Privacy Policy

Effective date: 28 May 2026
Last updated: 28 May 2026

1. Who we are and how to contact us

Fogel CFO and Management Services LTD, an Israeli private company, company number 515189637, registered office at Derech Hebron 93, Jerusalem 9345006 ("Fogel CFO", "we", "us", "our"), is the owner and the manager (as those terms are used in the Israeli Protection of Privacy Law, 5741-1981 ("PPL")) of the database(s) underlying the Platform and our Services.

This Privacy Policy describes how we collect, use, share and protect personal data in connection with (a) the Fogel CFO online platform (the "Platform"); (b) our fractional CFO, accounting and bookkeeping services (the "Services"); and (c) our marketing website and business communications. It supplements (and is incorporated into) our Terms of Service.

We have prepared this Privacy Policy to comply with the PPL, as amended by the Protection of Privacy Law (Amendment No. 13), 5774-2024, the principal provisions of which entered into force on 14 August 2025, and the Privacy Protection (Data Security) Regulations, 5777-2017 (the "Data Security Regulations"). To the extent the GDPR or US state privacy laws (such as the CCPA/CPRA) apply, the additional disclosures in Sections 11 to 12 also apply.

2. Context: business data with personal-data elements

Our Services and Platform primarily involve business financial data of our Clients (companies and other legal entities). However, business records inevitably contain personal data of individuals, including employees, directors, signatories, contractors, vendors, customers and other business contacts of our Clients, as well as our own users. This Privacy Policy applies to those personal data.

For most personal data about employees or customers of our Clients, our Client is the data controller / database owner, and Fogel CFO acts as a data processor / database holder on the Client's behalf, on the basis of the Terms of Service / Engagement Letter. The Client is responsible for the lawful basis, notice and consent vis-a-vis those individuals.

For personal data of our Authorised Users, prospective clients, marketing contacts and website visitors, Fogel CFO is the data controller / database owner.

3. Categories of personal data we process

3.1 Authorised Users and business contacts (we are controller)

  • Identification and contact: name, business email, business phone, job title, employer, country.
  • Account data: username, hashed password, login timestamps, MFA tokens, access logs.
  • Communications: emails, chat messages, support tickets, meeting recordings (where notified and consented), call notes.
  • Marketing data: consent records, preferences, source of lead.

3.2 Client Data containing personal data (we are typically processor)

  • Financial transactions: invoices, bills, receipts, expense reports, journal entries, payroll runs, bank and credit-card transactions, ledgers.
  • Counterparties: names, business and personal contact details, ID/passport numbers, tax IDs, bank account numbers and addresses of the Client's customers, vendors, employees, contractors and signatories.
  • Documents: invoices, contracts, bank statements, tax filings, payroll slips and supporting documentation.
  • Bank/credit data: account numbers, balances, transactions and metadata retrieved via Plaid, QuickBooks Online or Israeli bookkeeping systems.
  • System metadata: integration tokens, sync logs.

3.3 Technical and usage data

IP address, device identifiers, browser, OS, language, time zone, cookies and similar identifiers, pages visited, features used, error logs.

3.4 Especially sensitive data

We do not seek to process information of "special sensitivity" (as redefined under Amendment 13). However, certain financial details, ID numbers and passport numbers of individuals may appear in client documents we process. We treat these with heightened care under the Data Security Regulations.

4. How we collect personal data

  • Directly from the Client and its Authorised Users (registration, uploads, communications).
  • Through Platform features and cookies/log files.
  • From Third-Party Services the Client connects (QuickBooks Online; Israeli bookkeeping systems such as Rivhit, Hashavshevet, Priority, Green Invoice/Morning, Sumit, iCount; Plaid for bank aggregation; payment processors; email; and others authorised by the Client).
  • From public sources (company registries, tax-authority records, sanctions lists for KYC/AML and conflict checks).
  • From service providers (identity verification, fraud detection).

