Privacy Policy
Last updated: June 2026
ScanUpGo (Zakaria Zaouat, SIREN 888 077 427) is committed to protecting your personal data in compliance with GDPR (EU 2016/679) and Moroccan Law No. 09-08.
Article 1 — Data Controller
Zakaria Zaouat — ScanUpGo, sole trader, SIREN 888 077 427, Saint-Herblain (44800), France. DPO contact: contact@scanupgo.com. As a micro-enterprise not carrying out large-scale processing of sensitive data, ScanUpGo is not required to designate a DPO under Article 37 of the GDPR.
Article 2 — Data Collected, Purposes and Legal Bases
Merchants (B2B): name, email, phone, establishment, address, logo — for service provision and billing (legal basis: contract performance, Art. 6.1.b GDPR). Players (end customers): first name, email — for game execution and email campaigns (legal basis: consent, Art. 6.1.a GDPR). Technical data: IP address, device, browser, timestamp — for security (legal basis: legitimate interest, Art. 6.1.f GDPR). The game is not intended for persons under 16 years of age.
Article 3 — Processing of Moroccan Players' Data
ScanUpGo acts as a data processor on behalf of the Moroccan merchant (data controller). The merchant is responsible for compliance with Law No. 09-08 and CNDP decisions (www.cndp.ma). Moroccan Players' data is stored on Vercel infrastructure (EU region) and is not transferred to Moroccan entities.
Article 4 — Retention Periods
Merchant data (active account): duration of commercial relationship. After termination: 3 years (civil statute of limitations, Art. 2224 C.civ.). Billing data: 10 years (Art. L123-22 C.com.). Players' data: 1 year after last participation. Vercel logs: 30 days then 12 months (ScanUpGo). Prospecting data: 3 years after last contact. After account deletion: immediate anonymization of personal data.
Article 5 — Sub-processors and Transfers Outside the EEA
Vercel Inc. (hosting, USA, data stored in EU): SCC, SOC 2 Type II, ISO 27001. Stripe Inc. (payments, USA, data in EU): SCC, PCI-DSS Level 1, ISO 27001. GitHub Inc. (source code, USA): SCC, ISO 27001. All transfers to the United States are governed by Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914/EU).
Article 6 — Rights of Data Subjects
Pursuant to Articles 15 to 22 of the GDPR and Articles 7 and 8 of Moroccan Law No. 09-08, you have the rights of access, rectification, erasure, portability, objection and restriction. Response guaranteed within 30 days. Contact: contact@scanupgo.com. CNIL (France): www.cnil.fr. CNDP (Morocco): www.cndp.ma.
Article 7 — Data Security
Minimum TLS 1.2 encryption (mandatory HTTPS), salted password hashing (bcrypt), restricted access to authorized personnel, encryption at rest (Vercel AES-256), regular backups. In case of a data breach, the CNIL will be notified within 72 hours (Art. 33 GDPR) and affected individuals if the risk is high (Art. 34 GDPR).
Article 8 — Cookies
The Platform uses only strictly necessary technical cookies (authenticated session, CSRF token, language preferences). No advertising or tracking cookies. No prior consent required in accordance with CNIL guidelines (deliberation No. 2020-091).