Lynxbe Platform App

Privacy Policy

Lynxbe Platform — Unified Business Operations

Effective Date: February 13, 2026 | Version 2.0

☑ HIPAA Compliant ☑ CCPA Compliant ☑ Israeli Privacy Law

Table of Contents

About Lynxbe Platform
Data We Collect
How We Use Your Data
Data Sharing & Third Parties
Data Security
Multi-Tenant Isolation
HIPAA Compliance
GDPR Compliance
CCPA & State Privacy Laws
Israeli Privacy Law
Data Retention & Deletion
Your Privacy Rights
Children's Privacy
Push Notifications & Permissions
AI & Automated Processing
Audit Logging & Accountability
International Data Transfers
Changes to This Policy
Contact & Data Protection Officer

1. About Lynxbe Platform

Lynxbe Platform (the "App") is a unified business operations platform developed by Lynxbe Ltd ("we", "us", "our"), an Israeli software company. The App is available on iOS, Android, and Web.

Lynxbe Platform provides businesses with an integrated system connecting:

Communication Channels — WhatsApp Business API, SMS, Voice (VoIP/PSTN), Email, Social Media
CRM — Customer management, deal pipelines, CRM templates, CRM automations
Team Management — Roles, permissions, team visibility scoping
Analytics & Reporting — Business dashboards, conversion tracking, performance reports
Automation — Workflow builder, triggers, scheduled actions, webhook events
AI Enrichment — Smart routing, message suggestions, call intelligence, analytics insights
Voice Administration — IVR flows, call queues, recordings, SIP/FreeSWITCH management
Compliance — GDPR & HIPAA compliance engine, consent management, data classification, audit trails
Notifications — In-app, push, email, WhatsApp, and SMS notification engine
Booking & Services — Appointment scheduling, service catalog, availability management
Invoicing & Payments — Invoice generation, payment tracking, financial reporting

Every feature in the platform is interconnected. No capability exists in isolation — communications feed CRM, CRM feeds analytics, analytics feed automation, and compliance governs all.

2. Data We Collect

2.1 Account & Profile Data

Data	Collection	Purpose
Full name, display name	Required	Account identity, team display
Email address	Required	Authentication, notifications, password recovery
Phone number	Required	Account verification, voice/SMS features
Password	Encrypted	Authentication (bcrypt hashed, never stored in plaintext)
Profile photo	Optional	User identity within team
Role & team assignment	Automatic	Permission enforcement, data visibility scoping

2.2 Business & Organization Data

Data	Collection	Purpose
Business name, address, contact info	Required	Business profile, invoicing, compliance
Business logo & branding	Optional	Branded communications
WhatsApp Business Account tokens	Encrypted	WhatsApp API connectivity (AES-256 encrypted)
Channel configurations (SMS, Voice, Email)	Encrypted	Multi-channel communication delivery
Team structure & user assignments	Automatic	Permission enforcement, conversation routing

2.3 Communication & CRM Data

Data	Collection	Purpose
WhatsApp / SMS / Email messages	Automatic	Conversation management, CRM history
Voice call logs & recordings	Automatic	Call history, quality assurance, AI analytics
Customer contacts & profiles	Required	CRM, customer relationship management
Media files (images, documents, audio, video)	Automatic	Message attachments, document management
Conversation metadata (timestamps, delivery status)	Automatic	Analytics, delivery tracking, SLA monitoring
CRM deals, pipelines, notes	Required	Sales management, revenue tracking
Automation flow configurations	Required	Workflow automation execution

2.4 Device & Technical Data

Data	Collection	Purpose
Device model & OS version	Automatic	App compatibility, bug diagnosis
App version	Automatic	Feature availability, update prompts
IP address	Automatic	Security, audit logging, geo-compliance
Push notification token (FCM/APNs)	Automatic	Push notification delivery
Crash reports & performance data	Automatic	Stability monitoring, bug fixes

2.5 Data We Do NOT Collect

We do not access your device contacts, camera, or microphone unless you explicitly initiate a voice call or media upload
We do not track your location (GPS) — only approximate location from IP address for security
We do not sell your data to advertisers or data brokers — ever
We do not use your communication content for ad targeting
We do not share individual message content with any third party except as required to deliver the message (e.g., WhatsApp API, SMS gateway)

3. How We Use Your Data

Purpose	Legal Basis (GDPR)	Data Used
Provide platform features (messaging, CRM, analytics, automation)	Contract performance	Account, business, communication data
Authenticate users & enforce permissions	Contract performance	Credentials, role, team, JWT tokens
Deliver notifications (in-app, push, email, WhatsApp, SMS)	Contract performance	Contact info, push tokens, preferences
Generate business analytics & reports	Contract performance	Communication metadata, CRM data
Execute automation workflows & triggers	Contract performance	CRM data, communication events, webhook configs
AI enrichment (smart routing, suggestions, call intelligence)	Legitimate interest / Consent	Anonymized communication patterns
Security monitoring & fraud prevention	Legitimate interest	IP address, device info, access patterns
Audit logging & compliance	Legal obligation	All administrative actions, access events
Improve platform stability & performance	Legitimate interest	Crash reports, performance metrics
HIPAA/GDPR compliance enforcement	Legal obligation	Data classification tags, consent records, access logs

