Chuppah LLC (“Chuppah,” “we,” “us,” or “our”), a Delaware limited liability company, operates thestateofisrael.com (the “Site”). This Privacy Policy explains what information we collect, how we use it, and the choices available to you. By using the Site you consent to the practices described here. If you do not agree, please do not use the Site.
This document is authoritative in English. Translations provided elsewhere on the Site are for convenience only; in any conflict, the English text controls.
1. Information we collect
1.1 Information you provide
- Newsletter subscription. If you subscribe from the footer form, we collect the email address you enter.
- Account. If you create an account, we collect your email address, a display name you choose, and, if you sign in with Google, the identifiers Google returns to us (Google user ID, email, email-verification status). We do not receive your Google password.
- Comments. If you post a comment on a news item, we store the comment text, your account ID, and a timestamp. Comments are public.
- Community content. If you use community features, we store the forum posts and replies, thoughts, thought comments, group posts and comments, connection maps, tags, reactions, moderation actions, and timestamps you submit. Public community content remains public unless removed under our Terms or privacy controls.
- Social graph and saved items. If you follow users, save articles, join groups, bookmark forum posts, or change privacy settings, we store the choices needed to provide those features.
- Direct messages. If you use messages, we process message plaintext to encrypt, deliver, decrypt, display, and moderate messages. Message bodies are stored at rest as AES-GCM ciphertext, but this is server-mediated encryption, not end-to-end encryption: our backend holds the key material needed to decrypt messages for delivery, safety, and administrator review.
- Contact form. If you write to us through the Site, we collect your email address, any name you provide, and the body of your message.
1.2 Information collected automatically
- Request metadata. Each request to the Site includes an IP address, country, user-agent (browser), and referring URL, provided by our hosting provider Cloudflare. Our application layer does not write raw IPs to durable storage, but IPs may appear in Cloudflare access logs and in short-lived rate-limiting state.
- Analytics events. We operate a first-party analytics stack that records page views and clicks. Each event is tagged with an anonymous UUID stored in your browser’s localStorage (tsoi_analytics_id), a session ID (tsoi_analytics_session), and device properties (browser, operating system, screen size, timezone from Intl.DateTimeFormat).
- Cookies and browser storage. See Section 3.
1.3 Information from third-party sign-in
If you choose to sign in with Google, we receive from Google only the data associated with the scopes you approve: your Google account email, email-verification status, name, profile picture URL, and Google user ID. We do not receive your Google password. We do not use, transfer, or store Google user data for purposes other than authenticating your access and populating your account profile. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google’s own handling of your data is governed by Google’s privacy policy.
1.4 Data we do not collect
Chuppah LLC does not collect, process, share, or sell:
- “consumer health data” as defined by the Washington My Health My Data Act (RCW ch. 19.373) or comparable statutes in Nevada and Connecticut;
- “biometric identifiers” or biometric information as defined by the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), or comparable state statutes;
- precise geolocation, government-issued identification numbers, financial-account credentials, or credit/debit-card numbers;
- content of communications with third parties not addressed to the Site.
We do not operate a health, wellness, reproductive-health, biometric-identification, financial, or advertising service, and none of our infrastructure providers infer health, biometric, or financial status from your visit.
2. How we use information
- Deliver the Site and its features (accounts, comments, forum, thoughts, groups, messages, saved articles, follows, notifications, and newsletter).
- Send you emails you asked for (magic sign-in codes, newsletter, contact-form confirmations).
- Send administrative notifications to Site operators.
- Detect abuse, enforce rate limits, and protect the Site and its users.
- Understand aggregate usage and improve the Site.
- Comply with legal obligations.
We do not sell your personal information. We do not use your information to serve advertising, and we do not participate in cross-context behavioral advertising.
3. Cookies and similar technologies
We use a small number of first-party cookies and browser-storage items. We do not set third-party advertising cookies and do not use cross-site tracking pixels.
- tsoi_session — HttpOnly session cookie for signed-in accounts. Contains a signed token identifying your account. Expires approximately 30 days after issue; cleared on sign-out.
- tsoi_locale_choice — records your language preference so we do not show the first-visit language picker again.
- tsoi_analytics_id (localStorage) — anonymous UUID used for analytics.
- tsoi_analytics_session (sessionStorage) — analytics session identifier, refreshed after ~30 minutes of inactivity.
You can clear these at any time in your browser’s settings. Blocking the session cookie will prevent you from signing in.
3.1 Do-Not-Track and Global Privacy Control
Because there is no industry-standard interpretation of the browser Do-Not-Track (“DNT”) header, we do not currently respond to it. We do honor the Global Privacy Control (“GPC”) signal as a valid opt-out of any “sale” or “sharing” of personal information under the California Consumer Privacy Act as amended by the CPRA (see Section 6.2). Regardless of either signal, we do not sell or share personal information as those terms are defined by California law.
