Privacy Policy

This Privacy Policy (“Policy”) of Allpay LTD (the “Company”) explains the Company’s practices regarding the privacy of users of the Company’s Website(s) and Services, and how the Company uses information provided by users or collected during their use of the Website(s) and Services.

This Policy is an integral part of the Allpay Terms of Service (“Agreement”).

This Policy applies to: (i) Users (merchants) who register and use Allpay; and (ii) end-customers and visitors who access Allpay-hosted pages, including checkout and success pages.

For data collected on Allpay-hosted pages about end-customers, the User is the data controller and Allpay acts as a service provider/processor, except where Allpay processes limited data as an independent controller for security, fraud prevention, service reliability, or to comply with law.

Information about you is collected when you use the Website(s) or Services. Some information personally identifies you (e.g., name, address, products/services you purchase or offer for sale, payment method details you provide). This is information you knowingly provide, for example, when registering.

Some information does not personally identify you; this is aggregated and de-identified information (e.g., pages viewed, offers that interested you).

Where personal information is required for registration or purchase, the Company requests only what is directly necessary to provide the Services or complete the purchase.

We use personal information in accordance with this Policy and applicable law to:

• allow use of the Services provided by Allpay;
• improve services and content;
• monitor and collect statistics;
• modify or cancel existing services and content;
• process purchases of products and services;
• (where applicable) tailor ads or analytics as configured by the User on Allpay-hosted pages;
• comply with legal and regulatory requirements.

We apply data minimization, collecting and processing only what is necessary for these purposes.

We process personal information based on one or more of: performance of a contract (providing the Services), legitimate interests (security, fraud prevention, service improvement, privacy-preserving analytics), compliance with legal obligations, and consent where required (e.g., advertising/analytics tags on Allpay-hosted pages as configured by the User via GTM).

The User (as defined in the Agreement) is the owner/controller of personal information collected about its customers and visitors on Allpay-hosted pages and is solely responsible for its lawful use, including required notices and consents. Allpay acts as a processor for such data, except where Allpay processes limited data as an independent controller for security, fraud prevention, service reliability, or legal compliance. The User will indemnify Allpay for any claim arising from the User’s non-compliance with privacy laws regarding its customers.

The Company will not transfer your personal information to third parties except in the following cases:

• to complete a purchase of third-party products/services offered through the Allpay platform;
• in a legal dispute between you and the Company that requires disclosure;
• if your actions on the Website(s) are unlawful;
• in response to a court order or lawful request;
• upon sale/transfer of the Website(s) or merger, provided the new entity accepts this Policy;
• to credit or technological companies PayMe LTD, CAL, MAX, Isracard, and CardCom, which provide technical, legal, and financial services;
• to Allpay’s business partners and integration platforms (including but not limited to CRM, e-commerce, and other connected platforms) when necessary to provide Services, complete a transaction, or enable system integrations;
• Tags added by the User via GTM. Where the User enables integrations through GTM on Allpay-hosted pages, data may be shared with the User-selected vendors under the User’s responsibility and subject to those vendors’ terms. Allpay does not control this processing;
• Google as a vendor. To the extent GTM or related Google services are used, personal information may be processed by Google (e.g., Google Ireland Limited/Google LLC) in accordance with Google’s terms, subject to the User’s configuration and applicable consent.

Allpay is not liable for acts or omissions of third parties once personal information has been lawfully transferred to them, provided reasonable measures were taken to ensure compliance with privacy laws.

1. Allpay may allow the User to implement Google Tag Manager (“GTM”) or similar tag managers on Allpay-hosted checkout and/or success pages.Tags deployed via GTM are selected and controlled by the User. Allpay does not review or approve such tags and is not responsible for their operation, legality, or accuracy.The User must ensure that GTM-deployed tags:
   • do not access, collect, or transmit cardholder data or other sensitive information;
   • do not interfere with the checkout flow or degrade the Services;
   • comply with applicable law (including privacy and data protection laws), PCI DSS, and Allpay’s technical guidelines and Content Security Policy (CSP);
   • respect end-customer consent choices (e.g., Google Consent Mode).
   For clarity, payment input fields are hosted in secure iframes that are not accessible to GTM or third-party tags.Allpay may block, suspend, or remove GTM or specific tags at any time if they pose a risk to security, compliance, or user experience.

