Privacy Policy
Last updated: 29 May 2026 · Effective: 29 May 2026
Plain-language summary: Kahal stores your name, email, phone, the classes you book, and the payments you make — only so the platform works. We do not sell your data. You can ask us what we hold and tell us to delete it. Questions: support@mykahal.com.
1. Who we are
Kahal is a software-as-a-service platform for community centers, operated by AmihaiTech ("we", "us", "Kahal"), a sole proprietorship based in Israel. We are the controller of personal data processed about visitors to our marketing site (mykahal.com) and account holders. For data processed about end-members of a community center using Kahal, the community center is the controller and Kahal is the processor.
Contact: support@mykahal.com
2. What data we collect
2.1 Account & profile data
- Name, email address, phone number (optional)
- Authentication identifiers (Google OAuth ID where used; encrypted 2FA secrets and backup codes for admins)
- Organization role (admin, instructor, member) and the organization(s) you belong to
2.2 Activity data
- Bookings, class attendance, check-in records
- Purchased passes / session packs and remaining credits
- Health declaration responses and digital signatures (where the community center uses this feature)
2.3 Payment data
- We do not store full card numbers. Each organization chooses one third-party payment provider — either Sumit or HYP (היפ) — which processes member payments, returns a transaction reference and status, and issues tax invoices on the organization's behalf.
- We retain transaction metadata (amount, date, gateway reference, payer identity) for accounting and legal retention requirements.
2.4 Technical data
- IP address, browser type, device type, pages visited, and timestamps — for security (rate limiting, abuse prevention) and for diagnosing errors.
- Anonymous and marketing-site analytics: page views and interactions on our marketing pages are captured by PostHog (EU), our product-analytics provider, only after you accept analytics cookies via the cookie banner. Client IP addresses are discarded by PostHog and not stored with events. We use no advertising or cross-site tracking.
- Signed-in account events: when you are signed in, we additionally record server-side product events (sign-ins, bookings created or cancelled, purchases initiated, onboarding steps) tied to your account — regardless of cookie preference — because these are necessary to operate and improve the service. Legal bases: legitimate interest (Art. 6(1)(f) GDPR) and performance of contract (Art. 6(1)(b)). You may request access to or deletion of this data — see Section 7.
- Session recordings: if you accepted analytics cookies, your interactions (clicks, navigation, scroll, page structure) may be recorded by PostHog for product improvement. All <input> field content is masked at capture time; visible page text, URLs, and other on-screen elements are recorded. Recordings are not used for advertising and are retained per Section 6.
- Cookies strictly necessary for sign-in sessions and CSRF protection are always set; analytics cookies are set only with your consent. See Section 10.
2.5 Marketing-site leads
If you submit the interest form on mykahal.com, we store your name, email, and message to follow up about the beta.
3. Why we process this data (legal bases under GDPR)
- Performance of a contract — to deliver the booking, payment, and account features you (or your community center) signed up for.
- Legitimate interests — security, fraud prevention, service improvement, and responding to support requests.
- Legal obligation — tax and accounting record retention; responding to lawful requests from authorities.
- Consent — for optional features such as health declarations or marketing emails. You can withdraw consent at any time.
Under the Israeli Privacy Protection Law, 5741–1981, our processing relies on the consent (express or implied through use of the service) you provide when creating an account or being added by a community center, together with the purposes registered for the relevant database.
4. Who we share data with
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Hosting & infrastructure: Hetzner (servers in the EU), Cloudflare (edge / DNS / TLS).
- Payment processing & invoicing: Sumit or HYP (היפ) — each organization chooses one of these providers, which processes member payments and issues tax invoices on the organization's behalf. Each is subject to its own privacy policy.
- Email delivery: Resend — for transactional emails such as magic links, invitations, and notifications.
- Product analytics & session replay: PostHog Cloud (EU region, eu.i.posthog.com) — processes analytics events and session recordings on our behalf under a Data Processing Agreement. See PostHog's privacy policy.
- Authentication: Google (where you choose to sign in with Google OAuth).
- Authorities: when required by Israeli law, a court order, or a binding regulatory request.
We do not sell personal data and we do not share it for advertising.
5. International transfers
Our primary infrastructure is in the EU. Some sub-processors (e.g. Cloudflare, Google) may process data outside Israel and the EEA. For transfers from the EEA, we rely on adequacy decisions or Standard Contractual Clauses; transfers from Israel rely on the conditions set out in the Privacy Protection Regulations (Transfer of Data Abroad), 5761–2001.
6. How long we keep data
- Account data: for as long as your account is active, plus up to 90 days after a deletion request to handle disputes and backups.
- Booking and attendance records: for as long as the community center retains them, subject to its own retention policy.
- Payment and tax records: at least 7 years, as required by Israeli tax law.
- Marketing leads: until you ask us to delete them, or after 24 months of inactivity.
- Analytics events and session recordings: retained by PostHog for 1 year (the retention applied by our current PostHog plan tier).
- Server logs: typically 30 days.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten" under GDPR; right of inspection and correction under Israeli PPL)
- Restrict or object to certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time, without affecting prior lawful processing
- Lodge a complaint with the Israeli Privacy Protection Authority or, if you are in the EEA, your local data protection authority
To exercise any of these rights, email support@mykahal.com. We will respond within 30 days.
If you are a member of a community center using Kahal and want to delete or correct data the center holds about you, please contact the community center directly — they are the controller of that data and we act on their instructions.
8. Security
We use industry-standard practices: TLS for all traffic, encryption at rest for sensitive fields (authentication secrets, 2FA keys, backup codes), per-user session timeouts, magic-link tokens with 15-minute expiry, rate limiting on sign-in and invite endpoints, and least-privilege access for our own staff. No system is perfectly secure — if you suspect unauthorized access to your account, contact us immediately.
9. Children
Kahal is designed for adult account holders. If a community center records a minor's attendance or bookings, the parent/guardian is responsible for providing any required consent. We do not knowingly collect data directly from children under 16.
10. Cookies
We use two categories of cookies:
- Strictly necessary — always set. Session cookies for authentication and session continuity, CSRF tokens for security, and the kahal_cookie_consent cookie (1 year) that remembers your choice from the cookie banner so we do not ask again on every visit.
- Analytics — set only with your consent. When you choose "Accept all" in the cookie banner, our analytics provider PostHog sets its own cookies (prefixed ph_) to count visits, attribute events, and — if applicable — identify your account once you sign in. Choosing "Essential only" (or never accepting) means PostHog does not load on your visits and no ph_ cookies are set.
We do not use cookies for advertising, profiling, or cross-site tracking. To revoke analytics consent, clear the kahal_cookie_consent cookie in your browser and the banner will appear again on your next visit. Clearing all cookies signs you out.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email or by a notice on the platform at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy questions, data requests, or complaints:
AmihaiTech — Israel
Email: support@mykahal.com