We are BPAUS Ltd. (Israel, company registration number 516145908), and we built Mila — a WhatsApp-based developmental screening for children. This page explains, in plain language, what personal data we collect from you when you use Mila, how we use it, who else sees it, and what rights you have over it.
If anything here is unclear, email support@bpaus.net and a real person will get back to you.
What we collect
We collect only what we need to deliver the screening and run our business.
- From you at checkout: first name, last name, email address, and mobile phone number (so we can reach you on WhatsApp).
- During the screening: your answers to the developmental questions about your child, your child's first name and age that you provide, and any free-text notes you send to Mila in the WhatsApp conversation.
- From your device automatically: standard server logs (IP address, browser user-agent, timestamps, the pages you visited on our site) and a small set of cookies — see our Cookie Policy.
- From our payment processors: a confirmation that payment succeeded, the masked last four digits of the card, and the transaction ID. We never see, store, or have access to your full card number.
We do not ask for and do not store: the child's full legal name, surname, date of birth, address, school name, medical records, photos, video, or any identifying information beyond the child's first name and age that the parent provides to receive the screening.
How we use it
- To run the screening — send the WhatsApp messages, score your answers, and generate your PDF report.
- To email you a receipt and the final report.
- To improve Mila over time, but only on aggregated, anonymized data — never on identifiable individual records.
- To send you transactional messages (receipt, "your screening is ready", "your screening is about to expire"). We do not send marketing email unless you opt in separately.
- To handle customer support when you write to us.
- To meet legal and accounting obligations (tax records, refund disputes, fraud prevention).
Our legal bases under the EU General Data Protection Regulation (GDPR) and the Israeli Privacy Protection Law are: contract (delivering the screening you paid for), legitimate interest (security, fraud prevention, improving the service), legal obligation (tax and accounting), and consent (optional analytics cookies and marketing).
Who we share it with
We use a small set of trusted vendors to run Mila. Each one only receives the data it needs to do its job, under a contract that limits how it may use that data.
- Z-Credit — processes credit card payments for orders billed in Israeli Shekels.
- PayPal — processes PayPal payments.
- GoHighLevel (GHL) — our messaging and contact-management platform; your order details and WhatsApp conversation state are stored here to run the screening (United States).
- n8n — the workflow automation that orchestrates the screening logic (European Union — Germany).
- Anthropic — provides the AI language model that interprets your answers and phrases Mila's messages and your final summary; your screening answers and messages are processed here to generate the conversation and report (United States).
- DocRaptor — generates your PDF report from the screening results (United States).
- Neon — the encrypted database that stores your screening data (European Union — Frankfurt).
- WhatsApp (Meta) — delivers the screening conversation itself. Once a message reaches WhatsApp, Meta's terms also apply to that message.
- Email delivery provider — sends transactional email (receipt, report delivery).
We do not sell your data. We do not share it with advertisers, data brokers, or any third party for marketing.
We may share data when required by law — for example, in response to a valid court order or comparable legal demand. We assess every such request for legal validity, disclose only the minimum necessary, and will tell you unless we are legally barred from doing so.
Where we store it
Your data is encrypted in transit and encrypted at rest. Our core database and workflow automation are hosted in the European Union (Frankfurt and Germany).
Some of our vendors process data in the United States — specifically GoHighLevel (messaging and contact storage), Anthropic (AI language processing), and DocRaptor (report generation). Where your data is transferred to the United States or another country outside the EEA/UK, we rely on appropriate safeguards required by law, such as the European Commission's Standard Contractual Clauses, and — where applicable — a vendor's certification under the EU–U.S. Data Privacy Framework. Copies of the relevant safeguards are available on request by emailing support@bpaus.net.
How long we keep it
- Order records (name, email, phone, receipt, transaction ID): 7 years, to comply with Israeli tax-record retention rules.
- Screening answers and PDF reports: 24 months from the screening date, so you can come back and re-download. After that, we anonymize them.
- Server access logs: 90 days.
- Cookie consent record: until you clear your browser storage.
You can ask us to delete your data sooner — see "How to delete your data" below. We will do so, except for records we must keep by law (typically the order receipt).
Your rights
If you are in the European Union, the European Economic Area, the United Kingdom, or California, you have the right to:
- See what data we hold about you.
- Correct any data that is wrong or out of date.
- Ask us to delete your data (subject to legally required retention).
- Receive your data in a portable, machine-readable format.
- Object to specific uses of your data.
- Withdraw any consent you previously gave us, at any time.
- Lodge a complaint with your local data protection authority.
If you are in Israel, the Privacy Protection Law gives you broadly the same rights, including the right to inspect and correct data we hold about you.
To exercise any of these, email support@bpaus.net with "Privacy request" in the subject line and tell us which right you want to exercise. We will respond within 30 days.
How to delete your data
You can ask us to delete your data at any time.
How to request it: email support@bpaus.net with "Data deletion" in the subject line, from the email address you used at checkout (or include your WhatsApp number so we can find your record).
What we delete: your contact details (name, email, phone), your WhatsApp conversation and screening answers, your child's first name and age, and your generated PDF report — across all our systems, including our messaging platform (GoHighLevel), our database (Neon), and the report generation service (DocRaptor).
What we may keep: records we are legally required to retain — primarily your order receipt and transaction details, which Israeli tax law requires us to hold for 7 years. These are kept access-restricted and are not used for any other purpose.
Timeframe: we complete deletion requests within 30 days and email you to confirm once it's done.
Children's data
Mila screens developmental milestones in children, but our customer is the parent or legal guardian. We ask only for your child's first name (used to personalize the conversation — you may enter a nickname or initial if you prefer) and the child's age. We do not ask for the child's full legal name, surname, date of birth, photo, video, school, address, or any other identifier. The screening is structured around the child's age and observable behaviors.
You must be at least 18 years old to purchase a screening. If you are under 18, please ask a parent to use Mila on your behalf.
Cookies
We explain our cookie use, and how to refuse non-essential cookies, in our Cookie Policy.
Security
We use TLS encryption in transit, encrypted storage at rest, access controls that limit data access to a small operations team, and audit logging on every database read. No system is perfectly secure, but we treat your data the way we would want a service to treat data about our own children.
If we ever discover a breach affecting your personal data, we will notify you and the relevant data protection authority within the timeframes required by law (under GDPR, that is 72 hours).
Changes to this policy
If we change anything material in this policy, we will email everyone with an active account and post a notice at the top of this page for at least 30 days. The "Last updated" date at the top is always current.
Who is responsible
The data controller for Mila is BPAUS Ltd., registered in Israel (company registration number 516145908, registered office Moshe Sharett St 6, Rishon LeZion, 7570427, Israel). You can reach our privacy contact at support@bpaus.net.