Privacy Policy and Notice of Information Collection

1. Who we are and controller details

Ora Med ("we", "the service") is a personalized Hebrew-first AI meditation service. The data controller is [OPERATOR_NAME], address [OPERATOR_ADDRESS]. For privacy inquiries: orna@oramed.co.

To exercise your rights under Israel's Privacy Protection Law, the GDPR, or any other applicable law, we may need to verify your identity and locate your account and generated meditation files.

2. What data we collect

We collect the data you voluntarily provide through forms and the studio flow:

• Identifiers: first name, optional English first name or last name.
• Contact details: email address; phone number in some cases.
• Preferences: selected gender, language (Hebrew/English).
• Personal questionnaire content: answers about physical sensations, emotional state, focus areas, empowering messages, and desired next step. These responses may qualify as sensitive data (see section 4).
• Service outputs: personalized scripts, internal prompts, job IDs, generated audio files, and delivery URLs.
• Payment metadata: transaction ID, status, amount, currency, product, invoice number. We do not store full card numbers or CVV codes; these are processed directly by the payment provider (Cardcom).
• Technical data: IP address, request timestamps, browser/device characteristics, session tokens or one-time login links, rate-limit events.
• Email metadata: delivery, open, click, or unsubscribe data from our email provider when available.

3. Purposes and legal bases

We process personal data for the following purposes, on the following legal bases:

• Creating your personalized meditation. Basis: contract performance (GDPR Art. 6(1)(b)) and explicit consent for questionnaire content (Art. 6(1)(a) and where applicable Art. 9(2)(a) — see section 4).
• Payment processing, invoices, and access entitlements. Basis: contract performance (Art. 6(1)(b)) and legal obligation for tax/accounting (Art. 6(1)(c)).
• Operational emails — meditation delivery links, payment confirmation, login links, support replies. Basis: contract (Art. 6(1)(b)) and legitimate interest in operating the service (Art. 6(1)(f)).
• Marketing / nurture content only after you give a separate explicit opt-in. Basis: consent (Art. 6(1)(a)) and Israel's Communications Law §30A.
• Security, fraud prevention, reliability, and improvement. Basis: legitimate interest (Art. 6(1)(f)).
• Legal compliance, terms enforcement, and lawful authority requests. Basis: legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

4. Sensitive / health data (Article 9)

Questionnaire answers cover physical sensations, emotional state, pain, or personal challenges. Such data may qualify as health-related or mental-health data under GDPR Article 9 or as "specially sensitive information" under Israel's Privacy Protection Law.

Therefore we process such data on the basis of your explicit consent (GDPR Art. 9(2)(a)), collected via a separate consent checkbox at signup. You may withdraw consent at any time by emailing orna@oramed.co; withdrawal will prevent future meditation generation but will not affect processing already performed.

Important: we recommend you avoid disclosing identifying medical details (diagnoses, medications, insurance information). The service is not a substitute for professional medical or mental-health care.

5. AI and audio generation

To generate the script and audio, parts of your questionnaire content, first name, gender, and language are sent to AI and text-to-speech providers — primarily Google Gemini, and ElevenLabs when activated. We do not transmit your email, phone, or payment data to these models.

We minimize the data sent to each provider (data minimization) but do not classify the processing as "anonymous", because your name and personal description may be indirect identifiers. AI providers are bound by Data Processing Agreements (DPAs) and are not permitted to use your content to train their models.

AI-generated content is provided for calm, focus, and self-reinforcement only. It is not medical, psychological, psychiatric, diagnostic, or emergency advice.

6. Service providers and third parties

We share data with third parties only to the extent needed to operate the service:

• Hosting and infrastructure: Hetzner (EU, Germany/Finland), Supabase (data and file storage).
• AI and TTS: Google Gemini (Google Ireland / Google LLC), ElevenLabs (US) — when activated.
• Email delivery: Brevo (France/EU). Resend (US) used as a fallback when needed.
• Payment processing and invoicing: Cardcom Ltd (Israel).
• Web fonts: Google Fonts (loading the Inter and Frank Ruhl Libre typefaces).
• Advisors, auditors, and legal counsel as required.
• Authorities and third parties when legally required or necessary to protect rights, security, and public health.

We require all data processors to enter a Data Processing Agreement (DPA) covering security, confidentiality, scoped purpose limitation, and deletion. An up-to-date list of DPAs is maintained internally. We do not sell personal data to third parties.

7. International transfers

Data is hosted primarily in EU data centers (Hetzner). Some providers process data in the US or other locations.

