Privacy Policy

This Privacy Policy (“Policy”) of Allpay LTD (the “Company”) explains the Company’s practices regarding the privacy of users of the Company’s Website(s) and Services, and how the Company uses information provided by users or collected during their use of the Website(s) and Services.

This Policy is an integral part of the Allpay Terms of Service (“Agreement”).

Scope and Roles

This Policy applies to: (i) visitors to our website at allpay.co.il (including any subpages, landing pages, forms, and marketing pages); (ii) Users (merchants) who register for and use the Allpay dashboard, web application and/or mobile application (the “App”); and (iii) end-customers and visitors who access Allpay-hosted pages (including checkout and success pages).

For the avoidance of doubt, this Policy covers our use of cookies and similar technologies on allpay.co.il and any similar identifiers that may be used in the App, as described below.

Affiliate Visibility of Aggregated Turnover

Where a User registers through an Allpay affiliate link, the User explicitly agrees that Allpay may display to the referring partner the User’s aggregated monthly turnover amount only, without any access to personal data, individual payments, transaction details, payer information, or identifiers.

This disclosure is strictly limited to enabling the calculation of partner commissions. The referring partner has no rights to access additional User information and must keep all such aggregated turnover information strictly confidential and use it solely for commission-related purposes.

General provisions

Information about you is collected when you use the Website(s) or Services. Some information personally identifies you (e.g., name, address, products/services you purchase or offer for sale, payment method details you provide). This is information you knowingly provide, for example, when registering.

Some information does not personally identify you; this is aggregated and de-identified information (e.g., pages viewed, offers that interested you).

Certain technical data and online identifiers may be considered “Personal Information” under applicable law, including the Israeli Protection of Privacy Law (as amended). This may include, for example, IP address, device identifiers, advertising identifiers, and identifiers stored in cookies or similar technologies.

Registration for services

Where personal information is required for registration or purchase, the Company requests only what is directly necessary to provide the Services or complete the purchase.

Use of information

We use personal information in accordance with this Policy and applicable law to:

  • allow use of the Services provided by Allpay;
  • improve services and content;
  • monitor and collect statistics;
  • modify or cancel existing services and content;
  • process purchases of products and services;
  • (where applicable) tailor ads or analytics as configured by the User on Allpay-hosted pages;
  • comply with legal and regulatory requirements.

We apply data minimization, collecting and processing only what is necessary for these purposes.

Lawful Bases

For allpay.co.il, we rely on consent for Marketing, Analytics, and Personalization cookies (where required), and on necessity and/or legitimate interests for Essentials (security, fraud prevention, stability, and basic functionality). For Allpay-hosted pages, the relevant User (merchant) may configure certain tags and is responsible for obtaining any required notices and consents from end-customers.

Cookies and Similar Technologies

We use cookies and similar technologies (such as pixels, local storage, and tags) on allpay.co.il and, where applicable, within the App, for the purposes described in this Policy.

Cookie categories

We use the following categories:

Essentials (strictly necessary). Required for the website/App to function and for security. These are always active.

Personalization. Used to remember choices and preferences (for example, language selection).

Analytics. Used to understand how our website is used (for example, Google Analytics or similar tools).

Marketing. Used to measure and optimize marketing campaigns and deliver targeted advertising (for example, Meta Pixel or similar tools).

Essentials examples (always active)

Examples of Essentials may include:
(i) security cookies and tokens used to detect fraud, abuse, or automated traffic;
(ii) cookies required to enable and secure form submissions and protect them from bots (including CAPTCHA / reCAPTCHA-related cookies where applicable);
(iii) session cookies and load-balancing cookies used to maintain stability and performance;
(iv) cookies used to store your cookie-consent status and preferences;
(v) cookies required to provide a feature you explicitly requested (e.g., authentication to access your account/dashboard).

Consent

Except for Essentials, we will place and use cookies in these categories only if and after you provide your consent via our cookie consent mechanism.

For users in Israel, we obtain consent for non-essential cookies in line with the Israeli Protection of Privacy Law (as amended, including Amendment No. 13) and related guidance. You can consent to all categories or choose specific categories. We do not activate non-essential cookies before you make your choice.

