Privacy Policy
Version 1.0 · Effective: 25 May 2026
This policy explains what data Lametapel processes, how, who else touches it, and what rights you have under Israeli law. Written in plain English on purpose. If anything is unclear, contact our DPO (§11). The Hebrew version controls in case of conflict.
1. Who we are
- Service: Lametapel (למטפל)
- Operator: Itay Dressler (sole proprietor)
- Business contact: [email protected]
- Data Protection Officer: [email protected]
Lametapel is a SaaS platform for licensed mental-health practitioners in Israel. It helps therapists document their sessions — recording, automated transcription, session summaries, and structured clinical records generated with AI.
2. Roles & responsibilities
| Party | Status | Meaning |
|---|---|---|
| Therapist (Lametapel customer) | Data controller for their patients | Responsible for obtaining patient informed consent, professional secrecy under the Patient Rights Law and Psychologists Law, and using the service per the Therapist Agreement. |
| Lametapel (the service) | §15 processor under the Data Security Regulations 2017 | Processes data only on the therapist's instructions and for the purposes the therapist set. |
| Patient | Data subject | Holds all data-subject rights under the Privacy Protection Law and Patient Rights Law (see §9). |
3. Data we hold
Therapists (active users)
- Name, email, identity records (via Clerk)
- Service preferences, aggregate usage statistics
- History of internal chat conversations with the service's AI assistant
Patients (not direct users)
- Display name (typically a first name or nickname)
- Clinical profile fields entered by the therapist: age, gender, family status, presenting issue, diagnoses, medications, risk factors, relevant history
- Audio recordings of sessions (if the patient consented)
- Session transcripts, summaries, clinical records
- Therapist's personal notes
- Appointment schedules
Patient data reaches Lametapel only through the treating therapist.
4. Purposes of processing
- Recording sessions, transcribing them, generating summaries and clinical records.
- Maintaining a longitudinal patient record across sessions.
- An AI assistant interface for the therapist to search their own patient material.
- Service operations: authentication, billing, error tracking.
Data is not used for: AI model training, external research, marketing, or any purpose outside the therapeutic relationship.
5. Sub-processors
| Provider | Role | Processing location | Data category |
|---|---|---|---|
| Google Cloud | Storage, database, compute | Israel (Tel Aviv) | All data |
| Google Gemini | AI model — transcription, summary, clinical record | USA | Transcripts, summaries, profile |
| ElevenLabs | Speech-to-text | USA | Audio recordings |
| PostHog | Product analytics (no clinical content) | EU | Pseudonymous usage events |
| Langfuse | Technical observability of AI calls | EU (Frankfurt) | AI inputs/outputs, 7-day retention |
6. Cross-border transfers
Some processing happens outside Israel (USA and EU). This is permitted under the Privacy Protection (Transfer of Data to Databases Abroad) Regulations 5761-2001, based on:
- documented patient consent in advance (§7);
- DPAs requiring Israeli-equivalent standards;
- contractual no-training and no-onward-transfer commitments.
7. Lawful basis
- Therapists: acceptance of the ToS and Therapist Agreement on signup (contract).
- Patients: written informed consent, collected by the therapist before the first recorded session.
- Clinical records: additionally, Patient Rights Law 5756-1996 §17 requires retention of medical records for at least 7 years.
8. Retention
| Data class | Retention |
|---|---|
| Therapist account | While the account is active |
| Raw audio recordings | Deleted automatically as soon as processing succeeds |
| Transcripts & clinical summaries | 7 years from end of therapy (Patient Rights Law §17) — or until age 25 for minors |
| Internal chat history | While the account is active |
| Langfuse technical logs | 7 days from creation |
| Operational logs | At least 24 months |
9. Your rights (as a patient)
- Right of access — request what is held about you.
- Right to correction — correct inaccurate data.
- Right to deletion — subject to the 7-year clinical-record duty.
- Right to withdraw consent — any consent, separately, at any time.
- Right to receive a copy of your recordings and transcripts.
- Right to object to certain processing.
10. How to exercise a right
Fastest path: ask your therapist — they can perform the action in the system.
Direct channel: [email protected] — Data Protection Officer.
Requests are handled within 30 days.
11. Data Protection Officer
- Name: Itay Dressler (transitional DPO)
- Email: [email protected]
12. Information security
Operated at the high tier under the Privacy Protection (Data Security) Regulations 5777-2017: encryption in transit and at rest; role-based access; audit logs; periodic penetration tests; written incident-response plan.
13. Changes to this policy
This is version 1.0. Material changes are notified to therapists by email at least 14 days in advance.
14. Governing law
Israeli law. Exclusive jurisdiction: the courts of Tel Aviv-Yafo.