5. Purposes, legal bases and consequences of refusal

In accordance with section 11 of the PPL, as expanded by Amendment 13, we process personal data for the following purposes and legal bases:

  • Providing the Platform and Services (all Client Data and Authorised User data): performance of contract; informed consent; legitimate interest.
  • Account administration, authentication, security and fraud prevention (account and technical data): legitimate interest; legal obligation; informed consent.
  • Producing Output such as reports, reconciliations, dashboards and models (Client Data): performance of contract.
  • AI-assisted extraction, classification and analysis of financial documents and transactions (Client Data): performance of contract; informed consent.
  • Communicating with Authorised Users and Clients (contact and account data): performance of contract; legitimate interest.
  • Marketing, only where permitted and opt-in for direct mailing under the Israeli Spam Law (contact data, preferences): consent; legitimate interest for existing-client communications.
  • Legal and tax compliance, including record retention (all categories as required by law): legal obligation, e.g. 7-year retention under Israeli tax/VAT law.
  • Defending legal claims and responding to lawful demands (all categories): legitimate interest; legal obligation.
  • Improving the Platform, security and Services (de-identified data only): legitimate interest.

Consequences of refusal. Providing personal data is generally voluntary, except where required by law (e.g. tax reporting). However, refusal to provide certain data, for example bank-account access via Plaid, Authorised User credentials, or core accounting data, will prevent us from providing the Services or specific features.

No general AI training on Client Data. We do not use Client Data to train general-purpose AI models. See Section 7.

6. Sharing and subprocessors

We share personal data with the following categories of recipients, only as necessary and under appropriate confidentiality and data-protection terms:

  • Intuit / QuickBooks Online (US), to retrieve and synchronise accounting data the Client has authorised, governed by the Intuit Developer Terms of Service and the Intuit App Partner Program.
  • Israeli bookkeeping and ERP providers: Rivhit, Hashavshevet, Priority, Green Invoice / Morning, Sumit, iCount and similar.
  • Plaid Inc. (US), for bank-account data aggregation. Plaid's processing of personal data is governed by Plaid's End User Privacy Policy at https://plaid.com/legal/#end-user-privacy-policy.
  • Workflow and automation tools, including n8n (self-hosted or licensed cloud instance).
  • AI model providers such as OpenAI, Anthropic and Google, via no-training configurations, used to process documents and transactions.
  • Email, communications and CRM providers (e.g. Google Workspace / Microsoft 365, HubSpot, Slack).
  • Document storage, OCR and PDF tools.
  • Identity verification, KYC/AML, sanctions screening and fraud-prevention providers.
  • Professional advisors (lawyers, accountants, auditors, insurers), bound by confidentiality.
  • Government authorities, courts and regulators, where required by law.
  • Acquirers or successors, in connection with a merger, acquisition, financing or sale of assets, subject to confidentiality.

7. Artificial intelligence

We use AI Tools (third-party large-language-model APIs and proprietary tooling) to assist with extracting data from invoices, receipts, bank statements and contracts; classifying and reconciling transactions; drafting commentary; generating reports; and detecting anomalies.

  • No solely automated decisions with legal effect. Our AI use is decision-support only.
  • No training of general models on your data. Our enterprise/API agreements with AI providers are configured so that Client Data is not used to train their public models. We will not enable any training-on-customer-content option without the Client's express written consent.
  • Verify before relying. AI-assisted Output may contain errors. Authorised Users must review Output before relying on it.
  • Israeli-law notice. Where data subjects interact with an AI/chatbot feature, we will clearly disclose that the interaction is with an automated system, together with the categories of data collected, purposes and recipients, consistent with section 11 PPL and the Privacy Protection Authority's guidance.

8. International transfers

We are an Israeli entity, but several of our subprocessors (notably Intuit, Plaid, AI providers and major cloud hosts) are based in the United States or operate globally. As a result, personal data may be transferred from Israel to recipients outside Israel.

We transfer personal data abroad pursuant to the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001, including, as applicable: transfers to countries that receive personal data from EEA member states under the same terms; transfers under written agreements with recipients that contractually commit to a level of protection materially equivalent to Israeli law; and transfers based on the informed consent of the data subject. Where the GDPR applies, transfers outside the EEA are made under appropriate safeguards such as Standard Contractual Clauses. Israel benefits from an EU adequacy decision (Commission Decision 2011/61/EU).

