Privacy Policy for Hayya Morocco

At Hayya Morocco, we are committed to safeguarding the privacy of our users and ensuring the confidentiality and security of the personal information we collect. Our privacy policy is meticulously aligned with Moroccan Law No. 09-08 (Dahir no. 1-09-15 of 2009), which governs the protection of individuals’ personal data, as well as international standards such as those outlined in the General Data Protection Regulation (GDPR) principles, ISO/IEC 27001 for information security, and the OECD Privacy Guidelines. This policy ensures compliance with both domestic and international obligations, reflecting our dedication to ethical data practices.


1. Legal Framework and Compliance

1.1 Moroccan Legal Requirements
  • Law No. 09-08: This law establishes the foundation for data protection in Morocco, granting individuals rights to access, correct, and object to the processing of their personal data. It mandates that data controllers implement technical and organizational safeguards to prevent unauthorized access or misuse.

  • Constitutional Protections: Article 17 of the Moroccan Constitution enshrines the right to privacy, stating that “the domicile is inviolable” and that searches may only occur under strict legal conditions.

  • Tourism-Specific Regulations: The Moroccan tourism sector is governed by laws regulating institutions such as hotels, restaurants, and travel agencies. Hayya Morocco ensures compliance with these regulations when handling data related to tourism services.

1.2 International Standards
  • GDPR Alignment: While not legally required under Moroccan law, Hayya Morocco voluntarily adheres to GDPR principles for cross-border data transfers and transparency.

  • Data Protection by Design: We incorporate privacy safeguards into our systems from development to deployment, as recommended by international frameworks.


2. Collection of Personal Information

2.1 Types of Data Collected
  • Identification Information:

    • Full name, date of birth, gender, nationality, and contact details (address, phone number, email).

    • For international bookings, passport details and visa information may be required.

  • Payment Information:

    • Credit/debit card numbers, expiration dates, and CVV codes, processed via SSL/TLS encryption to meet PCI-DSS standards.

  • Usage Information:

    • Browser type, device information, IP address, cookies, and analytics data (e.g., page views, session duration).

    • Data collected via third-party tools like Google Analytics (pseudonymized to comply with privacy laws).

2.2 Data Collection Methods
  • Direct Submission: Through forms, bookings, or customer support interactions.

  • Automated Tracking: Cookies and pixels for analytics and personalized marketing.

  • Third-Party Services: Partners such as payment gateways and hotel booking platforms, which are vetted for compliance.


3. Use of Information

3.1 Primary Purposes
  • Service Provision:

    • Processing reservations, confirming bookings, and coordinating with hotels, airlines, and transportation providers.

    • Providing customer support and resolving disputes.

  • Site Improvement:

    • Analyzing user behavior via anonymized data to refine interfaces and optimize performance.

    • Conducting A/B testing and user surveys to enhance user experience.

  • Marketing Communications:

    • Sending newsletters, promotional offers, and service updates via email or SMS. Users may opt out at any time.

3.2 Secondary Uses
  • Legal Compliance:

    • Retaining records for tax and accounting purposes (e.g., payment receipts stored for 7 years as per Moroccan fiscal laws).

  • Security Monitoring:

    • Detecting and preventing fraud or unauthorized access through behavioral analysis.

3.3 Data Retention
  • Personal Data: Retained only as long as necessary for the stated purposes, typically 3–5 years post-transaction, unless legally required to keep it longer (e.g., financial records).

  • Usage Data: Aggregated analytics data is retained for up to 12 months for trend analysis.


4. Sharing Information

4.1 Third-Party Recipients
  • Service Providers:

    • Airlines, hotels, and payment processors are contractually obligated to adhere to Moroccan data protection laws and our privacy standards.

    • Example: Stripe (payment processor) uses AES-256 encryption and complies with PCI-DSS.

  • Legal Authorities:

    • Data may be disclosed to Moroccan courts, law enforcement, or regulatory bodies upon a valid legal request.

  • Mergers & Acquisitions:

    • In the event of a corporate sale or merger, user data may transfer to the acquiring entity, with prior notice provided.

4.2 Cross-Border Transfers
  • International Transfers:

    • Data may be transferred to countries outside Morocco, provided adequate safeguards are in place (e.g., EU Standard Contractual Clauses or equivalent agreements).

