Privacy Policy
Israeli Privacy Protection Law · GDPR · Australian Privacy Act
1. Why this policy exists
When you leave us your details, you give us personal information: your name, email, phone number, business name, website, and sometimes free text about what is not working in your marketing.
We need this information so we can get back to you, understand if and how we can help, prepare a proposal, and later provide services. But it is still your information. That is why we want to explain clearly what we collect, why we collect it, where it is stored, who it may be shared with, and what you can ask us to do.
This policy is written with reference to the main principles and obligations under:
- The Israeli Privacy Protection Law, 5741-1981, including section 11 of the law: the duty to notify when collecting information; sections 13-14: the rights of access and correction; section 16: the duty of confidentiality; and section 31A: civil liability in certain cases.
- The Israeli Privacy Protection Law (Amendment No. 13), 5784-2024, which entered into force on 14 August 2025. Israel is our home jurisdiction.
- The Israeli Privacy Protection Regulations (Data Security), 5777-2017.
- The GDPR, where it applies to certain parts of our activity, mainly where we target people in the European Union, the EEA or the United Kingdom, or where we use measurement and tracking tools in relation to visitors from those places.
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), where they apply. Based on current information, a small business with annual turnover of AUD 3M or less is generally not required to comply with the APPs unless an exception applies. Still, because one of our founders, Nave Tahar, is based in Sunshine Coast, Queensland, and because English-speaking and Australian visitors may use the website, we have adopted parts of the APP transparency approach as a working standard.
If anything is unclear, you can contact us at hi@allarounder.io.
2. Who we are
The AllArounder website is operated by Nave Tahar and Noam Eyal Hatshuel, working together under the AllArounder brand.
AllArounder is an AI-based marketing and technology agency that helps businesses and organisations build and maintain an intelligent marketing system.
Contact: hi@allarounder.io. Full business details will be provided within the service agreement or on request.
Privacy email: hi@allarounder.io
WhatsApp: +972-54-260-9969
Founders: Nave Tahar, CTO, Australia; Noam Eyal Hatshuel, CEO, Israel.
For privacy law purposes, the controller of the information is Nave Tahar and Noam Eyal Hatshuel, working together under the AllArounder brand. For any privacy matter, contact hi@allarounder.io.
3. What information we collect
3.1 Audit form on /audit/
When you complete the audit form, we collect:
| Field | Type of information | Required or optional |
|---|---|---|
| First name | Identification | Required |
| Last name | Identification | Required |
| Identification and contact channel | Required | |
| Phone | Identification and contact channel | Required |
| Business name | Identifiable business information | Required |
| Business type | Business profile | Required |
| Website | Business profile | Optional |
| Main marketing challenge | Free text | Required |
| hs_context and technical form data | Routing and source data | Automatic |
In free text, you may write sensitive business information, customer details, financial information, or additional personal information. We ask that you do not send medical information, information about children, identity numbers, credit card details, or any sensitive personal information that is not needed to understand your enquiry.
3.2 Onboarding form on /onboarding/
The onboarding form is intended for clients or people who are in the early stages of working with us. It includes up to 26 fields, including:
- Identification and contact details: name, business, email, phone, location.
- Professional profile: website, Facebook, LinkedIn, Instagram, what you do, field, experience, differentiation, ideal customer.
- Current marketing position: active channels, publishing frequency, challenges, what you have tried before, existing content.
- Voice and values: style and emotion scales, what not to write, content you value, red lines, legacy phrases or core wording.
- Goals: main goal, start date, budget, additional information.
- Consents: confirmation of the Privacy Policy and confirmation of the Terms of Use.
Here too, free-text fields may include personal or sensitive business information. We treat them as confidential information.
3.3 Contact form on /contact/
In a regular contact form, we usually collect:
- Name
- Subject of the enquiry
- Message content
The form is submitted to our own server and stored in a secure database (Supabase, hosted in the European Union). "Contact" and audit enquiries are also forwarded to HubSpot (CRM) for lead management.
3.4 Newsletter signup
When newsletter signup is active, we will collect:
- Name, if the field appears in the form
- Consent and signup records, including signup time and signup source
Signup will be consent-based. If we activate double opt-in, signup will be completed only after email confirmation.
3.5 Website usage data
When you visit the website, certain technical data is also collected:
- IP address or information derived from it.
- Browser and device type.
- Operating system.
- Pages viewed.
- Referrer or traffic source.
- Website usage events, if measurement tools are active.
