Privacy Policy

Last updated: May 2026

Effective date: May 2026

1. Introduction and Controller Identity

Mr. Robot ("we", "our", "us") operates the services offered at mrrobot.co.il and its associated platforms. This policy explains what personal data we collect, how we use it, who we share it with, and the rights available to you. For any privacy-related inquiry, please contact us at contact@mrrobot.co.il.

2. Information We Collect

We collect the following categories of personal data:

  • Account and contact data: name, email address, phone number, company name, and billing address.
  • Payment data: handled by our payment provider. We do not store card details on our servers.
  • Content you provide: files, text, branding, messages, and other information you upload or create.
  • Technical data: IP address, browser type, operating system, device information, and approximate location.
  • Communications: emails, support tickets, and chat messages you send to us.
  • WhatsApp data: applies only when you contact us via WhatsApp (see section 8).
  • Google account information: when a customer connects a Google account to enable the meeting-booking feature on a landing page, we receive an OAuth access token, refresh token, token expiry, granted scope string, and the connected Google account email address. See section 9.
  • Cookies and similar technologies: see section 6.

3. Legal Basis for Processing

We process personal data on one or more of the following bases: (a) performance of a contract with you; (b) your consent, which you may withdraw at any time; (c) our legitimate interests (such as securing the Service, preventing fraud, and improving the product), balanced against your rights; (d) compliance with a legal obligation to which we are subject.

4. How We Use Your Information

  • To provide, operate, and maintain the Service.
  • To manage accounts, billing, subscriptions, and invoicing.
  • To communicate with you about the Service, updates, and support.
  • To improve the Service and its quality, including the quality of models and automated outputs.
  • To prevent fraud, abuse, and security incidents.
  • To comply with legal obligations and enforce our agreements.

5. Automated Processing and AI

The Service uses artificial intelligence to generate content and to automate interactions on your behalf. AI output may contain errors and should be reviewed before use. We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you. Google user data received via Google APIs (including data from the Google Calendar API) is excluded from any model training, fine-tuning, or quality-improvement process, and is never sent to any AI provider. See section 9.

6. Cookies and Similar Technologies

We use cookies in the following categories: essential (authentication and session state), preferences (language, theme, and similar), analytics (usage measurement and improvement), and affiliate attribution. You can manage consent through the cookie banner on the site and through your browser settings. Blocking certain cookies may affect how the Service works.

7. Sharing with Third Parties

We do not sell your personal data. We share information only with the following categories of service providers acting on our behalf and under our instructions:

  • Payment processors (for billing and fraud prevention).
  • Cloud infrastructure and storage providers.
  • Communication providers (email, SMS, messaging).
  • AI providers (for features that rely on generative AI).
  • Google (Google Identity Services for "Sign in with Google", and the Google Calendar API for the meeting-booking feature) — see section 9 for the specific data, scopes, and limited-use commitments.
  • Analytics and security providers.
  • Professional advisors, public authorities, and law-enforcement authorities — where legally required or to protect our rights.

A current list of our sub-processors is available on written request.

8. Meta WhatsApp Business Platform

When you contact us via WhatsApp, we receive from Meta your WhatsApp phone number, WhatsApp ID, public display name, and message content (text, images, audio, documents). This information is used to respond to your inquiries, provide support, and power our chatbot services. To request deletion, email contact@mrrobot.co.il with the subject "DELETE MY DATA" and your phone number. WhatsApp conversations are retained until you request deletion or the conversation is considered inactive, subject to applicable law and Meta's policies.

9. Google Account Connections (Google Calendar Integration)

Customers who run a landing page may choose to connect their Google account so that visitors can book meetings directly into their Google Calendar. When the customer authorizes the connection, we receive and store the following from Google: an OAuth access token, an OAuth refresh token, the access-token expiry, the granted scope string, and the email address of the connected Google account. We request the scope https://www.googleapis.com/auth/calendar.events (to read free/busy times and to create events on calendars the user owns) together with the basic profile email scope (to display which Google account is connected).

We use Google user data only to power the meeting-booking feature the customer enabled: (a) reading free/busy intervals on the calendar selected by the customer to compute available slots for visitors; (b) listing the customer's writable calendars in the settings UI so they can pick which calendar to book into; (c) creating events on that calendar, with the visitor's name and email as the event attendee, when a visitor submits the booking form.

