Up Network Maroc – Privacy Policy
Last updated: March 2026
Regulatory Compliance Basis
This policy has been drafted in compliance with:
- Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR)
- Loi n° 09-08 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel (Morocco)
- Decree n° 2-09-165 implementing Loi n° 09-08
- ePrivacy Directive 2002/58/EC (as amended) regarding cookies and electronic communications
1. Introduction and Scope
Up Network Maroc (“we”, “our”, “us”, or the “Company”) operates the website located at www.upnetworkmaroc.com and associated digital services. We are committed to processing personal data lawfully, fairly, and transparently.
This Privacy Policy applies to all individuals (“data subjects”) who:
- Visit or interact with our website
- Use our products or services
- Submit inquiries, orders, or contact forms
- Receive communications from us
By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of our services.
2. Identity of the Data Controller
The data controller responsible for processing your personal data is:
| Company Name | Up Network Maroc |
| Country | Kingdom of Morocco |
| Privacy Contact | privacy@upnetworkmaroc.com |
| Supervisory Authority | Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) |
3. Legal Basis for Processing
We process personal data only when a valid legal basis under Article 6 GDPR and Loi n° 09-08 exists. Each processing activity is mapped to one or more of the following bases:
| Legal Basis | Article Reference | Processing Activities |
| --- | --- | --- |
| Consent | Art. 6(1)(a) GDPR / Art. 4 Loi 09-08 | Marketing communications, non-essential cookies |
| Contract Performance | Art. 6(1)(b) GDPR / Art. 4 Loi 09-08 | Order processing, service delivery, account management |
| Legal Obligation | Art. 6(1)(c) GDPR / Art. 4 Loi 09-08 | Tax records, accounting, compliance reporting |
| Legitimate Interests | Art. 6(1)(f) GDPR / Art. 4 Loi 09-08 | Security monitoring, fraud prevention, service improvement |
4. Categories of Personal Data We Collect
4.1 Data You Provide Directly
We collect data you voluntarily submit through forms, registrations, or communications:
- Full name and professional title
- Email address
- Phone number
- Company name and business address
- Billing and/or shipping address
- Payment information (processed via PCI-DSS compliant third-party processors — we do not store raw card data)
- Messages submitted via contact or support forms
- Account credentials (passwords are stored in hashed form only)
4.2 Data Collected Automatically
When you interact with our website, we may automatically collect technical and usage data, including:
- IP address (stored in anonymised or pseudonymised form where possible)
- Browser type, version, and language settings
- Operating system and device type
- Pages visited, time on page, and click paths
- Date and time of visits (UTC-recorded)
- Referring URL and exit URL
- Session identifiers and cookie identifiers
4.3 Data We Do Not Collect
Unless explicitly required by a specific service and documented separately, we do not intentionally collect:
- Special categories of personal data (Art. 9 GDPR) — including health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs
- Personal data of children under 16 years of age (see Section 13)
- Financial account numbers or raw payment card data
5. Purposes of Processing
We process personal data for the following specified, explicit, and legitimate purposes:
| Purpose | Legal Basis |
| --- | --- |
| Operating and maintaining the website and services | Legitimate Interests |
| Responding to inquiries and support requests | Contract / Legitimate Interests |
| Processing orders and transactions | Contract Performance |
| Sending transactional communications (order confirmations, receipts) | Contract Performance |
| Improving website functionality and user experience | Legitimate Interests |
| Analysing website traffic and performance metrics | Legitimate Interests / Consent (analytics cookies) |
| Sending marketing communications and offers | Consent |
| Complying with legal and regulatory obligations | Legal Obligation |
| Preventing fraud, abuse, and maintaining security | Legitimate Interests / Legal Obligation |
| Resolving disputes and enforcing agreements | Legitimate Interests / Legal Obligation |
6. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies in accordance with the ePrivacy Directive. Cookies are small text files placed on your device to enable website functionality and analytical insights.
