1. Introduction
In brief: We protect your medical information to the highest standard. This policy details exactly what we collect, why, and how — with full transparency.
At Vera, protecting your privacy is a core value. This policy details how we collect, use, store, and protect your personal and medical information when using the Vera application, the website, and the physical QR stickers (collectively: "the Service").
We operate in accordance with the Protection of Privacy Law, 1981 (חוק הגנת הפרטיות, התשמ"א-1981) (including Amendment 13, 2025 / תיקון 13, התשפ"ה-2025), the Protection of Privacy Regulations (Data Security), 2017 (תקנות הגנת הפרטיות (אבטחת מידע), התשע"ז-2017), and the European GDPR (Regulation 2016/679) insofar as it applies to users residing in the European Union.
We recommend reading this policy carefully. Use of the Service constitutes consent to the collection and processing of information as detailed in this policy, subject to dedicated consent mechanisms for sensitive medical information as described in Section 7.
This Privacy Policy was drafted in Hebrew. In case of any discrepancy between the Hebrew version and this translation, the Hebrew version shall prevail.
2. Definitions
- "Personal Information" — Any information that identifies or enables the identification of an individual, as defined under the Protection of Privacy Law (חוק הגנת הפרטיות).
- "Sensitive Information" (Information of Special Sensitivity / ISS) — Medical or health-related information, or any information classified as having special sensitivity under Amendment 13 to the Protection of Privacy Law, and "Special Category Data" under Article 9 of the GDPR.
- "Processing" — Any operation performed on information, including collection, storage, access, use, transfer, deletion, or destruction.
- "Data Controller" — The entity that determines the purposes and means of data processing — Shalhevet Software Solutions.
- "Data Processor" — An entity that processes information on behalf of and under the instructions of the Data Controller.
- "QR Sticker" — A physical sticker bearing a unique QR code that is linked to the User's medical profile.
- "Scan" — The action whereby any third party scans the QR code and gains access to the shared medical information.
- "Medical Profile" — The entirety of medical information entered by the User in the Application.
3. Identity of the Data Controller
Shalhevet Software Solutions
Email: contact@shalhevet.tech
Phone: +972-54-681-1111
Website: www.shalhevet.tech
Shalhevet Software Solutions is the Data Controller and the entity responsible for the processing of your personal information.
3.1 Data Protection Officer (DPO)
In accordance with Amendment 13 to the Protection of Privacy Law, Vera has appointed a Data Protection Officer responsible for ensuring compliance with legal requirements. For privacy-related inquiries:
Data Protection Officer — Shalhevet Software Solutions
Email: contact@shalhevet.tech
4. Types of Data We Collect
In brief: We collect only the data necessary to operate the Service — basic personal information, medical information (with explicit consent), payment data, and technical information.
4.1 Personal Identifying Information
- Full name
- Date of birth
- Phone number
- Email address
- Shipping address (city, street, apartment, postal code)
4.2 Sensitive Medical Information
This information is classified as "Information of Special Sensitivity" (ISS) under Amendment 13 to the Protection of Privacy Law, and as "Special Category Data" under Article 9 of the GDPR. This data is handled with the highest level of protection and is collected exclusively with explicit, separate, and unambiguous consent.
- Medications (names, dosages, administration frequency)
- Allergies and sensitivities
- Pre-existing conditions and chronic conditions
- Blood type
- Emergency contacts (names, phone numbers, relationship)
- Additional medical information the User chooses to enter in the profile
4.3 Payment and Transaction Information
- Transaction details (amount, date, product purchased)
- Credit card details — processed directly by Stripe and never stored on Vera's servers
- Billing address (if different from the shipping address)
4.4 Technical and Usage Information
- IP address
- Device type, operating system, and browser version
- Device ID and Firebase Installation ID
- Application usage data (pages viewed, actions performed, usage times)
- QR scan logs (timestamp, scanner IP address, scanner device type)
- Language preference
- Crash reports
4.5 Data We Do Not Collect
- We do not collect location data (GPS) from your device.