Limited Use. Mr. Robot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Google user data to serve advertising or for any advertising purpose.
  • We do not sell Google user data and we do not transfer it to data brokers or information resellers.
  • We do not use Google user data to train, fine-tune, or improve any generalized or third-party AI/ML model, and we do not send Google user data to any AI provider.
  • We do not allow humans to read Google user data except (i) with the customer's explicit consent, (ii) for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized.

Storage and security. OAuth tokens and the connected account email are stored on the same cloud infrastructure as the rest of the customer's account, protected by access controls and encryption in transit. No part of this data is sent to any third party other than Google itself, in order to call the Google Calendar API on the customer's behalf.

Retention and deletion. OAuth tokens and connected-account metadata are retained for as long as the customer keeps the integration enabled on their landing page. The customer can disconnect at any time from /platform/landing-pages → Meetings → Disconnect Google, which immediately revokes the refresh token at Google's /oauth2/revoke endpoint and erases the stored OAuth blob. The customer can also independently revoke our access at any time from https://myaccount.google.com/permissions. Events already created on the customer's Google Calendar before disconnection remain on Google's calendar and are governed by Google's own terms; we do not retain a copy of the event body.

Visitor data. When a visitor books a meeting on a customer's landing page, the visitor's name, email address, the chosen time slot, and the form submission are sent to Google to be inserted as an event (with the visitor as the attendee) on the customer's calendar. In that flow the customer is the data controller for the visitor's data and Mr. Robot acts as a data processor on the customer's behalf (see section 16). Visitors who want their data removed should contact the customer who owns the landing page; we will assist customers in honoring such requests.

10. International Data Transfers

Your data may be transferred to and processed outside of your country of residence (including outside the European Economic Area). Where legally required, we rely on appropriate safeguards, such as adequacy decisions or standard contractual clauses.

11. Data Retention

We retain personal data for as long as necessary to provide the Service, to comply with legal, accounting, and tax obligations, to resolve disputes, and to enforce our agreements. When data is no longer needed, we delete or anonymize it. Retention periods vary by data category and applicable law. OAuth tokens and connected-Google-account metadata associated with the Calendar integration are retained while the integration is enabled and erased immediately on disconnect — see section 9.

12. Your Rights

Subject to applicable law, you have the following rights: access to your personal data; rectification of inaccurate data; erasure; restriction of processing; data portability; objection to processing; withdrawal of consent at any time without affecting processing carried out beforehand; and the right to lodge a complaint with the competent supervisory authority. To exercise these rights, contact us at contact@mrrobot.co.il.

13. Region-Specific Rights

Israel: processing is conducted in accordance with the Protection of Privacy Law, 5741-1981, and regulations issued under it.
European Union / United Kingdom: EEA and UK residents are entitled to the rights provided by the GDPR (and UK GDPR), including the right to lodge a complaint with a national supervisory authority.
California (USA): California residents have rights under the CCPA/CPRA, including the right to know, the right to delete, and the right not to have their personal information "sold" or "shared." We do not sell personal information.

14. Children's Privacy

The Service is not directed to children under the age of 16 (European Union) or under the age of 13 (United States). We do not knowingly collect personal data from minors. If we become aware that such data has been collected, we will delete it. A parent or guardian may contact us to request deletion.

15. Security

We implement reasonable technical and organizational measures to protect your data, including encryption in transit and access controls. However, no method is completely secure. In the event of a material security incident, we will act in accordance with applicable notification requirements.

16. Customer Sites — Processor Relationship

When you use the Service to build a site or application that collects data from your own visitors, you act as the data controller and we act as the data processor on your behalf. You are responsible for publishing your own privacy policy, obtaining required consents, and complying with the laws applicable to your activity.

17. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the content or privacy practices of external sites or of sites built by you and hosted elsewhere.

18. Changes to This Policy

We may update this policy from time to time. Material changes take effect no earlier than 30 days after reasonable notice (by email or in-platform message), and the "Last updated" date at the top of this document will reflect the change.

19. Contact

For questions, requests, or exercise of rights under this policy, contact us at contact@mrrobot.co.il or through our contact page.