Privacy Policy

Last updated: June 2026

ScanUpGo (Zakaria Zaouat, SIREN 888 077 427) is committed to protecting your personal data in compliance with GDPR (EU 2016/679) and Moroccan Law No. 09-08.

Article 1 — Data Controller

Zakaria Zaouat — ScanUpGo, sole trader, SIREN 888 077 427, Saint-Herblain (44800), France. DPO contact: contact@scanupgo.com. As a micro-enterprise not carrying out large-scale processing of sensitive data, ScanUpGo is not required to designate a DPO under Article 37 of the GDPR.

Article 2 — Data Collected, Purposes and Legal Bases

Merchants (B2B): name, email, phone, establishment, address, logo — for service provision and billing (legal basis: contract performance, Art. 6.1.b GDPR). Players (end customers): first name, email — for game execution and email campaigns (legal basis: consent, Art. 6.1.a GDPR). Technical data: IP address, device, browser, timestamp — for security (legal basis: legitimate interest, Art. 6.1.f GDPR). The game is not intended for persons under 16 years of age.

Article 3 — Processing of Moroccan Players' Data

ScanUpGo acts as a data processor on behalf of the Moroccan merchant (data controller). The merchant is responsible for compliance with Law No. 09-08 and CNDP decisions (www.cndp.ma). Moroccan Players' data is stored on Vercel infrastructure (EU region) and is not transferred to Moroccan entities.

Article 4 — Retention Periods

Merchant data (active account): duration of commercial relationship. After termination: 3 years (civil statute of limitations, Art. 2224 C.civ.). Billing data: 10 years (Art. L123-22 C.com.). Players' data: 1 year after last participation. Vercel logs: 30 days then 12 months (ScanUpGo). Prospecting data: 3 years after last contact. After account deletion: immediate anonymization of personal data.

Article 5 — Sub-processors and Transfers Outside the EEA

Vercel Inc. (hosting, USA, data stored in EU): SCC, SOC 2 Type II, ISO 27001. Stripe Inc. (payments, USA, data in EU): SCC, PCI-DSS Level 1, ISO 27001. GitHub Inc. (source code, USA): SCC, ISO 27001. All transfers to the United States are governed by Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914/EU).

Article 6 — Rights of Data Subjects

Pursuant to Articles 15 to 22 of the GDPR and Articles 7 and 8 of Moroccan Law No. 09-08, you have the rights of access, rectification, erasure, portability, objection and restriction. Response guaranteed within 30 days. Contact: contact@scanupgo.com. CNIL (France): www.cnil.fr. CNDP (Morocco): www.cndp.ma.

Article 7 — Data Security

Minimum TLS 1.2 encryption (mandatory HTTPS), salted password hashing (bcrypt), restricted access to authorized personnel, encryption at rest (Vercel AES-256), regular backups. In case of a data breach, the CNIL will be notified within 72 hours (Art. 33 GDPR) and affected individuals if the risk is high (Art. 34 GDPR).

Article 8 — Cookies

The Platform uses only strictly necessary technical cookies (authenticated session, CSRF token, language preferences). No advertising or tracking cookies. No prior consent required in accordance with CNIL guidelines (deliberation No. 2020-091).