Privacy Policy

I-Change Website | CASHLOCK Application | Personal Area

Raz Haim - Currency Services Ltd.

Extended Financial Asset License No. 56795 | Credit License No. 54705

Last updated: June 2026

This Privacy Policy applies to the website, the application, and the personal area. Use of any of them constitutes full consent to the collection and use of information as detailed below.


1. General and Introduction

1.1 Who We Are

This Privacy Policy (the "Privacy Policy") describes the manner in which Raz Haim - Currency Services Ltd., company no. 515329415, operating under the trade name I-Change, holder of Extended Financial Asset License No. 56795 and Basic Credit License No. 54705 issued by the Capital Market, Insurance and Savings Authority, with its address at 3 Ein HaHatul, Government Offices Complex (Shop 108), Eilat (the "Company" / "we") collects, stores, processes, and protects users' personal information.

1.2 To Whom This Policy Applies

This Privacy Policy applies to every person who uses the Company's following platforms:

The website www.i-change.co.il (the "Website")

The CASHLOCK application for smartphones (the "Application")

The personal area on the Website (the "Personal Area")

Any additional digital service that the Company may operate in the future

Your visit to the Website, downloading the Application, logging into the Personal Area, registering for services, or any other use of the platforms constitutes full consent to the collection and use of information as detailed in this Policy.

1.3 The Privacy Policy as Part of the Terms of Use

This Privacy Policy forms an integral part of the Company's Terms of Use. Reading both documents together provides the full picture of each party's rights and obligations.

1.4 Applicable Laws and Regulations

The Company operates in accordance with the following laws and regulations, and this Privacy Policy is based on them:

Protection of Privacy Law, 1981, and the Privacy Protection Regulations (Information Security), 2017

Payment Services Law, 2019

Prohibition on Money Laundering Law, 2000, and the orders issued thereunder

The Spam Law - Communications Law (Telecommunications and Broadcasting), 1982, section 30A

The GDPR (General Data Protection Regulation) - with respect to users residing in the European Union

The California Consumer Privacy Act (CCPA) - with respect to California residents

1.5 Changes to the Policy

The Company reserves the right to update this Privacy Policy from time to time, subject to applicable law. Material changes will be published in the Application and on the Website, and in some cases notice will be sent by email at least 30 days in advance. The policy update date appears at the top of this document. Continued use of the services after changes are published constitutes consent to the updated version.


2. Collection of Information - What We Collect and Why

2.1 Information You Provide to Us Directly

2.1.1 When registering for services

For the purpose of opening an account and complying with KYC/AML requirements, we collect:

Identification details: full name (as it appears on your ID card/passport), gender, date of birth, nationality

Identification documents: Israeli ID number / passport number, copy of a valid ID card / passport (both sides)

Biometric information: a current facial image (selfie) for biometric comparison and identity verification

Contact details: full and current residential address, mobile phone number, email address

Initial financial information: bank account details for transfers, information regarding the source of income (where required)

2.1.2 During the use of the services

When performing actions in the wallet, we collect:

Transaction details: amount, source currency, destination currency, exchange rate, fee, exact date and time, unique transaction ID

Recipient / sender details: name, account number, bank, country, address (for international transfers)

Means of payment: type of payment method used for funding (card, bank, cash), partial card details (last 4 digits)

Full transaction history throughout the engagement period

Customer service inquiries: content of the inquiry, means of inquiry, date of inquiry, and record of the response

2.1.3 For ongoing AML/KYC purposes

For the purpose of complying with legal requirements, we may from time to time collect:

Additional documents to verify source of funds - for actions above the threshold required by law

Responses to enhanced customer due diligence questionnaires

Information regarding the purpose of the transaction and the source of funds in specific transactions

Additional information as required by the regulator

2.2 Information Collected Automatically

2.2.1 Device and browsing data

When you use the Website and the Application, we automatically collect:

Device data: IP address, device type (manufacturer, model), operating system and its version, application version, unique device ID

Website browsing data: pages visited, navigation order, visit duration, links clicked, visit time

Application usage data: screens viewed, features used, usage time, login and logout time

Connection data: type of internet connection (Wi-Fi / cellular), internet provider

2.2.2 Geographic location

We collect approximate location data (based on IP) for security purposes and to identify unusual activity. Exact location (GPS) is collected only subject to your explicit consent, and only for specific purposes that will be detailed when requesting permission.

