PRIVACY POLICY – INITEOUT
Update date: February 24, 2026
This policy explains, in clear language, how we handle your information. It reflects Israeli law (including Amendment 13) and, for EEA/UK visitors, the GDPR. It is not legal advice.
Quick Summary
- We collect contact details, usage data, and cookie data to run and improve our services.
- We are usually a Controller; for some services we act as a Processor for customers.
- You can change cookie choices anytime via our consent manager.
- You can exercise privacy rights via our form, email, or by phone.
Who We Are and Our Role (Controller/Processor)
InSiteOut (the “Company”). Privacy contact: [email protected]. In most cases, we act as a Controller (we decide why and how your personal data is processed). For certain services, we act as a Processor for our customers (we process personal data on their documented instructions under a data processing agreement and do not use it for our own purposes).
What We Collect
- Information you provide: contact details, preferences, documents/files if provided.
- Information collected automatically: device, usage and diagnostic data, cookies.
- Information from third parties: analytics/measurement (GA4, Hotjar, Contentsquare).
Why We Use It (Purposes & Legal Bases)
We use data to provide services and answer requests; to operate, secure, and improve our products; to run marketing with consent; and to meet legal obligations. For EEA/UK visitors we rely on consent/contract/legal obligation/legitimate interests under the GDPR. Where we rely on legitimate interests, we run a balancing test to make sure our interests do not override your interests or rights, and we offer an opt‑out where appropriate.
Who We Share With
- Service providers (hosting, maintenance, CRM, mailing, analytics) under data protection terms.
- Authorities, when required by law.
- Business changes (e.g., merger or acquisition).
International Transfers
EEA/UK → Israel: where applicable, transfers rely on an adequacy decision recognizing that the destination ensures an adequate level of protection. Transfers from Israel/EEA/UK to other countries use appropriate safeguards (e.g., Standard Contractual Clauses and supplementary measures, where needed), and we assess local laws to help ensure continuity of protection.
Cookies & Similar Technologies
We use essential cookies to run the site and optional cookies (analytics/behavioral) — only with consent for EEA/UK visitors. Change your preferences anytime in our consent manager.
Cookie Table
| Cookie Name | Provider/Domain | Purpose | Duration | Legal Basis |
|---|---|---|---|---|
| _ga | Google Analytics / insiteout.net | Unique visitor identifier for statistics | Up to 2 years (browser‑dependent) | Consent (EEA/UK) |
| _ga_ | Google Analytics / insiteout.net | Persistence of session/user state | Up to 2 years (browser‑dependent) | Consent (EEA/UK) |
| _hjSessionUser_{site_id} | Hotjar / insiteout.net | Unique user identifier on the site | Up to 365 days | Consent (EEA/UK) |
| _hjSession_{site_id} | Hotjar / insiteout.net | Current session data | ~30 minutes (extended with activity) | Consent (EEA/UK) |
| _hjIncludedInSessionSample | Hotjar / insiteout.net | Check inclusion in the daily session sample | ~30–60 minutes | Consent (EEA/UK) |
| _cs_id | Contentsquare / insiteout.net | Technical user data and number of visits | 13 months | Consent (EEA/UK) |
| _cs_s | Contentsquare / insiteout.net | Session data (number of views/recording state) | 30 minutes | Consent (EEA/UK) |
| _cs_c | Contentsquare / insiteout.net | Consent status for recordings/masking | 13 months | Consent (EEA/UK) |
Information Security
We apply administrative, logical, and technical controls aligned with Israel’s Privacy Protection Regulations (Data Security), 2017. In case of a severe incident, we follow the authority’s guidance.
Data Retention
We keep data only as long as needed for the purposes in this policy and to meet legal duties, then retain it for limited periods for record‑keeping and legal defense.
Your Rights (Israel + EEA/UK)
- Israel: access and correction; for EEA data in relevant databases—also erasure/notification where data was not provided directly.
- EEA/UK (GDPR): access, rectification, erasure, restriction, portability, and objection (including to direct marketing).
Request rights: [email protected].
Session Replay (Hotjar / Contentsquare)
We use session‑replay tools to improve user experience. They load only after consent to non‑essential cookies (EEA/UK). Hotjar suppresses inputs by default and can suppress text/images/videos and long numeric sequences. Contentsquare does not collect text typed into input fields and supports granular masking. We implement mask‑by‑default and only unmask non‑personal areas when needed.
Data Protection Officer (DPO)
If we are required to appoint a DPO, we will publish details here. For now: [email protected].
Changes to This Policy
We may update this policy and will post the latest update date at the top.
Contact
Questions, rights requests, complaints: [email protected].
