Privacy Policy

MATANA Ltd. (“MATANA”, “we”, “us”, or “our”) provides an Employee Experience Platform that enables companies (“Clients”) to manage employee perks, gifts, events, clubs, and benefits. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our platform, website, and related services (collectively, the “Services”).

By accessing or using our Services, you agree to the practices described in this policy. If you do not agree, please do not use the Services.

1. Our Role as Controller and Processor

MATANA operates in two distinct data roles depending on context:

• Data Processor — when processing personal data of employees ("End Users") on behalf of our Clients. In this role, we act solely on our Clients' documented instructions. The Client is the data controller and retains responsibility for the lawfulness of the underlying data processing.
• Data Controller — when we collect and use data for our own purposes, such as managing Client accounts, providing customer support, sending service communications, improving the platform, and complying with legal obligations.

If you are an employee whose data is processed through the MATANA platform, your employer (the Client) is the primary point of contact for data rights related to that processing. You may also contact us directly as set out in Section 12.

2. Information We Collect

2.1 Client Account Data

When a company registers to use MATANA, we collect information necessary to create and manage the account, including:

• Company name, billing address, and VAT / tax identification number
• Admin user names, email addresses, and job titles
• Payment and billing details (processed securely via our payment provider — we do not store full card numbers)
• Platform configuration, preferences, and settings

2.2 Employee Data (Processed on Behalf of Clients)

Clients provide us with employee data required to operate the platform on their behalf. This may include:

• Full name, work email address, and employee ID
• Department, team, location, and role
• Budget allocations and wallet balances
• Gift and perk redemption history
• Event RSVPs and attendance records
• Club memberships and participation activity
• Profile photo (if uploaded by the employee)

We process this data only to the extent necessary to provide the Services, and strictly in accordance with our Data Processing Agreement with each Client.

2.3 Usage and Technical Data

We automatically collect certain technical data when you interact with our platform or website:

• IP address, browser type, and operating system
• Pages visited, features used, and time spent
• Device type and mobile OS version (for the employee app)
• Error logs, crash reports, and performance metrics
• Referring URLs and session identifiers

2.4 Communications

If you contact us by email, form, or other means, we collect the content of your message and any contact information you provide, in order to respond and maintain records of our interactions.

3. How We Use Information

We use the information we collect for the following purposes:

• Providing and operating the Services — delivering platform features, processing transactions, and enabling all functionality
• Fulfilling Client contracts — processing employee data strictly according to our agreement with each Client
• Account management — creating accounts, managing subscriptions, and processing billing
• Customer support — responding to inquiries, troubleshooting issues, and resolving disputes
• Platform improvement — analysing aggregated usage data to improve features, fix bugs, and inform product decisions
• Security and fraud prevention — monitoring for suspicious activity, enforcing our terms, and protecting users
• Legal compliance — meeting obligations under applicable laws, regulations, and accounting standards
• Service communications — sending essential notices about the platform, security updates, or changes to our terms

We do not sell personal data to third parties. We do not use employee data provided by Clients for advertising, profiling, or any purpose unrelated to providing the Services to that Client.

4. How We Share Information

4.1 Sub-processors

We engage trusted third-party service providers (“sub-processors”) to help us deliver the Services. These may include providers of:

• Cloud hosting and infrastructure
• Payment processing
• Product analytics and error monitoring
• Email and in-app communications
• Customer support tooling

All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational safeguards. An up-to-date list of sub-processors is available to Clients upon written request.

4.2 Within the Client Organisation

Client administrators have access to employee data within their account scope as configured by the Client. MATANA does not share one Client's data with any other Client.

4.3 Legal and Regulatory Disclosures

We may disclose personal data if we believe in good faith that disclosure is required to: (a) comply with a legal obligation or valid legal process; (b) protect the rights, property, or safety of MATANA, our Clients, users, or the public; or (c) detect, prevent, or address fraud or security issues.

4.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, personal data may be transferred to the relevant successor entity. We will provide affected Clients with reasonable notice and the opportunity to review any material changes before they take effect.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations:

• Client account and admin data — retained for the duration of the subscription, and for up to 3 years after contract termination for audit and dispute resolution purposes
• Employee data (processed on behalf of Clients) — retained for the duration of the Client's active subscription; Clients may request earlier deletion at any time
• Usage and technical logs — retained for up to 12 months
• Financial and billing records — retained for 7 years in accordance with applicable accounting and tax regulations
• Communications — retained for as long as needed to resolve the matter, subject to applicable law

When retention periods expire, data is securely deleted or anonymised in accordance with our data lifecycle management procedures.

6. Data Security

We implement industry-standard technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, including:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 or equivalent
• Role-based access controls limiting data access to authorised personnel
• Multi-factor authentication for administrative access
• Regular security reviews, vulnerability assessments, and penetration testing
• Incident response and breach notification procedures

Despite these measures, no transmission over the internet or electronic storage system is 100% secure. In the event of a personal data breach that poses a risk to affected individuals, we will notify the relevant Clients and, where required by law, the appropriate supervisory authority, within the timeframes prescribed by applicable data protection legislation.

7. Your Rights

7.1 Rights of End Users (Employees)

Because MATANA processes employee data as a data processor acting on behalf of your employer (the Client), your employer is the appropriate first point of contact for exercising rights such as access, correction, deletion, or portability with respect to data held in the platform on your behalf.

Where MATANA acts as a data controller in its own right (for example, for platform analytics or direct communications), you may exercise your rights by contacting us directly at the address in Section 12.

7.2 Rights of Client Admins and Contacts

If you are a Client contact or admin user located in the European Economic Area, United Kingdom, or Israel, you have rights under applicable data protection law, including:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your data in certain circumstances
• Right to restriction — request that we limit processing in certain circumstances
• Right to data portability — receive your data in a commonly used, machine-readable format
• Right to object — object to processing based on our legitimate interests
• Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, please contact us at privacy@matana-il.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

7.3 California Residents (CCPA / CPRA)

California residents have the right to know what personal information is collected about them, to request deletion, to opt out of the “sale” of personal information, and to non-discrimination for exercising their rights. MATANA does not sell personal information as defined under California law.

8. Cookies and Tracking Technologies

Our web platform and marketing website use cookies and similar technologies. We use:

• Strictly necessary cookies — required for login sessions and core platform functionality; cannot be disabled
• Analytics cookies — help us understand how the platform is used, using aggregated and anonymised data
• Performance cookies — monitor platform speed and reliability to improve user experience

We do not use advertising or behavioural tracking cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will affect platform functionality.

9. International Data Transfers

MATANA is headquartered in Israel. The State of Israel has been recognised by the European Commission as providing an adequate level of protection for personal data under the GDPR (Commission Decision of 31 January 2011, updated).

Where we transfer personal data to sub-processors or other recipients in countries without an adequacy decision, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or equivalent mechanisms recognised under applicable law.

10. Children's Privacy

The MATANA platform is designed for use in a business (B2B) context and is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without appropriate consent, please contact us and we will take steps to delete such data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy on this page with a revised “Last Updated” date
• Notify active Clients by email or via an in-platform notice at least 30 days before the changes take effect

Your continued use of the Services after the effective date of an updated policy constitutes your acceptance of the revised terms.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: