Privacy Policy

Last Updated: May 28, 2026

1. About This Policy

ZeKol is a cloud platform that lets website owners add a Hebrew-speaking AI voice agent to their site. The agent is trained on the owner's own website and uploaded materials, and answers visitors' questions out loud in natural conversation (the "Service").

The Service is operated by Merhav Technologies (מרחב טכנולוגיות) ("Merhav," "ZeKol," "we," "us," or "our"). We take privacy seriously and aim to be straightforward about what we do with personal data.

This Policy describes how we handle personal data relating to:

  • Visitors to our website, dashboard, and billing pages;
  • Customers and their team members who sign up to build and run a voice agent; and
  • End users — the visitors who talk to a voice agent that a Customer has embedded on their own website.

We may revise this Policy as the Service or the law evolves. If we make a material change, we'll flag it on our website or by email. Continuing to use the Service after an update means you accept the revised Policy.

2. Two Roles: When We're the Controller and When We're the Processor

Privacy law distinguishes who decides how data is used (the controller) from who handles it on someone else's instructions (the processor). Which role we play depends on the data:

  • For our own users' data — your account, your dashboard activity, your billing — ZeKol is the controller. This Policy governs that data.
  • For end-user voice conversations that happen inside an agent a Customer has embedded on their website, the Customer is the controller and ZeKol is the processor. We process those conversations on the Customer's behalf, under our agreement with them. End users with questions about that data should contact the relevant site owner. Section 7 explains this in detail.

3. What We Collect

3.1 Customer and team-member data

When you create an account, configure an agent, subscribe, or contact us, we collect:

  • Identity and contact details: name, business name, email address, and any phone number you provide.
  • Account and configuration: login credentials, tenant/workspace settings, and the way you've set up each agent — its name, greeting, persona, behavior rules, and widget appearance.
  • Knowledge-base content: the public website pages we scan at your request and any materials you upload, which we process into the agent's knowledge base. You're responsible for having the right to provide this content.
  • Billing data: your plan, invoices, and payment confirmations. Card details are handled by our payment provider (Polar Payments Ltd.), not by us — we don't store full card numbers.
  • Support and correspondence: the messages, tickets, and history of your communications with us.

3.2 Technical and usage data (our site and dashboard)

Like most online services, we automatically record certain diagnostic data when you use our website or dashboard: a masked or truncated IP address, approximate region derived from it, browser and device/OS type, pages viewed, timestamps, session and request identifiers, and error logs. We use this to run the Service, keep it secure, and understand how it's performing.

3.3 Website scanning

To build your agent's knowledge base, we run a bounded crawl of the public pages on the website address you give us — same-domain, limited in depth and page count, and respectful of robots directives. We collect only the public content needed to answer questions about your site. We don't attempt to access pages behind a login or content you haven't asked us to scan.

3.4 End-user voice interactions

When a visitor talks to an embedded agent, we process the conversation on the Customer's behalf (see Section 7). In short: we store the text transcript of the conversation so the site owner can review it and so we can run and improve the Service. We do not retain the raw audio after it has been processed.

4. How We Use Personal Data

We use personal data to:

  • provide, operate, and maintain the Service, including account setup and customer support;
  • scan your website and build, store, and serve your agent's knowledge base;
  • generate and deliver voice responses by converting speech to text, retrieving relevant knowledge, generating an answer, and converting it back to speech;
  • process payments and manage subscriptions;
  • keep the Service secure, prevent fraud and abuse, enforce rate limits, and ensure reliability;
  • analyze usage and improve the quality, accuracy, and performance of the Service; and
  • comply with our legal, tax, and accounting obligations.

With your consent, where required, we may also send you product or marketing communications. You can opt out at any time.

5. Legal Bases (EU / UK)

Where the EU or UK GDPR applies, we rely on:

  • Performance of a contract — to provide the Service you've signed up for.
  • Legitimate interests — to secure, operate, analyze, and improve the Service, balanced against your rights and interests.
  • Legal obligation — for tax, accounting, and similar requirements.
  • Consent — for optional marketing and, in future, any non-essential analytics. You can withdraw consent at any time.

