Legal · Privacy
Path58 Privacy Policy
§ 1 Who we are
Path58 Consultancy is the service-business arm of Path58 — a revenue and GTM consultancy operating from Israel. We work with B2B SaaS revenue leaders adopting multi-agent operations. We are a small, founder-led firm; Tsvika Vagman is the founder, principal consultant, and primary data controller. Contact for privacy questions: [email protected].§ 2 What we collect
Three categories of data. (1) Qualifier intake data — first name (and optionally last name), email, LinkedIn URL, role/title (optional), current ARR, target ARR, timeframe to target (months/quarters/years), and a free-text note describing what's breaking in your revenue motion. Submitted voluntarily via /contact. For spam-audit only, we compute a salted SHA-256 hash of the submitter's IP address (truncated to 16 characters) — we do NOT store the raw IP address. (2) Engagement substrate — methodology canon records, operating-layer artifacts, agent-runtime logs, AX-Engine measurement output. Generated during client engagements; jointly controlled per engagement-specific terms. (3) Site-analytics data — anonymized page-view counts, referrer source, session duration. No third-party advertising trackers. No cross-site tracking.§ 3 Why we collect (with GDPR Article 6 lawful-basis tags)
Qualifier intake: to route inquiries in writing within two business days [Art 6(1)(f) legitimate interest — assessing fit for a service inquiry submitted voluntarily]. Engagement substrate: to deliver the engagement; ship methodology canon (Path58-OS) and runtime workflows; honor active NDAs [Art 6(1)(b) contract performance]. Site-analytics: to understand which content lands and where buyers bounce [Art 6(1)(f) legitimate interest — aggregate-only, no tracking].§ 4 Who we share data with — subprocessors and international transfers
Subprocessors: Notion (workspace + storage), Supabase (database), n8n (workflow runtime), Anthropic Claude (LLM provider), NotebookLM (research), Google Workspace (email + calendar + storage), Cloudflare (site hosting via Pages, bot verification via Turnstile — Turnstile processes IP address transiently for challenge issuance; no persistent storage), Resend (transactional email for intake notifications and confirmations). Each subprocessor has its own data-handling policy and DPA. We do not sell data. We do not share with third-party advertising networks. International transfers: Israel benefits from an EU adequacy decision (2011). US-based subprocessors (Anthropic, Google, Supabase, Notion, Cloudflare, Resend) operate under Standard Contractual Clauses and/or EU-US Data Privacy Framework certifications.§ 5 AI and agent disclosure (long-form)
Path58 ships content authored primarily with AI assistance. We operate a multi-agent stack across consultancy and product surfaces — Path58-OS methodology canon, p58-n8n MCP runtime, AX-Engine measurement, Multi-Agent OS orchestration. Per-asset attribution rides in standard metadata — every page, post, deliverable, and runtime artifact carries an authoring-attribution record. EU AI Act compliance posture: Article 50 (transparency for AI-generated content, effective Aug 2, 2026) — standing declaration in page footers plus per-asset metadata. Articles 11+12+14 (documentation, logging, oversight for high-risk AI systems) — agent-augmented operational systems as system-classes warranting documentation and replay. Deployer vs Provider classification — Path58 acts as both; we honor both. Additional frameworks: Israeli PPL Amendment No. 13 (2025), GDPR Article 35 DPIA (internal for high-risk classes), GDPR Article 5(1)(e) storage limitation.§ 6 Retention
Qualifier intake data (including current/target ARR, LinkedIn URL, and all other fields collected via /contact): 24 months from form submission, or until earlier deletion request. The IP-address hash retains the same 24-month window and is deleted with the parent record. Engagement substrate: 7 years from engagement close per GDPR Article 5(1)(e) operational-records requirement; client-specific substrate returned or destroyed per engagement-specific terms. Site-analytics: 13 months rolling.§ 7 Your rights
Access, correction, deletion (subject to retention obligations), objection to processing, portability, and complaint to supervisory authority (Israeli Privacy Protection Authority; or your EU member-state DPA if you are an EU resident). Email [email protected] for any rights request. Response within 30 days.§ 8 Security
Standard-discipline practices: encrypted-at-rest storage for engagement substrate; TLS-everywhere for data in transit; multi-factor authentication on administrative surfaces; quarterly access-control reviews; subprocessor SOC 2 / ISO 27001 verification at onboarding. We do not claim a formal SOC 2 certification ourselves; we are a small founder-led firm. We do honor the discipline. The /contact form is protected by Cloudflare Turnstile — a privacy-preserving bot-verification challenge that does not track users across sites and does not use browser fingerprinting for advertising or profiling.§ 8a Breach notification
Personal-data breach affecting rights or freedoms of data subjects: notification to the supervisory authority within 72 hours of becoming aware, per GDPR Article 33 and Israeli PPL Amendment No. 13 Section 22. Affected data subjects notified without undue delay where high risk to their rights per GDPR Article 34.§ 9 Children
We do not knowingly collect data from anyone under 18. Path58 services are for B2B revenue leaders.§ 10 Updates to this policy
Material changes posted here with a revised Last-updated date. Substantive changes affecting data-subject rights emailed to addresses on file.§ 11 Compliance posture summary
EU AI Act Article 50 (transparency): standing declaration in footer + per-asset metadata. EU AI Act Articles 11+12+14 (high-risk systems): internal discipline; agent-runtime audit-and-replay. GDPR Article 5(1)(e) (storage): 7-year operational-records retention. GDPR Article 35 (DPIA): conducted internally for high-risk classes. Israeli PPL Amendment No. 13 (2025): honored; Path58 operates from Israel.§ 12 Contact
Email [email protected]. Response time: within 30 days. Languages: English or Hebrew. For general engagement inquiries: /contact form. If you are in the EU and unsatisfied, you have the right to complain to your supervisory authority. The Israeli Privacy Protection Authority is the supervisory body in Israel.
Send privacy questions to [email protected].
Email for any rights request, data-handling question, or complaint. Response within 30 days. Languages: English or Hebrew.
Path58 ships content authored primarily with AI assistance. Per-asset attribution rides in standard metadata. Full disclosure.