United States / California – CCPA/CPRA Disclosures
This section applies to California residents when the CCPA (as amended by the CPRA) covers our business.
Your California Rights
- Know/Access, Delete, Correct.
- Opt‑out of the sale or sharing of personal information (including via Global Privacy Control signals).
- Limit the use/disclosure of Sensitive Personal Information.
- No discrimination for exercising rights.
Sale/Sharing and Cross‑Context Behavioral Advertising
We do not sell personal information for money. We may ‘share’ personal information for cross‑context behavioral advertising. You can opt out anytime using ‘Do Not Sell or Share My Personal Information’ / ‘Your Privacy Choices’ and by enabling a compatible GPC signal.
Sensitive Personal Information (SPI) and Right to Limit
If we use or disclose SPI beyond permitted purposes, you can direct us to limit such use via ‘Limit the Use of My Sensitive Personal Information’ or through the consolidated ‘Your Privacy Choices’.
Notice at Collection and Retention
At or before collection, we state categories, purposes, whether data is sold/shared, and how long we keep each category (or the criteria we use).
Submitting Requests and Timelines
Send requests via our online form, by email to [email protected], or by calling us at +972 3‑639‑3033 (standard rates; not toll‑free). We acknowledge within 10 business days and respond within 45 days of receipt (we may extend this by 45 days when reasonably necessary). We verify identity as required. For online deletion, we may use a two‑step confirmation.
Global Privacy Control (GPC)
We honor GPC as a valid opt‑out signal for the browser/device and, where feasible, for your logged‑in account.
Record‑Keeping
We keep a log of requests and responses for at least 24 months and protect those records.
EEA/UK/Switzerland – CMP and Google Consent Mode v2
For users in the EEA/UK/Switzerland, we use a Google‑certified consent management platform (CMP) integrated with the IAB TCF, where needed to serve ads. We implement Consent Mode v2 and signal: ad_storage, analytics_storage, ad_user_data, and ad_personalization. We obtain consent before tags process personal data and let you change choices any time.
United States – New York (NY) Addendum
As of February 9, 2026, New York has not enacted a comprehensive consumer privacy law equivalent to California’s CCPA/CPRA. We therefore provide these New York–specific disclosures and voluntary commitments in addition to our core policy.
New York SHIELD Act (Data Security & Breach Notification)
We maintain reasonable administrative, technical, and physical safeguards and follow New York’s breach‑notification rules when handling the private information of New York residents.
New York City Biometric Identifier Information Law (if applicable)
For commercial establishments in NYC that collect or use customer biometric data, we post required entrance signage and do not sell, lease, trade, or otherwise profit from biometric data.
Voluntary Consumer Rights for New York Residents
Even without a comprehensive NY law, we extend: (i) access/know; (ii) deletion (subject to lawful exceptions); (iii) correction; and (iv) opt‑out of sale/sharing and targeted advertising.
Opt‑Out & Global Privacy Control (GPC)
New York law does not currently require recognition of GPC, but we honor GPC for New York residents as a matter of policy. Use ‘Your Privacy Choices’ and/or enable a compatible GPC signal.
How to Exercise Your Rights (NY)
Use our online form, email [email protected], or call us at +972 3‑639‑3033 (standard rates; not toll‑free).
Terminology & Style (Plain‑English Glossary)
Controller: Decides why and how personal data is processed. InSiteOut is usually the Controller for our websites and direct interactions.
Processor: Processes personal data on a Controller’s documented instructions. When we provide certain services to customers, we act as their Processor under a data processing agreement (DPA).
Adequacy decision: A formal decision by a data protection authority (e.g., European Commission or UK government) that a destination ensures an adequate level of protection, enabling transfers without extra tools.
Legitimate interests: A lawful basis where processing is necessary for our (or a third party’s) legitimate purposes, provided these are not overridden by your interests or rights. We document a balancing test and offer an opt‑out where appropriate.
Personal data / Personal information: Information that identifies or can reasonably be linked to a person or household (e.g., identifiers, device, and usage data).
Sell / Share (California): ‘Sell’ includes disclosure for monetary or other valuable consideration; ‘Share’ covers disclosure for cross‑context behavioral advertising. Both come with opt‑out rights.
Sensitive personal information (California): A subset of personal information (e.g., precise geolocation, government IDs, account log‑ins) with added rights, including the right to limit certain uses.
Global Privacy Control (GPC): A browser or extension signal communicating an opt‑out choice. We honor GPC where required and, as a policy, for New York residents too.
CMP & Consent Mode v2: A consent platform that captures choices; Google’s Consent Mode v2 parameters adjust tag behavior to match consent.