4. Data Sharing & Third Parties

We never sell your data. We share data only as necessary to operate the platform:

4.1 Communication Channel Providers

Provider	Purpose	Data Shared	Their Privacy Policy
Meta (WhatsApp Business API)	WhatsApp messaging	Message content, phone numbers, media	WhatsApp Business Policy
SMS Gateway Providers	SMS delivery	Phone numbers, message content	Per provider agreement
FreeSWITCH / VoIP Providers	Voice calls	Phone numbers, call audio (when recording enabled)	Per provider agreement
SMTP / Email Providers	Email delivery	Email addresses, message content	Per provider agreement

4.2 Infrastructure & Service Providers

Provider	Purpose	Data Shared
Amazon Web Services (AWS)	Cloud hosting, RDS, S3 storage	All platform data (encrypted at rest & in transit)
Google Firebase	Push notifications (FCM), crash analytics	Device tokens, crash data
Apple Push Notification Service (APNs)	iOS push notifications	Device tokens, notification payloads
OpenAI	AI features (when enabled by admin)	Anonymized/redacted conversation patterns

4.3 Legal & Business Disclosures

Law enforcement: When required by valid legal process (court order, subpoena)
Business transfers: In case of merger, acquisition, or sale — with advance notice to users
Safety: To prevent imminent harm, fraud, or security threats

5. Data Security

5.1 Encryption

In transit: All data transmitted over TLS 1.2+ (HTTPS)
At rest: AWS RDS encryption, S3 server-side encryption (AES-256)
Credentials: OAuth tokens, API keys, and secrets encrypted with AES-256-GCM before database storage
Passwords: Hashed with bcrypt (12+ salt rounds) — never stored in plaintext

5.2 Access Control

JWT-based authentication with short-lived tokens and refresh rotation
Role-based access control (RBAC) with 6 permission levels: Super Admin, Company Admin, Manager, Employee, Viewer, Custom
Granular permission system with 168+ configurable sub-menu permissions per user
Business module restrictions — administrators can disable entire feature modules
Team-scoped visibility — users only see data assigned to their team unless granted broader access

5.3 Infrastructure Security

AWS VPC with private subnets for database layer
WAF (Web Application Firewall) protection
DDoS mitigation via AWS Shield
Automated security patching and vulnerability scanning
No sensitive data in application logs (tokens, passwords redacted)

6. Multi-Tenant Data Isolation

Lynxbe Platform is a multi-tenant system where each business organization's data is strictly isolated:

Database-level isolation: Every query is filtered by business_id — cross-tenant access is technically impossible at the application layer
API-level enforcement: All API endpoints verify business context from the authenticated JWT — requests without valid business context are rejected
Permission enforcement: Both UI (Flutter) and API (Node.js) independently enforce permissions — no client-side-only checks
Team scoping: Within a business, data visibility is further scoped by team assignment
Audit trail: All cross-boundary access attempts are logged and flagged

7. HIPAA Compliance

HIPAA — Health Insurance Portability and Accountability Act

For businesses in the healthcare sector or those handling Protected Health Information (PHI), Lynxbe Platform provides HIPAA-compliant data handling capabilities.

7.1 Administrative Safeguards

Business Associate Agreement (BAA): Available for healthcare customers upon request. Contact compliance@lynxbe.co.il
Designated Privacy Officer: Responsible for HIPAA compliance oversight
Workforce training: Staff handling PHI undergo privacy and security training
Risk assessments: Regular security risk assessments conducted per HIPAA requirements
Incident response: Breach notification procedures in place per HIPAA Breach Notification Rule (45 CFR §§ 164.400-414)

7.2 Technical Safeguards

Access controls: Unique user identification, role-based access, automatic session timeout
Audit controls: Complete audit trail of all access to PHI — who accessed what, when, and from where
Integrity controls: Data validation, checksums, and tamper detection
Transmission security: All PHI transmitted via TLS 1.2+ encryption
Encryption: PHI encrypted at rest using AES-256
Emergency access: Procedures for accessing PHI during emergencies

7.3 Physical Safeguards

Data center security: AWS data centers meet HIPAA physical safeguard requirements (SOC 2 Type II certified)
Device controls: Mobile app data can be remotely wiped by business administrators
Media disposal: Proper procedures for disposal of electronic media containing PHI