2.2.3 Technical logs

For security, troubleshooting, and fraud prevention purposes:

Error and crash reports (Crash Reports)

Login and logout logs, including failed login attempts

Action logs - documentation of every action performed in the account with a timestamp

Performance data - response times, loads

2.3 Information from Third Parties

We may receive information about you from the following sources:

Identity verification services (KYC providers) - identity confirmation, document checks, risk score

Government authorities - checks against population registries, tax authorities, and regulators

Sanctions lists - OFAC, the UN, the European Union, and Israeli lists

AML databases - for financial background checks and identification of risk factors

Banks and financial institutions - in connection with carrying out transfers and verifying accounts

Social networks - only if you chose to connect to our services through them, and only details you authorized

You are under no legal obligation to provide all of the information; however, without providing the information required by law (including KYC information), we will not be able to provide the services.


3. Use of Information - Why We Use Information

3.1 Provision of the Services

The primary use of the information is for providing the services you requested:

Opening, managing, and operating your wallet account

Processing payment instructions - transfers, exchanges, top-ups, and withdrawals

Issuing the Max card and managing its balance

Providing full technical support and customer service

Sending transaction confirmations, receipts, and activity reports

Handling complaints and disputes

3.2 Compliance with Legal and Regulatory Obligations

As a company supervised by the Capital Market Authority, we are required to process information for the following purposes:

Identifying and verifying customers' identity (KYC) - upon registration and on an ongoing basis

Prevention of money laundering and terrorist financing (AML) - transaction monitoring and identification of suspicious patterns

Reporting to authorized authorities: suspicious activity reports (SAR), reports of transactions above thresholds

Retention of records under the law - at least 7 years for transaction records and KYC documents

Screening against international sanctions lists - OFAC, UN, EU, OFSI

Reporting to the Tax Authority - in accordance with legal requirements

Responding to regulatory requirements and requests from the authority

3.3 Security and Fraud Prevention

To maintain the safety of the services and their users:

Identifying and preventing misuse, fraud, identity theft, and suspicious activity

Verifying user identity at every login to the Application and when performing sensitive actions

Real-time transaction monitoring to identify unusual patterns

Investigating complaints and security incidents

Preventing unauthorized access to accounts

Retaining security logs for future investigations

3.4 Improving the Services

For the purpose of continually improving the user experience:

Statistical analysis of patterns of use - as far as possible without personal identification

Identification of technical faults and improvement of Application performance

Development of new features based on users' needs

A/B testing to improve the user interface

Research and development of new products and services

3.5 Communication with the User

For the purpose of maintaining contact with users:

Sending essential service notices - transaction confirmations, security alerts, account updates (cannot be opted out of)

Updates regarding changes to the Terms of Use and Privacy Policy

Responses to inquiries and support

Notices regarding changes to the tariff

3.6 Direct Marketing

Direct marketing is carried out only subject to your explicit consent, and only after you have given informed consent:

Information about the Company's new services

Promotions and benefits

Relevant product updates

You may withdraw your consent to direct marketing at any time through the Application, by clicking the unsubscribe link in messages, or by contacting customer service. Withdrawing consent to marketing does not affect the receipt of essential service notices.


4. Legal Basis for Processing Information

The Company processes personal information on the basis of one or more of the following legal grounds. This statement is mainly required for compliance with the GDPR:

4.1 Performance of a contract

Processing of information necessary to provide the services you requested, including opening an account, executing transactions, and managing the wallet. Without such processing, the services cannot be provided.

4.2 Legal obligation

Processing of information required for compliance with AML laws, KYC obligations, regulatory reporting requirements, record retention, and sanctions screening. Such processing is mandated by law and does not depend on your consent.

4.3 Legitimate interest

Processing of information for the purposes of fraud prevention and maintaining system security, improving the services, handling complaints, and statistical analysis. In all cases, the possible effect on privacy is balanced against the legitimate interest.

4.4 Consent

For direct marketing, non-essential cookies, and collection of information that is not necessary for the service. This consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal.

