Privacy Policy
Last Updated: March 21, 2026
1. Introduction
This Privacy Policy (hereinafter the "Policy") sets forth the conditions under which IVVER (hereinafter "IVVER" or the "Data Controller") processes personal data of users of the IVVER mobile application and related services (hereinafter the "Service").
IVVER operates a digital marketplace connecting users seeking services (hereinafter "Renters") with service providers or owners (hereinafter "Providers"). Depending on the User's role and the functionalities used, different categories of data may be processed.
This Policy applies to processing carried out by IVVER as data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (hereinafter "GDPR") and Moroccan Law No. 09-08 on the protection of individuals with regard to the processing of personal data.
Use of the Service constitutes acknowledgment by the User of this Policy. Where required by applicable law, IVVER shall obtain the User's prior consent, in particular before any collection of identity documents.
2. Data Collected
2.1 Data Provided by the User
In the course of creating and using an account, the User may provide IVVER with identification and contact data (including full name and email address) and, where applicable, supplementary account data (including telephone number and profile photograph). Providers may also supply listing-related data, including the vehicle registration number, vehicle photographs, and supporting legal documentation.
Where circumstances require, and subject to the consent mechanism presented within the application, IVVER may collect identity verification documents (such as a national identity card or driving licence). The purpose of such collection is to facilitate regulatory compliance, secure transactions, and establish the contractual relationship. For Providers seeking "Professional Verification", IVVER may collect business information and supporting documents (including, where relevant, registered office address and corporate documentation) as well as identification of the legal representative.
IVVER may also collect, on an optional basis, the User's bank details (IBAN). Such data does not condition access to the Service and may be used for future functionalities, including those related to payouts.
2.2 Automatically Collected Data
During use of the Service, IVVER may automatically collect certain technical and usage data, including IP address, device type, operating system version, diagnostic data, and usage events. IVVER also maintains a history of bookings and searches associated with the User's account.
Subject to activation by the User, IVVER may process precise geolocation data (GPS) during use of the application for the purposes of proximity-based search and related functionalities. The User may disable geolocation permissions at any time in their device settings; certain functionalities may then be unavailable or limited.
2.3 Financial Data
IVVER processes payment data for the purposes of securing transactions (deposits). Card payment processing is carried out by a duly authorised third-party payment provider. IVVER does not store complete card data in clear text on its servers.
IVVER may receive limited transaction metadata (including amount, status, and timestamps) for the purposes of accounting reconciliation, customer support, and regulatory compliance.
Bank details (IBAN) provided on an optional basis are stored separately and are not used for the processing of deposits, which is handled by the payment provider.
2.4 In-App Messaging Data
The Service includes a built-in messaging feature enabling direct communication between Renters and Providers within the platform (hereinafter the "Messaging Feature"). The content of messages exchanged through the Messaging Feature is encrypted in transit and stored on IVVER's servers in accordance with applicable security standards.
Messaging data is retained for the duration of the contractual relationship between the parties to a booking. IVVER reserves the right to access and review message content where reasonably necessary for the purposes of (i) resolving a dispute between Users, (ii) investigating a reported safety or security incident, or (iii) complying with a lawful request from a competent authority.
Upon deletion of the User's account, all associated messaging data shall be deleted or anonymised in accordance with Section 5 of this Policy.
3. Purposes and Legal Bases for Processing
IVVER processes personal data for the following purposes:
- Service Provision: account creation and management, booking processing, connecting Renters and Providers.
- Security and Trust: User identity verification for the purposes of fraud prevention and transaction security.
- Payment Management: processing of deposits and transactions through an authorised third-party payment provider.
- Transactional Communications: sending booking-related notifications (confirmations, reminders) through the designated notification provider.
- Support: processing of complaints and provision of assistance by electronic means.
- Service Improvement: usage analysis for the purposes of improving functionalities and user experience.
Depending on the context and applicable law, the legal bases for the aforementioned processing include: (i) performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR), (ii) compliance with legal obligations to which IVVER is subject (Article 6(1)(c)), (iii) IVVER's legitimate interests, in particular fraud prevention and Service security (Article 6(1)(f)), and (iv) the User's consent where required (Article 6(1)(a)).
IVVER does not sell personal data or make it available to third parties for commercial or advertising purposes.
4. Disclosure of Data to Third Parties
IVVER may disclose personal data to the extent strictly necessary for the operation of the Service, compliance with its legal obligations, and the preservation of the security and integrity of the marketplace.
In particular, and where required for the purposes of contract establishment and legal compliance, IVVER may disclose limited identity information to the relevant Provider for a given booking and, where applicable, the Renter's identity documents strictly necessary for the establishment of the contractual relationship.
IVVER engages third-party service providers acting on its behalf as processors within the meaning of Article 28 GDPR, for the purposes of delivering essential Service functionalities, including hosting and authentication, payment processing, push notification delivery, and mapping services. The identity of such providers may evolve; IVVER maintains appropriate contractual and technical safeguards and shall provide additional information upon request.
IVVER may further disclose data to competent authorities where required by applicable law, or where necessary for the defence of the rights of IVVER, its Users, or its assets.