If you reject non-essential cookies (or certain categories), some parts of the website may not function as intended. For example, if you reject Personalization cookies, we may not be able to remember your language preference and you may need to select it again.

Duration and withdrawal

Your cookie choices are stored for up to 365 days, unless you change them earlier. You can withdraw or change your consent at any time by clicking “Manage cookies” in the website footer.

We may retain a record of your cookie preferences (including the date/time and categories chosen) to demonstrate compliance and to respect your choices.

Third-party cookies

Our website may include third-party services and embedded content (for example, video players such as YouTube) and third-party scripts (for example, analytics and advertising providers). These third parties may process data as independent controllers, and their practices are governed by their own privacy policies.

We block non-essential analytics and marketing tools by default and load them only after you have consented to the relevant cookie category. Embedded media (such as YouTube videos) may be available even if you reject non-essential cookies, because it is content you explicitly choose to view. Where possible, we use YouTube’s privacy-enhanced embedding (youtube-nocookie.com) to reduce cookie usage until you interact with the video.

When you interact with embedded media (for example, by playing a video), the third-party provider may receive technical data such as your IP address and device information and may set cookies or similar identifiers, subject to its own policies.

Ownership and Roles

The User (as defined in the Agreement) is the owner/controller of personal information collected about its customers and visitors on Allpay-hosted pages and is solely responsible for its lawful use, including required notices and consents. Allpay acts as a processor for such data, except where Allpay processes limited data as an independent controller for security, fraud prevention, service reliability, or legal compliance. The User will indemnify Allpay for any claim arising from the User’s non-compliance with privacy laws regarding its customers.

Providing Information to Third Parties

The Company will not transfer your personal information to third parties except in the following cases:

  • to complete a purchase of third-party products/services offered through the Allpay platform;
  • in a legal dispute between you and the Company that requires disclosure;
  • if your actions on the Website(s) are unlawful;
  • in response to a court order or lawful request;
  • upon sale/transfer of the Website(s) or merger, provided the new entity accepts this Policy;
  • to credit or technological companies PayMe LTD, CAL, MAX, Isracard, and CardCom, which provide technical, legal, and financial services;
  • to Allpay’s business partners and integration platforms (including but not limited to CRM, e-commerce, and other connected platforms) when necessary to provide Services, complete a transaction, or enable system integrations;
  • Tags added by the User via GTM. Where the User enables integrations through GTM on Allpay-hosted pages, data may be shared with the User-selected vendors under the User’s responsibility and subject to those vendors’ terms. Allpay does not control this processing;
  • Google as a vendor. To the extent GTM or related Google services are used, personal information may be processed by Google (e.g., Google Ireland Limited/Google LLC) in accordance with Google’s terms, subject to the User’s configuration and applicable consent.

Allpay is not liable for acts or omissions of third parties once personal information has been lawfully transferred to them, provided reasonable measures were taken to ensure compliance with privacy laws.

Google Tag Manager and Third-Party Tags

  1. Allpay may allow the User to implement Google Tag Manager (“GTM”) or similar tag managers on Allpay-hosted checkout and/or success pages. Tags deployed via GTM are selected and controlled by the User. Allpay does not review or approve such tags and is not responsible for their operation, legality, or accuracy. The User must ensure that GTM-deployed tags:
    • do not access, collect, or transmit cardholder data or other sensitive information;
    • do not interfere with the checkout flow or degrade the Services;
    • comply with applicable law (including privacy and data protection laws), PCI DSS, and Allpay’s technical guidelines and Content Security Policy (CSP);
    • respect end-customer consent choices (e.g., Google Consent Mode).
    For clarity, payment input fields are hosted in secure iframes that are not accessible to GTM or third-party tags. Allpay may block, suspend, or remove GTM or specific tags at any time if they pose a risk to security, compliance, or user experience.

