Privacy Policy

Fleuraby ("the Company", "we", "us", "our") is committed to protecting the privacy of its users. This Privacy Policy explains how we collect, use, store and share personal information collected through the website www.fleuraby.com, our application, and the Flora AI service — an AI agent operating over WhatsApp.

Your use of the service constitutes consent to the collection and processing of information as described in this policy. If you do not agree, please stop using the service.

This policy was written in accordance with the Israeli Protection of Privacy Law, 5741-1981 and Amendment No. 13 (2024).

• "Service" — the website www.fleuraby.com, the Fleuraby app, the WhatsApp and Flora AI interfaces, and any related component.
• "User" / "visitor" — any person using the service, including building committee representatives, apartment owners, residents and professionals.
• "Personal information" — information that identifies you, as defined in the Israeli Protection of Privacy Law, 5741-1981 and its amendments.
• "Flora" — Fleuraby's AI agent operating over WhatsApp.
• "the Authority" — the Israeli Privacy Protection Authority within the Ministry of Justice.
• "Sub-processor" — a third party that processes personal information on our behalf (e.g. a cloud infrastructure or AI-model provider).

3.1 Information you provide directly

• Contact details: name, phone number, email address, nicknames
• Building details: address, apartment number, owners and residents
• Financial information: payment status for building dues and maintenance (payment-method details are not stored on our servers — see §19)
• Service requests, complaints and tickets opened through the service
• Content of messages, images and voice recordings you share with Flora

3.2 Information collected automatically

• Conversation history with Flora over WhatsApp, including transcripts of voice messages
• Usage data (login times, actions taken, screens viewed)
• IP addresses, browser type, operating system and device identifiers
• Cookies and analytics identifiers (see §17)

3.3 Information from third-party sources

• WhatsApp/Meta metadata (sending phone number, public profile status)
• Bank transaction files that you upload for reconciliation purposes, with your consent

We process information for the following purposes, each on an appropriate legal basis:

• Providing the service (basis: contract) — operating Flora, managing tickets and building operations
• Collecting payments (basis: contract + legal obligation) — reminders, reconciliation, issuing receipts
• Service notifications (basis: contract) — operational updates on tickets, payments and building events (see §6)
• Marketing messages (basis: explicit consent) — Fleuraby promotional material, only with your consent (see §6)
• Service improvement (basis: legitimate interest) — aggregate usage analytics for bug detection and UX improvement
• Security and fraud prevention (basis: legitimate interest + legal obligation) — anomaly detection and system protection
• Legal compliance (basis: legal obligation) — compliance with law, court orders and regulatory requirements

Flora is an AI agent powered by a leading enterprise large language model (LLM) provider. What you should know:

• The content of your messages (text, images, recordings) is sent to the provider's AI models for understanding and reply generation.
• User content is not used to train models — neither by the provider nor by any third party. Our use of the model is under enterprise terms that prohibit training on customer content.
• Conversation observability — to improve answer quality and diagnose issues, we log conversations with Flora in a dedicated AI conversation logging system. Logs are retained for up to 18 months and then automatically deleted.
• Automated decisions — Flora may classify tickets, suggest replies and produce drafts for committee approval. A material decision (e.g. approving a payment or rejecting a request) requires human approval by an authorised representative.
• Right to human review and appeal — for any decision influenced by automated processing, you have the right to request human review and to appeal. Contact ofir@fleuraby.com.

We distinguish between two types of messages:

• Service (operational) messages — payment reminders, ticket updates, receipt confirmations and committee notices. These are essential to the service and are sent under our agreement with you.
• Marketing messages — promotions, marketing surveys and offers. Sent only after explicit consent, in accordance with §30A of the Israeli Communications (Telecommunications and Broadcasting) Law, 5742-1982.

You can withdraw consent at any time. On WhatsApp: reply "STOP" or "UNSUBSCRIBE" (or "הסר"). By email: click the unsubscribe link at the bottom of the message. Withdrawing marketing consent does not stop service messages.

We do not sell, rent or use your information for third-party targeted advertising. Information is shared only in the following cases:

• Sub-processors — service providers acting on our behalf and under our instructions (see §8)
• Competent authorities — where there is a legal obligation, court order or regulatory requirement
• Building committee representatives — relevant building information is accessible to authorised committee members within their role
• Apartment owners — information about their apartment, including resident details, to the extent necessary for building management
• Change of ownership — in a merger, sale or acquisition, subject to prior notice and maintenance of an equivalent protection level

We rely on the following categories of providers to process information on our behalf. All are bound by Data Processing Agreements (DPAs) and accepted information-security standards:

• Leading international cloud infrastructure provider — compute, database storage, user authentication and push notifications (EU / US)
• Enterprise large language model (LLM) provider — processing of Flora conversations under enterprise terms that prohibit training on customer content
• WhatsApp Business and SMS gateway provider — sending and receiving messages (US / Ireland)
• Meta Platforms (WhatsApp Business) — WhatsApp messaging infrastructure itself
• AI conversation logging tool for quality control — observability of Flora conversations (EU)

Specific provider names are available to business customers upon request, subject to NDA. We commit to providing at least 30 days' notice, via your registered email address, before a material change to a category or the addition of a new sub-processor category.