6.1 Cookie Categories
| Type | Purpose | Consent Required |
| --- | --- | --- |
| Essential | Session management, security, authentication, shopping cart | No (strictly necessary) |
| Analytics | Traffic measurement, user journey analysis (Matomo) | Yes |
| Performance | Page load optimisation, CDN behaviour (Cloudflare) | No (technical) |
| Functional | User preferences, language settings, personalisation | Yes |
| Marketing | Remarketing, conversion tracking (if applicable) | Yes |
Users may manage, restrict, or withdraw cookie consent at any time via the cookie consent banner displayed upon first visit, or through browser settings. Withdrawing consent for non-essential cookies will not affect website accessibility for core functionality.
7. Third-Party Processors and Service Providers
We engage third-party data processors to support our operations. All processors are bound by written Data Processing Agreements (DPAs) in accordance with Article 28 GDPR. Processors may only act on our documented instructions and may not use data for their own purposes.
| Processor | Service Category | Data Processed | Location |
| --- | --- | --- | --- |
| Cloudflare, Inc. | CDN / Security / DDoS Protection | IP addresses, request metadata | USA (SCCs applied) |
| Matomo | Web Analytics | Anonymised usage data, IP (truncated) | Self-hosted / EU |
| WordPress / WooCommerce | CMS / E-Commerce Platform | Order data, user accounts | Depends on hosting |
| Hosting Provider | Web Hosting | All site data | Morocco / EU |
| Payment Processor | Payment Processing | Payment card data (PCI-DSS) | As per processor |
| Email Service Provider | Transactional Email | Email address, name | EU or SCCs |
8. Data Sharing and Disclosure
We do not sell, rent, or trade personal data to third parties for commercial purposes.
Data may be disclosed in the following limited circumstances only:
- To service providers: Trusted processors under DPA, strictly as necessary to deliver services (see Section 7).
- To comply with legal obligations: In response to a valid court order, regulatory request, or statutory requirement under Moroccan or applicable EU law.
- To protect rights and safety: Where disclosure is necessary to prevent fraud, protect the rights, property, or safety of Up Network Maroc, our users, or the public.
- In a business transfer: In the event of a merger, acquisition, or asset sale, data subjects will be notified in advance.
9. International Data Transfers
Some of our service providers are located outside Morocco and the European Economic Area (EEA). Where personal data is transferred internationally, we ensure adequate protection through the following mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA-originating transfers)
- Adequacy decisions recognised by the CNDP (Morocco) or applicable supervisory authority
- Article 49 GDPR derogations where applicable and documented
- Binding Corporate Rules (BCRs) where the processor operates under approved BCRs
Transfer impact assessments are conducted for high-risk third-country transfers. Records are maintained in our internal processing register.
10. Data Retention
Personal data is retained only for as long as necessary for the stated purpose or as required by law. Our retention schedule is as follows:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Customer / order records | 7 years | Legal obligation (Moroccan Commercial Law) |
| Contact / inquiry forms | 3 years after last contact | Legitimate interests |
| User account data | Duration of account + 3 years | Contract |
| Marketing consent records | Until consent withdrawn + 3 years | Compliance audit trail |
| Server / access logs | 12 months | Security / Legitimate interests |
| Cookie consent records | 13 months | ePrivacy compliance |
| Analytics data | 13 months (rolling, anonymised) | Consent / Legitimate interests |
After the applicable retention period, data is securely deleted or anonymised in accordance with our data deletion procedures.
