๐ Privacy Policy
What we collect, why, and what your rights are.
๐ Platform owner and data controller
This page is the privacy policy of the Smart-World platform. This Kingdom, Adi Haim, is operated by its owner โ but the technical infrastructure described below (the chatbot, analytics, cookies, and processing of visitor data) is operated and managed by the Smart-World operations team, which is the data controller for the data described in this document.
The Kingdom owner is responsible for the content they publish in their Kingdom; the platform is responsible for the infrastructure and operational data processing. Privacy enquiries should be sent to smartaccess.mgmt@gmail.com.
Jurisdiction: Israel. The applicable laws are the Israeli Privacy Protection Law (5741-1981) as amended by Amendment 13 (in force August 2025) and the Privacy Protection (Data Security) Regulations 5777-2017. EU/EEA visitors also benefit from GDPR protections (Israel has an EU adequacy decision).
๐ What we collect, why, and how long we keep it
| Data | Purpose | Retention |
|---|---|---|
| Messages you send to the chatbot | Generate a reply via an external AI model (Gemini / Groq) | Stored locally in your browser until you reset. Server logs: up to 30 days. |
| Your IP address (chat path only) | Per-IP daily rate limit to prevent abuse | Up to next business day (rolling 24h) |
| Current page name and book/video identifier (only when you chat about a specific item) | Provide context to the chatbot | Sent only during the request; not stored in our DB |
| Name and email on the "Suggest a follow" public form (both optional) | Reply to your suggestion if you'd like one | Up to 12 months, then deleted |
| Language preference cookie (he/en) | Remember your language choice across pages | Up to one year |
| Cookie-consent decision | So we don't show the banner again; gates analytics loading until you accept | Until you clear your browser storage |
| Google Analytics 4 โ anonymized visit data (only if you accept) | Understand site traffic patterns | 14 months, with truncated IP |
| In-platform activity events: event type, page path, and a daily-rotating HMAC of your IP (cannot be linked back to you across days) | Show aggregate analytics to each Kingdom owner about their own page; let an internal platform-watchdog role see overall platform usage trends | 90 days, then deleted |
| Session cookie (JSESSIONID) | Used only when the site owner is logged into the admin panel | Up to 4 hours of inactivity |
We do not collect: account passwords, payment details, government identifiers, precise location, or your browsing history outside this site.
๐ Third parties that receive data
Some interactions on the Site require sending data to external providers. The full list:
| Provider | Data sent | Role |
|---|---|---|
| Google Gemini (AI) | Chat message content, page name, book/video metadata when chatting about an item | Generates the AI reply |
| Groq (AI) | Same as above โ used as a fallback when Gemini is unavailable | Fallback AI reply generation |
| Google Books API | Search keywords / ISBNs you enter (only when adding books) | Book metadata lookup |
| YouTube (embedded videos) | Video request when you press play; YouTube may set its own cookies subject to your consent with Google | Video playback on the study pages |
| Google Analytics 4 (optional) | Loads only if you accept the cookie banner. Sends page-view events with truncated IP | Anonymous traffic analytics |
| Open Library / archive.org | Book-cover image fetches. Requests originate from our server (not your browser) | Book cover delivery |
| Hetzner Cloud (Germany) | Hosts the server itself | Hosting infrastructure (sub-processor) |
Google and Groq may process data outside the EEA. For EU/EEA visitors, transfers occur under each provider's Standard Contractual Clauses.
โ๏ธ Legal basis for processing
- Consent (GDPR Art 6(1)(a)): Google Analytics โ loaded only after you click "Accept".
- Legitimate interests (Art 6(1)(f)): chat rate limiting (interest: keeping the service available for everyone).
- Performance of a request (Art 6(1)(b)): forwarding your message to the AI provider โ there's no way to answer the chat without processing it.
๐ก Your rights
Under Israeli privacy law and the GDPR you have the right to:
- Access: ask what data we hold about you.
- Rectify: ask us to correct or delete inaccurate data.
- Erase ("right to be forgotten"): request deletion of data you submitted (e.g. a follow suggestion).
- Restrict processing in certain circumstances.
- Withdraw consent: you can decline analytics at any time by clearing your browser's localStorage (the banner will reappear on the next visit).
- Lodge a complaint with the regulator: in Israel, the Privacy Protection Authority (gov.il/en/departments/the_privacy_protection_authority); in the EU/EEA, your country's supervisory authority.
To exercise any right, email smartaccess.mgmt@gmail.com. We respond within 30 days (the standard GDPR window).
๐ Especially-sensitive information & how it's accessed
The Wallet (financial), Food-Plan (health) and Travel (location) areas hold "information of especially sensitive nature" as defined by the Privacy Protection Law following Amendment 13. We treat it accordingly:
- Encryption at rest โ all Wallet financial data is AES-GCM-256 encrypted in the database; plaintext is not retained. A database breach would expose only ciphertext.
- Gated access โ for now, access to the sensitive areas is granted only to users the platform operator has personally approved, which bounds and controls the set of people whose sensitive data we hold.
- Used only on your request โ this data is entered or uploaded by you for the service you asked for; we never sell or rent it.
- When we extract data from a document you upload, identifying details are redacted before any AI model sees it.
Behavioural signals: the platform learns what you engage with (views, dwell time, scrolling, clicks) to rank relevance for you. Anonymous visitor identifiers are hashed and rotate daily.
Data Protection Officer / privacy contact: smartaccess.mgmt@gmail.com.
๐ How we secure your data
The Site went through a security hardening sprint (May 2026) against industry baselines. Current controls include:
- TLS 1.3 in transit via Caddy.
- Admin access via Google OAuth with multi-factor auth.
- Database user with DML-only privileges (no DDL).
- Enforced Content Security Policy.
- Per-token API rate limits.
- CSRF tokens on every state-changing form.
That said, no system is 100% safe. If we discover a security incident affecting your personal data, we will notify the Israeli Privacy Protection Authority within 72 hours (per the 2017 Regulations) and affected users as soon as practicable.
๐ช Cookies
The Site uses these cookies:
- smartaccess_lang โ remembers your language preference (essential).
- JSESSIONID โ site-owner admin session (essential for the operator only; not present for regular visitors).
- smartaccess_cookie_consent in localStorage โ remembers your decision about the cookie banner.
- _ga, _gid, etc. โ Google Analytics (only if you accept).
๐ Changes to this policy
We will update this page when the service materially changes (for instance when the Site grows into a multi-user platform). The last-updated date appears at the bottom of the page. For material changes, we will display a visible notice on the Site.