7.4 PHI Data Handling

Data classification: The compliance engine automatically classifies data fields that may contain PHI
Minimum necessary: Users only access the minimum PHI required for their role
De-identification: Analytics and AI features use de-identified data where possible
Consent tracking: Patient consent for communications is tracked and enforced
Retention policies: Configurable PHI retention periods per HIPAA requirements (minimum 6 years for compliance records)
Data redaction: Automated redaction of PHI in exported reports and shared analytics

7.5 Breach Notification

In the event of a breach involving unsecured PHI, Lynxbe will:

Notify affected covered entities without unreasonable delay, no later than 60 days after discovery
Provide details of the breach including: nature of PHI involved, steps taken, mitigation recommendations
Maintain a log of all breaches as required by the Breach Notification Rule
Cooperate with covered entity's obligation to notify HHS and affected individuals

8. GDPR Compliance

8.1 Legal Bases for Processing

Processing Activity	Legal Basis (Art. 6)	Details
Providing platform services	Art. 6(1)(b) — Contract	Necessary to perform the service agreement
Security & fraud prevention	Art. 6(1)(f) — Legitimate Interest	Protecting users and platform integrity
AI-powered features	Art. 6(1)(a) — Consent	Opt-in by business administrator
Marketing communications	Art. 6(1)(a) — Consent	Opt-in with easy unsubscribe
Audit logging	Art. 6(1)(c) — Legal Obligation	Required for compliance and accountability
Analytics & improvement	Art. 6(1)(f) — Legitimate Interest	Improving platform quality (balanced against privacy)

8.2 Data Subject Rights (GDPR Articles 15-22)

Right	Article	How to Exercise
Right of Access	Art. 15	Request a copy of all personal data we hold about you
Right to Rectification	Art. 16	Correct inaccurate or incomplete personal data
Right to Erasure ("Right to be Forgotten")	Art. 17	Request deletion of your personal data
Right to Restrict Processing	Art. 18	Limit how we process your data in certain circumstances
Right to Data Portability	Art. 20	Receive your data in machine-readable format (JSON/CSV)
Right to Object	Art. 21	Object to processing based on legitimate interests
Right Against Automated Decisions	Art. 22	Not be subject to decisions based solely on automated processing
Right to Withdraw Consent	Art. 7(3)	Withdraw consent at any time without affecting prior processing

To exercise any right, email privacy@lynxbe.co.il. We respond within 30 days (extendable to 60 days for complex requests with notice).

8.3 Data Protection by Design & Default (Art. 25)

Privacy settings default to the most restrictive option
Data minimization — we collect only what is necessary for each feature
Pseudonymization applied to analytics data where possible
New features undergo privacy impact assessments before deployment

8.4 Data Processing Agreements (Art. 28)

We maintain Data Processing Agreements (DPAs) with all sub-processors. A list of current sub-processors is available upon request. We notify customers of any changes to sub-processors with 30 days' advance notice.

8.5 Data Protection Impact Assessments (Art. 35)

We conduct DPIAs for high-risk processing activities, including:

Large-scale processing of communication data
AI/ML processing of customer interactions
Processing of special category data (health data for HIPAA-covered entities)

8.6 Cross-Border Data Transfers (Art. 46)

For transfers outside the EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Supplementary measures including encryption and access controls

9. CCPA & State Privacy Laws

For California residents under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA):

Right to Know: What personal information we collect, use, share, and sell (we do not sell)
Right to Delete: Request deletion of personal information
Right to Opt-Out: We do not sell personal information. No opt-out needed.
Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights
Right to Correct: Request correction of inaccurate personal information
Right to Limit Use of Sensitive Data: Control processing of sensitive personal information

10. Israeli Privacy Protection Law

As an Israeli company, we comply with the Israeli Privacy Protection Law, 5741-1981 and its regulations:

We maintain registered databases in accordance with Israeli law
We respect all rights granted to data subjects under Israeli privacy legislation
We comply with the Israeli Privacy Protection Authority (PPA) guidelines
We implement the Information Security Regulations (5777-2017) for database protection
Cross-border data transfers comply with Israeli data export requirements

11. Data Retention & Deletion

Data Type	Retention Period	Deletion Method
Account data	While active + 90 days after closure	Hard delete from all systems
Communication messages	Per business retention policy (configurable)	Soft delete, then hard delete after retention period
Voice recordings	Per business retention policy (default: 90 days)	Deleted from S3 storage
CRM data	While business active + 90 days	Hard delete with cascade
Audit logs	Minimum 12 months (HIPAA: 6 years)	Automated purge after retention
Analytics (aggregated)	Indefinite (anonymized)	No personal data retained
Encrypted backups	30 days rolling	Automatic expiration
Compliance records	Per applicable regulation (up to 6 years)	Automated purge after legal hold

Right to Deletion: You may request deletion of your data at any time by contacting privacy@lynxbe.co.il. We process deletion requests within 30 days, subject to legal retention obligations.

