSON).
- Objection to processing: Refuse processing based on legitimate interest (e.g., analytics).
- Withdrawal of consent: Cancel marketing consent at any time.
- Filing a complaint with the Israeli Privacy Protection Authority (הרשות להגנת הפרטיות): https://www.gov.il/en/departments/the_privacy_protection_authority
How to exercise:
- Email: privacy@shahar-teamim.co.il (subject: "Access Request" / "Deletion Request" / "Portability")
- Online form: /en/legal/dsr-request [CLIENT INPUT NEEDED — build form]
- Identity verification: We may request email/phone verification against the registered account.
- SLA: 30 days (Israel + GDPR), 45 days for complex cases with advance notice.
8. Information Security
Under the Privacy Protection Regulations (Information Security), 5777-2017, the database is classified at medium security level (record volume + data type). Controls:
- HTTPS on all traffic (TLS 1.3).
- Encryption at rest (Supabase AES-256).
- RLS (Row Level Security) on all database tables — users see only their own data.
- bcrypt password hashing, MFA for system administrators.
- Logs and audit trails for 12 months.
- Daily backup, recovery tested quarterly.
- Annual security review (mandatory under the regulations for medium security level).
9. Minors
The service is not intended for users under age 16. If it is discovered that data was collected from a minor without parental/guardian consent, it will be deleted immediately. Parents who identify such use — please contact privacy@shahar-teamim.co.il.
10. Security Incident Reporting (Breach)
Under Amendment 13 to the Protection of Privacy Law, a serious security incident (affecting more than 100 records or involving sensitive data) is reported:
- To the Israeli Privacy Protection Authority: As soon as possible, and no later than 72 hours.
- To affected individuals: Personal notification without undue delay if there is risk to their rights.
11. Cookies
See the separate Cookies Policy: /en/legal/cookies. It includes a full list of cookies, vendors, lifetimes, and consent management instructions.
12. EU/UK Users — Additional GDPR
If you are a resident of the European Union or the United Kingdom:
- Legal basis (Article 6): See table in Section 4.
- Additional rights: Restriction of processing (Art. 18), no solely automated decision-making (Art. 22).
- Default supervisory authority: Your local authority (ICO for UK, CNIL for France, etc.).
- EU Representative (Art. 27): Not appointed — the business is a "micro-enterprise" (<250 employees) whose processing is not "regular and systematic" of EU residents' data. If this changes, a representative will be appointed.
- Cross-border transfers: See table in Section 5.
13. Policy Changes
We will notify of material changes via email to registered users and an on-site banner at least 30 days in advance.
14. Contact
Privacy email: privacy@shahar-teamim.co.il Address: [CLIENT INPUT NEEDED] Israeli Privacy Protection Authority: https://www.gov.il/en/departments/the_privacy_protection_authority
DRAFT NOTE: This document was created from templates and research data. Attorney review by an Israeli privacy law specialist is required before publication.