🔒 Privacy Policy
What we collect, why, and what your rights are.
📌 Platform owner and data controller
This page is the privacy policy of the Smart-World platform. This Kingdom, Tom Keynan, is operated by its owner — but the technical infrastructure described below (the chatbot, analytics, cookies, and processing of visitor data) is operated and managed by the Smart-World operations team, which is the data controller for the data described in this document.
The Kingdom owner is responsible for the content they publish in their Kingdom; the platform is responsible for the infrastructure and operational data processing. Privacy enquiries should be sent to smartaccess.mgmt@gmail.com.
Jurisdiction: Israel. The applicable laws are the Israeli Privacy Protection Law (5741-1981) and the Privacy Protection (Data Security) Regulations 5777-2017. EU/EEA visitors also benefit from GDPR protections (Israel has an EU adequacy decision).
📋 What we collect, why, and how long we keep it
| Data | Purpose | Retention |
|---|---|---|
| Messages you send to the chatbot | Generate a reply via an external AI model (Gemini / Groq) | Stored locally in your browser until you reset. Server logs: up to 30 days. |
| Your IP address (chat path only) | Per-IP daily rate limit to prevent abuse | Up to the next business day (rolling 24h) |
| Current page name and book/video identifier (only when you chat about a specific item) | Provide context to the chatbot | Sent only during the request; not stored in our DB |
| Name and email on the "Suggest a follow" public form (both optional) | Reply to your suggestion if you'd like one | Up to 12 months, then deleted |
| Language preference cookie (he/en) | Remember your language choice across pages | Up to one year |
| Cookie-consent decision | So we don't show the banner again; gates analytics loading until you accept | Until you clear your browser storage |
| Google Analytics 4 — anonymized visit data (only if you accept) | Understand site traffic patterns | 14 months, with truncated IP |
| In-platform activity events: event type, page path, and a daily-rotating HMAC of your IP (cannot be linked back to you across days) | Show aggregate analytics to each Kingdom owner about their own page; let an internal platform-watchdog role see overall platform usage trends | 90 days, then deleted |
| Session cookie (JSESSIONID) | Used only when the site owner is logged into the admin panel | Up to 4 hours of inactivity |
We do not collect: account passwords, payment details, government identifiers, precise location, or your browsing history outside this site.
🌐 Third parties that receive data
Some interactions on the Site require sending data to external providers. The full list:
| Provider | Data sent | Role |
|---|---|---|
| Google Gemini (AI) | Chat message content, page name, book/video metadata when chatting about an item | Generates the AI reply |
| Groq (AI) | Same as above — used as a fallback when Gemini is unavailable | Fallback AI reply generation |
| Google Books API | Search keywords / ISBNs you enter (only when adding books) | Book metadata lookup |
| YouTube (embedded videos) | Video request when you press play; YouTube may set its own cookies subject to your consent with Google | Video playback on the study pages |
| Google Analytics 4 (optional) | Loads only if you accept the cookie banner. Sends page-view events with truncated IP | Anonymous traffic analytics |
| Open Library / archive.org | Book-cover image fetches. Requests originate from our server (not your browser) | Book cover delivery |
| Hetzner Cloud (Germany) | Hosts the server itself | Hosting infrastructure (sub-processor) |
Google and Groq may process data outside the EEA. For EU/EEA visitors, transfers occur under each provider's Standard Contractual Clauses.
⚖️ Legal basis for processing
- Consent (GDPR Art 6(1)(a)): Google Analytics — loaded only after you click "Accept".
- Legitimate interests (Art 6(1)(f)): chat rate limiting (interest: keeping the service available for everyone).
- Performance of a request (Art 6(1)(b)): forwarding your message to the AI provider — there's no way to answer the chat without processing it.
🛡️ Your rights
Under Israeli privacy law and the GDPR you have the right to:
- Access: ask what data we hold about you.
- Rectify: ask us to correct or delete inaccurate data.
- Erase ("right to be forgotten"): request deletion of data you submitted (e.g. a follow suggestion).
- Restrict processing in certain circumstances.
- Withdraw consent: you can decline analytics at any time by clearing your browser's localStorage (the banner will reappear on the next visit).
- Lodge a complaint with the regulator: in Israel, the Privacy Protection Authority (gov.il/en/departments/the_privacy_protection_authority); in the EU/EEA, your country's supervisory authority.
To exercise any right, email smartaccess.mgmt@gmail.com. We respond within 30 days (the standard GDPR window).
🔐 How we secure your data
The Site went through a security hardening sprint (May 2026) against industry baselines. Current controls include:
- TLS 1.3 in transit via Caddy.
- Admin access via Google OAuth with multi-factor auth.
- Database user with DML-only privileges (no DDL).
- Enforced Content Security Policy.
- Per-token API rate limits.
- CSRF tokens on every state-changing form.
That said, no system is 100% safe. If we discover a security incident affecting your personal data, we will notify the Israeli Privacy Protection Authority within 72 hours (per the 2017 Regulations) and affected users as soon as practicable.
🍪 Cookies
The Site uses these cookies:
- smartaccess_lang — remembers your language preference (essential).
- JSESSIONID — site-owner admin session (essential for the operator only; not present for regular visitors).
- smartaccess_cookie_consent in localStorage — remembers your decision about the cookie banner.
- _ga, _gid, etc. — Google Analytics (only if you accept).
📄 Changes to this policy
We will update this page when the service materially changes (for instance when the Site grows into a multi-user platform). The last-updated date appears at the bottom of the page. For material changes, we will display a visible notice on the Site.