Skip to main content
DataSouv
Audit

Official document

Privacy policy

Last updated : 12 May 2026

This policy describes how DataSouv collects, uses and protects your personal data. It is drafted with reference to Law 09-08 on the protection of natural persons with regard to the processing of personal data and its implementing decree 2-09-165.

Preliminary document — will be refined and completed as DataSouv's processing activities are deployed and declared to the CNDP.

1. Data controller

DataSouv, whose contact information appears in the legal notice. For any question: contact@datasouv.ma.

2. Data collected and purposes

2.1 Free audit tool

  • URL submitted for audit (retained for 24 months for anonymised statistical follow-up)
  • SHA-256 hash of the IP address with rotating daily salt — the plain-text IP is never stored, the identifier changes every day to prevent any longitudinal correlation
  • User-Agent family (Chrome, Firefox, Safari, Bot…) without version or OS information
  • Country inferred by the host (header provided by Vercel/Cloudflare)
  • Email (only if you request the detailed report)

2.2 Contact form

  • Name, email, phone (optional), company (optional), subject, message
  • SHA-256 hash of the IP, UA family, country — same guarantees as above
  • Purpose: respond to your request and trace the exchange

2.3 Traffic statistics

  • Path of the visited page, referrer host (without parameters), UA family, SHA-256 hash of the IP with daily salt
  • No cookies. The count is strictly server-side via a non-blocking asynchronous beacon
  • Purpose: steer editorial content. The CNDP/CNIL recognise this type of anonymised analytics as exempt from prior consent

2.4 Detailed audit report purchase

  • Buyer's email, attached audit_id, Stripe identifiers (session, payment intent), amount, currency, status, timestamps, SHA-256 hash of the IP, UA family, country
  • No card data is processed or stored by DataSouv. Payment is handled entirely on the Stripe Checkout page hosted by Stripe (PCI-DSS level 1)
  • Purpose: performance of the sales contract, delivery of the PDF by email, accounting records

3. Legal bases

  • Consent (contact form, lead capture after audit)
  • Legitimate interest (security, anti-abuse, anonymised traffic statistics)
  • Performance of a contract (clients under engagement)

4. Retention periods

  • Anonymised audits: 24 months
  • Lead email captured after audit: 24 months after last contact
  • Contact messages: 24 months after last contact (6 months for messages flagged as spam)
  • Paid orders: 24 months (contractual + accounting obligation)
  • Pageviews: 13 rolling months (anonymised aggregates kept indefinitely)
  • Admin login attempts: 90 days
  • Admin sessions: 24 hours maximum
  • Client mission data: applicable statutory accounting period

5. Processors and recipients

Application hosting on Vercel Inc. (functions in EU regions, Standard Contractual Clauses in place for the US control plane), Postgres database on Neon in the Frankfurt region (EU), transactional email on Resend (EU, DPA signed), LLM analysis by Anthropic governed by documented SCCs, payments handled by Stripe Payments Europe (Ireland) with Stripe DPA activated and standard contractual clauses included for intra-Stripe transfers to the United States. No transmission to a commercial third party. The exhaustive and up-to-date list of processors is in our records of processing activities.

6. Cookies

The site uses only a strictly necessary cookie (language preference) and, in the admin area, a strictly necessary session cookie. No advertising cookies, no analytics cookies, no third-party trackers. Details on the Cookies page.

7. Your rights

In accordance with articles 7 to 11 of Law 09-08, you have a right of access, rectification, opposition and deletion of your data. To exercise them: contact@datasouv.ma. Without a satisfactory response, you may refer the matter to the CNDP (cndp.ma).

8. Security

The site applies HSTS preload, a strict CSP policy, TLS 1.3 encryption, COOP/COEP/CORP headers, and a responsible disclosure channel (security.txt).

9. Modification

This policy may be amended. The date of the last update appears at the top of the page. Substantial changes will be announced on the home page for 30 days.