4.5 Protection of vital interests

In exceptional cases, information may be processed for the protection of a person's life, health, or safety.


5. Disclosure of Information to Third Parties

The Company does not sell your personal information to third parties for marketing purposes. We share information only in the cases detailed below.

5.1 Service providers acting on our behalf

We share information with external service providers acting as processors on our behalf, for the following purposes:

Identity verification (KYC): providers specializing in digital identification, document verification, and biometric analysis

Payment processing: payment processors, money transfer networks, international banking correspondents

Cloud services: providers of secure data storage (AWS, Google Cloud, or equivalents)

Information security: providers of fraud prevention, threat monitoring, and intrusion prevention

Customer service: CRM systems and customer communication management tools

Data analytics: analytics tools for improving the user experience (such as Firebase, Mixpanel)

Marketing: digital marketing tools - only after your consent and to the minimum extent necessary

All service providers are contractually bound to keep the information confidential, use it only for the purpose for which it was transferred, and comply with the relevant information security standards.

5.2 Legal and regulatory obligation

We are required by law to provide information to the following entities:

The Capital Market, Insurance and Savings Authority - as the Company's direct regulator

The Financial Intelligence Unit - suspicious activity reports and reports of transactions above thresholds

The Israel Tax Authority - according to legal reporting requirements

Israel Police and law enforcement authorities - pursuant to a valid court order

Courts - in accordance with a judicial decision

Foreign regulators - in connection with international transfers, pursuant to treaties and applicable law

In these cases, we will provide only the minimum necessary according to the legal requirement, and we will seek to notify you of the disclosure subject to legal restrictions.

5.3 Max IT Finance

For the purpose of issuing and managing the Max card, we transfer to Max IT Finance Ltd. the information necessary for that purpose, including full name, identification details, address, and contact details. This information is also subject to Max's privacy policy, which we recommend reviewing separately.

5.4 Transfer of activity

In the event of a merger, acquisition, sale of assets, or transfer of all or part of the Company's activity to another entity, personal information may be transferred as part of the transaction. In such case: (a) the acquiring entity will be bound by the terms of this Privacy Policy; (b) you will receive prior notice; (c) you will have the option to close your account before the transfer.

5.5 Your consent

In any other case not listed above, transfer of personal information to a third party will be made only with your explicit and informed consent, after you have been provided with full information regarding the purpose of the transfer and the identity of the recipient.


6. Transfer of Information Outside Israel

Some of our service providers are located outside Israel, and therefore your personal information may be transferred to other countries. In any such transfer:

6.1 Protection safeguards

Recognized country - information is transferred only to countries recognized as having an adequate level of protection by the Privacy Protection Authority and/or the European Commission.

Standard Contractual Clauses (SCC) - where transfers are made to entities not located in recognized countries, we contractually require protection terms equivalent to those required under Israeli law.

Data Processing Agreements (DPA) - we sign data processing agreements with every third-party provider to whom information is transferred.

6.2 Main destination countries

Our service providers are located primarily in the following countries: the United States, the European Union, the United Kingdom, Israel, and Georgia. Full information regarding the specific destination countries can be obtained by contacting us.

6.3 Rights in international transfers

Residents of Israel: the protections established under Israeli privacy law continue to apply to your information even after it is transferred abroad.

Residents of the European Union: your rights under the GDPR (Articles 44-49) apply to any international transfer of your information.


7. Retention of Information and Retention Periods

We retain personal information as long as it is required for the purposes for which it was collected and subject to legal requirements. Below are the retention periods by type of information:

7.1 Customer identification information (KYC)

Identification documents, biometric images, customer due diligence questionnaires, and identity verification documentation: at least 7 years from the end of the engagement with the Company, in accordance with anti-money laundering law. In certain cases - up to 10 years as required by the regulator.

7.2 Transaction records

Documentation of all payment instructions, transfers, exchanges, and any financial activity: at least 7 years from the date of the transaction, in accordance with the Payment Services Law and Tax Authority requirements.

7.3 Correspondence and customer service inquiries

Documentation of all customer service inquiries, complaints, and disputes: 5 years from the date of the inquiry, for protection in possible legal proceedings.

7.4 Security logs

Login logs, failed login attempts, and action logs: one year, for security and incident investigation purposes.