6. AI Processing and Model Training

The Service uses third-party AI models to transcribe speech, generate answers, and synthesize Hebrew speech (see Section 9 for the providers). We send to these models only what's needed to produce a response — the relevant knowledge-base content and conversation context.

We do not sell personal data, and we do not use Customer content or end-user conversations to train foundation models or general-purpose AI. Our model providers act as our sub-processors and are contractually restricted from using your data to train their own models other than as needed to provide their service to us.

7. End-User Voice Conversations (Processor Detail)

This section covers conversations between visitors and an agent embedded on a Customer's site. Here, the Customer is the controller and ZeKol is the processor, acting under a data processing agreement.

  • When collection begins. The agent requests microphone access in the visitor's browser. We don't begin capturing conversation content until the visitor starts speaking to the agent. Connecting the call and routing live audio relies on our real-time voice infrastructure provider; that routing is necessary to deliver the Service.
  • What we keep. The visitor's speech is transcribed and answered in real time. We store the resulting text transcript so the site owner can review the conversation. The raw audio stream is not retained once it has been processed into text and a response.
  • Technical metadata. To run the Service and prevent abuse, we may process limited technical metadata — masked IP or coarse location derived from it, browser/device type, timestamps, and session/request identifiers.
  • How we use it. We process these conversations to deliver the Service to the Customer, to provide support, to keep the Service secure, and to maintain and improve its quality. For company-level research and product improvement, we rely on de-identified and aggregated data rather than identifiable transcripts.
  • What we never do. We do not sell conversation data, and we do not use it to train foundation or general-purpose AI models.
  • Deletion. We honor verified deletion requests. Because the Customer is the controller, end users should direct deletion requests to the site owner, who can instruct us; we then delete the relevant data, including from backups within a reasonable period.

8. De-Identified and Aggregated Data

We may produce and use de-identified and aggregated information — statistics and insights that can't reasonably be linked back to an identifiable person — to operate, secure, and improve the Service, to understand performance, and in confidential business communications (for example, with prospective investors). Because this data is no longer personal data, we may retain and use it indefinitely. We do not share raw transcripts or identifiable personal data for these purposes.

9. Sub-Processors and Sharing

We share limited personal data with vetted service providers who help us run the Service. Each is bound by contract to process data only on our instructions and in line with applicable privacy law; we remain responsible for their handling of it.

Provider Role
Google Cloud / Google LLC Hosting and compute (Cloud Run), database (Cloud Firestore), authentication (Firebase Auth), static hosting, and AI models — large-language-model responses, text embeddings, speech-to-text, and Hebrew text-to-speech.
LiveKit Real-time voice infrastructure — routing live audio and running the voice-agent session.
Polar Payments Ltd. Payment processing and subscription management.
PostHog Product analytics for our marketing site and dashboard (usage events and session recordings), used only with your consent. Processed in the European Union.

Where we enable alternative speech providers for quality or availability (for example Microsoft Azure for speech-to-text or Deepdub for text-to-speech), they act as sub-processors under the same terms. We'll keep this list current as our providers change.

We may also disclose personal data when we reasonably need to:

  • comply with applicable law, a lawful request, or a court order;
  • protect the rights, safety, or property of ZeKol, our Customers, or others; or
  • carry out a merger, acquisition, financing, or similar corporate transaction (we'll require the recipient to honor this Policy).

We do not sell personal data, and we do not share it for cross-context behavioral advertising.

10. International Data Transfers

Our primary database is hosted in Israel (Tel Aviv region). Depending on the provider, data may also be processed in the European Union, the United States, or other regions where our providers operate (for example, our real-time voice infrastructure runs in the EU, and some AI processing may occur in the United States).

Where the GDPR or UK GDPR requires it, we rely on appropriate safeguards for international transfers, including the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK International Data Transfer Addendum, supported by additional measures and equivalent obligations in our contracts with sub-processors. Israel benefits from an EU adequacy decision for many transfers from the EEA. For transfers of personal data out of Israel, we rely on the transfer conditions permitted under Israeli law (such as the recipient being subject to adequate protection or bound by appropriate contractual safeguards).