9. Data security

In line with the Data Security Regulations and Amendment 13, we maintain a written information security policy and apply administrative, technical and physical safeguards appropriate to the type, sensitivity and volume of personal data we process. Our measures include:

  • A database definition document, data-security procedure and, where required, a designated Information Security Officer / DPO.
  • Access controls and role-based permissions on a least-privilege basis.
  • Multi-factor authentication for Platform access where supported.
  • Encryption of personal data in transit (TLS 1.2+/1.3) and at rest (AES-256 or equivalent).
  • Logging, monitoring and alerting; periodic review of access logs.
  • Periodic risk assessments and, for databases at the appropriate security level, penetration tests and vulnerability management.
  • Employee training, background checks and confidentiality undertakings.
  • Subprocessor due diligence and contractual data-protection terms.
  • Incident response and business-continuity procedures.

No security measure is perfect. We cannot guarantee absolute security but will respond to incidents in accordance with Section 10.

10. Data breach notification

In the event of a "Severe Security Incident" within the meaning of the Data Security Regulations, we will: (a) promptly notify the Israeli Privacy Protection Authority as required; (b) notify affected Clients without undue delay so that they may inform data subjects as appropriate; and (c) report on the measures taken. Where the GDPR applies, we will assist the data controller in meeting its 72-hour notification obligations.

11. Your rights

11.1 Under Israeli law (PPL, as amended)

Subject to the conditions set out in the PPL, individuals have the right to: inspect the personal data held about them (section 13 PPL); request correction or deletion of data that is incorrect, incomplete, unclear or outdated (section 14 PPL); object to direct mailing and request removal from direct-mailing databases (section 17F PPL); withdraw consent, where processing is based on consent, with effect for future processing; and receive information about the controller's identity and contact details, the categories of data processed, the purposes and recipients, the consequences of refusing to provide data, and the existence of data-subject rights.

11.2 Under the GDPR (where it applies)

Where the GDPR applies, data subjects also have the rights of access, rectification, erasure, restriction of processing, data portability, objection, and the right not to be subject to solely automated decisions with legal effect. Data subjects may complain to a supervisory authority.

11.3 Under the CCPA/CPRA (California, where it applies)

California residents whose personal data we process may have the rights to know, delete, correct, opt out of "sale" or "sharing" (we do not sell or share personal data for cross-context behavioural advertising), limit use of sensitive personal information, and non-discrimination.

12. Extraterritorial application; GDPR and CCPA/CPRA

We are an Israeli entity with no US or EU establishment. However, the GDPR may apply to the extent we offer services to data subjects in the EEA/UK or monitor their behaviour; where our Clients have EU/UK employees, vendors or customers whose data we process, we will, on request, enter into an Article 28 Data Processing Addendum and assist the Client as controller with GDPR compliance. The CCPA/CPRA employee and B2B exemptions expired on 1 January 2023, so personal data of California residents acting in business capacities is in principle within scope; most US Clients will not themselves meet the CCPA thresholds, and we do not "sell" or "share" personal data in the CCPA/CPRA sense. We will act as a "service provider" and enter into a CCPA-compliant addendum on request.

13. Cookies and similar technologies

The Platform uses cookies and similar technologies that are strictly necessary to operate the service (session, login, security), as well as analytics cookies where consented to. For our marketing website, see our separate Cookie Notice / consent banner.

14. Children

The Platform and the Services are intended for businesses and are not directed at individuals under 18. We do not knowingly collect personal data from children.

15. Retention

We retain personal data as long as necessary for the purposes for which it was collected, including: active Client Data for the duration of the engagement; after termination, for up to seven (7) years (or longer if required by Israeli tax/VAT law, the Companies Law or professional standards, or in response to actual or anticipated legal claims); marketing data until consent is withdrawn; and logs and security data typically for 12 to 24 months.

16. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified through the Platform and, where appropriate, by email. The "Last updated" date at the top of this Policy indicates the latest version.

17. Complaints

If you believe your privacy rights have been violated, please first contact us at info@fogelcfo.com. You may also lodge a complaint with the Israeli Privacy Protection Authority, or with the relevant data-protection authority in your jurisdiction (e.g. an EU Member State data protection authority, or the California Privacy Protection Agency).
