Privacy Policy

Last updated: 4 September 2025
Who we are: Dirassa (Othman BOULAL — Auto-Entrepreneur, Morocco)
Contact: [email protected]
Applies to: dirassa.ma (and subpages).

1. What data we collect

• Account: name, e-mail, password hash.
• Profile: country/region, language (and optional avatar).
• Age check & minors: date of birth; if <18, parent/guardian full name and phone number for consent.
• Billing: invoice address, business name, TVA number (if provided).
• Payments: processed by Payzone/PayPal; we do not store card numbers — we store payment tokens/IDs and status.
• Usage & progress: lessons viewed, timestamps, viewing/progress signals (to issue certificates and apply refund rules).
• Technical logs/security: IP address, device/browser info, approximate location (country), time stamps, error logs.
• Support: messages you send to [email protected] (and, later, WhatsApp).
• Marketing: newsletter opt-ins and preferences (if enabled).

2. Why we process data (legal bases)

• Contract: provide courses, manage your account/access, issue certificates, take payments, and support you.
• Legitimate interests: service security, fraud prevention, analytics (outside the EU, see Cookies), service improvement, anti-piracy enforcement.
• Legal obligations: accounting/TVA, responding to lawful requests.
• Consent: email marketing (if used), parental consent for minors, cookies where required.

3. Cookies & tracking

• In the EU/EER, we only use essential cookies; GA4 is off by default there.
• Elsewhere, we may use limited analytics consistent with local law.
• Consent logs (where applicable) are retained 13 months.

4. Video embeds (YouTube)

We use privacy-enhanced mode (youtube-nocookie.com) with click-to-load. A placeholder is shown; only after you click do we load YouTube, which may set its own cookies under its policies. This approach is designed to avoid non-essential cookies by default in the EU/EER.

5. Hosting & vendors

• Hosting: StellarWP infrastructure, server in Amsterdam (EU).
• Email (transactional): Google Cloud Platform.
• Payments: Payzone (cards, Payzone CASH) and PayPal.
  We share data with these providers only as needed to run the service (e.g., process payments, deliver emails).
  For Payzone CASH, we may send the info required to generate/validate your cash payment token and reconcile your order. Payzone

6. International transfers

Your data may be processed in Morocco and the EU (Netherlands) and by providers that may have other locations. We use contractual safeguards where appropriate.

7. Data retention

• Account data: kept until account deletion.
• Minor/parent data: until the account is deleted or the user reaches majority (whichever is earlier, unless we must retain longer for legal reasons).
• Progress/usage: until account deletion (or shorter if you request deletion and law allows).
• Invoices & accounting (TVA): 10 years (or longer if required by law).
• Security logs: 12 months.
• Support messages: 24 months.
• Consent logs: 13 months.

8. Your rights (Morocco & EU/EER)

• Morocco (Law No. 09-08): right to access, rectify, oppose processing for legitimate reasons, and, where applicable, delete personal data; oversight by the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel). dgssi.gov.ma
• EU/EER (GDPR): rights of access, rectification, erasure, restriction, objection, and data portability, plus the right to lodge a complaint with your local supervisory authority. If you’re in the EU/EER, contact us at [email protected] for GDPR requests.

9. Children & parental consent

Service is 18+; under-18s require parental consent. We may verify consent (e.g., collecting parent/guardian name and phone number). We will not knowingly collect more data from minors than necessary.

10. Security

We implement technical and organizational measures appropriate to risk (encryption in transit, access controls, logging). No system is 100% secure.

11. Sharing & disclosures

We may disclose data: (a) to processors listed above; (b) to comply with law or enforce our rights (e.g., anti-piracy notices/takedowns under Law 2-00); (c) in connection with corporate changes (if any in future).

12. Anti-piracy & enforcement

We monitor unusual access patterns and may issue takedown notices or take legal action. Moroccan law 2-00 provides for civil remedies (damages, injunctions, destruction/confiscation) and criminal penalties for willful commercial infringement; courts may also order publication of judgments or temporary closure of establishments. WipoLex

13. Changes to this Policy

We may update this Policy; we’ll post the new date above. Material changes will be highlighted where possible.

14. Contact

Data controller: Dirassa — Othman BOULAL (Auto-Entrepreneur)
RES AL ABRAR, n°2, Boulevard Ibn Tachfine, Assoukhour Assawda 20320, Casablanca, Morocco
Email: [email protected]
Support: 24/7, typical response ≤ 48h.