- We do not collect biometric information (fingerprint, facial recognition).
- We do not collect information from the contacts on your device.
5. How We Collect Data
- Directly from you — Information you actively enter: account registration, completion of a medical profile, placing an order, contacting customer service.
- Automatically — Technical information collected automatically during use: IP address, device type, usage data, QR scan logs.
- From service providers — Information generated by our service providers: transaction details from Stripe, analytics data from Firebase.
Obligation to provide information: Providing basic personal information (name, email, phone) is required to create an account. Providing medical information is entirely voluntary but is required in order to use the core features of the Service (medical profile, QR sticker). Without medical information, it will not be possible to activate a QR sticker or use the safety check features.
6. Purposes of Data Processing and Legal Basis
In brief: We use your information solely to operate, secure, and improve the Service. We do not sell data, do not use it for advertising, and do not engage in profiling.
| Data Type | Purpose | Legal Basis (Israeli / GDPR) |
|---|---|---|
| Medical information | Creating a medical profile, sharing emergency information via QR, medication safety checks | Explicit consent (Section 1 of the Law / Art. 6(1)(a) + Art. 9(2)(a) GDPR) |
| Medical information (emergency scan) | Displaying critical medical information to a QR scanner in emergency situations | Vital interests (Art. 6(1)(d) + Art. 9(2)(c) GDPR) |
| Payment information | Processing sticker purchases, issuing invoices | Performance of a contract (Art. 6(1)(b) GDPR) |
| Shipping address | Delivering physical stickers | Performance of a contract (Art. 6(1)(b) GDPR) |
| Technical information | Service operation, security, fraud prevention, service improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Scan logs | Security, abuse prevention, displaying scan history to the User | Legitimate interest (Art. 6(1)(f) GDPR) |
| Customer service inquiries | Responding to inquiries, resolving issues | Performance of a contract / Legitimate interest |
What we never do:
- We never sell personal or medical information to third parties.
- We never use medical information for advertising, targeted marketing, or profiling.
- We never transfer information to insurance companies, employers, or commercial entities.
7. Consent and Withdrawal of Consent
7.1 Explicit Consent for Medical Information
- The processing of medical information requires explicit, separate, unambiguous, and informed consent. This consent is not part of the general acceptance of the Terms of Service.
- Consent is requested at the stage of entering medical information in the Application, with a clear explanation of how the information will be used and shared.
- Consent is recorded and documented for compliance and audit purposes.
7.2 Withdrawal of Consent
- Consent to the processing of medical information may be withdrawn at any time through the Application settings.
- Withdrawal of consent will result in deactivation of the medical profile, cessation of information sharing via QR, and deletion of medical information within 30 days.
- Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal.
- Withdrawal of consent will not prevent the use of features that do not require medical information.
7.3 Consequences of Not Providing Consent
Without consent to the processing of medical information, it will not be possible to: create a medical profile, activate a QR sticker, or use the safety check features. Other Application features (such as general reminders) will remain available.
8. Information Sharing via QR
This section details how medical information is exposed through QR stickers. Please read carefully.
8.1 How It Works
By activating a QR sticker, the User expressly consents that:
- The medical information selected for sharing will be accessible to any person who scans the QR code — without the need for identification, downloading an application, or obtaining the User's approval.
- The purpose of this open access is to enable rapid access to critical information in emergency situations, including by paramedics, physicians, and bystanders.
- The legal basis for this access is explicit consent (upon sticker activation) and vital interests (Art. 9(2)(c) GDPR) in situations where the User is unable to give consent.
8.2 User Control
- The User controls which data fields are displayed in the QR scan through the Application settings.
- A sticker may be deactivated at any time through the Application. After deactivation, scanning the code will not display any information.
- In the event of loss or theft of a sticker, it must be deactivated immediately through the Application.
8.3 Acknowledged Risks
- Vera cannot control the identity of scanners or prevent scans by unauthorized parties.
- Information viewed by a scanner cannot be "undone" after viewing.
- Vera logs scans (timestamp, IP address, device type) and displays a scan history to the User.