3.2 First-party analytics and cookie consent
Our analytics stack is entirely first-party: it runs on infrastructure we operate at ntpyi.storyz.com, stores only session and anonymous-identifier data, performs no cross-site tracking, uses no IAB TCF framework or ad-tech integration, and does not profile individual users. IP addresses are anonymized server-side before long-term storage. On this basis we treat these first-party audience-measurement cookies as consent-exempt for EU/UK visitors under the strict-analytics guidance issued by the French CNIL (deliberation of 17 March 2022, updated 2024), the Spanish AEPD, and the Italian Garante. Where a Member State authority requires prior consent for first-party analytics, EU/UK visitors can clear their analytics identifier from the browser at any time; blocking cookies for our origin prevents analytics collection.
4. Sharing with service providers and third parties
We share data only with the service providers we use to operate the Site. Each is contractually limited to processing on our behalf:
- Cloudflare, Inc. — hosting, CDN, security, rate limiting.
- Amazon Web Services (AWS SES) — transactional and notification email.
- Google Cloud Platform — the accounts, comments, community, messages, notifications, and social-feature backend runs on Google Cloud Run and Google Cloud SQL, processing data on our behalf as a subprocessor.
- Google LLC (Sign in with Google) — only if you choose Google sign-in. This is a direct interaction with Google under Google’s terms.
- Chuppah-operated analytics service — analytics events are transmitted to a first-party analytics endpoint we operate at ntpyi.storyz.com. No third-party analytics or advertising SDKs are embedded on the Site.
We may disclose information (a) when required by law, court order, or lawful government request; (b) to protect the safety, rights, or property of Chuppah, our users, or the public; and (c) in connection with a merger, acquisition, or sale of assets, in which case we will provide notice.
We do not disclose account emails, direct-message contents, nonpublic community content, or IP addresses to third parties for their own marketing.
5. Data retention
- Newsletter emails — retained while you remain subscribed. Unsubscribe at any time using the unsubscribe link in the email or by writing to us.
- Account records — retained until you delete your account. Request deletion by writing to admin@thestateofisrael.com. Certain records (e.g., audit logs) may be retained longer where required by law or for security investigations.
- Public comments and community posts — retained until deleted by you where the feature allows deletion, removed by moderation, or removed in connection with account deletion, subject to backups, legal holds, and public archive integrity.
- Direct messages — retained while a conversation is active. Hiding a conversation removes it from your inbox view but does not delete the peer's copy. Deleting a message soft-deletes it and replaces the stored ciphertext with a deletion marker.
- Follows, saved articles, bookmarks, group memberships, and privacy settings — retained while your account is active or until you change the relevant setting.
- Magic-code login attempts — expire and are purged within 24 hours.
- Analytics events — retained for up to 24 months.
- Server and CDN logs — retained by our infrastructure providers on their default schedules (typically under 30 days).
6. Your rights
Regardless of where you live, you can:
- Ask what information we hold about you.
- Ask us to correct or delete your account.
- Unsubscribe from our newsletter at any time.
- Sign out and clear the local cookies from your browser.
6.1 EEA, UK, and Swiss residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation or the UK GDPR: access, rectification, erasure, restriction of processing, portability, and objection. You also have the right to lodge a complaint with your local supervisory authority.
Our legal bases for processing are:
- your consent (newsletter, analytics);
- performance of a contract with you (account features);
- our legitimate interests in operating and securing the Site.
6.2 California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate personal information, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined by California law. We do not knowingly collect the personal information of California residents under 16 for sale or sharing.
Sensitive personal information. We do not collect sensitive personal information as defined by Cal. Civ. Code §1798.140(ae) (for example, government identifiers, precise geolocation, financial-account credentials, health or biometric data), other than any such content you voluntarily send us through the contact form or a comment. We do not use or disclose any such information for purposes other than those permitted by Cal. Civ. Code §1798.121(a), and California residents have the right to limit any additional use of sensitive personal information we may collect in the future.
Global Privacy Control. We honor the GPC browser signal as a valid opt-out of any “sale” or “sharing” of personal information under the CCPA/CPRA, though as noted above we do not engage in either.
6.3 Other U.S. state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Tennessee, Maryland, Minnesota, Nebraska, Kentucky, Rhode Island, and other states with comprehensive consumer-privacy laws have rights that are substantially equivalent to those described above: access, deletion, correction, portability, and opt-out of targeted advertising, sale, or profiling with legally significant effects. To exercise any such right, contact admin@thestateofisrael.com.
