
WhatNextAI
Privacy Policy
v1.0 — Effective 14 July 2026
Effective date: 14 July 2026
This Privacy Policy describes how WhatNext Ltd (Company No. 517203642), a company incorporated in Israel with its registered office at 4 Gershon Shatz St., Tel Aviv-Yafo, Israel, doing business as “WhatNextAI” (“WhatNext”, “we”, “us”), collects, uses, shares and protects personal data in connection with our website at whatnextai.com (the “Site”) and our execution-and-governance platform and related services (the “Services”).
Summary of key points
- We are an Israeli company. Our processing is governed primarily by the Israeli Protection of Privacy Law, 5741-1981 (“PPL”), the Privacy Protection (Data Security) Regulations, 5777-2017, and guidance of the Israeli Privacy Protection Authority (“PPA”). Where we serve customers in the EEA or the UK, the GDPR / UK GDPR also applies.
- Two roles. For Site visitors, prospects, investors and our customers’ business contacts we act as a controller. For personal data our customers submit to the platform (“Customer Data”), we act as a processor on the customer’s documented instructions under our Data Processing Addendum (“DPA”). This Policy covers the first role; Customer Data is governed by the customer’s own privacy notices and the DPA.
- We do not sell personal data.
- To exercise your rights, including inspection and rectification rights under sections 13–14 of the PPL, contact privacy@whatnextai.com.
1. What information we collect
| Category | Examples | Source |
|---|---|---|
| Identifiers & contact details | Name, business e-mail, phone, employer, job title | You; your employer; public professional sources (e.g., LinkedIn) |
| Commercial information | Inquiries, proposals, contract and billing details | You; your employer |
| Internet & device activity | IP address, browser and OS, pages viewed, referring URL; aggregated, anonymized site-usage statistics (cookieless analytics) | Automatic collection (see Section 6) |
| Communications | E-mails, meeting notes, support requests | You |
| Marketing & investor-relations data | Preferences, consents and opt-outs, event registrations, investor-update subscriptions | You |
| Recruitment data | CVs, references, interview notes (candidates) | You; recruiters |
2. How we collect it
Directly from you (forms, e-mail, meetings, events); automatically when you use the Site (server logs and strictly necessary cookies — see Section 6); and from third parties such as your employer (when it is our customer or prospect), business partners, and publicly available professional sources.
3. Why we process it
- Providing, operating, securing and improving the Site and the Services, including understanding aggregate Site usage through anonymized, cookieless analytics;
- Responding to inquiries; managing pre-contractual discussions, pilots and proofs-of-concept;
- Contract administration, invoicing, accounting and audit;
- Sending investor updates and business communications to people who have shared their contact details with us or opted in — every mailing includes a working unsubscribe option, and we honor opt-outs immediately, consistent with Section 30A of the Israeli Communications (Telecommunications and Broadcasting) Law, 5742-1982;
- Security, fraud prevention, and compliance with legal obligations;
- Establishing, exercising or defending legal claims;
- Recruitment.
4. Legal bases
Under the PPL, our processing rests on the data subject’s informed consent or on another authorization under law. Notice under Section 11 of the PPL: you are under no legal duty to provide personal data to us; provision is voluntary; the purposes are those listed in Section 3; the recipients are those listed in Sections 5 and 7.
Where the GDPR / UK GDPR applies, we rely on the following bases:
| Processing | GDPR basis |
|---|---|
| Responding to inquiries, pre-contractual steps, providing the Services | Art. 6(1)(b) — contract / pre-contractual steps |
| B2B relationship management, investor relations, Site security, aggregated cookieless Site analytics | Art. 6(1)(f) — legitimate interests, balanced against your rights |
| E-mail communications where consent is required | Art. 6(1)(a) — consent |
| Accounting, tax and regulatory duties | Art. 6(1)(c) — legal obligation |
5. Sharing and recipients
We share personal data only with the following categories of recipients, under contractual confidentiality and data-protection terms:
- Hosting and infrastructure: Hetzner Online GmbH (Falkenstein, Germany) — platform infrastructure; Framer B.V. (Amsterdam, the Netherlands) — website hosting and built-in cookieless site analytics (aggregated and anonymized; see Section 6).