9. Sharing Information with Third Parties
In brief: We share information only with the service providers necessary to operate Vera, and only to the extent required. Data Processing Agreements (DPAs) are signed with every provider.
9.1 Service Providers (Data Processors)
Firebase / Google Cloud Platform
Role: Data storage, user authentication, analytics, push notifications, crash reports.
Data shared: Account information, medical information (encrypted), technical information, installation IDs.
Security: Google operates as a Data Processor subject to Data Processing Terms and complies with SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and the GDPR.
Stripe
Role: Payment processing.
Data shared: Name, billing address, credit card details (transmitted directly to Stripe; they do not pass through Vera's servers).
Security: Stripe complies with PCI-DSS Level 1 and operates in accordance with Stripe's Privacy Policy. Stripe may collect information using cookies and similar technologies.
Resend
Role: Transactional email delivery (order confirmations, service notifications).
Data shared: Email address, name, order details.
Security: Resend operates as a Data Processor and complies with SOC 2 Type II and the GDPR. Emails are transmitted over TLS.
Data Processing Agreements are signed with all service providers in accordance with the requirements of Article 28 of the GDPR and Amendment 13 to the Protection of Privacy Law.
9.2 Authorities
Vera may disclose personal information to legal authorities if required by law, court order, or for the protection of the rights, safety, or property of Vera, its users, or the public.
9.3 What We Do Not Do
- We never sell personal or medical information to third parties — ever.
- We do not share medical information with advertising, marketing, or data brokerage entities.
- We do not transfer information to insurance companies, employers, or any other commercial entity.
- We do not permit service providers to access medical information beyond what is necessary for operating the Service.
10. International Data Transfers
- Data is stored on Firebase / Google Cloud servers, which may be located in the United States, the European Union, or other regions.
- Israel is recognized by the European Union as a country with an adequate level of privacy protection (Adequacy Decision); therefore, data transfers between Israel and the European Union are permitted.
- Data transfers to the United States and other countries are conducted subject to Standard Contractual Clauses (SCCs) and Google's Data Processing Terms.
- Stripe processes payments on servers with the highest level of PCI-DSS certification and implements SCCs for international transfers.
- All international data transfers are conducted subject to data transfer agreements that ensure a level of protection equivalent to Israeli law and the GDPR.
11. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| Medical profile | As long as the account is active. Deleted within 30 days of account deletion or withdrawal of consent. |
| Account information (name, phone, email) | As long as the account is active. Deleted within 30 days of account deletion. |
| Payment records | 7 years from the date of the transaction (as required under Israeli tax law). |
| QR scan logs | 12 months. |
| Technical information and logs | 6 months. |
| Backups | Up to 90 days. Backups containing deleted data will be purged in the next backup cycle. |
At the end of the retention period, data will be securely deleted or fully anonymized in a manner that does not allow reconstruction.
Vera conducts an annual review of stored data to ensure compliance with retention periods.
12. Data Security
In brief: We implement advanced security measures in accordance with the Data Security Regulations, 2017, Amendment 13, and international standards.
- Encryption — All data is encrypted both at rest and in transit using TLS 1.2+ and AES-256 protocols.
- Access control — Access to medical information is restricted to authorized personnel only via Role-Based Access Control (RBAC).
- Secure infrastructure — Firebase / Google Cloud comply with SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 standards.
- Monitoring and logging — Continuous monitoring of database access, activity logging, and anomaly detection.
- PCI-DSS — Payments are processed by Stripe in accordance with PCI-DSS Level 1.
- Written information security policy — Vera maintains a written and updated information security policy as required by the Regulations.
- Annual review — The information security program is reviewed and updated at least once a year.
Despite our security efforts, no method of digital storage or transmission is 100% secure. We are committed to exercising reasonable diligence to protect your information and to notify you of any significant security incident in accordance with the law.
13. User Rights
In accordance with the Protection of Privacy Law (including Amendment 13) and the GDPR, you have the following rights:
Right of Access
To request to view all personal information we hold about you and to receive a copy thereof.
