Privacy policy
Last updated: April 29, 2026
This policy describes how Belarfaoui Zakaria (sole proprietor, SIRET 838 779 270 00027), operating the SuperLoc service at app.superloc.ma, processes personal data, in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the French Data Protection Act.
1. Data controller
The data controller is Belarfaoui Zakaria, sole proprietor (EI), registered office B15, 10 Rue Hortense, 33100 Bordeaux, France. SIRET 838 779 270 00027. Contact: [email protected].
2. Data Protection Officer
No DPO has been formally designated, which is permitted given the size of the activity. Data protection requests must be sent to [email protected]; responses are provided within one month.
3. Data we process
We process the following categories of personal data:
- Account data: first name, last name, email address, hashed password, language preference.
- Business data (when you create or join a rental agency): business name, legal name, SIRET, VAT number, address, phone, email, business hours, photos.
- Data your agency uploads about its end customers: name, contact, photos of identity documents and driving licenses (analyzed automatically by an AI service – see section 7), bookings, payments.
- Technical data collected automatically: IP address, browser, device, session identifiers, audit logs.
- Messages exchanged through integrated channels (WhatsApp, email).
4. Purposes and legal bases
Each category of processing has a specific legal basis:
- Providing the service (account creation, booking management, billing): contract performance – Art. 6(1)(b) GDPR.
- Legal compliance (accounting, anti-fraud, tax, requests from authorities): legal obligation – Art. 6(1)(c) GDPR.
- Security, audit logs, fraud detection: legitimate interests of the controller – Art. 6(1)(f) GDPR.
- Service-related communications (transactional emails, product updates): legitimate interests, with right to object at any time.
- AI-assisted document verification (identity / license): consent of the rental agency that activates the feature – Art. 6(1)(a) GDPR – and contract performance with the end customer.
5. Sub-processors
We rely on the following sub-processors. Each processes personal data only on our behalf and within the limits of the contract that binds them.
| Provider | Service | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers, database) | Germany (EU) |
| S3-compatible object storage | File storage (vehicle photos, contracts, identity documents) | European Union – current provider: Hetzner Object Storage |
| Mailgun (Sinch) | Transactional email delivery | European Union, with possible transfers to the United States under Standard Contractual Clauses |
| Meta Platforms Ireland Ltd | WhatsApp Business messaging | Ireland / United States (Standard Contractual Clauses) |
| Google Ireland Ltd / Google LLC | Gemini AI – automated identity-document analysis | United States (Standard Contractual Clauses, EU-U.S. Data Privacy Framework) |
| Stripe Payments Europe Ltd | Payment processing (when payments are activated) | Ireland / United States (Standard Contractual Clauses) |
6. Automated decision-making
Identity documents and driving licenses uploaded through the platform are analyzed by Google Gemini to extract fields (name, expiration date) and surface warnings (expiry, type mismatch, low confidence). The result is informational: the agency makes the final decision to accept or reject the document. No fully automated decision producing legal effects is made (Art. 22 GDPR). You can request human review at any time by contacting the agency or [email protected].
7. International transfers
Some sub-processors are located in the United States (Mailgun, Google, Stripe, Meta). These transfers are protected by Standard Contractual Clauses (Decision 2021/914) and/or the EU-U.S. Data Privacy Framework where applicable.
8. Retention
We retain data for the periods strictly necessary for the stated purposes:
- Active account data: throughout the duration of the contract, then 3 years after the last login.
- Bookings, contracts, invoices: 10 years (Art. L123-22 of the French Commercial Code).
- Identity documents and driving licenses: 5 years after the end of the rental, then deletion (insurance and litigation needs).
- Payment records: 10 years (accounting obligations).
- Technical logs and audit logs: 6 months by default, up to 1 year for security incidents.
- Service emails: until you object.
9. Your rights
Under the GDPR you have the following rights, which you can exercise at any time:
- Right of access – obtain a copy of your data.
- Right to rectification – correct inaccurate data.
- Right to erasure ("right to be forgotten") – request deletion, including by closing your account directly from your account settings.
- Right to restriction of processing.
- Right to portability – receive your data in a machine-readable format.
- Right to object – particularly to legitimate-interest processing.
- Right to withdraw consent at any time, without affecting the lawfulness of past processing.
- Right to define directives concerning the fate of your data after death.
To exercise these rights, write to [email protected]. Proof of identity may be requested in case of doubt. We respond within one month, extendable to three months for complex requests.
You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, 75007 Paris – https://www.cnil.fr/fr/plaintes.
10. Account deletion
You can delete your account at any time from "Settings > Account > Delete my account". Deletion is final: account data is anonymized within 30 days. Bookings, contracts, and accounting documents are retained for the legally required periods (see section 8) but disconnected from your direct identity.
11. Cookies
We only use strictly-necessary cookies (session, language). No analytics or advertising cookies. See our cookies policy.
12. Security
We implement technical and organizational measures appropriate to the risk: TLS encryption in transit, AES-256 encryption at rest for sensitive credentials, password hashing (bcrypt), role-based access, audit logs, automatic backups. In the event of a personal data breach, we notify the CNIL within 72 hours and inform affected individuals where the breach is likely to result in a high risk.
13. Changes to this policy
This policy may be updated to reflect changes to the service or applicable regulations. The "Last updated" date is revised on each modification. Material changes are notified by email.
14. Contact
Questions about this policy: [email protected].