Privacy Policy

Privacy Policy – Zviran Group

Last updated on 30.03.2026

This Privacy Policy (the ‘Policy’) describes how the Zviran Group, including its subsidiaries – Gaido Zviran, Gonen & Glazner, JTG HR Consulting, JTG Pension Insurance Agency (2016), and Zviran Consulting & Surveys (collectively: ‘Zviran’, ‘the Company’, ‘we’) – collects, uses, processes, stores, shares, and protects Personal Data across all its online and offline activities. This Policy applies to all company operations, including pension and health‑insurance advisory services, compensation and benefits surveys, compensation consulting, digital platform operations (ComProcess, Aequitas), Pay Data and BeneFits activities, analytical and professional services, and interactions with users, clients, suppliers, and professional partners.

Zviran complies with the Israeli Privacy Protection Law (1981), the Privacy Protection Regulations (Data Security) (2017), and internationally recognized data‑protection principles, as applicable to the nature of services and to Zviran’s Data Processing Agreements (DPA) which applies for engagements with corporate clients.

The document uses the masculine form for convenience only and applies to all genders.

  1. Introduction

The Zviran Group provides advanced services in the field of compensation and rewards, including salary analyses, compensation‑model design, gender pay‑equity testing, pension advisory, health‑insurance advisory, data analytics, and the operation of dedicated digital systems.

In these activities, Zviran processes Personal Data in multiple contexts: data collected via Zviran’s websites, data provided during business or private engagement, data originating from enterprise clients, and operational data required for system functionality.
Zviran places high importance on protecting the privacy and the confidentiality of the data, ensuring proportional and purpose‑limited processing, and implementing strong information‑security and transparency measures.

  1. Definitions

Personal Data – any information relating to an identified or identifiable person, directly or indirectly.

Client Data – Personal Data provided to Zviran for the purpose of performing services to a corporate client, where the client acts as the Data Controller and Zviran serves as the Data Processor or Data Holder.

Data Processing – any operation on data, including collection, receipt, storage, use, disclosure, sharing, adaptation, deletion, or destruction.

Data Controller – the entity determining the purposes and means of processing.

Data Processor / Data Holder – the entity processing data on behalf of the Data Controller.

Producer – a financial institution licensed by the Israel Capital Market, Insurance and Savings Authority to manage pension products.

SubProcessor – a third party providing professional, technological, or operational services to Zviran.

Severe Security Incident – as defined in the Privacy Protection Regulations.

  1. Purpose of this Policy

This Policy aims to define:

  • Types of data collected.
  • Explain processing purposes.
  • Outline data‑sharing – to whom and under what conditions.
  • Describe key protection and security measures.
  • Clarify retention and deletion periods of Personal Data.
  • Inform data subjects of their rights.
  • Supplement the DPA which applies for engagements with corporate clients.
  1. Types of Data Collected

4.1 Data collected through Zviran’s websites:

  • IP address, technical device and browser information.
  • Usage and browsing patterns.
  • Form submissions (name, role, organization, email, phone, inquiry content)
  • Cookie‑based data.

Website data collection is subject to this Policy and the Terms of Use.

In any case where a discrepancy arises between the Terms of Use and this Policy with respect to the website’s operation, the provisions set out in the company’s Terms of Use shall prevail

4.2 Data collected during consulting services:

  • job data, tenure, seniority level.
  • Salary and compensation information.
  • Spreadsheets or files received from clients or third parties (producers, pension managers).
  • Organizational structures.
  • Analytical data files.
  • Pension contribution data, family status, insurance coverage.
  • Producer‑provided claims data.

4.3 Data in digital platforms:

4.3.1 ComProcess (SaaS/OnPrem)

Employees and compensation data needed for compensation‑cycle management (for On‑Prem environments, data is stored exclusively at the client).

4.3.2 Aequitas (Payequity)

Employees names, gender, salary, organizational and job data required for pay‑gap testing. Zviran accesses the data only when support is needed.

