Privacy Policy
Version 3.1 · Effective: April 5, 2026
S2 Tikshuv Ltd ("Company", "we", "us"), a company registered in Israel, is the data controller responsible for your personal data when you use E2LLM products and services.
This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use the E2LLM Extension, E2LLM MCP Server, and our website (together, "Services"). It also describes your privacy rights and how to exercise them.
E2LLM consists of two products with different data models. We describe each separately so you know exactly what applies to you.
1. Collection of Personal Data
E2LLM Extension
The E2LLM Extension processes all data locally in your browser. DOM capture and SiFR generation happen entirely on your device. We do not receive, transmit, or store any page content, URLs, or captured snapshots.
We collect anonymous, aggregated usage data only:
- Whether a capture was full-page or partial (element-level)
- Capture frequency (how often the extension is used)
- Extension version and browser type
We do NOT collect: URLs you visit, page content or DOM data, SiFR snapshot content, personal identifiers, cookies, or browsing history. The extension works fully offline and does not require an account.
E2LLM MCP Server
The MCP Server is an authenticated service. We collect two categories of data:
Interaction metadata: who performed what action, when, and how. This includes:
- Identity and contact data: email address, authentication credentials
- Usage data: operation types (capture, action, diff), timestamps, session identifiers
- URLs accessed through the MCP Server
- Technical information: IP address, browser type, connected AI client type
Session data: the full content of MCP interactions, including:
- SiFR captures (structured page content, which may include visible text, form values, and page structure)
- Action payloads (click targets, typed values, scroll positions)
Both metadata and session data are retained for 30 days, encrypted at rest with client-side encryption, and purged after the retention period. Access to session data is strictly controlled — it requires a lawful request, explicit user consent (e.g., a support ticket), or a triggered safety review. We do not access session data for product development, analytics, or any purpose other than safety, compliance, and dispute resolution.
A 30-day retention window is standard practice for AI platforms. This retention is required for compliance obligations, safety monitoring, and dispute resolution ("I did not authorize that action").
Special Category Data
Session data captured through the MCP Server may incidentally contain special category data as defined by GDPR Article 9 — for example, content from health portals, political forums, or religious websites visited during a session. We do not intentionally collect or process special category data. Where such data is incidentally captured as part of session recordings, it is processed under Article 9(2)(f) (establishment, exercise, or defence of legal claims) and Article 9(2)(g) (substantial public interest — safety monitoring obligations). The same encryption, access controls, and retention limits that apply to all session data apply to any incidental special category data.
Payment Data
All paid transactions are processed by Paddle.com Market Ltd ("Paddle"), which acts as the Merchant of Record. We do not have any direct financial relationship with our customers. Paddle is the seller for all paid transactions and handles all billing, invoicing, sales tax, and payment processing. We do not collect, process, or store any payment information (credit card numbers, billing addresses, bank details). Paddle handles all payment data in accordance with their Privacy Policy.
We receive from Paddle: your email address, subscription status, and transaction identifiers. We use this solely to manage your subscription tier and provide the corresponding service level.
Data we receive automatically
When you visit e2llm.com or use our Services, we may automatically receive:
- Device and Connection Information: device type, operating system, browser type, IP address, time zone
- Usage Information: pages viewed, time of access, referral source
- Cookies: we use minimal, functional cookies only. We do not use advertising or tracking cookies. See Section 7 below.
2. How We Use Personal Data
We use your personal data for the following purposes:
- To provide, maintain, and improve our Services
- To create and administer your MCP Server account
- To manage your subscription and facilitate payments through Paddle
- To communicate with you about service updates, security notices, and support
- To prevent and investigate fraud, abuse, and violations of our Terms of Service, including automated safety monitoring of session data for predefined markers
- To improve product quality based on aggregated, de-identified usage patterns
- To enforce our Terms of Service
We do not use your data to train AI models. We do not sell, rent, or share your personal data with third parties for marketing purposes.
Our automated safety monitoring may result in restrictions on your account (such as rate limiting or feature restrictions). These decisions are based on interaction patterns, not content inspection. If you believe your access was restricted in error, contact info@e2llm.com — we will review your case with human oversight and typically respond within 5 business days.
3. How We Disclose Personal Data
We disclose personal data only in the following circumstances:
- Paddle (Merchant of Record): email address and subscription data as described above. Paddle acts as Merchant of Record and is the seller for all paid transactions. Paddle handles all billing, invoicing, refunds, and payment processing. For billing inquiries and refund requests, contact Paddle directly at paddle.net.
- Infrastructure providers: hosting and server infrastructure necessary to operate the MCP Server. All stored data is encrypted before reaching infrastructure providers. Encryption keys are managed by S2 Tikshuv Ltd. Data processing agreements are in place with all providers.
- Legal requirements: when required by law, regulation, legal process, or governmental request.
- Safety and rights: when we believe disclosure is necessary to protect the rights, safety, or property of our users, our company, or the public.