7.5 Usage and browsing data

Analytics data and usage patterns (at a statistical level): one year.

7.6 Marketing materials

Consent to direct marketing and records of delivery of marketing materials: until withdrawal of your consent, and for an additional 3 years for the purpose of proving compliance with spam law.

7.7 Deletion and anonymization

After the relevant retention period expires, the information will be permanently deleted or anonymized in a way that does not permit personal identification, according to available technology. Information that must be retained by law will not be deleted until the mandatory retention period ends, even if you requested deletion.


8. Cookies and Tracking Technologies

8.1 What are cookies

Cookies are small text files stored in your browser or on your device when you visit the Website. They enable the Website to remember your actions and preferences over time and improve the browsing experience.

8.2 Types of cookies we use

8.2.1 Essential Cookies

These are necessary for the Website's basic functionality. Without these cookies, the Website will not function properly. They cannot be disabled.

Session cookies - to maintain your login state

Security cookies - to prevent CSRF and other attacks

Language preference cookies

8.2.2 Performance Cookies

These measure Website performance and how the Website is used, for improvement purposes. The information is collected in aggregated and anonymous form. These include Google Analytics and Firebase Analytics.

8.2.3 Functional Cookies

These preserve user preferences such as language, display settings, and previously entered details. They improve browsing convenience.

8.2.4 Marketing Cookies

These are used to display personalized advertising content. They are collected only subject to your explicit consent.

8.3 Managing cookies

You may manage cookie settings in the following ways:

Through the browser: every browser allows management, blocking, and deletion of cookies. See your browser settings.

Through the Website: upon your first visit to the Website, a cookie consent banner will be displayed that allows you to choose.

Management tools: tools such as optout.networkadvertising.org may be used to disable advertising tracking.

Disabling essential cookies may significantly impair the Website's operation. Disabling other cookies will not affect the basic service.


9. Information Security

9.1 Our security measures

The Company implements advanced technical and organizational security measures, in accordance with the Privacy Protection Regulations (Information Security), 2017, and international standards:

Technical security:

Encryption of data in transit: TLS 1.3 for all communications

Encryption of data at rest: AES-256 for all sensitive data

Two-factor authentication (2FA) for login and sensitive actions

Role-Based Access Control

Real-time security monitoring (SIEM)

Periodic vulnerability scans and penetration testing

Encrypted and secure backups with periodic restoration tests

Organizational security:

Employee training on information security and privacy - upon onboarding and on an ongoing basis

Minimum access policy - each employee accesses only the information necessary for their role

Confidentiality agreements for every employee and contractor

Security incident handling procedures

Periodic internal and external security audits

9.2 Security limitations

Despite the above measures, we cannot guarantee absolute security of digital information. Security breaches may occur due to factors beyond our control. We recommend that you maintain appropriate security measures on your side (strong password, software updates, preventing unauthorized access to your device).

9.3 Notification of a security breach

In the event of a security breach affecting your personal information and likely to harm your rights, we will act in accordance with the reporting obligations established under privacy law:

Report to the Privacy Protection Authority - within 72 hours from discovery of the breach

Personal notice to you - when the breach is likely to materially affect your privacy

Publication of a notice on the Website - in the event of a large-scale breach


10. Your Rights Regarding Personal Information

In accordance with Israeli privacy law and the GDPR (for residents of the European Union), you have the following rights:

10.1 Right of Access

The right to know whether we hold personal information about you, what information we hold, for what purpose, who had access to it, and where it came from. You may request a copy of all personal information we hold about you. We will respond within 30 days.

10.2 Right to Rectification

The right to request correction of personal information that is incorrect, incomplete, inaccurate, or outdated. You may update some information yourself through the Application. To correct information not available for self-update - contact us.

10.3 Right to Erasure

The right to request deletion of your personal information. It is important to know:

Information that must be retained by law cannot be deleted (for example: transaction documentation - 7 years; KYC documents - 7 years).

Deletion of information may result in closure of your account, since some of the information is required for provision of the service.

Information that may lawfully be deleted will be deleted within 30 days from receipt of the request.

10.4 Right to Restriction of Processing

The right to request restriction of the use of your information in certain cases - for example, while a request for correction is being examined, or when you object to certain processing. During the restriction period, the information will be retained but not processed.

