Privacy Policy
Last updated: 31 May 2026 · Effective: 31 May 2026
1. Data Controller
Imourig (“we”, “our”, “us”) is the data controller for personal data collected through this website (imourig.com). We operate a marketplace connecting travelers with local experience operators in Morocco.
Contact: privacy@imourig.com
2. What Data We Collect & Why
| Data | Why We Collect It | Legal Basis |
|---|---|---|
| Name, email address | Account creation, booking requests, newsletter | Contractual necessity / Consent |
| Phone number | Booking requests, operator listings | Contractual necessity / Consent |
| Country of residence | Booking requests (operator needs this) | Contractual necessity |
| Group size, requested date | Processing booking requests | Contractual necessity |
| Special requests / notes | Communicating your needs to the operator | Consent |
| Operator business details (name, city, phone, bio, languages, licence number) | Creating and displaying operator listings publicly | Consent + Contractual |
| Experience listings content (title, description, photos, pricing) | Displaying operator services on the platform | Contractual necessity |
| Booking history | Commission tracking, dispute resolution, operator invoicing | Contractual necessity + Legitimate interest |
| Chat messages (traveler ↔ operator) | Facilitating booking communication | Contractual necessity |
| IP address, browser/device type | Security, fraud prevention, analytics | Legitimate interest (GDPR Art. 6(1)(f)) |
| Pages visited, time on site | Analytics — aggregate only | Consent (via cookie banner) |
| Review content | Displaying verified traveler reviews publicly | Consent |
3. How We Share Your Data
We do NOT sell your personal data. We share data only in the following circumstances:
- With operators: When you submit a booking request, your name, email, phone, date, group size, and special requests are shared with the relevant operator so they can confirm your booking. The operator is an independent third party and has their own privacy obligations.
- With Supabase (our database provider): All data is stored on Supabase infrastructure (AWS EU regions), which is GDPR-compliant. See their privacy policy at supabase.com/privacy.
- With legal authorities: We may disclose data if required by Moroccan law, court order, or to protect safety and prevent fraud.
- In chat messages: Messages exchanged between a traveler and operator via the in-platform chat are visible to both parties and stored securely in our database. They are not visible to any other user.
4. Cookies (Law 09-08 + GDPR)
We use minimal cookies necessary for the platform to function (authentication session cookies). Analytics cookies require your consent, which you can give or withdraw via our cookie banner. Under CNDP guidance, we have filed a simplified notification for cookie processing.
We do not use advertising or cross-site tracking cookies.
5. Data Retention
- Newsletter subscriptions: Until you unsubscribe, then deleted within 30 days
- Account data: Duration of account + 2 years after deletion request (for dispute resolution)
- Booking records: 5 years from booking date (financial and legal compliance)
- Chat messages: 2 years from booking date, then permanently deleted
- Operator listings: Until removed by operator or Imourig + 1 year
- Reviews: Until removed by Imourig or reviewer + 1 year
- Analytics logs (IP): 12 months in aggregate form
6. Your Rights
Under Morocco Law 09-08 and GDPR (EU residents), you have the right to:
- Access — request a copy of your personal data we hold
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — delete your data, subject to legal retention requirements
- Object — stop processing based on legitimate interests
- Restrict processing — limit how we use your data
- Portability (EU/GDPR) — receive your data in machine-readable format
- Withdraw consent — at any time, without affecting lawfulness of prior processing
To exercise any right: privacy@imourig.com. We respond within 30 days (Law 09-08) / 1 month (GDPR).
Note: Deleting your account does not automatically delete reviews you have submitted publicly, as these form part of the platform's trust system. Request review removal separately if needed.
7. Cross-Border Data Transfers
Your data is stored on servers operated by Supabase (AWS EU regions, primarily Frankfurt). Supabase is GDPR-compliant and processes data under Standard Contractual Clauses (SCCs). For Morocco Law 09-08, transfers outside Morocco are conducted with appropriate CNDP-notified safeguards.
8. Data Breach Notification (Law 07-26)
Under Morocco Law 07-26, in the event of a data breach that affects your rights, we will:
- Notify the CNDP within 72 hours of discovery
- Notify affected users without undue delay where the breach poses a high risk to their rights and freedoms
- Take immediate steps to contain and remediate the breach
9. Children's Privacy
This platform is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us immediately and we will delete it.
10. Security
We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), row-level security on our database (Supabase RLS), hashed passwords managed by Supabase Auth, and regular security reviews. No system is 100% secure; we encourage you to use a strong password and not share your credentials.
11. Complaints
If you believe we have not handled your data correctly:
- Morocco: File a complaint with CNDP at cndp.ma
- EU residents: Contact your national Data Protection Authority (DPA)
12. Changes to This Policy
We may update this policy when the platform changes or new legal requirements arise. Material changes will be notified by email (registered users) or by a prominent notice on this page. The “Last updated” date at the top always reflects the current version.