Data Processing Policy

1. Introduction

This policy regulates the processing of personal data by Redbo Ltd. (hereinafter: "the Company," "we," "our") in the operation of the website, admin portal, and embeddable widget. The policy is written in accordance with the Privacy Protection Law, 1981, and its regulations.

2. Definitions

In this policy:

• "Personal Data" – information relating to an identified or identifiable individual.
• "Processing" – any action or set of actions performed on personal data.
• "Data Subject" – the individual to whom the personal data relates.
• "Controller" – the entity that determines the purposes of the processing and its means.
• "Processor" / "Service Provider" – the entity that processes personal data on behalf of the Controller.
• "Sub-Processor" – a third party engaged by the Processor to process personal data in the course of providing the Service.
• "Connected Sources" – websites, knowledge bases, documents, and other content the Customer connects to the Service.

3. Roles: Controller and Processor

For Connected Sources and customer-supplied content provided to the Service, the Customer acts as the Controller and Redbo acts as the Processor / Service Provider, processing the data on behalf of and on the documented instructions of the Customer. For Redbo’s own corporate operations (e.g., handling Customer account information, contact details, and inquiries), Redbo acts as the Controller of those records.

4. Purposes of Data Processing

We process personal data for the following purposes:

• Providing the Service and its AI features
• Communicating with customers and responding to inquiries
• Fulfilling contractual obligations
• Improving our services and products
• Complying with legal and regulatory requirements
• Protecting our rights and property

5. Types of Data We Process

We may process the following types of data:

• Identification details: name, email address, phone number
• Professional information: position, company, field of activity
• Technical information: IP address, browser type, operating system
• Operational information: locale, last page visited, basic usage events
• Customer-supplied content: Connected Sources and conversations conducted with the AI assistant

6. Legal Basis for Processing

We process personal data on one or more of the following legal bases:

• Consent: when you have given explicit consent for the processing of the data
• Performance of a contract: when processing is necessary for fulfilling a contract with you
• Legitimate interest: when we have a legitimate interest in processing the data
• Legal obligation: when we are legally required to process the data

7. PII Redaction Controls

Before customer-supplied content is stored or sent to an external AI model, the Service applies PII redaction controls that detect and mask categories such as ID numbers, payment data, contact details, and other personally identifying information. These controls form part of the architectural boundary between Service-internal storage and external AI providers.

8. Sub-Processors

To deliver the Service we engage trusted sub-processors and infrastructure providers under written confidentiality and data-protection terms. The current categories include:

• AI provider: OpenAI (LLM inference) — requests are sent with store:false; we do not rely on provider-side conversation memory, and multi-turn context is reconstructed from our redacted chat history. Under the provider’s API terms, content submitted through the API is not used to train or fine-tune their models unless explicitly enabled under those terms or organization-level settings — we do not enable such options.
• Infrastructure providers: cloud hosting, managed database, object storage, and CDN providers used to operate the Service.
• Operational providers: email delivery, error monitoring, and similar service-operations utilities.

9. Sharing Data with Third Parties

Beyond the sub-processors above, we may share personal data only with:

• Professional advisors (lawyers, accountants) under confidentiality
• Authorities, when required by law or court order
• Successors, in the event of a merger, acquisition, or sale of assets

10. Data Security

We implement appropriate technical and organizational security measures to protect personal data, including:

• Encryption of sensitive data in transit and, where applicable, at rest
• Restricting access to data to authorized employees only
• Performing regular backups
• Continuously updating security systems
• Providing employee training on data security

11. Data Retention and Manual Review Workflow

We retain personal data for as long as necessary for the purposes for which it was collected, or as required by law. Subscription freeze, suspension, or termination does not, by itself, trigger automatic deletion of customer data. Deletion, anonymization, return, or archival of customer data is handled through a manual review and approval process, with documentation or audit logging where applicable. This approach is intended to prevent accidental loss of data that the Customer may still need to access or recover after a billing or status change. Retention periods are determined based on:

• The purpose of data collection
• Legal and regulatory requirements
• Legitimate business needs
• Rights of data subjects

12. Rights of Data Subjects

In accordance with the Privacy Protection Law, you have the following rights:

• Right of access: to obtain information regarding the processing of your personal data
• Right to rectification: to correct incorrect or inaccurate data
• Right to erasure: to delete data in certain circumstances
• Right to restriction: to restrict the processing of data
• Right to object: to object to the processing of data
• Right to withdraw consent: to revoke previously given consent

13. Transfer of Data Abroad

In certain cases we may transfer personal data outside Israel. In such cases we will ensure that the data is appropriately protected by:

• Transferring to countries with an adequate level of protection
• Signing standard data transfer agreements
• Implementing additional security measures

14. Changes to the Policy

We may update this policy from time to time. Material changes will be published on our website with appropriate notice. Continued use of our services after publication constitutes consent to the updated policy.

15. Contact

For questions, clarifications, or requests regarding this Data Processing Policy or the handling of your personal data, you can contact us via:

• The contact form on our website
• Email or phone (details available on the website)

16. Complaints

If you have a complaint regarding the processing of your personal data, please contact us first. If the complaint is not resolved to your satisfaction, you may contact the Privacy Protection Authority.