Privacy Policy

We respect your privacy. This policy explains what information is collected on karinanaftaly.com, how it is used, and your rights under Israel's Privacy Protection Law (1981) including Amendment 13 (2026), and under the EU GDPR. The policy reflects the site's actual technical state as of the last-updated date below.

1. Data Controller

Karina Naftaly, paramedical aesthetic clinic. Address: 5 HaGdud HaIvri Street, Ashdod, Israel. Phone: 050-333-7953. For privacy matters and data-subject requests: karina@nfo.co.il.

2. What we actually collect

  • Forms (contact, booking, newsletter): these forms are currently disabled. They do not transmit any data to a server and do not collect any personal data. As a fallback the site links directly to WhatsApp.
  • Skin quiz: answers are stored in your browser's sessionStorage only and never sent to a server. The quiz result is computed client-side, displayed, and discarded when your session ends. Quiz content is never sent to Google Analytics.
  • Analytics: Google Analytics 4 (property G-K62LE968RB) under Consent Mode v2. Default consent is 'denied': the GA4 script loads but no cookies are set and no identities are linked. After you Accept, anonymous events are sent with IP anonymization enabled. If you Reject, only anonymous pings are sent under Google's Consent Mode v2 mechanism (no cookies, no user-ID, no behavior chains).
  • Language preference: NEXT_LOCALE cookie (functional).

3. Which GA4 events are collected (closed 7-event taxonomy)

page_view (path + locale) · cta_click (button identifier) · outbound_click (destination domain only, not full URL) · scroll_depth (25/50/75/100) · quiz_started (no answers) · quiz_completed (no result category) · language_switch (from/to locale). These events constitute the closed schema. Adding a new event requires updating this notice.

4. What we never collect

Quiz answers, quiz result category, form contents, medical-condition identifiers, advertising pixels (Meta, TikTok, LinkedIn), remarketing pixels, social embeds that set cookies, behavioral profiling at the user level. GA4 ad_storage always remains denied and is never enabled.

5. Retention

While forms remain disabled, no personal data is collected or retained by us. When the forms are activated in the future, contact data will be retained for up to 24 months, unless you request earlier deletion. If your inquiry becomes an actual treatment relationship, your data will be retained under clinical-records rules (7 years) separately from this site. GA4 data: retained for the minimum period Google allows (currently 14 months).

6. Third-party processors

Google LLC: Google Analytics 4. Data flows to Google servers in the United States, under Google's standard Data Processing Amendment and Standard Contractual Clauses (SCCs). DigitalOcean LLC: the hosting infrastructure (droplet) on which the site runs. Data centers in EU/US regions under DigitalOcean's standard DPA. No other processors are currently engaged. The site is not hosted on Vercel and does not use Cloudinary.

7. Cross-border data transfer

Per Privacy Law Amendment 13 and GDPR Article 46, we disclose: GA4 events are transferred to Google servers in the US under SCCs. Site traffic may route through DigitalOcean data centers in Europe and the United States under SCCs. IP anonymization is always applied before data reaches the Google network.

8. Your data-subject rights

Right to access (Section 13 of Israeli law; GDPR Article 15). Right to rectify incorrect data (Section 14; GDPR Article 16). Right to erasure, the 'right to be forgotten' where applicable (GDPR Article 17; Section 14b). Right to data portability (GDPR Article 20). Right to object to processing (GDPR Article 21). Right to file a complaint with Israel's Privacy Protection Authority (https://www.gov.il/en/departments/the_privacy_protection_authority) or the relevant EU supervisory authority.

9. How to exercise your rights

Send a written request to karina@nfo.co.il including your name, identification, and the nature of the request. We will respond within 30 days, as required by Privacy Law Amendment 13. Deletion requests will be honoured unless a legal obligation requires continued retention (for example, clinical records subject to a 7-year retention rule).

10. Minors

Our services are intended for adults only (18+). We do not knowingly collect data from minors. In cases where treatment of a minor is necessary, a legal guardian's consent and a separate in-clinic form are required. This provision follows the Privacy Protection Authority guidance on minors' data (2022 update).

11. Security

The site is served over HTTPS with HSTS. The hosting infrastructure (DigitalOcean) operates under default security, restricted access to user data, and routine backups. When the forms are activated in the future, additional controls will be implemented, compliant with Privacy Protection (Security) Regulations 2017 at the Basic level at minimum, and with Privacy Law Amendment 13.

12. Updates to this policy

This policy may be updated. Changes will be published on this page with an updated version date. A material change will also be flagged on the site homepage for at least 14 days.

Cookies and Browser Storage

This site uses cookies and browser storage only to the extent necessary for operation and (after your consent) analytics. Full list:

  • kn_consent_v1 (localStorage): Functional. Stores your cookie-banner choice. Value: accepted or rejected. Not shared with any third party.
  • _ga, _ga_K62LE968RB (Google Analytics 4 cookies): Set only after you click Accept on the banner. If you choose 'Reject,' these cookies are never set.
  • NEXT_LOCALE (cookie): Functional. Stores your language preference (he/en/ru). Exempt from consent under Israeli Privacy Protection Authority interpretation.

To change your consent, click the button below to reset your preferences. The banner will re-appear on the next page load, and you can choose again between Accept and Reject. You may also manually remove the kn_consent_v1 key from your browser's local storage.

Effective: 2026-05-26 · Last updated: 2026-05-26 · Version 2.0