Privacy Policy
Kaufman.ai ("we") is committed to protecting the privacy of users, business tenants, and their end customers. This policy explains what data we collect, why, and how we use it.
Last updated: April 26, 2026
1. TL;DR
We provide a SaaS service for Israeli businesses to manage customers and connect to WhatsApp Business. We collect minimal data needed to operate the service, store it in secured Israeli + European data centers, and never sell personal data. To exercise your rights (access, correction, deletion, portability), contact dpo@kaufmanai.com.
2. Controller and Contact
Data controller: Kaufman.ai (MINDSET.IO / KAUFMAN DIGITAL). Data Protection Officer: dpo@kaufmanai.com. You can contact us with any question related to data processing, rights enforcement, or to file a complaint.
3. Data We Collect
a. Provided by you:
- Account: full name, email, phone, password (hashed).
- Business: business name, category, address, opening hours, logo.
- End-customer data you enter: names, phones, appointment history, notes, tags.
- Content of WhatsApp conversations and messages sent through the platform.
b. Collected automatically:
- Usage: pages viewed, actions taken, login times.
- Technical: IP address, browser, OS, device fingerprint (for security).
- Cookies: see Cookie Policy.
c. From third parties:
- From Meta (WhatsApp): inbound/outbound message metadata.
- From Stripe: payment status (no card details — those stay with Stripe).
4. Why We Process Your Data (Lawful Basis)
- Contract performance (GDPR Art. 6(1)(b)) — providing the service you signed up for.
- Legitimate interest (GDPR Art. 6(1)(f)) — security, fraud prevention, service improvement.
- Legal obligation (GDPR Art. 6(1)(c)) — keeping payment records for 7 years per Israeli VAT and Income Tax laws.
- Consent (GDPR Art. 6(1)(a)) — marketing emails, marketing cookies, partner sharing. Withdrawable any time.
5. How We Use Data
- Service operation: customer management, reminders, lead screening, automation.
- Support: responding to inquiries, troubleshooting, service communications.
- Billing: subscription processing, invoicing.
- Security: detecting unauthorized access, blocking fraud attempts.
- Improvement: aggregate (anonymized) analytics on usage patterns.
- Compliance: responding to lawful authority requests, regulatory oversight.
6. Where Data is Stored
Our primary databases live on Railway (US default) and Hetzner (European regions — Finland / Germany). Backups are stored on Backblaze B2. For the complete sub-processor list see Sub-processors.
Transfers outside the EEA are carried out under EU Standard Contractual Clauses (SCCs) or under valid adequacy frameworks (such as the EU-US Data Privacy Framework). Israeli Privacy Law cross-border transfer requirements are also satisfied.
7. Data Sharing
We do not sell, rent, or share personal data with third parties, except:
- Sub-processors — infrastructure providers acting on our behalf under a DPA. Full list at Sub-processors.
- Legal obligation — court orders, statutes, or competent authority.
- Rights protection — to identify, prevent, or address fraud, security threats, or breaches of terms.
- Merger / acquisition — if we are acquired or merged, personal data may transfer to the acquirer. We will notify you 30 days in advance.
8. Your Rights
Under GDPR and Israeli Privacy Law, you have the following rights:
- Access — receive a copy of all data held about you.
- Rectification — request correction of inaccurate data.
- Erasure ("right to be forgotten") — delete your account and data.
- Portability — receive your data in a portable format (JSON / CSV).
- Object — object to certain processing, including direct marketing.
- Restriction — request temporary processing restriction.
- Withdraw consent — revoke previously given consent.
To exercise any right, fill out the DSAR form or email dpo@kaufmanai.com. We respond within 30 days (extendable by 60 days for complex cases, with notice).
You retain the right to file a complaint with the Israeli Privacy Protection Authority (Rmi) or your local EU Data Protection Authority.
9. Retention
- Active accounts — for as long as the account is active and up to 90 days after cancellation.
- Deleted accounts — permanently erased within 30 days of deletion request (except for legally required retention — see below).
- Payment records and invoices — 7 years per Israeli Income Tax Ordinance and VAT Law.
- Security logs — 12 months for investigation purposes.
- Backups — purged automatically within 90 days.
10. Security
We implement technical and organizational safeguards:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Password hashing with scrypt (irreversible).
- Strict tenant isolation (multi-tenant + RLS).
- Role-based access control (RBAC), 2FA for admin accounts.
- Daily automated backups with monthly restore testing.
- 24/7 security monitoring, anomaly alerting.
- Periodic security audits, external pen-tests.
In the event of a personal data breach involving significant risk, we will notify you and the competent authority within 72 hours of discovery, per GDPR Art. 33-34 and Israeli Privacy Law.
11. Children
The service is not directed to minors under 16. If we discover we have collected data about a minor without parental consent, we will erase it immediately. Parents who identify that their child provided data should contact dpo@kaufmanai.com.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be emailed to registered users and posted here at least 30 days before taking effect. The last update date appears at the top of this page.
13. Governing Law
This policy is governed by the Laws of the State of Israel. In case of conflict between Hebrew and English versions, the Hebrew version prevails.