Some of this data is collected through Cloudflare for website security and operation. Analytics data through Google Analytics and non-essential HubSpot data will be activated for visitors from the EU, UK and EEA only after consent, as explained in the Cookies section.
4. Why we use information
We use information for the following purposes:
| Purpose | Legal basis under Israeli law and GDPR, where applicable |
|---|---|
| To respond to an enquiry submitted through a form | Consent, legitimate interest |
| To perform an initial audit and understand service fit | Consent, legitimate interest |
| To prepare a service proposal | Steps before entering into a contract, legitimate interest |
| To manage relationships with active clients | Performance of a contract |
| To set up a marketing, content, automation or website system for a client | Performance of a contract |
| To send a newsletter or marketing material | Consent |
| To manage an unsubscribe list | Legal obligation and legitimate interest |
| To measure website use and improve it | Consent for EU/UK/EEA, Israel and Australia visitors; legitimate interest or consent elsewhere according to applicable law |
| To protect the website from attacks, spam and bots | Legitimate interest, information security |
| To meet accounting, tax and reporting requirements | Legal obligation |
| To handle privacy requests and complaints | Legal obligation and legitimate interest |
If we ask for information in a required field, not providing it may prevent us from responding to you, understanding the enquiry, preparing a proposal, or providing services. Optional fields can be left blank.
5. Use of AI tools
AllArounder uses AI tools as part of its professional work: marketing analysis, draft writing, content system building, information summaries, automations and internal workflows.
The information you provide may be used inside our work systems so we can provide services to you. For example: understanding the voice of the business, building content infrastructure, analysing a website, or preparing a proposal.
We do not use your information to make legal decisions or automated decisions that create a binding legal effect for you without human involvement.
Where we use an external AI provider that receives personal information, we will work to minimise the information sent, use appropriate privacy settings where the service allows it, and make sure there is an appropriate contractual basis or processing terms.
Regular external AI providers, if any: Anthropic Claude, OpenAI GPT, Google Gemini, and additional providers. This list may be updated over time.
6. Who we share information with
We do not sell your personal information.
We do use service providers that help us operate the website, forms, CRM, automations, email, security and analytics. These providers receive only the information they need for their role.
| Provider | Role | What information may be shared | Storage or processing region | Privacy document / DPA |
|---|---|---|---|---|
| Supabase | Form intake and storage of submissions in a database | Form content, contact details | European Union (eu-central-1, Frankfurt); data is stored in a secure database with row-level access control (RLS). | supabase.com/privacy |
| HubSpot | CRM, forms, lead and client management | Contact details, enquiry content, CRM activity | Depends on account configuration (US / EU / Canada / Australia). We rely on Standard Contractual Clauses (SCC) or the EU-US Data Privacy Framework for any transfer to the US. | legal.hubspot.com/dpa |
| Brevo | Email, newsletter and email messages | Email, name, consent status, sending data | European Union: France/Germany/Belgium according to Brevo | brevo.com/legal |
| Make.com | Automations between systems | The data that passes through the automation scenario | EU (Frankfurt) or US depending on the organisation. We rely on Make DPA + SCC for any US transfer. | make.com/dpa |
| Cloudflare | CDN, security, bot protection, hosting/traffic | IP, HTTP requests, technical logs, security cookies | Global network; some processing may take place in the United States | cloudflare.com/dpa |
| Google Analytics 4 | Website usage measurement | Usage events, cookie identifiers, device and browser data, general location | For EU users, initial collection through servers in the European Union before further processing; Google processing may be global | analytics privacy |
We rely on the providers' terms of service, data processing terms, DPA or international transfer mechanisms, as relevant. If a dedicated DPA approval is required in a provider interface, we will complete it with that provider.
7. Transferring information outside Israel
Our website and services use international providers. This means information may be transferred from Israel to other countries, including the European Union, the United States, Australia and other regions.
- Israel and the European Union: Israel has an adequacy decision from the European Commission for data transfers from the European Union to Israel. The original decision was adopted in 2011 and was reviewed again as part of the adequacy review published in 2024.
- United States: When information is transferred to a US provider, we rely on mechanisms such as Standard Contractual Clauses, the EU-US Data Privacy Framework where the provider is certified under it, or another suitable transfer mechanism.
- Cloudflare and global networks: Some processing takes place across a global network for security and performance. The transfer is covered by Cloudflare's terms and DPA.