Right to Rectification
To request correction of inaccurate, outdated, or incomplete information.
Right to Erasure
"The right to be forgotten" — to request deletion of your personal data, subject to legal retention obligations.
Right to Data Portability
To receive your data in a structured format (JSON/CSV) and transfer it to another service.
Right to Restriction of Processing
To request restriction of the processing of your data under certain circumstances.
Right to Object
To object to processing based on legitimate interest.
Withdrawal of Consent
To withdraw consent to data processing at any time, without affecting the lawfulness of prior processing.
Filing a Complaint
To file a complaint with the Privacy Protection Authority (PPA) or with a supervisory authority in the European Union.
To exercise your rights — contact us at contact@shalhevet.tech. We will respond within 30 days. Complex requests may require up to 60 days, in which case we will inform you of the extension.
To request account and data deletion via the web — send an email to contact@shalhevet.tech with the subject line "Account Deletion Request." You may also delete your account directly through the Application settings.
14. Data Breach Notification
- In the event of a severe security incident that may infringe upon your rights, we will notify the Privacy Protection Authority (PPA) without undue delay, in accordance with the Data Security Regulations.
- If the breach is likely to pose a high risk to your rights, we will also notify you directly (by email, in-app notification).
- For breaches subject to the GDPR, notification to the supervisory authority will be sent within 72 hours (Article 33 of the GDPR). A breach involving medical information will almost always be considered "high risk" requiring notification to affected individuals.
- The notification will include: a description of the breach, the types of data exposed, the steps taken to mitigate the harm, and contact information for further inquiries.
15. Privacy of Minors and Dependent Profiles
15.1 Minors
- The Service is intended for individuals aged 18 and above only for independent account creation.
- Minors aged 14–17 may use the Service with the consent of a parent or legal guardian.
- We do not knowingly collect personal information from minors under the age of 14 without verified parental consent.
- If we become aware that information from a minor has been collected without appropriate consent, the information will be deleted immediately.
- If you are a parent or guardian and discover that your child has used the Service, please contact us and we will address the matter immediately.
15.2 Dependent Profiles (Family Members)
- Account holders may create and manage medical profiles for dependent family members (children, elderly parents, spouses).
- Creating a profile for another person requires the explicit consent of that person, or legal authority (guardianship, power of attorney).
- The account holder bears responsibility for the accuracy of the information and for obtaining the required consent.
17. Automated Decision-Making
- Vera does not perform automated decision-making or profiling that significantly affects users.
- Medication safety checks (drug interactions, allergies) are based on algorithmic comparison against pharmaceutical databases and are presented to the User as informational only — they do not constitute medical advice and do not replace professional evaluation.
- No artificial intelligence (AI) is used to analyze or process users' medical information.
18. Changes to the Privacy Policy
- Vera may update this policy from time to time.
- Material changes (particularly those relating to the processing of medical information) will be communicated via the Application, the website, or by email at least 30 days in advance.
- Material changes to the processing of medical information will require renewed consent — it will not be possible to continue processing medical information without active approval on your part.
- The date of the last update is indicated at the top of this document.
19. Language and Governing Law
- This Privacy Policy was drafted in Hebrew. In the event that it is translated into additional languages and a discrepancy arises, the Hebrew version is the binding version.
- This policy is governed by the laws of the State of Israel.
- Exclusive jurisdiction for any matter arising from this policy is vested in the competent courts of the Tel Aviv-Jaffa district.
20. Contact Us Regarding Privacy
For questions, inquiries, rights exercise requests, or complaints regarding privacy:
General Inquiries
Shalhevet Software Solutions
Email: contact@shalhevet.tech
Phone: +972-54-681-1111
Website: www.shalhevet.tech
Data Protection Officer
Email: contact@shalhevet.tech
You may also file a complaint with the Privacy Protection Authority (PPA):
Website: Privacy Protection Authority (Israel)
Users residing in the European Union may contact the Data Protection Authority (DPA) in their country of residence.