Skip to main content

Privacy Policy

Effective date: 20 June 2026

This Privacy Policy explains how Aun & Co. — Attorneys & Advisors ("the Firm", "we", "us") collects, uses, discloses, and protects personal data, and the rights you have over your information. It is governed by the Israeli Privacy Protection Law, 5741-1981 (including Amendment 13), and — where applicable to EU residents — the EU General Data Protection Regulation (GDPR). The Firm is the data controller. This policy forms part of, and is incorporated by reference into, our Terms & Conditions.

1. Introduction

Aun & Co. — Attorneys & Advisors is a law firm operating in Israel. We are committed to protecting the confidentiality and privacy of every client, prospective client, and website visitor. This policy applies to data collected through our website, our intake and communication channels, and the AI-assisted tools described below.

2. Data We Collect

We collect: (a) information you provide directly — your name, email, phone number, and the contents of messages, calls, and correspondence; (b) matter-related information you share when engaging or consulting the Firm; and (c) technical data collected automatically — IP address, browser type, pages visited, and session duration. We do not collect special-category (sensitive) data unless you provide it voluntarily in the course of a legal matter.

3. Lawful Basis for Processing

We process personal data on the following bases (GDPR Art. 6; Privacy Protection Law §§ 11, 13–14): your consent; the performance of, or steps toward, an engagement with the Firm; the Firm's legitimate interest in operating and responding to inquiries; and compliance with legal and professional obligations.

4. How We Use Your Data, Including AI Assistance

We use your data to respond to inquiries, deliver legal services, operate and secure our systems, and meet legal obligations. The Firm uses artificial-intelligence tools in two — and only two — defined functions: (a) AI assists in drafting client correspondence (emails and letters), and (b) the Nansy AI Secretary handles inbound calls, voice interactions, and asynchronous responses (e.g. WhatsApp and email). In both functions, AI output is a draft or first-line response that a lawyer reviews. The Firm does NOT use AI for document analysis, meeting transcription, or legal research. We never sell personal data.

5. Retention

Inquiries that do not lead to engagement: 12 months. Contact and correspondence records: 24 months. Cookie-consent records: 5 years (legal requirement). Client files: 7 years after the matter closes (Bar Association requirement). We delete or anonymise data once its retention period ends.

6. Data Security

We apply appropriate technical and organisational measures — including TLS encryption in transit, access controls, and contractual data-processing agreements with every sub-processor — to protect personal data against unauthorised access, alteration, disclosure, or loss.

7. International Transfers

Some sub-processors listed below process data outside Israel and the EU (e.g. in the United States). Where data leaves the EEA, transfers are protected by appropriate safeguards (such as Standard Contractual Clauses) and the sub-processor's data-processing agreement, consistent with GDPR Chapter V and Israeli data-protection requirements.

8. Sub-processors (GDPR Art. 28)

The Firm relies on the Nansy platform, which engages the following sub-processors to handle personal data on the Firm's behalf. For each we state the purpose of processing, the categories of data involved, and the processing region. We give notice before adding a new sub-processor.

Sub-processorPurpose of processingData typesRegion
AnthropicClaude AI processing — correspondence drafting and the Nansy AI SecretaryMessage and correspondence text, caller/inquiry context provided to the modelUnited States
SupabasePrimary database and authenticationContact details, matter metadata, CRM and scheduling recordsEU (Frankfurt)
VercelApplication hosting, CDN, and serverless functionsRequest and IP logs, application data in transitEU (multi-region)
ResendTransactional and correspondence email deliveryRecipient email address, message subject and bodyUnited States
MicrosoftMicrosoft 365 email and OneDrive file storage (when a partner connects it)Mailbox content, calendar entries, stored documentsEU / United States
CloudflareDNS, R2 object storage, and KV configuration cacheDNS queries, stored documents and media, cached configurationGlobal (US-headquartered)
Extra MobileInbound voice-call handling and faxCall audio, caller phone number, fax contentIsrael
WhatsApp / MetaInbound WhatsApp message handlingMessage content, sender phone numberUnited States / EU

9. Your Rights (GDPR Articles 15–22)

Subject to the Privacy Protection Law and, where applicable, the GDPR, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your data — the "right to be forgotten" (Art. 17).
  • Restrict processing in certain circumstances (Art. 18).
  • Receive your data in a portable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). Every AI output at the Firm is reviewed by a lawyer; no legal decision about you is made solely by an automated system.

To exercise any of these rights, contact our Data Protection Officer (below). We respond within 30 days.

10. Bar Rule 19 — Confidentiality and AI Ethics

As a law firm, Aun & Co. — Attorneys & Advisors is bound by Rule 19 of the Israel Bar Association Rules (Professional Ethics), 5746-1986: a lawyer must keep secret everything brought to their knowledge by, or on behalf of, a client in the course of performing their duties, and must ensure that the firm's staff do the same.

Our use of AI is governed by the National Ethics Committee's Preliminary Opinion on the Use of Artificial Intelligence in the Work of Lawyers (Opinion את/60/24, May 2024). In line with that opinion: (i) every AI output is treated as a suggestion subject to lawyer review and verification; (ii) client personal data is processed only through the contractually bound sub-processors listed above, under data-processing agreements; and (iii) the Firm — through its attorneys — retains full professional responsibility for every document and communication that leaves the Firm (Rule 2). No professional judgment is delegated to an automated system.

11. Contact & Data Protection Officer

For privacy questions or to exercise your rights, contact us at office@aunand.co, or our Data Protection Officer, Khaled Aun, at khaled@aunand.co. Aun & Co. — Attorneys & Advisors, Israel.

See also our Terms & Conditions.