11. Your Rights as a Data Subject
Depending on your jurisdiction and the applicable law, you have the following rights regarding your personal data. We respond to all verified requests within 30 days (extendable by a further 60 days for complex cases, with prior notice).
| Right | Description | Legal Reference |
| --- | --- | --- |
| Right of Access | Obtain confirmation and a copy of your personal data | Art. 15 GDPR / Art. 7 Loi 09-08 |
| Right to Rectification | Correct inaccurate or incomplete data | Art. 16 GDPR / Art. 8 Loi 09-08 |
| Right to Erasure | Request deletion of your data (‘right to be forgotten’) | Art. 17 GDPR / Art. 9 Loi 09-08 |
| Right to Restrict Processing | Limit how we use your data in certain circumstances | Art. 18 GDPR |
| Right to Data Portability | Receive your data in a machine-readable format | Art. 20 GDPR |
| Right to Object | Object to processing based on legitimate interests or for direct marketing | Art. 21 GDPR |
| Right to Withdraw Consent | Withdraw consent at any time without affecting prior processing | Art. 7(3) GDPR / Art. 4 Loi 09-08 |
| Right to Lodge a Complaint | File a complaint with the CNDP or relevant supervisory authority | Art. 77 GDPR / Art. 26 Loi 09-08 |
To exercise any of the above rights, contact us at: privacy@upnetworkmaroc.com
We may need to verify your identity before processing your request. No fee is charged for exercising your rights, except where requests are manifestly unfounded or excessive.
12. Data Security Measures
We implement appropriate technical and organisational measures (TOMs) in accordance with Article 32 GDPR and applicable Moroccan standards to ensure a level of security appropriate to the risk:
12.1 Technical Measures
- TLS/SSL (HTTPS) encryption for all data in transit
- AES-256 encryption or equivalent for data at rest where applicable
- Cloudflare DDoS protection and Web Application Firewall (WAF)
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) on administrative interfaces
- Regular security patching and vulnerability management
- Automated backup systems with tested recovery procedures
12.2 Organisational Measures
- Staff confidentiality agreements and privacy training
- Internal data protection policies and procedures
- Vendor due diligence and DPA review before engagement
- Documented incident response and data breach notification procedure
- Regular internal audits of data processing activities
- Maintenance of Records of Processing Activities (RoPA) per Art. 30 GDPR
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the CNDP within 72 hours of becoming aware, and affected individuals without undue delay, in accordance with Articles 33–34 GDPR and Loi n° 09-08.
13. Marketing Communications
We will only send direct marketing communications where we have obtained your explicit prior consent (opt-in), or where we rely on the soft opt-in exemption for existing customers regarding similar products and services.
Every marketing communication includes a clear and free unsubscribe mechanism. Opt-out requests are processed within 5 business days.
Withdrawal of marketing consent does not affect the lawfulness of processing carried out prior to withdrawal.
14. Children’s Privacy
Our website and services are not directed to, and we do not knowingly collect personal data from, individuals under the age of 16. This threshold is consistent with Article 8 GDPR.
If we become aware that personal data has been collected from a child under 16 without verified parental consent, we will take immediate steps to delete such data. If you believe we may have collected data about a minor, please contact privacy@upnetworkmaroc.com.
15. Automated Decision-Making and Profiling
We do not currently carry out automated decision-making or profiling activities that produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. Should this change, this policy will be updated accordingly, and appropriate safeguards and opt-out mechanisms will be implemented.
16. Supervisory Authority and Complaints
You have the right to lodge a complaint with the competent supervisory authority:
| Morocco | EU / EEA Users |
| --- | --- |
| Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP), www.cndp.ma | The data protection authority of your EU Member State of habitual residence, place of work, or the place of the alleged infringement |
We encourage you to contact us first at privacy@upnetworkmaroc.com so we may resolve any concern directly.
17. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes will be communicated by:
- Updating the “Last Updated” date at the top of this document
- Displaying a prominent notice on our website prior to the change taking effect
- Sending an email notification to registered users where the changes materially affect their rights
Your continued use of our services after the effective date constitutes acceptance of the updated policy. We recommend reviewing this page periodically.
18. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact:
Up Network Maroc — Data Privacy
Email: privacy@upnetworkmaroc.com
Website: www.upnetworkmaroc.com
Country: Kingdom of Morocco