10.5 Right to Data Portability

For residents of the European Union: the right to receive the information you provided to us in a structured, commonly used, and machine-readable format (JSON, CSV), and to transfer it to another service provider. This right applies to information whose processing is based on your consent or on a contract.

10.6 Right to Object

The right to object to the processing of your information:

For direct marketing purposes - such objection is absolute, and we will cease immediately.

For processing based on legitimate interest - we will examine your request and cease the processing unless we have compelling legitimate grounds.

10.7 Right to Withdraw Consent

Whenever your consent is the basis for processing information, you may withdraw your consent at any time, without affecting the lawfulness of the processing performed before the withdrawal. Withdrawal of consent to marketing may be done through the Application, through the link in messages, or by direct contact.

10.8 Right not to be subject to an automated decision

The right not to be subject to a decision based solely on automated processing (without human involvement) where it has a significant effect on you. If automated systems affect decisions concerning you (such as rejection of registration or freezing of an account), you may request human review of the decision.

10.9 How to exercise your rights

To exercise any of the above rights, contact us by one of the following means:

Email: info@i-change.co.il - state in the subject line: "Request under the Privacy Protection Law"

Phone: 08-8557300

WhatsApp: 050-4207770

Address: 3 Ein HaHatul, Government Offices Complex (Shop 108), Eilat

For the purpose of identity verification, we will ask you to provide basic identifying details. We will respond within 30 days. In complex cases - within 60 days with prior notice. Handling requests is free of charge unless the requests are repetitive and excessive.

Some information is not available for electronic review due to security considerations. In such cases, we will allow you to review it at the Company's offices by prior appointment.


11. Minors

The services are intended for persons aged 18 and over only. We do not knowingly collect personal information from minors (under the age of 18). If you are a parent or guardian and discover that a minor under your responsibility has provided us with information, please contact us immediately at info@i-change.co.il. We will delete the information as soon as possible and close the account.

If it becomes apparent that an account was opened by a minor, the Company reserves the right to close the account and return the accumulated balance to the parent/guardian after carrying out the required checks.


12. Privacy-Related Inquiries

For any inquiry, question, request, or complaint regarding the way the Company handles your personal information - including the exercise of your rights under the Privacy Protection Law - you may contact us directly:

Email: info@i-change.co.il (state in the subject line: "Privacy Inquiry")

Phone: 08-8557300

WhatsApp: 050-4207770

Address: 3 Ein HaHatul, Government Offices Complex (Shop 108), Eilat

We undertake to get back to you within 5 business days and to handle your request within no more than 30 days.

12.1 Contacting the Privacy Protection Authority

If you are not satisfied with the way we handled your inquiry, you may contact the Privacy Protection Authority in Israel:

Website: www.gov.il/he/departments/units/privacy_protection_authority

Phone: 02-5196700


13. Links to External Websites

The Website and the Application may include links to external websites not operated by the Company. We do not control the content and privacy policy of those websites and are not responsible for them. We recommend reviewing the privacy policy of every external website before providing personal information to it.


14. Changes to the Privacy Policy

We may update this Privacy Policy from time to time for the following reasons:

Changes in laws and regulations

Changes in services and platforms

Improvements in security practices

Expansion of activity into new markets

When we make material changes, we will publish notice in the Application and on the Website at least 30 days before the changes take effect, and in some cases we will send notice by email. The policy update date will be updated at the top of this document.

If you do not agree to the changes, you may close your account before they take effect. Continued use of the services after the changes take effect constitutes consent to the updated version.


15. Contact Us

For any question, inquiry, request, or complaint regarding this Privacy Policy or the way we handle your personal information:

Email: info@i-change.co.il

Phone: 08-8557300

WhatsApp: 050-4207770

Address: 3 Ein HaHatul, Government Offices Complex (Shop 108), Eilat

Website: www.i-change.co.il

Business hours: Sunday-Thursday 09:00-17:00, Friday 09:00-13:00

We undertake to respond to every inquiry within no more than 5 business days.

Raz Haim - Currency Services Ltd. | I-Change | CASHLOCK

info@i-change.co.il | www.i-change.co.il | 08-8557300 | 050-4207770