5. Retention Periods
Personal data shall be retained for the following periods:
- Account Data: retained for the duration of account activity. Upon account deletion, personal data shall be immediately anonymised or deleted, subject to legal retention obligations.
- Identity Documents: retained for the duration of the service and up to thirty (30) days following its conclusion, for the purposes of managing potential disputes.
- Professional Verification Documents: retained while the Provider's professional verification status remains approved and active, and for as long as necessary for trust and fraud-prevention purposes. Upon revocation of status or account deletion, such data shall be deleted or anonymised, unless a longer retention period is required by law.
- Bank Details (IBAN): where provided, retained only for the period necessary for the intended purpose or until removed by the User, subject to applicable legal obligations.
- Financial Data: retained for a period of five (5) years in accordance with applicable legal and tax obligations.
Without prejudice to the foregoing, IVVER may retain certain data beyond the periods indicated where necessary for compliance with applicable law, the management of litigation, or the defence of its rights.
6. Data Security
IVVER implements appropriate technical and organisational measures, in accordance with Article 32 GDPR, to ensure a level of security appropriate to the risk, including:
- Encryption: sensitive data is encrypted at rest and in transit.
- Authentication and Access Control: implementation of secure authentication mechanisms and access controls for the purposes of account protection and restriction of access to authorised persons only.
- Secure Storage: access tokens are stored securely on the User's device.
International data transfers, including to service providers established within the European Union, are covered by appropriate safeguards, including where applicable standard contractual clauses adopted by the European Commission.
7. Data Subject Rights
In accordance with applicable data protection legislation (including Moroccan Law No. 09-08 and GDPR for Users located in the European Union), the User has the following rights:
- Right of Access and Rectification: the User may view and modify their personal data directly within the application.
- Right to Erasure: the User may request the complete deletion of their account and data via the application settings, subject to legal and contractual retention obligations.
- Right to Object: the User may object, on legitimate grounds, to the processing of their data by contacting IVVER using the contact details provided in Section 11.
- Right to Restriction of Processing: the User may request the restriction of processing of their data in the cases provided for by applicable law.
- Right to Data Portability: the User may request the transmission of their data in a structured, commonly used, and machine-readable format.
- Withdrawal of Consent: where processing is based on consent, the User may withdraw such consent at any time, without affecting the lawfulness of processing based on consent given prior to its withdrawal.
IVVER undertakes to acknowledge receipt of any request relating to the exercise of the aforementioned rights and to provide a substantive response within thirty (30) calendar days of receipt. Where the complexity or volume of requests necessitates an extension, IVVER shall inform the data subject within the initial period and may extend the response period by a further sixty (60) calendar days, in accordance with Article 12(3) GDPR.
8. Cookies and Tracking Technologies
The Service does not employ cookies, advertising identifiers, or cross-application tracking technologies for the purposes of behavioural advertising or User profiling.
IVVER utilises standard platform application programming interfaces (APIs), including local storage mechanisms and device preference APIs, solely for the following purposes: (i) maintaining User session continuity, (ii) persisting User preferences and application settings, and (iii) delivering push notifications through the designated notification provider.
No device identifiers or usage data are disclosed to third-party advertisers. The processing of technical identifiers described herein is based on the legitimate interest of IVVER in ensuring the proper functioning of the Service, in accordance with Article 6(1)(f) GDPR where applicable.
9. Age and Eligibility
The Service is accessible to persons of all ages for the purposes of browsing, discovery, and general consultation of available services.
However, the creation of a user account and access to transactional functionalities (including, without limitation, booking, listing, and payment services) are subject to specific eligibility conditions set forth in the Terms of Service. Such conditions may include, depending on the nature of the service, the holding of a valid driving licence, the completion of identity verification procedures, or the satisfaction of any other requirement imposed by applicable law.
In accordance with Article 8 GDPR and applicable national legislation, the processing of personal data of a person under the age of sixteen (16) years shall be lawful only to the extent that consent is given or authorised by the holder of parental responsibility.
In the event that IVVER becomes aware that personal data has been collected from a person under the age of sixteen (16) without the requisite parental consent, IVVER shall take all reasonable steps to delete such data without undue delay. Any person having knowledge of such a situation is invited to notify IVVER at the contact details specified in Section 11.
10. Amendments to this Policy
IVVER reserves the right to amend or update this Policy at any time in order to reflect changes to its data processing practices, the introduction of new functionalities, or developments in the applicable legal and regulatory framework.
In the event of a material amendment, IVVER shall inform Users by means of a notification within the application or, where appropriate, by electronic communication to the email address associated with the User's account. The date of the most recent update shall be indicated at the head of this Policy.
Continued use of the Service following notification of an updated Policy shall constitute acceptance of the revised terms. Users who do not agree with the amendments may discontinue use of the Service and request the deletion of their account in accordance with Section 7.
11. Contact
For any questions relating to this Policy or to exercise the rights referred to in Section 7, the User may address their request to:
- Email: support@ivver.ma
- Data Controller: the data controller designated by IVVER