Asaf KatzGTM Advisory

Legal · Privacy

Privacy Policy

Last updated: 7 July 2026

1. Who we are

Data controller: Asaf Katz Advisory, operated by Asaf Katz. Our principal place of business is Tel Aviv, Israel, with clients and visitors worldwide.

Privacy contact: privacy@asafkatz.com

This policy covers all personal data collected via https://asafkatz.com and any associated service (contact forms, newsletter sign-up, proposals, teardown tool, and the first-party visitor pixel).

2. Data we collect and why

ContextData collectedPurposeLegal basis (GDPR)
Contact / enquiry formsName, email, company, website URL, free-text messageRespond to your enquiry; assess commercial fitLegitimate interest (pre-contractual communication)
Newsletter sign-upEmail addressSend the newsletter; measure open / click ratesConsent (you opt in; you can unsubscribe at any time)
Teardown toolLanding-page URL or copy you paste; optional emailDeliver the AI analysis; improve the modelLegitimate interest / consent if email provided
GTM Check formCompany stage, revenue, channels, emailProvide a personalised recommendation; follow up if requestedLegitimate interest / consent
Proposal systemName, email, company, signatureExecute a consulting agreementContract performance; legal obligation (record-keeping)
Analytics & pixelPseudonymous visitor ID, page views, referrer, rough geo (country/city)Understand site traffic; improve contentConsent (via Cookiebot banner)
Server logsIP address, browser/OS, timestampSecurity, fraud prevention, uptimeLegitimate interest

We do not collect sensitive personal data (health, race, religion, biometrics, etc.). We do not sell personal data to any third party.

3. Cookies and tracking

We use Cookiebot to manage cookie consent. On your first visit a banner appears. You may accept all, reject non-essential, or choose granular categories:

  • Strictly necessary — session security, consent record. No opt-out required.
  • Statistics / analytics — first-party pixel (sr.js), aggregate usage data. Opt-in required (EU/AU/NZ/CA).
  • Marketing — currently none set. Reserved for future use.

You can change your preferences at any time:

The full Cookiebot cookie declaration is embedded on this page and lists every cookie, its duration, and its purpose. We honour the Global Privacy Control (GPC) browser signal as an opt-out of non-essential tracking under CCPA/CPRA.

4. How long we keep data

Data typeRetention period
Contact / enquiry3 years from last contact, or until deletion request
NewsletterUntil you unsubscribe; then deleted within 30 days
Teardown / GTM Check12 months (statistical improvement), then anonymised
Signed proposals7 years (legal/accounting obligation)
Analytics / pixel data13 months rolling
Server logs90 days

5. Who we share data with

We share data only with processors who act on our instructions under appropriate safeguards:

ProcessorLocationPurposeTransfer mechanism
Vercel Inc.USAWebsite hosting and serverless functionsSCCs + DPF
Supabase Inc.USA (AWS us-east-1)Database (form submissions, proposals, analytics events)SCCs
Resend Inc.USATransactional email deliverySCCs
Cybot A/S (Cookiebot)Denmark (EU)Cookie consent managementEU–based
Calendly LLCUSAMeeting booking (if you click a Calendly link)SCCs + DPF

SCCs = EU Standard Contractual Clauses. DPF = EU–US Data Privacy Framework. No data is transferred to countries without an adequacy decision or appropriate safeguards.

We may disclose data if required by law, a court order, or to protect legal rights.

6. Your rights — GDPR / UK GDPR (EU & UK residents)

Under the GDPR and UK GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion where no overriding legitimate interest or legal obligation applies.
  • Restriction — pause processing while accuracy or lawfulness is disputed.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests (including direct marketing).
  • Withdraw consent — at any time, without affecting prior processing.
  • Lodge a complaint — with your national supervisory authority (e.g. the Irish DPC, UK ICO, or the authority in your country of residence).

Submit a request: asafkatz.com/dsr or email privacy@asafkatz.com. We respond within 30 days.

7. Your rights — CCPA / CPRA (California residents)

California residents have the following rights under the California Consumer Privacy Act (as amended by CPRA):

  • Know — what personal information we collect, use, share, or sell.
  • Delete — request deletion of your personal information, subject to exceptions.
  • Correct — request correction of inaccurate personal information.
  • Opt-out of sale / sharing — we do not sell or share personal information for cross-context behavioural advertising. We honour the GPC signal as an opt-out.
  • Limit use of sensitive personal information — we do not collect sensitive PI as defined by CCPA.
  • Non-discrimination — exercising your rights will not result in different service or pricing.

To submit a request: asafkatz.com/dsr. We will verify your identity before fulfilling access or deletion requests. Response within 45 days (extendable by 45 days with notice).

Categories of personal information collected in the past 12 months: identifiers (name, email), internet activity (page views, referrer), geolocation (country/city). No sale or sharing has occurred.

8. Your rights — Australian Privacy Act 1988 (Australian residents)

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to:

  • Access the personal information we hold about you (APP 12).
  • Correct personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
  • Know how data is collected and used — this policy satisfies APP 1 and APP 5 notice requirements.
  • Opt out of direct marketing at any time (APP 7).
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We take reasonable steps to protect personal information from misuse and unauthorised access (APP 11). Cross-border disclosures (e.g. to US processors) are covered by contractual obligations equivalent to the APPs (APP 8).

Submit a request: asafkatz.com/dsr. Response within 30 days.

9. Your rights — NZ Privacy Act 2020 (New Zealand residents)

We comply with the New Zealand Privacy Act 2020 and the 13 Information Privacy Principles (IPPs). You have the right to:

  • Access personal information we hold about you (IPP 6).
  • Correct inaccurate or misleading personal information (IPP 7).
  • Know the purpose for collection at or before the time of collection (IPP 3).
  • Lodge a complaint with the New Zealand Privacy Commissioner at privacy.org.nz.

We take reasonable security safeguards (IPP 5) and will notify the Privacy Commissioner and affected individuals of serious privacy breaches (mandatory breach notification). Response to access requests within 20 working days.

10. Your rights — PIPEDA / Law 25 (Canadian residents)

We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Law 25 (Act to modernise legislative provisions as regards the protection of personal information).

  • Access — you can request access to your personal information.
  • Correction — you can challenge the accuracy of your data.
  • Withdraw consent — where processing is consent-based, you may withdraw at any time.
  • Portability (Quebec) — you may request your data in a structured, commonly-used technological format.
  • Automated decision-making (Quebec) — you may request human review of automated decisions that significantly affect you.
  • Lodge a complaint — with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or the Commission d'accès à l'information du Québec for Quebec matters.

We collect only the minimum personal information necessary (data minimisation). Response within 30 days.

11. Security

We use industry-standard measures: TLS encryption in transit, encrypted databases at rest, access controls, and regular security reviews. Despite these measures, no system is impenetrable. In the event of a breach that is likely to result in significant harm, we will notify affected individuals and relevant regulators as required by law.

12. Children

This site is directed at business professionals and is not intended for children under 16 (or 13 in jurisdictions where that is the minimum age). We do not knowingly collect data from children. If you believe a child has submitted data to us, contact privacy@asafkatz.com and we will delete it promptly.

13. Changes to this policy

We may update this policy periodically. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by a notice on the homepage for 30 days. Continued use of the site after that period constitutes acceptance of the revised policy.

14. Contact and complaints

For any privacy question, DSR, or complaint:

If you are not satisfied with our response you may lodge a complaint with the supervisory authority in your jurisdiction (see sections 6–10 above for the relevant authority).

Submit a data request