Privacy Policy

Legal Requests: We will comply with lawful government requests from Israeli and US authorities

Jurisdictional Scope: Subject to Israeli and US legal processes due to company and server locations

Transparency: We will notify users when legally permitted

Minimization: We will provide only the minimum data required by law# Privacy Policy

Effective Date: [16.04.2025]
Operator: Zan – Zari Group Ltd.
Platform: Book Ahead Now (https://bookaheadnow.com)
Company Registration: 516775384
Address: 10 Tushiya Street, Tel Aviv, Israel

1. Controller Information and Contact Details

Data Controller: Zan – Zari Group Ltd.
Contact: [email protected]
Legal Representative (EU): [To be appointed if required under GDPR Article 27]
Data Protection Officer: [email protected] (if required)

By using our platform, you consent to this Privacy Policy. If you do not agree, you must not use our service.

2. Legal Basis for Data Processing (GDPR Article 13)

We process your personal data based on the following legal grounds:

2.1 Contract Performance (GDPR Article 6(1)(b))

  • Purpose: Providing embassy appointment monitoring and booking services

  • Data: Contact details, embassy credentials, appointment preferences, documents

  • Necessity: Required to deliver the service you purchased

2.2 Legitimate Interests (GDPR Article 6(1)(f))

  • Purpose: Security, fraud prevention, service improvement, technical support

  • Data: IP addresses, usage logs, technical information

  • Balancing Test: Our legitimate business interests do not override your privacy rights

2.3 Legal Obligation (GDPR Article 6(1)(c))

  • Purpose: Compliance with data protection laws, court orders, regulatory requirements

  • Data: All categories as required by applicable law

  • Scope: Limited to legal compliance requirements

2.4 Consent (GDPR Article 6(1)(a))

  • Purpose: Optional marketing communications, cookies (non-essential)

  • Withdrawal: You may withdraw consent at any time via [email protected]

  • Effect: Withdrawal does not affect prior lawful processing

3. Categories of Personal Data Collected

3.1 Identity and Contact Data

  • Data: Full name, email address

  • Source: Directly from you during registration

  • Retention: Duration of service + 12 months for legal compliance

3.2 Embassy Access Credentials

  • Data: Embassy portal usernames, passwords, email addresses

  • Security: AES-256 encryption, access-controlled, audit-logged

  • Retention: Until service completion or account deletion

3.3 Embassy Application Data

  • Data: Data already present in your embassy portal account (accessed but not stored by us)

  • Purpose: Automated appointment booking using your existing embassy account

  • Access: Read-only access through your provided credentials

  • Retention: Not stored - accessed only during booking process

3.4 Supporting Documents

  • Data: Uploaded PDFs, photos, application forms

  • Encryption: AES-256 encryption, zero-knowledge architecture

  • Access: Decrypted only during embassy portal submission

  • Retention: Immediate deletion after submission or booking expiry

3.5 Appointment Preferences

  • Data: Embassy location, visa type, preferred dates/times, service selections

  • Retention: Duration of active service

3.6 Technical Data

  • Data: IP addresses, browser type, device information, usage logs

  • Purpose: Security, fraud prevention, service optimization

  • Retention: 12 months for security logs, 6 months for analytics

3.7 Payment Information

  • Data: Payment method, transaction IDs (no credit card numbers stored)

  • Processing: Via secure third-party payment processors

  • Retention: 7 years for tax and accounting compliance

4. How We Use Your Personal Data

4.1 Service Delivery

  • Monitor embassy portals for appointment availability

  • Submit booking requests using your credentials and preferences

  • Auto-submit required documents to embassy systems

  • Send notifications about booking status and service updates

4.2 Security and Account Protection

  • Monitor for unauthorized access attempts to user accounts

  • Detect unusual booking patterns or suspicious activity

  • Maintain basic security logs for service integrity

  • Protect user credentials with encryption and secure storage

4.3 Legal Compliance

  • Respond to lawful requests from authorities

  • Comply with data protection and privacy regulations

  • Maintain records for regulatory compliance

  • Cooperate with law enforcement when legally required

4.4 Service Improvement

  • Analyze usage patterns to improve functionality

  • Optimize embassy portal compatibility

  • Enhance user experience and success rates

  • Develop new features and services

WE DO NOT:

