Legal

Privacy Policy

Last updated: May 9, 2026

We respect your privacy. This policy explains what we collect, how we use it, and your rights.

1. Controller

Orlens is owned by Yonatan Halperin, authorized dealer (Osek Murshe) ע.מ. 302671797, Israel ("the Company" / "we"). Privacy & data rights: privacy@orlens.co.il. Security incidents: security@orlens.co.il. No separate Data Protection Officer is appointed; inquiries are handled directly by the proprietor.

2. Data We Collect

Email and name on signup. Onboarding answers. Photos uploaded to AI Review. Course progress. Billing handled by PayPlus — we do not store card numbers. Contact-form submissions (name, email, optional phone, subject, message) — used to reply, never for marketing, never shared. Auto: IP, device, browsing behavior via PostHog (EU, GDPR).

3. How We Use It (and GDPR Lawful Basis)

Account operation, billing, course delivery — Contract (performing the ToS you agreed to).
Essential service emails (password reset, receipts, order confirmations) — Contract.
Learning reminders, weekly digests, product updates, marketing — Explicit consent via the opt-in matrix in /account. Default is OFF (Israeli Spam Law, Amendment 40 to the Telecommunications Law).
Usage analytics (PostHog EU) and product improvement — Consent via the cookie banner. You may decline; the service still works.
Security, fraud prevention, and legal obligations (including 7-year invoice retention) — Legitimate interest + legal obligation.

4. Third Parties

Supabase (DB, EU), PayPlus (payments), Resend (email), Anthropic (AI Review prompts only — not used for training), Spotlightr (video), PostHog EU (analytics), GreenAPI (only if you opt into WhatsApp).

We do not sell data.

5. Retention

Active accounts indefinitely. Deleted accounts — purged within 30 days except for invoices (7-year legal retention). AI-Review images: 14 days free / 90 days monthly / 180 days annual / forever for Pro addon. Technical logs: 90 days.

6. Security

Passwords bcrypt-hashed. TLS in transit. No system is 100% secure; reasonable measures applied.

7. Your Rights (Israeli Privacy Protection Law 5741-1981 + GDPR)

Access & portability — download a JSON copy of your data instantly from /account → Export data.
Rectification — via /profile or by email.
Erasure (right to be forgotten) — via /account → Delete account. Irreversible. Invoices retained 7 years per Israeli VAT Law.
Object to processing and withdraw consent — via the preference matrix in /account.
Other requests — email privacy@orlens.co.il with subject "Data Subject Request" and identity verification. Response within 30 days (complex requests up to 90 days, with interim notice).

8. Security Incidents & Breach Notification

If a security incident may impact your data, we will notify you within 72 hours of confirmation, alongside reporting to the Israeli Privacy Protection Authority where required by law. Report a suspected vulnerability to security@orlens.co.il.

9. Children

Service is 18+. We do not knowingly collect minors' data.

10. Changes

Material changes emailed 14 days in advance. Date shown above.

11. Complaints

Israeli Privacy Protection Authority: gov.il/privacy.

See also: Terms of Service · Media Consent

1. Controller

2. Data We Collect

3. How We Use It (and GDPR Lawful Basis)

Account operation, billing, course delivery — Contract (performing the ToS you agreed to).

Essential service emails (password reset, receipts, order confirmations) — Contract.

Learning reminders, weekly digests, product updates, marketing — Explicit consent via the opt-in matrix in /account. Default is OFF (Israeli Spam Law, Amendment 40 to the Telecommunications Law).

Usage analytics (PostHog EU) and product improvement — Consent via the cookie banner. You may decline; the service still works.

Security, fraud prevention, and legal obligations (including 7-year invoice retention) — Legitimate interest + legal obligation.

7. Your Rights (Israeli Privacy Protection Law 5741-1981 + GDPR)

Access & portability — download a JSON copy of your data instantly from /account → Export data.

Rectification — via /profile or by email.

Erasure (right to be forgotten) — via /account → Delete account. Irreversible. Invoices retained 7 years per Israeli VAT Law.

Object to processing and withdraw consent — via the preference matrix in /account.

Other requests — email privacy@orlens.co.il with subject "Data Subject Request" and identity verification. Response within 30 days (complex requests up to 90 days, with interim notice).