- AI model services: Google (Gemini models via Google Cloud services) — processing of content within the cloud edition of the Services. Our agreements do not permit the use of such content to train Google’s foundation models. In customer-hosted (on-premise) deployments, content is processed entirely within the customer’s own environment and is not sent to any external model provider.
- Business tools: Google Workspace — corporate e-mail and document collaboration.
- Professional advisers: lawyers, accountants, auditors and insurers, under professional or contractual confidentiality.
- Corporate transactions: potential investors or acquirers in due diligence, under confidentiality obligations and data minimization.
- Authorities: where required by law or court order.
We do not sell personal data and do not share it for cross-context behavioral advertising. A full list of subprocessors that process Customer Data on the platform is available to customers and prospective customers upon request at privacy@whatnextai.com.
6. Cookies and analytics
The Site uses only strictly necessary cookies set by our website platform — those required for the Site to function and to maintain security. We do not set analytics, advertising or other non-essential cookies.
To understand how the Site is used, we rely on our website platform’s built-in cookieless analytics (Framer B.V.): it sets no cookies and creates no persistent identifiers. To count daily unique visitors, the visitor’s IP address and browser signature are hashed with a secret key that rotates and is deleted every day; the resulting statistics are aggregated and anonymized and cannot be traced back to any individual. Because no identifier is stored on your device and no individual-level profile is created, this processing does not require your consent; our legal basis is our legitimate interest in understanding and improving the Site.
If we ever introduce non-essential cookies or individual-level tracking, we will deploy a consent banner and publish a cookie policy before doing so, in line with PPA guidance on consent.
7. International transfers
- Our infrastructure is located in the European Union (Germany and the Netherlands); our team operates from Israel. Transfers from the EEA to Israel are covered by the European Commission’s adequacy decision for Israel; transfers from the UK are covered by UK adequacy regulations.
- Transfers of personal data from Israel are made in accordance with the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001.
- Where AI model services process data in the United States, the transfer is protected by the provider’s certification under the EU–US Data Privacy Framework and/or the EU Standard Contractual Clauses incorporated in its terms.
8. Retention
We keep personal data only as long as necessary for the purposes above or as law requires, then delete or anonymize it:
| Data | Retention |
|---|---|
| Prospect, marketing and investor-relations data | 24 months after last meaningful interaction, or until you opt out |
| Customer contract & billing records | 7 years (Israeli tax and accounting requirements) |
| Site server logs | 12 months |
| Recruitment data (unsuccessful candidates) | 12 months after the decision, then deleted |
| Customer Data on the platform | Per customer instructions and the DPA — returned or deleted on termination |
9. How we keep it safe
We maintain administrative, technical and physical safeguards aligned with the Privacy Protection (Data Security) Regulations, 5777-2017, including encryption in transit (TLS 1.2+), role-based least-privilege access controls, logging, personnel confidentiality undertakings, and vendor due diligence. Security incidents are handled under a documented procedure, including notification to the PPA and affected individuals where required by law.
10. Children
The Site and Services are intended for business users aged 18 and over. We do not knowingly collect data from children.
11. Your rights
- Israel (PPL): the right to inspect data held about you (s.13), to request correction or deletion of inaccurate, incomplete or outdated data (s.14), to opt out of direct-mailing (s.17F), and to complain to the Privacy Protection Authority.
- EEA/UK (GDPR): access, rectification, erasure, restriction, portability, objection (including to direct marketing), withdrawal of consent, and complaint to your supervisory authority.
- We will not discriminate against you for exercising any right.
12. How to exercise your rights
E-mail privacy@whatnextai.com. We will verify your identity proportionately, respond within the period required by law, and keep a record of your request. If we hold your data only as a processor for one of our customers, we will refer your request to that customer and assist them under the DPA.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be flagged on the Site with a new effective date and, where required by law, notified or re-consented.
14. Contact
WhatNext Ltd (Company No. 517203642), 4 Gershon Shatz St., Tel Aviv-Yafo, Israel.
Privacy inquiries and rights requests: privacy@whatnextai.com. You may also lodge a complaint with the Israeli Privacy Protection Authority.
