Privacy Policy
This policy explains what personal data StaySafe Morocco collects, why we collect it, who we share it with, and your rights over it. We respect your privacy and we never sell your data.
Last updated: 1 June 2026
1. Who we are
StaySafe Morocco is a Morocco-based travel safety platform operating the website staysafemorocco.com and the StaySafe mobile app for iOS and Android. For the purposes of data protection law, we are the “data controller” of personal information collected through the Service.
Contact: hello@staysafemorocco.com
2. Data we collect
We only collect what we need to run the Service. Specifically:
Information you provide
- Contact & billing — name, email, billing address, phone (optional), country.
- Payment — payment card details are entered directly into Stripe’s PCI-compliant form. We never see or store your full card number. We do store the last 4 digits and card brand for receipts.
- Account credentials — if you create an account, your username and a hashed password.
- User content — reviews, community posts, support messages.
Information collected automatically
- Device & technical data — IP address, device type, operating system, browser, language, screen size, referrer URL.
- Usage data — pages visited, features used, links clicked, time on page, error logs.
- Location data — the app requests your GPS coordinates only when you use SOS or the hospital/pharmacy finder, to find the nearest help. Location is used in the moment and not stored on our servers after the request.
- Cookies — see Section 5.
Information from third parties
- Stripe — payment confirmation, last 4 digits, card brand, country.
- Mobile carrier partners — eSIM activation status, data consumption, validity dates (no call/message content).
3. How we use your data
We use your data to:
- Deliver the eSIM you purchased (send the QR code, manage activation).
- Provide the StaySafe app features (SOS calls, hospital finder, city guides).
- Process payments and refunds.
- Respond to your customer support requests.
- Improve the Service through analytics (which features are used, where users get stuck).
- Send essential transactional emails (order receipts, eSIM expiry reminders, refund updates).
- Send marketing emails — only if you have opted in. You can unsubscribe at any time.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with our legal obligations.
4. Legal basis under GDPR
If you are in the European Economic Area, the United Kingdom, or other jurisdictions with similar laws, we rely on the following legal bases:
- Contract performance — to deliver the eSIM and app features you have asked for.
- Legitimate interest — for analytics, fraud prevention, and improving the Service. We balance this against your privacy rights and you may object at any time.
- Consent — for marketing communications, non-essential cookies, and (in the app) location access for SOS/hospital finder. You can withdraw consent at any time.
- Legal obligation — for tax records, fraud reporting, and lawful disclosure requests.
5. Cookies & tracking technologies
We use cookies and similar technologies to make the Service work and to understand how it’s used. Categories of cookies we set:
- Strictly necessary — login session, shopping cart, security tokens. These cannot be switched off.
- Analytics — Google Analytics (anonymised IP) measures aggregate site usage.
- Advertising — Meta (Facebook) Pixel and TikTok Pixel measure conversion of ads. Set only if you accept marketing cookies.
- Preferences — language preference (English / French / Spanish) and currency.
You can manage cookies through your browser settings or by clearing your browser data. Note that disabling strictly necessary cookies will break parts of the site (login, checkout).
6. Third-party services we use
To run the Service, we share limited data with carefully selected providers:
- Stripe (Ireland / USA) — payment processing. Stripe privacy policy.
- Google Maps & Analytics (USA) — mapping and usage measurement. Google privacy policy.
- Meta (Facebook) (Ireland / USA) — ad attribution. Meta privacy policy.
- TikTok (Ireland / USA) — ad attribution. TikTok privacy policy.
- WhatsApp Business (Meta) — customer support messaging.
- WordPress hosting (Hostinger) — Moroccan / European servers.
- Local Moroccan mobile carriers — eSIM data & voice provisioning (carrier-specific privacy practices apply once data is on their network).
7. Sharing your data
We do not sell your personal data. We share data only with:
- Service providers listed above, under data processing agreements.
- Public authorities, when legally required (court orders, valid law-enforcement requests, tax authorities).
- A successor entity in the event of a merger, acquisition, or restructuring — and only under equivalent privacy commitments.
8. International data transfers
Some of our service providers (notably Stripe, Google, Meta) are based in the United States. Where data is transferred outside of Morocco or the EEA, we rely on Standard Contractual Clauses or equivalent safeguards approved by the relevant data-protection authorities.
9. How long we keep your data
- Order & payment records — 7 years (Moroccan tax law requirement).
- Account data — for as long as your account is active, plus 12 months after deletion.
- Support messages — 24 months.
- Marketing data — until you unsubscribe, then deleted within 30 days.
- Analytics — anonymised and aggregated; retained 26 months in Google Analytics.
- Cookies — typically 1–24 months depending on type; see your browser cookie inspector for specifics.
10. Your rights
Subject to applicable law, you have the right to:
- Access — request a copy of the data we hold about you.
- Rectify — correct inaccurate data.
- Erase — ask us to delete your data (“right to be forgotten”), subject to legal retention obligations.
- Restrict / object — limit how we process your data, or object to processing based on legitimate interest.
- Portability — receive your data in a machine-readable format and transfer it to another provider.
- Withdraw consent — for marketing, cookies, or location at any time.
- Lodge a complaint — with the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) in Morocco, or with your local data-protection authority.
To exercise any of these rights, email hello@staysafemorocco.com. We respond within 30 days.
11. Children’s privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal information, please contact us so we can delete it.
12. How we protect your data
We use technical and organisational measures to protect your data, including:
- HTTPS / TLS encryption across the entire site and app.
- PCI-compliant payment processing via Stripe (we never see your full card number).
- Encrypted databases for sensitive at-rest data.
- Role-based access — only authorised team members can see customer data, and only to the extent needed for their job.
- Regular security reviews and dependency updates.
No system is 100% secure. If a data breach affects you, we will notify you and the relevant authorities as required by law (within 72 hours under GDPR).
13. Changes to this policy
We may update this policy from time to time. The latest version will always be at this URL, with a “last updated” date at the top. Material changes will be announced by email (for active customers) and prominently in the app.
14. Contact & complaints
Questions about this policy or about your data?
📧 hello@staysafemorocco.com
💬 WhatsApp & in-app chat — available 24/7
You can also lodge a formal complaint with the Moroccan data-protection authority (CNDP) or your local supervisory authority in the EEA / UK.