6.4 How we verify rights requests
To protect your information we may need to verify your identity before responding to a rights request. For account holders, we typically verify by asking you to confirm the request from the email address on file or to complete an in-session action. For non-account requests we may ask you to provide enough information to reasonably match you to the record you are asking about. We will not charge you for a first request in a twelve-month period; repeated, manifestly unfounded, or excessive requests may be declined or subject to a reasonable fee as permitted by law. You may designate an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization.
6.5 Delaware residents
If you are a Delaware resident, we honor access, correction, deletion, and portability rights and universal opt-out signals (Global Privacy Control) regardless of whether Chuppah LLC’s processing meets the applicability thresholds of the Delaware Personal Data Privacy Act, 6 Del. C. §12D-101 et seq. Requests may be submitted to admin@thestateofisrael.com; we will respond within forty-five (45) days, subject to a single forty-five (45)-day extension where reasonably necessary.
6.6 Automated decisionmaking and profiling
We do not use automated decisionmaking technology (ADMT) as defined by California Code of Regulations, tit. 11, §7001, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you — including in the areas of finance, housing, education, employment, insurance, health care, criminal justice, or access to essential goods and services. Our first-party analytics classify visits by anonymous session ID and coarse geographic country only, and are not used to profile individuals or to make significant decisions about them.
6.7 Israeli residents
If you are located in Israel, we process your personal data in accordance with the Protection of Privacy Law, 5741–1981, as amended by Amendment No. 13 (in force 14 August 2025). You may exercise access, correction, and deletion rights by writing to admin@thestateofisrael.com. Our lawful basis for processing account, community, and message data is your consent and our legitimate interest in operating an editorial and community site. If the volume of our Israeli processing reaches the appointment thresholds under Israeli law, we will designate a Data Protection Officer and publish the DPO’s contact details in this Privacy Policy.
7. Children
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§6501–6506. If we learn we have collected personal information from a child under 13 without verified parental consent, we will delete that information promptly and terminate any associated account. Parents or legal guardians who believe we may have such information should contact admin@thestateofisrael.com; please include enough detail for us to identify the record. For residents of the EEA and the UK, “children” for this purpose means anyone under 16 (or a lower age set by their member state, but not less than 13).
8. International transfers
Chuppah LLC is a Delaware, United States company. Our servers and service providers are primarily located in the United States. If you access the Site from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws different from those in your country.
For transfers of personal data from the European Economic Area subject to the GDPR, we rely on the European Commission’s 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor) with our infrastructure providers, supplemented by the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office for UK transfers, and by the Swiss Federal Data Protection and Information Commissioner’s 2022 recognition of the SCCs for Swiss transfers.
EU / UK Article 27 representative. We monitor EEA and UK visitor traffic in aggregate only and do not target goods or services to EEA or UK residents as a commercial matter, and we therefore have not appointed a representative under GDPR Article 27 or UK GDPR Article 27. If this changes, we will publish the representative’s contact details in this Privacy Policy.
9. Security
We maintain a written information-security program with administrative, technical, and physical safeguards appropriate to our size, the sensitivity of the data we hold (email address, display name, session tokens, public community content, and encrypted direct-message bodies), and the nature of our operations, consistent with the New York SHIELD Act (N.Y. Gen. Bus. Law §899-bb), the reasonable-security expectation under Cal. Civ. Code §1798.100(e), and the security-of-processing duty under Article 32 GDPR.
Our safeguards include: designated staff responsible for security; third-party-vendor diligence; TLS in transit; encryption at rest for the accounts, community, and messages database; HttpOnly, Secure, SameSite=Strict session cookies; per-IP rate limits at the edge; a strict Content Security Policy with per-request nonce; origin verification on internal APIs; periodic risk assessments; and prompt handling of security incidents. No system is perfectly secure, and we cannot guarantee absolute security of information transmitted to or stored by us.
9.1 Breach notification
If we discover a security breach that has resulted in, or is reasonably likely to result in, the unauthorized acquisition of personal information about you, we will notify you by email (to the address on file) and post a notice on the Site without unreasonable delay and in any event within the timeframes required by applicable law, including where applicable Delaware’s breach-notification statute at 6 Del. C. §12B-101 et seq., other U.S. state breach-notification laws, and the seventy-two (72)-hour supervisory-authority notification requirement in Article 33 of the GDPR.
10. Third-party links
The Site includes links to external sources (Wikipedia, government sites, news publishers, and others). We do not control those sites and are not responsible for their content or their privacy practices.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Effective date” above indicates when it was last revised. If we make material changes, we will provide reasonable notice (for example, a banner on the Site or an email to subscribers).
12. Contact us
Chuppah LLC — Attn: Privacy
Email: admin@thestateofisrael.com