11. Data Security

We maintain technical and organizational safeguards appropriate to the risk, including:

  • encryption in transit (TLS) and at rest;
  • role-based access on a least-privilege basis, with strong authentication for production systems;
  • tenant isolation — each Customer's data is segregated, and client applications cannot write directly to the database;
  • logging and monitoring, rate limiting, and abuse prevention;
  • domain/origin allow-listing for embedded widgets and short-lived, scoped access tokens; and
  • secure cloud infrastructure with periodic review.

No system is perfectly secure, but we work continuously to strengthen our protections.

12. Data Retention

  • Customer account and configuration data (ZeKol as controller): kept while your account is active and afterward as needed for support, dispute resolution, fraud prevention, and legal or accounting obligations.
  • Knowledge-base content: kept while the relevant site is active in your account; removed or rebuilt when you delete the site or close your account.
  • Technical and usage logs: kept for a limited period for security and service integrity, then deleted or de-identified.
  • End-user conversation transcripts (ZeKol as processor): kept for as long as the Customer's account and the relevant site are active and for as long as needed for the purposes in this Policy — enabling the site owner to review conversations, and operating, supporting, securing, and improving the Service. We are not obligated to delete on a fixed schedule, but we will delete or de-identify transcripts on the Customer's instruction, on a verified erasure request, when an account is closed, or when they are no longer needed. Deletions propagate from active systems promptly and from backups within a reasonable period, unless we're legally required to keep the data.
  • De-identified and aggregated data: may be retained indefinitely, as it is not personal data.

13. Your Privacy Rights

Depending on where you live, you may have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your data;
  • restrict or object to certain processing;
  • receive a portable copy of your data; and
  • withdraw consent where we rely on it.

EU / UK (GDPR): the rights above apply, and you may lodge a complaint with your local Data Protection Authority (in the UK, the ICO).

United States (including California): where applicable, you may request access to and deletion of your personal information and may not be discriminated against for exercising these rights. We do not sell your personal information and do not share it for cross-context behavioral advertising.

Israel: you have rights of access and correction under the Protection of Privacy Law, and may contact the Israeli Privacy Protection Authority (PPA).

How to exercise your rights:

  • Account holders (Customers and team members): email us at zekol.agents@gmail.com. We'll respond as required by applicable law and may need to verify your identity.
  • End users (you talked to an agent on someone's website): please contact that website's owner, who controls your conversation data. We'll support them in responding to your request.

14. Cookies and Similar Technologies

  • The embedded voice widget sets no cookies. When an agent runs on a Customer's site, our widget does not place cookies or store data on the visitor's device for tracking; it requests microphone access only to enable the conversation.
  • Our website and dashboard use essential storage — for example, the authentication tokens our sign-in provider stores in your browser to keep you logged in.
  • Analytics, with your consent. On our marketing website and dashboard (but never the embedded widget) we use PostHog for product analytics and session recording to understand how the product is used and where people get stuck. This is off by default: it runs only after you accept it in our consent banner, and you can decline at any time. Session recordings mask all input fields so we don't capture what you type (such as passwords or message contents). Analytics data is processed in the European Union.

15. Children's Data

The Service isn't intended for children under 16, and we don't knowingly collect their personal data. If we learn that we've collected personal data from a child, we'll delete it promptly.

16. Complaints

You can always contact us first at zekol.agents@gmail.com and we'll try to resolve your concern. You also have the right to complain to a supervisory authority:

  • Israel: the Privacy Protection Authority (PPA).
  • EU / EEA: your local Data Protection Authority.
  • UK: the Information Commissioner's Office (ICO).

17. Changes to This Policy

We may update this Policy from time to time. We'll revise the "Last Updated" date above and, for material changes, give notice on our website or by email.

18. Contact Us

Merhav Technologies (operator of ZeKol) Tel Aviv, Israel Email: zekol.agents@gmail.com