O.Dev (“we”, “us”), incorporated in Israel, operates the Marv.inbox platform (“Service”). This Privacy Policy explains what personal data we collect, why, how we use and share it, how long we retain it, and what rights you have. It complies with the Israeli Protection of Privacy Law, 5741-1981 (PPL) and its Amendment No. 13 (effective August 14, 2025).
O.Dev is the data controller for personal data processed in connection with operating the Service and managing customer accounts.
For personal data that our clients submit about their own customers (“End Users”), our clients are the data controllers and we act as a data processor under their instructions.
| Category | Examples |
|---|---|
| Account | Full name, email address, phone number, company name, job title |
| Authentication | Password (hashed — never stored in plain text), session tokens |
| Billing | Card details (processed by Stripe — we never store raw card numbers), billing address, VAT number |
| Communications | Support messages, survey responses |
| Category | Examples | Retention |
|---|---|---|
| Usage data | Features accessed, pages visited, session duration | 90 days |
| Technical data | IP address, browser type, OS, device type | 30 days |
| Server logs | Access logs, error logs | 30 days |
| Cookies | Session cookies, preference cookies | See Section 9 |
When clients use the Service to manage their customer communications, End User data passes through our platform. We process it solely under the client's instructions and never use it for our own purposes.
| Category | Examples |
|---|---|
| Identifiers | Phone numbers, WhatsApp/Messenger/Telegram IDs, email addresses |
| Profile | Names, profile photos (from messaging platforms) |
| Conversation content | Messages, attachments (images, documents, voice notes) across all connected channels |
| Contact metadata | Labels, notes, conversation history, assigned agent or team |
| Basis | When We Rely On It |
|---|---|
| Consent | Newsletter subscriptions, optional analytics cookies, marketing communications |
| Contract performance | Providing the Service, processing payments, managing your account |
| Legal obligation | Tax records, regulatory compliance, court orders |
| Legitimate interests | Service security, fraud prevention, platform improvement using aggregated data |
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Subscription duration + 12 months | Account management, disputes |
| Billing records | 7 years | Israeli tax law (Income Tax Ordinance) |
| End User data (processor) | Subscription duration + 30 days | Service delivery; export grace period |
| Server / access logs | 30 days | Security monitoring |
| Backup snapshots | Up to 90 days | Disaster recovery |
| Support records | 3 years from resolution | Quality assurance |
We share data only as necessary to operate the Service. All processors are bound by data processing agreements.
| Processor | Role | Location |
|---|---|---|
| Supabase | Database hosting | US / EU |
| Google Cloud Run | Backend application hosting | US (Iowa) |
| Fly.io | Worker process hosting | Singapore |
| Vercel | Frontend hosting and CDN | Global edge |
| Redis Labs (Redis Cloud) | Real-time events and job queues | US |
| Cloudflare | DNS, DDoS protection, TLS, CDN | Global |
| Processor | Role | Location |
|---|---|---|
| Stripe | Payment processing and invoicing | US / EU |
| Processor | Role | Location |
|---|---|---|
| Meta Platforms | WhatsApp Business API, Messenger API, Instagram API | US |
| Telegram | Telegram Bot API | Various |
| Microsoft | Microsoft Teams API | US / EU |
Some processors listed above are located outside Israel. We ensure adequate protection through Standard Contractual Clauses (SCCs), Data Processing Agreements, and by transferring only to countries with an adequate level of protection. Israel has been recognised as providing adequate data protection under EU GDPR. Transfers are documented in accordance with Amendment 13.
| Measure | Details |
|---|---|
| Encryption in transit | TLS 1.2+ for all data transmission |
| Encryption at rest | AES-256 for sensitive configuration data and credentials |
| Access control | Role-based access control (RBAC); least-privilege principle |
| Network security | Private VPC networks; databases not exposed to public internet |
| Audit logging | Access and activity logs for security-relevant operations |
In the event of a personal data breach, we will notify the Israeli Privacy Protection Authority (PPA) within 72 hours and affected individuals without undue delay, as required by Amendment 13.
| Type | Purpose | Can Be Disabled? |
|---|---|---|
| Essential | Authentication, CSRF protection — required for the Service to function | No |
| Functional | User preferences (language, theme) | Yes |
| Analytics | Aggregated, anonymised usage statistics | Yes |
Manage cookies through your browser settings or your account preferences. We do not use cookies for cross-site behavioural advertising.
Under the PPL and Amendment No. 13, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data in Hebrew, Arabic, or English. |
| Correction | Request correction of inaccurate or incomplete data. |
| Deletion | Request erasure where there is no legal basis for continued retention. |
| Restriction | Request that we limit processing in certain circumstances. |
| Object | Object to processing based on legitimate interests. |
| Data portability | Receive your data in a structured, machine-readable format. |
| Withdraw consent | Withdraw consent at any time without affecting prior processing. |
The Service is for business use only. We do not knowingly collect personal data from individuals under 18. Contact us at privacy@oshri.dev if you believe we have inadvertently collected such data.
We may update this Policy from time to time. Material changes will be communicated by email or in-platform notice at least 14 days before taking effect. Continued use of the Service after the effective date constitutes acceptance.
O.Dev — HaBarzel 38, Tel Aviv, Israel — privacy@oshri.dev