Privacy Policy
Last updated: 2026-05-22
UA — User Accessibility Ltd. is committed to protecting your privacy. This document explains what personal data we collect, how we use it, and your rights under the EU GDPR, California's CCPA/CPRA, and Israel's Privacy Protection Law (1981).
1. Who we are (Data Controller)
- Company: UA — User Accessibility Ltd.
- Address: Neviim 25, Holon, Israel
- Privacy email: [email protected]
- General email: [email protected]
2. What data we collect
a. Data you provide
- Name, email, phone — from contact forms
- Email and website URL — from the Free Scan form
- Message content — from contact forms
- Payment details — via Pelecard (never stored on our servers)
b. Data we collect automatically
- IP address
- User Agent (browser, OS)
- Referrer URL and UTM parameters
- Anonymous visitor UUID in localStorage
- Session ID (sessionStorage)
3. Legal basis for processing (GDPR Art. 6)
| Activity | Legal Basis |
|---|---|
| Free Scan | Contract (to deliver the service you requested) + Consent |
| Contact form | Legitimate Interest (to respond to your inquiry) |
| Analytics (Google Analytics) | Consent (via cookie banner) |
| Marketing (Facebook Pixel, Clarity) | Consent |
| Invoicing and payments | Contract + Legal obligation (tax law) |
4. How long we retain data
| Data type | Retention period |
|---|---|
| Contacts | 24 months from last activity |
| Free scans | 12 months, then anonymized |
| Visit analytics | 6 months |
| Invoices and payments | 7 years (tax law requirement) |
5. International data transfers
All data is stored on servers in Israel. For EU and UK users, Israel benefits from an EU Adequacy Decision — the European Commission has formally recognized Israel's data protection level as essentially equivalent to that of the EU. No additional safeguards are required for transfers to Israel.
6. Your rights under GDPR
EU, UK and EEA residents have the following 8 rights:
- Right of Access: To know what personal data we hold about you
- Rectification: To correct inaccurate data
- Erasure (Right to be Forgotten): To request deletion of your data
- Restriction of Processing: To limit how we use your data
- Data Portability: To receive your data in JSON format for transfer to another provider
- Object to Processing: To object to processing, especially direct marketing
- Withdraw Consent: To withdraw consent at any time (with no retroactive effect)
- Lodge a Complaint: To file a complaint with your local Data Protection Authority
🚀 Exercise a right — automated within 30 days:
Submit a Privacy Request
7. California Residents (CCPA / CPRA)
California residents enjoy CCPA, CPRA and related rights. In addition to the rights above, you have the right to:
- Know: What categories of personal information are collected, and why
- Delete: To request deletion of personal information
- Opt-out of "sale" of personal information: CCPA defines "sale" broadly. Our use of Google Analytics and Facebook Pixel may qualify — you can opt out at any time via our cookie banner.
- Limit use of sensitive personal information
- Non-Discrimination: We won't discriminate against you for exercising your rights
8. Cookies
| Name | Purpose | Duration | Type |
|---|---|---|---|
| XSRF-TOKEN | CSRF protection | Session | Essential |
| laravel_session | Session management | 2 hours | Essential |
| cookie_preferences | Remembers your cookie preferences | 1 year | Essential |
| visitor_uuid | Anonymous analytics ID | Persistent | Statistics |
| _ga, _ga_* | Google Analytics 4 | 2 years | Statistics |
| _fbp, fr | Facebook Pixel | 90 days | Marketing |
| _clck, _clsk | Microsoft Clarity | 1 year | Statistics |
You can manage your cookie preferences at any time via the cookie banner shown on your first visit.
9. Third parties (Sub-processors)
- Google LLC — Google Analytics 4 (Statistics)
- Meta Platforms — Facebook Pixel (Marketing)
- Microsoft — Clarity (Advanced analytics) + Office 365 (Email)
- Pelecard — Payment processing (Israel, PCI-DSS)
- Green Invoice (Morning) — Invoice generation (Israel)
10. Security
We implement industry-standard security: HTTPS, encrypted DB, hashed passwords, CSRF/XSS protection, encrypted daily backups, and access control. In the event of a security incident affecting your rights, we will notify you and the relevant authority within 72 hours (as required by GDPR Art. 33).
11. Contact & Policy changes
For questions, requests or complaints — contact us at [email protected].
If we update this Privacy Policy, we will update the date at the top of this document. Material changes will also be announced via a site banner and email to all account holders.