- Australia: Nave Tahar, one of AllArounder's founders, lives in Sunshine Coast, Queensland. That fact helps explain why Australian visitors may interact with us, but it does not by itself remove our Israeli home-jurisdiction context or make every part of our activity subject to the Australian Privacy Act 1988 (Cth). If we actively target the Australian market, provide services to Australian clients, or otherwise fall within the scope of the Privacy Act 1988, we will review and update this policy accordingly. Based on current information, the AUD 3M small-business threshold and relevant exceptions need to be checked before treating the APPs as mandatory for AllArounder.
8. Cookies and similar technologies
The website uses or may use cookies, local storage and similar technologies.
| Cookie / tool | Purpose | Type | Is consent required |
|---|---|---|---|
__cf_bm | Bot protection through Cloudflare | Strictly necessary for security | No, when used for security only |
cf_clearance | Stores the result of a Cloudflare security challenge | Strictly necessary for security | No, when used for security only |
_ga, _ga_* | Google Analytics 4 | Analytics | Yes for EU/UK/EEA, Israel and Australia visitors before activation |
__hssc, __hssrc, __hstc, hubspotutk | HubSpot analytics/session/CRM linkage | Analytics and marketing | Yes for EU/UK/EEA, Israel and Australia visitors before activation |
How we manage consent
For visitors from the European Union, EEA, United Kingdom, Israel and Australia: Google Analytics and non-essential HubSpot tracking will be activated only after prior consent. You can reject non-essential cookies and continue using the website.
For visitors from other countries: Analytics cookies may be activated according to applicable local law, subject to this policy and browser control options. If local law requires prior consent, we will act accordingly.
The fact that one of the founders is resident in Australia does not by itself bring EU GDPR into scope. GDPR relevance comes mainly from targeting people in the EU/UK/EEA or monitoring behaviour that takes place there, including through analytics and tracking technologies.
The website includes a cookie consent banner that activates automatically for visitors from the EU, EEA, UK, Israel and Australia. It actively blocks GA4 and HubSpot before consent, offers a Reject option with equal prominence to Accept, and allows withdrawal at any time via the "Cookie settings" link in the footer. Browser Do Not Track is not relied upon as a GDPR/TTDSG/TDDDG solution.
9. How long we keep information
We keep information only for as long as it is needed for the purposes for which it was collected, or for as long as we have a legal obligation to keep it.
| Type of information | Retention period |
|---|---|
| Leads from an audit form or contact form that did not become clients | Up to 24 months from the last enquiry, unless you ask for earlier deletion and there is no obligation to retain |
| Active client details | For the full period of the engagement |
| Client documents, proposals, contracts, invoices and financial records | The engagement period and up to 7 additional years, for tax, accounting, legal defence and business management purposes |
| Onboarding materials for a client who did not start work | Up to 24 months from the last enquiry |
| Newsletter subscribers | Until unsubscribed from the list |
| Email unsubscribe list | Up to 6 years, or another reasonable period, to prove and honour opt-out |
| Technical and security logs | Usually up to 30 days on our side, subject to provider retention periods |
| Cookies | According to each cookie's lifetime and browser or consent mechanism settings |
| Privacy requests and complaints | Up to 7 years for documentation and legal defence purposes |
At the end of the retention period, we will delete the information or anonymise it where possible, subject to legal retention obligations.
10. Database and registration in Israel
Under Amendment 13 to the Israeli Privacy Protection Law, the database registration requirement in Israel was reduced.
Based on current information about AllArounder, we are not a public body, we are not in the business of commercialising personal information as a main activity, and we do not hold a database with highly sensitive information about more than 100,000 people. Therefore, as of May 2026, it appears that there is no obligation to register the database or submit a notice to the Israeli Privacy Protection Authority.
However, business databases are still subject to the law, the 2017 Data Security Regulations, transparency duties, confidentiality duties, data subject rights and security obligations. We will therefore maintain internal documentation of the types of information, processing purposes, people with access, providers, retention periods and security measures.
AllArounder maintains an internal database specification document per the Israeli Data Security Regulations 2017, recording data types, processing purposes, access controls, processors, retention periods, and security measures.
An internal database specification document must be prepared and maintained according to the 2017 Data Security Regulations.
If the scope of activity changes, if we begin processing highly sensitive information at scale, or if we begin transferring personal information to third parties as a business activity, we will reassess the registration or notice obligation.