  • Use your data for advertising or marketing to third parties

  • Sell, rent, or trade your personal information

  • Profile you for commercial purposes

  • Make automated decisions with legal effects

5. Data Security and Protection Measures

5.1 Technical Safeguards

  • Encryption: AES-256 encryption for all sensitive data at rest

  • Transmission: TLS 1.3+ encryption for all data in transit

  • Access Controls: Role-based access with multi-factor authentication

  • Infrastructure: SOC 2 Type II certified hosting providers

  • Monitoring: 24/7 security monitoring and intrusion detection

5.2 Organizational Measures

  • Limited Team: Single-person operation with strict data access controls

  • Data protection impact assessments for new processing activities

  • Incident response procedures and breach notification protocols

  • Regular security updates and system maintenance

  • Privacy by design implementation in all systems

5.3 Document Security (Zero-Knowledge Architecture)

  • Documents encrypted immediately upon upload

  • Decryption keys never stored on our servers

  • Files decrypted only in memory during embassy submission

  • Automatic purging after successful submission

  • No human access to document contents possible

6. Data Sharing and International Transfers

6.1 No Third-Party Sharing

WE DO NOT SHARE YOUR PERSONAL DATA WITH THIRD PARTIES except:

6.2 Necessary Service Providers

  • Embassy Portals: Your data submitted only to complete requested bookings

  • Payment Processors: Secure payment processing (PCI DSS compliant)

  • US Hosting Providers: AWS or similar US-based cloud infrastructure (encrypted data storage)

  • Support Tools: Customer service platforms (privacy-compliant)

6.3 Legal Disclosures

  • Compliance with lawful government requests

  • Court orders and legal processes

  • Protection of our rights and property

  • Prevention of fraud or illegal activity

6.4 International Data Transfers

  • Company Location: Israel (adequate protection under GDPR)

  • Server Location: United States (Standard Contractual Clauses implemented)

  • Data Flow: Israel → US servers for processing and storage

  • Safeguards: AES-256 encryption, access controls, contractual protections with US hosting provider

  • GDPR Compliance: Appropriate safeguards implemented for EU user data

  • Your Rights: You may object to US transfers; this may limit service availability

7. Data Retention Periods

Data Category

Retention Period

Legal Basis

Account Information

Active service + 12 months

Contract + Legal Obligation

Embassy Credentials

Until service completion

Contract Performance

Uploaded Documents

Immediate deletion after submission

Data Minimization

Embassy Account Data

Not stored - accessed only during booking

Data Minimization

Payment Records

7 years

Tax/Accounting Legal Obligation

Security Logs

12 months

Legitimate Interests (Security)

Usage Analytics

6 months anonymized

Legitimate Interests (Improvement)

Marketing Communications

Until consent withdrawn

Consent

7.1 Retention Principles

  • Data Minimization: We retain only what is necessary

  • Automatic Deletion: Systems automatically purge expired data

  • Secure Disposal: All deleted data is cryptographically wiped

  • Legal Holds: Retention extended only when legally required

8. Your Privacy Rights (GDPR Articles 15-22)

8.1 Right of Access (Article 15)

  • Request: Copy of all personal data we hold about you

  • Response Time: 30 days (may extend to 60 days for complex requests)

  • Format: Structured, commonly used, machine-readable format

  • Fee: Free for first request; reasonable fee for additional copies

8.2 Right to Rectification (Article 16)

  • Correction: Inaccurate personal data will be corrected without delay

  • Completion: Incomplete data will be completed upon request

  • Notification: We will inform third parties of corrections where possible

8.3 Right to Erasure "Right to be Forgotten" (Article 17)

  • Grounds: Data no longer necessary, consent withdrawn, unlawful processing

  • Exceptions: Legal compliance, freedom of expression, legitimate interests

  • Implementation: Secure deletion within 30 days where legally possible

8.4 Right to Restrict Processing (Article 18)

  • Circumstances: Disputed accuracy, unlawful processing, objected processing

  • Effect: Data held but not processed (except storage)

  • Duration: Until restriction grounds are resolved

8.5 Right to Data Portability (Article 20)

  • Scope: Data provided by you, processed by consent or contract

  • Format: Structured, commonly used, machine-readable

  • Direct Transfer: To another controller where technically feasible

8.6 Right to Object (Article 21)

  • Legitimate Interests Processing: You may object; we must demonstrate compelling grounds

  • Direct Marketing: Absolute right to object (we don't currently engage in this)

  • Automated Decision-Making: Right to human review (not applicable to our service)

8.7 Rights Related to Automated Decision-Making (Article 22)

  • Current Status: We do not make automated decisions with legal effects

  • If Implemented: You would have rights to explanation and human review

8.8 Right to Lodge Complaints

  • Israeli Users: Israeli Privacy Protection Authority

  • EU Users: Your local supervisory authority or lead authority

  • Our Commitment: We will cooperate fully with regulatory investigations

9. Exercising Your Rights

9.1 How to Make Requests

Contact: [email protected]
Include:

  • Full name and contact information

  • Specific right you wish to exercise

  • Details of your request

  • Proof of identity (government-issued ID)

9.2 Identity Verification

We will verify your identity before processing requests to prevent unauthorized access to your personal data.