Israel has been recognized by the European Commission as providing an adequate level of data protection under Decision 2011/61/EU. For transfers to the US and other non-adequate jurisdictions, we rely on Standard Contractual Clauses (SCCs) or another lawful transfer mechanism, as documented in our DPAs with the providers.

8. Retention

We retain personal data only as long as necessary for the purposes described in this policy. The default operational retention is up to 180 days from your last activity, after which data is deleted on request or via scheduled cleanup.

Operational note: at the time of this update, the scheduled auto-deletion job is set to off in the administrative configuration, and deletion is performed manually upon request. We are working to enable full automatic cleanup.

Payment records, invoices, and tax-related documents are retained for the periods required by applicable law (typically 7 years in Israel). Encrypted backups are deleted on the backup-rotation schedule.

9. Your rights

Under Israel's Privacy Protection Law (sections 13-14) and the GDPR (Articles 15-22), you have:

• Right of access: to know what data we hold about you.
• Right to rectification: to correct or update inaccurate data.
• Right to erasure ("right to be forgotten"): subject to legally required retention.
• Right to restrict and object to processing in certain circumstances.
• Right to data portability: to receive a structured copy of your data.
• Right to withdraw consent at any time, for any consent-based processing.
• Right to object to direct marketing at any time, without justification.
• Right to lodge a complaint with the Israeli Privacy Protection Authority or the data-protection authority in your country.

How to exercise: these rights are currently fulfilled manually by contacting orna@oramed.co. We aim to respond within 30 days of identity verification, in line with GDPR Art. 12(3) and Israel's Privacy Protection Law sections 13-14. We are developing self-service access, export, and deletion tools.

Generated audio is included in export and deletion. Audio-to-user linkage may currently rely on server-side metadata; the engineering team is working to ensure full coverage of all stored assets.

10. Marketing communications

We send operational emails required to deliver the service (meditation links, payment confirmations, login links, support replies). These do not require separate marketing consent and are sent on a contract basis.

Marketing, nurture, and content-update emails are sent only after your explicit opt-in via a dedicated checkbox, in line with Israel's Communications Law §30A. Every marketing email includes a one-click unsubscribe link. Unsubscribing from marketing does not affect operational emails required to deliver your purchases.

11. Cookies and local storage

The site currently uses browser localStorage only, and does not set first-party server cookies. Stored keys:

• oramed_a11y_v1 — accessibility preferences (functional / essential).
• oramed_admin_token, oramed_admin_token_exp, oramed_api_base — admin-area authentication (essential).
• cookie_consent — your storage preference (essential).

The site contains no advertising trackers, pixels, or analytics tools as of this update. If we add such tools in the future, we will request your consent first via the consent banner. You can reopen the consent banner via the "Privacy preferences" button in the footer. Third parties you transact with (Cardcom on the payment page, Google Fonts when loading typefaces) may set their own storage according to their own privacy notices.

12. Access links and session tokens

Some flows (payment-success, studio entry, B2B claim links) carry an access token in the URL. We recommend you do not share these links with anyone else. We are working to replace this mechanism with a more secure one (short-lived HttpOnly cookies or immediate token exchange on entry) following our internal security review.

13. Payments

Payment for the "three-meditation pack" at USD 10 is processed directly by Cardcom Ltd. We do not see, receive, or store full card numbers or CVV codes. Transaction metadata (status, amount, authorization number) is retained for proof-of-purchase and accounting compliance.

Purchase, refund, and warranty terms are defined in the Terms of Service.

14. Security

We apply reasonable technical and organizational safeguards: HTTPS for all traffic, role-based access control, two-factor authentication for the admin area, secret-protected internal endpoints, at-rest encryption in storage, encrypted backups, log management, and environment separation.

No online service is fully secure. In the event of a material security incident affecting your rights, we will notify the Israeli Privacy Protection Authority and inform you as required by law (Israeli Data Security Regulations 2017 and GDPR Art. 33-34).

15. Database registration

The database is operated under Israel's Privacy Protection Law, 1981. Database controller: [OPERATOR_NAME]. Database registration with the Israeli Privacy Protection Authority — [in progress / to be completed within 60 days of public launch, per statutory registration duties].

With respect to the disclosure, audit, and notification duties under Amendment 13 (effective August 2025), we are working towards full compliance. Inquiries to the regulator: www.gov.il/en/departments/the_privacy_protection_authority.

16. Changes to this policy

We may update this policy from time to time. For material changes we will state a new effective date at the top, and where required by law we will notify you by email. Continued use of the service after the update constitutes acceptance, unless renewed consent is required by law.

17. Contact

For any privacy, security, or rights-related question, request, or complaint: orna@oramed.co. We aim to respond within 30 days.