Some information is stored and processed on cloud servers outside Israel (primarily in the US and the EU, via our cloud infrastructure and messaging providers). Such transfers are performed in accordance with the Privacy Protection Regulations (Transfer of Data to Databases Outside the State Boundaries), 5761-2001, and under data-processing agreements that ensure a level of protection comparable to that under Israeli law.

• Active accounts — for as long as the account is active and for a reasonable period thereafter
• After termination — deletion within up to 24 months, to allow service reinstatement and the resolution of operational disputes; earlier deletion can be requested (see §14)
• Flora conversation logs — up to 18 months from the last interaction
• Raw voice recordings — deleted within 7 days of transcription
• Financial information and transaction records — 7 years, as required by the Israeli Income Tax Ordinance and companies legislation
• Security logs — up to 12 months, for investigation and threat response

We implement technical and organisational security measures, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-Based Access Control (RBAC) and the principle of least privilege
• Monitoring, audit logging and anomaly alerts
• Periodic encrypted backups and restoration testing
• Confidentiality agreements with every employee and vendor
• Compliance with the Privacy Protection (Data Security) Regulations, 5777-2017 at a medium-to-high security level

In the event of a serious security incident affecting the confidentiality, integrity or availability of information, we commit to:

• Notifying the Israeli Privacy Protection Authority without delay, in accordance with the 2017 Data Security Regulations
• Notifying affected data subjects without undue delay, by WhatsApp and email, where the incident creates a real risk to their rights
• Documenting the incident, its causes and the remediation steps taken, and retaining the documentation for at least 5 years
• Offering reasonable assistance to mitigate harm

The Fleuraby database is managed in accordance with the Israeli Protection of Privacy Law. Where registration with the Registrar of Databases is required, registration is or will be carried out within the statutory timeframe. For information on registration status or registry number, contact ofir@fleuraby.com.

In accordance with the Israeli Protection of Privacy Law and Amendment No. 13, you have the following rights:

• Right of access — to request the information held about you
• Right to rectification — to correct inaccurate or outdated information
• Right to erasure ("right to be forgotten") — subject to legal retention obligations
• Right to object — to processing for marketing or based on legitimate interest
• Right to portability — to receive the information in a structured, commonly used format
• Right to human review — of any decision based on automated processing (see §5)
• Right to lodge a complaint with the Privacy Protection Authority (see §22)

We will respond to a request within 30 days of its receipt. To exercise your rights: ofir@fleuraby.com.

The service is intended for users aged 18 and over. We do not knowingly collect information from minors under the age of 18 without the consent of a parent or legal guardian. If you notice that information about a minor has been provided without such consent, contact us promptly and we will arrange for its deletion.

Where a minor resident lives in an apartment in a managed building, we use the contact details of their parents or of the apartment owner for communication, not the minor's personal details.

A building is enrolled in the service by a committee representative or by an apartment owner. In some cases, resident contact details are provided to us by the committee or by the apartment owner for the purpose of building management (for example, sending payment reminders or maintenance notices).

The legal basis for processing the data of a resident who did not sign up directly is the legitimate interest of the building committee, alongside the cooperation duty set out in Chapter VI of the Israeli Land Law, 5729-1969. A resident is entitled at any time:

• To request to see the information held about them
• To request deletion of their details, subject to the committee's legal obligations
• To object to processing of their details for purposes beyond building management

The site uses cookies for:

• Basic service operation (session cookies) — essential, no consent required
• Usage analytics (Google Analytics, with IP anonymisation) — consent required
• User experience improvements — consent required

On your first visit, a consent banner asks you to approve non-essential cookies. You can change your preferences at any time via your browser settings or the consent banner.

The service operates via Meta's WhatsApp Business API. Use of the service constitutes consent to the routing of messages through Meta/WhatsApp servers, subject to the WhatsApp Privacy Policy. Fleuraby is responsible only for information processed in its own systems and does not control processing by WhatsApp/Meta.

As of the date of this policy, Fleuraby does not process payments and does not act as a payment processor. Residents pay the building committee through external means (bank transfer, cheque, etc.), and Fleuraby only tracks the resulting payment status — either by manual report or by reconciliation against a bank transactions file uploaded by the user.

If and when payment-processing capability is added to the service, this policy and the sub-processor list (§8) will be updated, and at least 30 days' advance notice will be given before the feature is enabled. In any case, payment-method details will never be stored on Fleuraby's servers and will be transmitted directly to an authorised PCI-DSS-compliant payment processor.

We may use anonymous and aggregate information (information that does not permit personal identification) for research, analytics, service development and the publication of professional insights. Such aggregate information is not personal information and is not subject to the restrictions of this policy.

Fleuraby's Privacy Officer is Ofir Suranyi. You can reach the Privacy Officer at:

Email: ofir@fleuraby.com
Site: www.fleuraby.com

You may direct any question, request to exercise a right, or suspected security incident to the Privacy Officer.

For an initial enquiry, contact ofir@fleuraby.com. We aim to respond within 30 days.

If a complaint is not resolved to your satisfaction, you may contact the Israeli Privacy Protection Authority at the Ministry of Justice: gov.il — Privacy Protection Authority

We may update this policy from time to time. Any material change will be posted on the site and a notice will be sent to your registered email at least 30 days before the change takes effect.

A change that broadens the scope of collection or processing of information beyond what is described in this policy will require renewed consent, and will not rely on notice alone.

Previous versions of this policy are available on request to ofir@fleuraby.com.