Privacy policy
Last updated: 24 May 2026
This policy explains what personal data maghribi.org collects from you, how we use it, and the rights you have over it. It applies to everyone who uses the platform at maghribi.org and its sub-routes.
Data controller: maghribi.org (referred to below as “we” / “us”). For questions about this policy or to exercise any of your rights, contact privacy@maghribi.org.
1. Data we collect
We only collect data that is necessary to run the product:
- Account data: name, email address, password (hashed, never stored in plain text), the country space you join, your preferred language, your self-declared identity (Moroccan resident / diaspora / friend-of-Morocco) and optional profile fields you choose to fill in (avatar, bio, city, profession, interests, social links).
- Content you create: posts, comments, likes, RSVPs, watch-party signups, predictions, page submissions (tryout requests, membership requests, volunteer signups, tips, contact messages), and direct messages.
- Technical data: the device type and browser used when you sign in (so we can keep your session secure), an IP address for the duration of a session (used solely for rate-limiting and fraud prevention — not stored long-term), and minimal error logs when something breaks.
- Cookies: see Section 6 below.
We do not collect: payment information (we accept none in-app), precise geolocation, biometric data, or data about your behaviour on websites outside maghribi.org.
2. How we use your data
We use your data only for the following purposes:
- To run the service — show you your country space, notify you when someone interacts with what you posted, let other members find you in the directory.
- To keep the service safe — detect spam, harassment, and abuse; enforce the Community Guidelines; respond to legal requests where we are required to.
- To communicate with you — service emails (welcome, password reset, account changes, weekly digest if you opt in). We do not send marketing emails without your explicit consent.
- To improve the product — aggregated, anonymous usage patterns (e.g. “X% of members open the Game Time tab”). We never use this data to identify or profile individual members for commercial purposes.
3. Legal bases (GDPR Art. 6)
We process your data under the following legal bases, depending on the activity:
- Contract (Art. 6(1)(b)) — for everything required to provide the service after you create an account.
- Legitimate interest (Art. 6(1)(f)) — for safety (anti-spam, anti-abuse) and minimal error logging.
- Consent (Art. 6(1)(a)) — for non-essential cookies and marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — when we are required to respond to a lawful order from a competent authority.
4. Who we share data with
We do not sell your data and we do not share it with advertisers. The only third parties who process data on our behalf are infrastructure providers strictly necessary to run the service:
- Supabase (database + auth) — data hosted in the EU (Frankfurt). Data Processing Agreement in place.
- Vercel (application hosting) — edge requests routed to the nearest data centre; database access is region-restricted to EU.
- Resend (transactional email delivery) — used only to send service emails you have implicitly or explicitly consented to.
- Sentry (error reporting) — receives anonymised stack traces when the app crashes. No request bodies are sent.
We may also disclose data when legally required by a court or authority with jurisdiction over us. We will notify the affected member where the law permits.
5. How long we keep data
- Account data: kept while your account is active. If you delete your account, all personally identifying fields are erased within 30 days (some technical logs retain a hashed reference for fraud-prevention purposes for up to 12 months, after which it is deleted).
- Content: kept until you delete it. After account deletion, your posts become anonymous (your name is replaced with “Former member”) unless you also delete the posts.
- Direct messages: kept until either party deletes the conversation. Both copies are removed once either party deletes it.
- Backups: rolling 30 days, encrypted at rest.
6. Cookies and similar technologies
We use the absolute minimum:
- Essential (no consent required — strictly necessary): a session cookie that keeps you signed in (HttpOnly, Secure, SameSite=Lax) and a small cookie that remembers your language preference. These cannot be disabled if you want to use the service.
- Functional (opt-in via the consent banner): we remember whether you have dismissed certain in-product nudges.
We use no third-party advertising cookies, no analytics that profile individuals, and no fingerprinting. The banner you saw on first visit captures your preference.
7. Your rights (GDPR Arts. 15-22)
If you are in the EU/EEA, UK, or Switzerland (and in many other jurisdictions including Morocco under Law 09-08), you have the right to:
- Access the personal data we hold about you (Art. 15). Available from Settings → Export my data.
- Rectify inaccurate data (Art. 16). Most fields are editable directly from your Profile.
- Erase your data (Art. 17, the “right to be forgotten”). Available from Settings → Delete account.
- Restrict processing (Art. 18).
- Data portability (Art. 20): receive your data in a machine-readable format. The export from Settings is JSON.
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time for cookies and marketing emails.
- Lodge a complaint with your local supervisory authority (e.g. CNIL in France, AEPD in Spain, CNDP in Morocco).
To exercise any of these rights, email privacy@maghribi.org. We respond within 30 days.
8. International transfers
Your data is hosted in the EU. When our providers transfer data outside the EU (e.g. error reporting), they do so under Standard Contractual Clauses adopted by the European Commission, with appropriate supplementary measures (encryption in transit and at rest).
9. Children
maghribi.org is not directed at children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us and we will delete it.
10. Security
We protect your data using industry-standard practices: data is encrypted at rest and transmitted over TLS, access is controlled at the database level via row-level security (RLS) policies, and we carry out regular security reviews. Passwords are hashed using bcrypt; we never see them in plain text. Despite our best efforts, no platform is 100% secure. If we learn of a breach affecting your data, we will notify you within 72 hours as required by Arts. 33-34 of the GDPR.
11. Changes to this policy
We will update this policy as our practices evolve. Material changes will be announced to signed-in members at least 30 days before they take effect. The “last updated” date at the top of this page always reflects the current version.
12. Contact
Email privacy@maghribi.org for any privacy question. For non-privacy support questions, use /support.