Allpay does not store full payment card details of Users or their customers. Card data is transmitted over a secure connection directly to the payment service provider. Allpay may receive limited transaction metadata (e.g., last 4 digits, transaction ID, payer name) for reconciliation, fraud prevention, and support. Payment input fields are hosted in secure iframes that are not accessible to GTM or other third-party scripts.

We use cookies and similar technologies for the stable and secure operation of Allpay, to collect statistics, remember preferences, and (where enabled by the User via GTM) to support analytics and advertising. Modern browsers allow you to block or delete cookies; see your browser’s help for instructions.

Where required by law, non-essential cookies (e.g., advertising/analytics) run only after consent. Users (merchants) must ensure that any tags deployed via GTM honor consent choices on Allpay-hosted pages (e.g., via Google Consent Mode or an equivalent consent signal).

Consent Signals

Allpay supports industry consent signals (e.g., Google Consent Mode). Users must ensure GTM configurations conditionally fire advertising/analytics tags only after consent, where required by law.

As of the effective date, Allpay maintains databases containing fewer than 100,000 individual records and does not operate a credit database as defined by Israeli law.

The Company implements up-to-date security systems and procedures. While these reduce risks of unauthorized intrusion, they do not provide complete protection. The Company does not guarantee immunity from unauthorized access.

Personal information is retained only as long as necessary for the purposes collected or as required by law.

The Company is not responsible for unauthorized access, disclosure, loss, or alteration of personal information beyond its reasonable control, including cyberattacks or force-majeure events.

Where the User deploys GTM or third-party tags, the User must ensure those vendors provide appropriate security and comply with applicable privacy laws. Allpay may enforce technical controls (e.g., CSP allow-lists) to reduce risk from third-party tags.

We may transfer personal information to countries outside your country of residence (e.g., to service providers in the EU, US, or other jurisdictions). Where required by law, we implement appropriate safeguards for such transfers (e.g., contractual clauses or equivalent mechanisms).

We retain personal information only for as long as necessary to provide the Services, for legitimate business purposes (e.g., security, fraud prevention), or to comply with legal obligations. For processor data handled on behalf of the User, retention follows the User’s instructions and our agreement with the User.

The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

Allpay will not allow any third party to process personal information except as stated in this Policy. No transfer will occur unless:

• Allpay assesses information security risks and finds no significant privacy-invasion risk;
• Allpay signs an agreement obligating the subcontractor to maintain confidentiality and comply with privacy laws;
• for integration services, the scope of data provided is strictly limited to what is necessary for that purpose.

End-customers who interact with Allpay-hosted pages may exercise applicable rights (access, correction, deletion, objection, restriction) by contacting the relevant User (controller). Allpay will reasonably assist the User in fulfilling such requests as a processor. Where Allpay acts as an independent controller (e.g., security/fraud/logs), requests can be sent to info@allpay.co.il.

Requests to change cookie/consent choices can be made via the cookie-settings link (where available) or by contacting the User.

Allpay will notify the User of any incident or suspected incident regarding an information-security breach in User databases or User personal information, and provide relevant details where possible.

Allpay may process:

• customer’s full name;
• social ID number;
• contact information (address, phone, email);
• company name, gender, date of birth (where provided);
• items added to cart or purchased;
• behavior on the User’s website.

Permitted uses are limited to providing the Services under the Agreement, including storage, transfer, amendment, access provision, and integration with partners and platforms strictly for operational purposes.

Subject to consent where required, tags configured by the User via GTM may collect device and interaction data (e.g., page URLs, referrers, event timestamps, pseudonymous identifiers such as gclid/fbp/fbc, and purchase metadata like order ID, amount, currency). Such collection is controlled by the User and subject to the User’s vendor terms and privacy notices.

Privacy oversight contact: info@allpay.co.il.

This Policy is governed by the law specified in the Agreement and under the jurisdiction of the courts specified therein.
In case of changes to applicable law, including the Privacy Protection Law and its regulations, Allpay may amend this Policy accordingly.

Significant changes to the use of personal information will be announced on the Website’s homepage and/or via email to registered Users.

The Website may contain links to external services operated by third parties. These are not covered by this Policy, and Allpay is not responsible for interactions between users and such third parties.