9.3 Response Times

  • Standard: 30 days from verified request

  • Complex Requests: Up to 60 days (with notification)

  • Urgent Security Issues: Immediate response

9.4 Fees

  • First Request: Free of charge

  • Additional/Excessive Requests: Reasonable administrative fee

  • Manifestly Unfounded Requests: May be refused

10. Cookies and Tracking Technologies

10.1 Essential Cookies (No Consent Required)

  • Session Management: Maintain your login status

  • Security: Prevent fraud and unauthorized access

  • Functionality: Remember your preferences and settings

10.2 Analytics Cookies (Consent-Based)

  • Purpose: Understand usage patterns and improve service

  • Data: Anonymized usage statistics, page views, error rates

  • Retention: 6 months maximum

  • Opt-Out: Available in cookie settings

10.3 No Third-Party Tracking

  • No Advertising Cookies: We do not use advertising or marketing cookies

  • No Social Media Pixels: We do not use social media tracking

  • No Behavioral Profiling: We do not track users across websites

10.4 Cookie Management

You can control cookies through:

  • Browser settings (block all cookies)

  • Our cookie preference center

  • Privacy-focused browser extensions

11. Service Age Requirements

11.1 Age Restrictions

  • Minimum Age: 18 years (service not intended for minors)

  • No Age Verification: We do not actively verify ages but require users to confirm they are 18+ in Terms of Service

  • Assumption: We assume all users meet age requirements based on Terms acceptance

11.2 Parental Concerns

If you believe a minor has used our service:

  • Contact: [email protected] immediately

  • Action: We will investigate and delete any account data within 48 hours

  • Prevention: Age requirement clearly stated in Terms of Service

12. Business Transfers and Mergers

12.1 Corporate Transactions

In the event of merger, acquisition, or sale of assets:

  • Notice: You will be notified before transfer

  • Rights: Your privacy rights will be maintained

  • Standards: Acquiring party must commit to equivalent privacy protections

  • Opt-Out: You may request data deletion before transfer

13. Data Breach Notification

13.1 Our Obligations

  • Authority Notification: Within 72 hours to relevant supervisory authority

  • User Notification: Without delay if high risk to your rights and freedoms

  • Documentation: All breaches documented and reported as required

13.2 User Actions

If you suspect unauthorized access to your account:

  • Change Passwords: Immediately update all embassy portal passwords

  • Contact Us: Report suspected breaches to [email protected]

  • Monitor: Check embassy accounts for unauthorized appointment changes

14. Privacy Policy Updates

14.1 Notification of Changes

  • Material Changes: Email notification + prominent website notice

  • Minor Updates: Website notification only

  • Effective Date: Always displayed at the top of this policy

14.2 Your Options

  • Acceptance: Continued use constitutes acceptance of changes

  • Objection: You may terminate your account if you disagree with changes

  • Rights: Changes do not affect your existing privacy rights

15. Regulatory Compliance Framework

15.1 Applicable Laws

This policy ensures compliance with:

  • GDPR (EU General Data Protection Regulation)

  • Israeli Privacy Protection Law, 5741-1981

  • California Consumer Privacy Act (CCPA) where applicable

  • Other applicable data protection regulations

15.2 Cross-Border Data Protection

  • Adequacy Decisions: We rely on EU adequacy decisions where available

  • Standard Contractual Clauses: Implemented for transfers without adequacy

  • Additional Safeguards: Encryption, access controls, audit requirements

15.3 MVP Service Notice

  • Development Stage: This service is in MVP (Minimum Viable Product) soft launch phase

  • Limited Availability: Service may have limited capacity or temporary restrictions

  • Continuous Improvement: Features and privacy practices may be enhanced during development

  • User Feedback: We welcome feedback to improve our privacy and security measures

16. Contact Information and Complaints

16.1 Privacy Inquiries

Primary Contact: [email protected]
Response Time: 48 hours for acknowledgment, 30 days for resolution
Mailing Address: Zan – Zari Group Ltd., 10 Tushiya Street, Tel Aviv, Israel

16.2 Data Protection Authorities

Israeli Users:
Israeli Privacy Protection Authority
Website: gov.il/privacy

EU Users:
Your local Data Protection Authority
EU DPA List: edpb.europa.eu/about-edpb/board/members_en

16.3 Emergency Contact

Security Incidents: [email protected]

This Privacy Policy was last updated on [16.04.2025]. We are committed to protecting your privacy and will continue to enhance our practices as technology and regulations evolve.

BY USING OUR SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND CONSENT TO OUR PRIVACY PRACTICES AS DESCRIBED IN THIS POLICY.