- Business transfers: in the event of a merger, acquisition, or sale of assets, user data may be transferred. You will be notified of any such change.
We do not disclose personal data for advertising or marketing purposes.
4. Your Rights and Choices
Depending on where you live and applicable laws, you may have the following rights regarding your personal data:
- Right to know: what personal data we process about you and why
- Access and portability: request a copy of your personal data
- Correction: request correction of inaccurate data
- Deletion: request deletion of your data, subject to legal obligations
- Objection: object to processing based on legitimate interests
- Restriction: request that we restrict processing in certain circumstances
- Withdrawal of consent: where processing is based on consent, withdraw it at any time
To exercise these rights, contact us at info@e2llm.com. We will respond within 30 days, extendable by 60 days for complex requests. We will not discriminate against you for exercising your privacy rights.
You also have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
5. Data Transfers
S2 Tikshuv Ltd is based in Israel. Israel has been recognized by the European Commission as providing an adequate level of data protection under Article 45 GDPR. If you are located outside Israel, your data may be transferred to and processed in Israel in connection with providing the Services.
Where data is transferred to countries without an adequacy decision (for example, to infrastructure providers in the United States), we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.
6. Data Retention and Security
Retention
- Extension analytics: aggregated, anonymous — retained indefinitely (no personal data involved)
- MCP account data: retained while your account is active and for 30 days after deletion
- MCP interaction metadata: retained for 30 days, then purged
- MCP session data (SiFR captures, action payloads): retained for 30 days, encrypted at rest, then purged
- Payment records: retained by Paddle per their retention policy. We do not store payment records.
Aggregated and De-Identified Data
We may process personal data in an aggregated or de-identified form to analyze usage patterns and improve our Services. For example, we analyze capture frequency and operation types across all users to inform product development. This information does not identify individual users.
Security
We implement appropriate technical and organizational security measures to protect your personal data, including:
- All connections encrypted in transit
- Session data encrypted before storage — infrastructure providers cannot read it
- Encryption keys managed by S2 Tikshuv Ltd
- Detected password fields are redacted before storage — we make best-effort to avoid storing plaintext passwords
- Strict internal access controls — session data access requires lawful request, user consent, or triggered safety review
- Internal access to session data is audit-logged
- For external sign-in (Google, Microsoft, GitHub), your password is handled by the provider — we never see it. For E2LLM accounts, passwords are stored as secure hashes
- Regular security reviews
However, no method of transmission over the internet is 100% secure.
Extended Retention
We may extend the 30-day retention period for specific accounts in the following circumstances: legal hold or court order (as specified by the order), active investigation of a Terms of Service violation (up to 90 days), or reasonable suspicion of illegal activity (up to 180 days). Extensions beyond 180 days require documented legal justification. Extended retention is subject to the same access controls and encryption as standard retention. Users are notified of extended retention unless notification is prohibited by law.
7. Cookies and Similar Technologies
Our website (e2llm.com) uses minimal, functional cookies only:
- Session cookies: to maintain your session when logged in to the MCP Server dashboard
- Preference cookies: to remember your settings
We use first-party performance monitoring (Elastic APM) as a functional component of our service — it detects errors, monitors service health, and supports our compliance and operational obligations. This data is processed entirely on our own infrastructure and is not shared with third parties. No personal identifiers are collected through performance monitoring.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in ad networks or retargeting programs.
You can control cookies through your browser settings. Disabling cookies may affect the functionality of authenticated features.
8. Children
Our Services are not directed towards, and we do not knowingly collect personal data from, children under the age of 18. If you become aware that a child under 18 has provided personal data to us, please contact us at info@e2llm.com and we will investigate and, if appropriate, delete the data.
9. Legal Bases for Processing
Where applicable (for example, under GDPR), we rely on the following legal bases:
| Purpose | Data | Legal Basis |
|---|---|---|
| Provide and maintain Services | Identity, Contact, Usage, Technical | Contract performance |
| Create and manage accounts | Identity, Contact | Contract performance |
| Process payments | Identity, Contact (via Paddle) | Contract performance |
| Communicate service updates | Identity, Contact | Contract; Legitimate interest |
| Prevent fraud and abuse | Identity, Usage, Technical, Session data | Legitimate interest; Legal obligation |
| Safety monitoring and compliance | Session data (SiFR captures, actions) | Legitimate interest; Legal obligation |
| Dispute resolution | Session data, Metadata | Legitimate interest; Contract performance |
| Improve Services (aggregated analytics) | Usage, Technical (de-identified) | Legitimate interest |
| Enforce Terms of Service | Identity, Usage, Technical | Contract; Legitimate interest |
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify account holders by email and post a notice on our website at least 14 days before changes take effect. The effective date at the top of this page indicates the latest revision.
11. Contact
If you have questions about this Privacy Policy, or wish to exercise your privacy rights, contact us at:
S2 Tikshuv Ltd
Email: info@e2llm.com
Website: e2llm.com
Data Protection Officer: Alexey Sokolov
DPO contact: info@e2llm.com