Payment Data

Allpay does not store full payment card details of Users or their customers. Card data is transmitted over a secure connection directly to the payment service provider. Allpay may receive limited transaction metadata (e.g., last 4 digits, transaction ID, payer name) for reconciliation, fraud prevention, and support. Payment input fields are hosted in secure iframes that are not accessible to GTM or other third-party scripts.

Data Security

As of the effective date, Allpay maintains databases containing fewer than 100,000 individual records and does not operate a credit database as defined by Israeli law.

The Company implements up-to-date security systems and procedures. While these reduce risks of unauthorized intrusion, they do not provide complete protection. The Company does not guarantee immunity from unauthorized access.

Personal information is retained only as long as necessary for the purposes collected or as required by law.

The Company is not responsible for unauthorized access, disclosure, loss, or alteration of personal information beyond its reasonable control, including cyberattacks or force-majeure events.

Where the User deploys GTM or third-party tags, the User must ensure those vendors provide appropriate security and comply with applicable privacy laws. Allpay may enforce technical controls (e.g., CSP allow-lists) to reduce risk from third-party tags.

International Transfers

We may transfer personal information to countries outside your country of residence (e.g., to service providers in the EU, US, or other jurisdictions). Where required by law, we implement appropriate safeguards for such transfers (e.g., contractual clauses or equivalent mechanisms).

The Company stores and processes certain data using secure infrastructure located in jurisdictions that provide an adequate level of data protection or under Standard Contractual Clauses ensuring equivalent safeguards.

Retention

We retain personal information only for as long as necessary to provide the Services, for legitimate business purposes (e.g., security, fraud prevention), or to comply with legal obligations. For processor data handled on behalf of the User, retention follows the User’s instructions and our agreement with the User.

Children

The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

Processing of Personal Information by Subcontractors

Allpay will not allow any third party to process personal information except as stated in this Policy. No transfer will occur unless:

  • Allpay assesses information security risks and finds no significant privacy-invasion risk;
  • Allpay signs an agreement obligating the subcontractor to maintain confidentiality and comply with privacy laws;
  • for integration services, the scope of data provided is strictly limited to what is necessary for that purpose.

Information Rights

End-customers who interact with Allpay-hosted pages may exercise applicable rights (access, correction, deletion, objection, restriction) by contacting the relevant User (controller). Allpay will reasonably assist the User in fulfilling such requests as a processor. Where Allpay acts as an independent controller (e.g., security/fraud/logs), requests can be sent to info@allpay.co.il.

Cookie preferences on allpay.co.il can be changed or withdrawn at any time via the “Manage cookies” link in the website footer. For Allpay-hosted pages operated on behalf of a User (merchant), cookie and tracking choices (if available) are managed by that User, and requests should be directed to the User as the controller.

Information Security Incidents

Allpay will notify the User of any incident or suspected incident regarding an information-security breach in User databases or User personal information, and provide relevant details where possible.

Particulars of Processing

Allpay may process:

  • customer’s full name;
  • social ID number;
  • contact information (address, phone, email);
  • company name, gender, date of birth (where provided);
  • items added to cart or purchased;
  • behavior on the User’s website.

Permitted uses are limited to providing the Services under the Agreement, including storage, transfer, amendment, access provision, and integration with partners and platforms strictly for operational purposes.

GTM-Specific Data Points (where enabled by the User)

Subject to consent where required, tags configured by the User via GTM may collect device and interaction data (e.g., page URLs, referrers, event timestamps, pseudonymous identifiers such as gclid/fbp/fbc, and purchase metadata like order ID, amount, currency). Such collection is controlled by the User and subject to the User’s vendor terms and privacy notices.

Miscellaneous

Privacy oversight contact: info@allpay.co.il.

This Policy is governed by the law specified in the Agreement and under the jurisdiction of the courts specified therein.
In case of changes to applicable law, including the Privacy Protection Law and its regulations, Allpay may amend this Policy accordingly.

Significant changes to the use of personal information will be announced on the Website’s homepage and/or via email to registered Users.

The Website may contain links to external services operated by third parties. These are not covered by this Policy, and Allpay is not responsible for interactions between users and such third parties.