12. Your Privacy Rights

Regardless of your location, you have the following rights:

Access your personal data and receive a copy
Correct inaccurate or incomplete data
Delete your personal data (subject to legal obligations)
Export your data in machine-readable format (JSON, CSV)
Object to processing based on legitimate interests
Restrict processing in specific circumstances
Withdraw consent for optional features (AI, marketing) at any time
Lodge a complaint with a supervisory authority (e.g., Israeli PPA, EU DPA)

How to Exercise Your Rights

Email: privacy@lynxbe.co.il

We will verify your identity before processing any request. Response time: 30 days (GDPR), 45 days (CCPA).

Business administrators can also manage user data directly through the Lynxbe Platform's compliance dashboard.

13. Children's Privacy

The Lynxbe Platform is a B2B business operations tool and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 16 (GDPR) or 13 (COPPA).

If you believe a child has provided us with personal information, contact us immediately at privacy@lynxbe.co.il and we will delete the data promptly.

14. Push Notifications & Device Permissions

14.1 Push Notifications

The App may send push notifications for:

New incoming messages (WhatsApp, SMS, Email)
Incoming voice calls (VoIP)
Team assignments and mentions
CRM pipeline updates and reminders
Scheduled message confirmations
System alerts and maintenance notices

You can disable push notifications at any time through your device's Settings app. Within the Lynxbe app, you can configure which notification types you wish to receive.

14.2 Device Permissions

Permission	When Requested	Purpose	Required?
Notifications	First launch	Push notification delivery	Optional
Microphone	When making a call	VoIP voice calls, voice messages	For voice features only
Camera	When taking a photo	Capture photos for messages	For media features only
Photo Library	When attaching media	Send images/videos in conversations	For media features only
Background Refresh	After setup	Receive calls and messages when app is in background	Optional

All permissions can be revoked at any time through your device settings. The app will continue to function with reduced capabilities.

15. AI & Automated Processing

15.1 AI Features (Opt-In)

The Lynxbe Platform offers optional AI-powered features that must be explicitly enabled by the business administrator:

Smart message suggestions — AI-assisted reply recommendations
Call intelligence — Transcription, sentiment analysis, key topic extraction
Analytics insights — AI-generated business performance summaries
Smart routing — Automated conversation assignment based on content analysis

15.2 Data Used for AI

AI features use anonymized and/or redacted data where possible
PHI (HIPAA) and special category data (GDPR) is automatically excluded from AI processing
We use OpenAI as our AI provider — data sent to OpenAI is subject to their data processing agreement and is not used to train their models
Business administrators can disable all AI features at any time through the platform settings

15.3 Automated Decision-Making

Per GDPR Article 22, we do not make decisions that produce legal effects or similarly significant effects based solely on automated processing. AI features provide recommendations only — human review is always available.

16. Audit Logging & Accountability

The Lynxbe Platform maintains comprehensive audit trails as required by HIPAA and GDPR:

Administrative actions: User creation/deletion, permission changes, settings modifications
Data access: Who accessed customer data, when, and from what IP
Communication actions: Messages sent, calls made, templates used
Compliance events: Consent given/withdrawn, data deletion requests, breach notifications
Authentication events: Logins, failed attempts, password changes, session expirations

Audit logs are immutable, timestamped, and retained per regulatory requirements. Business administrators can access audit logs through the platform's Audit Log page.

17. International Data Transfers

Your data is processed and stored in the following locations:

Region	Infrastructure	Purpose
European Union (Frankfurt, Germany)	AWS eu-central-1	Primary application hosting, database
Europe (Ireland)	AWS eu-west-1	Secondary infrastructure, VoIP services
United States	OpenAI API, Firebase	AI processing (when enabled), push notifications

All cross-border transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, and supplementary technical measures (encryption, access controls).

18. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes:

We will post a prominent notice within the Lynxbe Platform app
We will notify business administrators via email
We will update the "Effective Date" and version number at the top of this page
For HIPAA-covered entities, we will provide 30 days' advance notice of material changes

Continued use of the app after changes take effect constitutes acceptance. If you disagree with changes, you may delete your account.

19. Contact & Data Protection Officer

Contact Type	Details
Privacy inquiries & data subject requests	privacy@lynxbe.co.il
HIPAA compliance & BAA requests	compliance@lynxbe.co.il
Security incidents & breach reports	security@lynxbe.co.il
General support	info@lynxbe.co.il
Company	Lynxbe Ltd, Israel
Website	www.lynxbe.co.il

Data Protection Officer

Our Data Protection Officer (DPO) can be reached at privacy@lynxbe.co.il for any privacy-related concerns, GDPR inquiries, or to exercise your data subject rights.