    • Users from non-Moroccan jurisdictions retain rights under their local laws, such as the GDPR.


5. Information Protection

5.1 Technical Safeguards
  • Encryption:

    • All sensitive data (e.g., payment info) is encrypted using AES-256 during transmission and at rest.

  • Access Controls:

    • Role-based access ensures only authorized personnel can view or modify data. Multi-factor authentication (MFA) is mandatory for administrative accounts.

  • Network Security:

    • Firewalls, intrusion detection systems (IDS), and regular vulnerability assessments mitigate cyber threats.

5.2 Organizational Measures
  • Employee Training:

    • Annual data protection workshops and simulations of breach scenarios are conducted to reinforce compliance.

  • Incident Response Plan:

    • A documented protocol outlines steps to contain breaches, notify authorities within 72 hours (if required by international standards), and inform affected users promptly.

5.3 Physical Security
  • Server facilities are housed in secure data centers with biometric access controls and 24/7 surveillance.


6. User Rights Under Moroccan Law No. 09-08

6.1 Right of Access
  • Users may request a copy of their data by emailing privacy@hayyamorocco.com. Responses are provided within 30 days, free of charge.

6.2 Right to Rectification
  • Inaccurate or incomplete data can be corrected upon request. Users must provide proof of identity and the specific correction required.

6.3 Right to Object
  • Users may object to data processing for marketing purposes at any time. Opt-out links are included in all promotional emails.

6.4 Right to Erasure (“Right to Be Forgotten”)
  • Requests to delete data will be honored unless retention is legally mandated (e.g., for tax purposes).

6.5 Data Portability
  • Users can request their data in a machine-readable format (e.g., CSV) to transfer to another service provider.

6.6 Right to Lodge a Complaint
  • Disputes can be escalated to Morocco’s Data Protection Authority (if established) or international bodies like the OECD.


7. Cookies and Tracking Technologies

7.1 Cookie Types and Purposes
  • Session Cookies: Temporarily store login details for seamless navigation.

  • Persistent Cookies: Remember user preferences (e.g., language) for up to 12 months.

  • Third-Party Cookies: Used by analytics tools like Google Analytics (with user consent).

7.2 Consent Management
  • A cookie consent banner is displayed upon first visit, requiring explicit opt-in. Users can manage settings via their browser or our privacy dashboard.


8. Modifications to the Privacy Policy

  • Updates: Changes are posted on our website, with summaries of material revisions emailed to registered users. Historical versions are archived for reference.

  • Grandfathering: Existing users’ data will continue to be processed under the terms in effect at the time of collection unless they provide renewed consent.


9. Contact and Support

Primary Channels
Dispute Resolution
  • Complaints are investigated within 30 days. Escalation to Moroccan courts or international arbitration (per user jurisdiction) is permitted.


10. Additional Protections for Vulnerable Groups

10.1 Children’s Privacy
  • Users under 18 must obtain parental consent for data collection. Minors’ data is stored separately and deleted upon request.

10.2 Data Subject Vulnerability
  • Extra safeguards are applied for sensitive data (e.g., health information for medical tourism bookings), requiring explicit consent and encryption.


11. Certifications and Audits

  • Annual Audits: Conducted by third-party firms to verify compliance with Moroccan and international standards.

  • Certifications:

    • ISO 27001 for information security.

    • GDPR-compliant certification from the International Association of Privacy Professionals (IAPP).


12. Cross-Border Compliance

  • Multi-Jurisdictional Compliance:

    • Data processing agreements with international partners incorporate clauses meeting both Moroccan and EU requirements.

    • Users from the EU retain GDPR rights, including the right to data portability and objection.


13. Data Mapping and Transparency

  • Data Flow Diagrams: Available upon request, detailing how data moves between systems and partners.

  • Transparency Reports: Published quarterly, summarizing data requests from authorities and breach incidents.


Hayya Morocco’s privacy policy reflects our unwavering commitment to legal compliance, ethical data practices, and user trust. By integrating Moroccan regulations, international standards, and cutting-edge security measures, we ensure that every interaction with our platform is secure and transparent.