11. Your rights
Under Israeli law, the GDPR where it applies, and the APPs where they apply, you may have the following rights:
| Right | What it means | How to contact us |
|---|---|---|
| Access | Ask what personal information we hold about you | Email hi@allarounder.io |
| Correction | Ask us to correct wrong, incomplete or inaccurate information | Same channel |
| Deletion | Ask us to delete information, subject to legal retention obligations | Same channel |
| Restriction of processing | Ask us to stop certain uses of the information | Same channel |
| Objection | Object to processing based on legitimate interest, mainly marketing | Same channel |
| Data portability | Receive a structured copy of information you gave us, where GDPR applies | Same channel |
| Withdrawal of consent | Withdraw consent for email, cookies or other consent-based processing | Through an unsubscribe link, cookie settings, or email |
| Not being subject to automated decision-making | Not be subject to an automated decision that creates legal or similar effect, where GDPR applies | Not relevant today, because we do not make such decisions without a person involved |
We will respond to requests within a reasonable time. For GDPR requests, we will usually respond within one month, with a possible extension up to three months for complex requests. For requests under Israeli law, we will act according to the periods set by law and regulations.
Before fulfilling a request, we may ask you for additional information to confirm that you are the person the information relates to.
12. Marketing emails
We will send marketing emails only where we have an appropriate basis for doing so, for example consent to join a newsletter or an existing business relationship that allows contact under applicable law.
You can unsubscribe at any time:
- Through the "unsubscribe" link at the bottom of the email.
- By contacting
hi@allarounder.io.
After you unsubscribe, we may keep your email address on a suppression list to make sure you are not added again by mistake.
13. Information security
We take reasonable security measures in proportion to the size of our activity, the type of information and the risks. These include:
- Limiting access to information according to work need.
- Using recognised services with encryption and accepted security terms.
- Protecting the website through Cloudflare.
- Using HTTPS on the website.
- Separating personal and team access where possible.
- Reducing the amount of information sent to external providers.
- Periodically checking permissions and providers.
- Internally documenting databases and processing processes.
No system is completely protected. If we discover a security incident that may affect you, we will act according to applicable law. Where GDPR applies, we will assess whether to notify the supervisory authority within 72 hours after becoming aware of the incident, if such a duty exists, and also notify data subjects if there is a high risk to their rights. In Israel, in a serious security incident, we will act according to the 2017 Data Security Regulations and the instructions of the Israeli Privacy Protection Authority. In Australia, where the Privacy Act 1988 (Cth) applies, we will assess whether the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act requires notification to affected individuals and to the Office of the Australian Information Commissioner.
14. Children
Our services are intended for business owners, organisations and adults. We do not knowingly collect personal information from children under the age of 16.
If you are a parent or guardian and discover that a child has provided us with personal information, contact us at hi@allarounder.io and we will act to delete the information, unless there is a legal obligation to keep it.
15. Sensitive information
We do not ask you to provide medical information, biometric information, information about political opinions, sexual orientation, religious information, identity numbers, credit card details, or other sensitive personal information, unless it is expressly required for a specific service and subject to appropriate consent and documentation.
If you nevertheless send us this kind of information in free text, we will treat it carefully, minimise its use, and delete it when it is no longer required.
Some Australian state and territory privacy laws mainly apply to public sector agencies. NSW, Victoria and the ACT also have specific health information privacy rules that can affect private sector health service providers. AllArounder is not a health service provider and asks you not to send health information unless it is genuinely required for a specific service.
16. Complaints
If you think we handled your information incorrectly, write to us at hi@allarounder.io. We will review the matter and get back to you.
If our response is not satisfactory, you may also contact the relevant regulator:
- In Israel: the Privacy Protection Authority, Ministry of Justice.
- In the European Union or EEA: the data protection authority in your country of residence, where GDPR applies.
- In the United Kingdom: the Information Commissioner's Office, where UK GDPR applies.
- In Australia: the Office of the Australian Information Commissioner, where the Privacy Act 1988 (Cth) applies.
17. Changes to this policy
We will update this policy from time to time, for example if we add providers, change forms, activate a newsletter, begin targeting new markets, or if the law changes.
When there is a change that requires attention, we will update the "Last updated" date at the top of the document. If the change materially affects how we use information that has already been collected, we will take reasonable steps to provide notice, for example by publishing on the website or sending an email to relevant users.
18. Contact
For any question, request or complaint about privacy:
- Email:
hi@allarounder.io - WhatsApp: +972-54-260-9969
- Full business details: provided within the service agreement or on request.
- Controller: Nave Tahar and Noam Eyal Hatshuel, working together under the AllArounder brand.
We will try to respond within 5 business days, and in any case will act within the periods required by law.