4.3.3 PayData

Salary and job data without personal identifiers; in certain single‑role cases, some data items may constitute Personal Data.

4.3.4 BeneFits

Does not include Personal Data; contains organizational benefits policies only.

Certain Zviran services involve the processing of more sensitive data (detailed salary data, full employment data, pension data), as required by the service and client instructions. Full details appear in the DPA; in case of conflict, the DPA prevails.

4.4 Businessengagement information

  • Client‑representative details.
  • Meeting summaries.
  • Order and project details.

4.5 Supplier and consultant information

  • supplier details.
  • Contractual documents.

4.6 Minors

Zviran does not collect data on minors.

  1. Purposes of Processing

5.1 Professional Services

Compensation advisory, benchmarking, salary analysis, pay‑gap testing, professional reporting.

5.2 System Operation and Improvement

Performance monitoring, technical support, access‑management, product improvement.

5.3 Client Communications

Responding to inquiries, coordination, professional updates (subject to consent).

5.4 Analytics and Research

Data processing for market research and professional enhancement.

5.5 Regulatory Compliance

Documentation, responses to authorities.

  1. Data Sharing with Third Parties

6.1 SubProcessors

Zviran uses sub processors for:

  • cloud and hosting providers.
  • IT services.
  • SaaS platforms.
  • Security services.
  • Professional services.
  • Technical support.

Sub‑processors commit to:

  • Confidentiality
  • Limited use of data
  • Adequate security measures
  • Deletion/return of data as required.
  • Full compliance with the DPA.

Zviran may update, replace or add sub-processors according to its business needs.

6.2 IntraGroup Transfers

Zviran operates as an integrated group. Employees are assigned to projects and areas of activity based on their expertise and client needs, irrespective of their formal corporate affiliation. Accordingly, the group’s companies collaborate on an ongoing basis in the execution of projects, system operations, professional support, and service delivery.

Personal Data may be shared across the group for service delivery, strictly under the principles of:

  • data‑
  • Need‑to‑know basis.
  • Purpose limitation.
  • Confidentiality/security principles.

All group employees are subject to a unified information‑security policy, confidentiality obligations, and mandatory privacy training. Data transfers between group companies are carried out in accordance with applicable law and the contractual DPA in place with the client, where relevant.

6.3 Transfers to Clients

For Client Data, Zviran acts per client instructions and returns or deletes data or deliverables in accordance with the DPA (excluding data retained for legal defense if required).

6.4 Transfers to Authorities

When legally required.

6.5 Structural Changes

In case of mergers, acquisitions, or business transfers, subject to privacy protections.

 

  1. Information Security and Incident Management

Zviran employs access controls, encryption, logging, periodic security assessments, backups, restoration capabilities, risk monitoring, and reporting.

In a Severe Security Incident, Zviran will contain, remediate, and notify clients and authorities as required.

  1. Data Subject Rights

Data subjects may submit written requests for: access, correction, deletion (subject to law), restriction of processing, and information on the use of their data.

When Zviran processes data for a client, any request must be submitted to the client, who serves as the Data Controller and is responsible for determining how the request is handled. Zviran will act in accordance with the instructions received from the Data Controller.

In the context of personal advisory services, any information collected directly from the data subject or obtained following the data subject’s execution of a power‑of‑attorney agreement with the company, will be deleted upon the data subject’s request.

  1. Use of Cookies

Zviran websites use cookies for site operation, security, analytics, and—subject to consent—personalization and marketing. Details appear in the Terms of Use.

  1. Data Retention

Zviran adheres to data‑minimization principles anchored in the Israeli Privacy Protection Law (1981). Retention periods are defined in the DPA.

  1. Record of Processing Activities (ROPA)

Includes data types, sources, purposes, legal bases, security measures, cross‑border transfers (excluding automatic cloud backups), and retention.

  1. Updates

This Policy may be updated periodically. The latest update date appears at the top.

Material changes will be communicated to clients.

  1. Contact

Email: [email protected] | Address: Devorah HaNevia 121, Atidim Park, Building 8, Tel Aviv.