Privacy Policy

Last updated: April 17, 2026 · Effective: April 17, 2026

1. Who we are

Hotam ("the Service", "we") operates an online platform that helps Israeli small and medium businesses assess their ISO 9001 readiness. This policy explains what personal data we collect, why, how we protect it, and your rights.

We process personal data in accordance with Israel's Protection of Privacy Law, 5741-1981 and the Protection of Privacy Regulations (Data Security), 5777-2017, as updated by Amendment 13 (effective August 14, 2025). Where users are located in the EU, we also act in line with the GDPR.

2. What data we collect

2.1 Information you provide

  • Contact & identity: Israeli mobile phone number, name, email, company name, role.
  • One-time password (OTP): sent via SMS for login; stored only as a SHA-256 hash to prevent replay.
  • Assessment answers: information about your organisation's processes and ISO 9001 readiness.
  • Generated reports: gap analysis and readiness reports derived from your answers.

2.2 Data collected automatically

  • Cookies & technical identifiers: JWT session cookie, IP address, browser and OS, pages viewed.
  • Usage analytics: we use Google Analytics 4 — see section 7.

3. Purposes and legal bases

  • Service delivery — running the assessment, generating the report, saving your results (contract performance / consent).
  • Authentication & security — sending OTP codes, managing sessions, preventing abuse (legitimate interest & compliance with the Data Security Regulations).
  • Product improvement — aggregated usage analytics and feature testing (legitimate interest).
  • Legal compliance — retaining records where required by law.

4. Sharing with third parties

We do not sell your data. We share it only with processors that run the service:

  • Neon / PostgreSQL — database hosting.
  • SMS gateway provider — delivers OTP codes to your phone.
  • Resend — transactional email (e.g. report links).
  • Google Analytics 4 (Google Ireland Ltd.) — usage analytics.
  • Cloud infrastructure & monitoring providers — to the extent used to run the service.

Some processors operate outside Israel (mainly EU and US). Cross-border transfers are carried out in accordance with Amendment 13 to the Privacy Protection Law and the Protection of Privacy Regulations (Transfer of Data to Databases Abroad), 5761-2001.

5. Data security

We maintain the security level required by our database classification under the Protection of Privacy Regulations (Data Security), 5777-2017, including password and OTP hashing, TLS in transit, role-based access control, access logging, regular backups, and a documented security incident procedure.

6. Retention

  • Account & assessment data: for the life of the account and up to 24 months after, unless you request earlier deletion.
  • OTP codes: up to 10 minutes; then expired and deleted.
  • Security & access logs: up to 24 months, as required by the Data Security Regulations.

7. Cookies and Google Analytics

We use a session cookie for login and Google Analytics 4 for usage analytics (pages, session duration, referrer). You can block cookies in your browser or install Google's official Analytics Opt-out add-on.

8. Your rights

Under the Privacy Protection Law and Amendment 13, and subject to statutory exceptions, you have:

  • Right of access (Section 13) — obtain a copy of your personal data.
  • Right of rectification (Section 14) — correct inaccurate or outdated data.
  • Right of deletion — delete your account and personal data, subject to retention duties required by law.
  • Right to opt out of direct marketing (Section 17F).
  • Right to withdraw consent — for any processing based on consent.

To exercise these rights, contact us at privacy@hotam.app. You may also file a complaint with the Israeli Privacy Protection Authority (Ministry of Justice).

9. Minors

The service is intended for authorised representatives of businesses and is not directed at children under 18. If we learn that we collected data from a minor, we will delete it.

10. Changes to this policy

We may update this policy from time to time. We will notify you by email or an on-site notice before material changes take effect.

11. Contact

Hotam · Email: privacy@hotam.app

Legal references: Protection of Privacy Law, 5741-1981 · Law text (Nevo) · Amendment 13 (S.H. 3085) · Privacy Protection Authority
