Skip to content

Privacy

Privacy policy

Last updated: May 17, 2026

This policy describes how Barbaria Morocco ("Barbaria") collects and processes personal data of visitors and professional clients of its website, in accordance with the EU General Data Protection Regulation (2016/679, "GDPR") and Moroccan law No. 09-08.

1. Controller

Barbaria, Barbaria Morocco, registered office: Rue Soumaya, Immeuble 82, 2ème étage N°04, Quartier Palmier, Casablanca, Morocco. RC, ICE and IF as stated in our legal notice.

Dedicated contact for data protection: privacy@barbariamorocco.com.

2. Data Protection Officer

Given the nature and volume of processing (B2B site, no sensitive data, no large-scale monitoring), Barbaria is not required to appoint a Data Protection Officer under GDPR Article 37. For any question, use the contact address above.

3. Data Collected

We collect:

  • Inquiry form data: first name, last name, professional email, company, role, country, phone (optional), message content, buyer type (hotel, spa, corporate, retail).
  • Technical data, auto-collected: IP address (truncated by our host before logging), user agent, referrer URL, pages visited, country-level approximate location, timestamp.
  • Performance data: Core Web Vitals (LCP, INP, CLS) collected by Vercel Speed Insights, aggregated, no direct identifiers.
  • Cookies and similar: see our cookie policy.

No special-category data (health, opinions, origin, biometrics) is collected. No automated decision-making is performed.

4. Purposes

  • Respond to your inquiry and prepare a commercial proposal (quote).
  • Manage our prospect and client relationship (B2B CRM).
  • Improve the site through aggregated audience analytics.
  • Comply with accounting and legal obligations.
  • Maintain site security and prevent abuse.

5. Legal Basis

  • Responding to a quote request: pre-contractual measures at your request (GDPR art. 6.1.b; law 09-08 art. 4).
  • CRM: legitimate interest of Barbaria in maintaining a B2B commercial relationship (GDPR art. 6.1.f).
  • Non-essential audience measurement: your consent collected via the cookie banner (GDPR art. 6.1.a; law 09-08 art. 4).
  • Accounting and invoicing: legal obligation (GDPR art. 6.1.c).
  • Site security: legitimate interest (GDPR art. 6.1.f).

6. Recipients and Processors

Your data may be shared with our technical providers acting as processors under GDPR Article 28:

  • Vercel Inc. (hosting, CDN), 440 N Barranca Avenue, #4133, Covina, CA 91723, USA. Safeguards: EU-US Data Privacy Framework certification and Standard Contractual Clauses (SCCs) in Vercel's DPA.
  • Supabase Inc. (database, admin authentication), 970 Toa Payoh North #07-04, Singapore 318992. Safeguards: Supabase DPA including SCCs; storage region: eu-west-1 (Francfort / Frankfurt).
  • Barbaria internal team, Casablanca, accessing inquiry data to handle prospects and clients.

7. Transfers Outside Morocco and Outside the EU

Some of our providers are located in the United States. Transfers rely on the EU-US Data Privacy Framework adequacy decision (where the provider is certified) and on Standard Contractual Clauses adopted by the European Commission (decision 2021/914 of 4 June 2021).

8. Retention Periods

  • Prospect inquiries without follow-on: 3 years from last contact.
  • Client data: duration of the commercial relationship, then archived for 10 years for accounting obligations (Moroccan Code de commerce art. 22).
  • Hosting logs (Vercel): approximately 30 days, per our host's policy.
  • Audience measurement: rotating session hash expiring within 24 hours.
  • Cookie consent record: 12 months, then re-prompted.

9. Your Rights

Under GDPR and Moroccan law 09-08, you have the following rights:

  • Right of access (GDPR art. 15; law 09-08 art. 7).
  • Right to rectification (GDPR art. 16; law 09-08 art. 8).
  • Right to erasure (GDPR art. 17; law 09-08 art. 9).
  • Right to restriction of processing (GDPR art. 18).
  • Right to data portability (GDPR art. 20).
  • Right to object (GDPR art. 21; law 09-08 art. 10).
  • Right to withdraw consent at any time (GDPR art. 7.3).
  • Right to give post-mortem instructions (French Loi Informatique et Libertés art. 85, for residents of France).

To exercise these rights, write to privacy@barbariamorocco.com with a copy of identification. We respond within one month.

10. Complaints

You may lodge a complaint with:

  • CNDP, Morocco, Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel, Angle Boulevard Annakhil et Avenue Mehdi Ben Barka, Immeuble Les Patios, 3rd floor, Hay Riad, Rabat. Phone +212 5 37 57 11 24. Email: contact@cndp.ma. Site: www.cndp.ma.
  • Your local EU supervisory authority. France example: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07. www.cnil.fr.

11. Security

We implement appropriate technical and organisational measures: HTTPS/TLS encryption, hashed admin passwords, row-level security policies in Supabase, AES-256 encryption at rest, regular backups, restricted admin access.

12. Updates

This policy may be updated to reflect changes to the site or to applicable law. Material changes will be signalled via the cookie banner or by email to known contacts. The last update date is shown at the top of this page.

To exercise your rights, write to privacy@barbariamorocco.com. See also our legal notice, our terms of use and our cookie policy. The French version of this policy prevails in case of discrepancy.