Privacy Policy

Privacy Statement – ULTRA HOUSE PLATFORM S.A.

Last updated: June 2025

1. Data Collection

1.1. Data Collected Automatically

When a user visits the Platform, we automatically collect technical data for security purposes, performance improvement, and user experience. This data includes:

• Internet Protocol (IP) address
• Device type and operating system
• Browser type and version
• Pages viewed and date and time of access
• Duration of stay on the Site
• Referrals that led the user to the Platform
• Cookie and other electronic identifier data

This data is stored for security and analytical purposes only and is not directly linked to the user's identity unless the user is logged in.

1.2. Data collected during registration or reservation

When a user creates an account, makes a reservation, or lists a property, we collect:

• Full name
• Email address
• Phone number
• Password (stored encrypted - hashed)
• Image of ID card or passport (for manual or automated verification)
• Date of birth (if age verification is required)
• Residential address
• Profile photo, if uploaded
• Previous transactions (both reservations and financial transactions)

This data is stored in a secure environment in accordance with ISO 27001 standards and is not shared with any third party without the user's explicit consent, unless required by law.

2. Purposes of Data Use

We at ULTRA HOUSE PLATFORM.SA collect and use the personal data of Moroccan and foreign users for the following legitimate, explicit, and specific purpose, in accordance with the provisions of Royal Decree No. 1.09.15 promulgating Law No. 09.08 on the Protection of Individuals with Regard to the Processing of Personal Data.

2.1. Account Management and Service Provision

• Create user accounts (hosts and guests) and enable them to use the platform in a secure manner
• Personalize the user experience based on their profile and browsing behavior
• Allow the user to enter or modify their data, complete reservations, manage properties, or review payment details
• Facilitate communication between the guest and the host within the platform

2.2. Identity Verification and Fraud Control

• Verify identity using official documents (national ID, passport, etc.) using authorized third-party providers
• Detect and combat the use of fake or fraudulent accounts or suspicious bank cards
• Implementing measures to protect against hacking attempts or unusual activity on the platform

2.3. Financial Transaction Processing

• Facilitating electronic payments through our partners (Stripe, PayPal, or licensed Moroccan services)
• Issuing invoices, processing refunds, and tracking payments within the platform
• Maintaining legally required financial records with the General Directorate of Taxes

2.4. Notifications and Communication

• Sending reservation confirmations, cancellations, or modifications via email or text message
• Communicating in the event of account, payment, or complaint issues
• Informing users of urgent updates to the Terms of Use or Privacy Policy

2.5. Marketing and Statistics

We confirm that any use for marketing purposes is only with the user's prior express consent (opt-in), as required by Moroccan law.

• Sending personalized promotions or periodic newsletters to users who have consented
• Analyzing usage data to improve the platform, services, or identify target markets
• Preparing internal statistics without identifying the user for research and decision-making purposes

2.6. Legal and Regulatory Compliance

• Complying with local legal requirements, including the requirements of the CNDP (National Commission for the Control of Personal Data Protection)
• Responding to requests from competent Moroccan judicial or security authorities in the event of legal notices or court orders
• Enforcing the Terms of Service and the Company's rights and protecting it from legal claims or disputes

2.7. Developing and Improving Platform Performance

• Using data to improve the user interface, speed, and overall security of the platform
• A/B testing of new features to understand user needs and improve their experience
• Identifying potential technical bugs or operational difficulties through interaction data and logs

3. Who has access to your data?

The data collected through the ULTRA HOUSE PLATFORM .SA platform is not disclosed or made accessible to third parties, except in legally defined circumstances, within the limits necessary to provide our services, and in accordance with Moroccan Law No. 09-08. We explain below who may have access to your data and the accompanying safeguards:

3.1. ULTRA HOUSE PLATFORM .SA's Internal Staff

Access to personal data is limited only to authorized employees, according to their assigned duties, including:

• Technical Support Team: For system maintenance and troubleshooting
• Customer Service Team: To provide assistance to users within the limits of their job duties
• Legal and Financial Management: When necessary, for compliance or dispute resolution purposes

All employees are bound by strict confidentiality agreements and may not share or use data outside the specified framework.

3.2. External Service Providers (Third-Party Providers)

We deal with a limited number of external providers under contracts that protect data privacy and clearly define the nature of information permitted to be shared. These include:

• Payment Service Providers: Moroccan companies licensed by Bank Al-Maghrib, for payment processing only
• Identity Verification Providers: When requesting verification via national ID card or passport
• Email and SMS Providers: To send booking confirmation messages, alerts, and notifications
• Information Security Providers: To analyze risks and protect us from hacking attempts or cyber attacks

These providers may not, under any circumstances, use the data for their own purposes.

3.3. Moroccan Legal and Regulatory Parties

ULTRA HOUSE PLATFORM .SA may share user data only if legally requested by the competent Moroccan authorities, such as:

• Public Prosecutor's Office
• Relevant security authorities in cases of forgery or fraud
• Government departments in accordance with clear legal orders
• CNDP (National Commission for the Protection of Personal Data) as part of legal monitoring and prosecution

No data will be transferred to any foreign or non-legally recognized entity within Morocco.

3.4. Hosts or Guests (as applicable)

Upon completion of a reservation, the other party to the transaction (host or guest) has access only to the following information:

• Full name
• Phone number (optional depending on the settings)
• Profile photo
• Arrival and departure dates
• Notes relevant to the reservation (such as arrival time)

Exchanging banking details, official documents, or additional personal data outside the platform is strictly prohibited.

3.5. Affiliates or in the event of a merger/acquisition

In the event of a merger, acquisition, or legal restructuring of ULTRA HOUSE PLATFORM .SA:

• Some data may be transferred to the successor company
• However, this will be done with prior notice to users and the right to object or have their data deleted

3.6. General Public (Public Information Only)

Some information is publicly available when using the Platform:

• User reviews
• Property description
• Profile photo if set to "Public"

However, email addresses, phone numbers, or any sensitive information will never be publicly available.

4. Storage and Protection

ULTRA HOUSE PLATFORM.SA is committed to ensuring that user data is stored in a secure and reliable manner, respecting the principle of privacy protection as stipulated in Moroccan Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data. This chapter explains all storage and protection procedures, both technical and organizational.

4.1. Data Storage Location

All data is stored on highly secure servers located either:

• within Moroccan territory with providers recognized and licensed by the National Commission for the Protection of Personal Data (CNDP)
• Or on foreign servers (such as France or Germany) with companies compliant with the European GDPR, subject to the signing of data processing agreements

Data will never be stored in countries that do not provide adequate legal protection for data, such as some countries that do not recognize digital rights.

4.2. Data Retention Period

• We retain data for the period necessary to provide our services, or until the user deletes the account
• Some data may be retained after account deletion for legal, accounting, or security purposes for a period not exceeding 5 years, as stipulated by Moroccan law

4.3. Technical and Security Measures for Data Protection

Data Encryption:

All data sent or received through our platform passes through the SSL/TLS protocol to encrypt communications.

Encrypted Storage:

Passwords are stored using strong encryption technologies (such as bcrypt or Argon2) and are inaccessible to any employee.

Firewalls:

Digital firewalls are used to prevent external attacks on databases.

Continuous Monitoring:

We constantly monitor access to systems to detect any unauthorized access attempts.

Backup:

We periodically backup all data to prevent loss in the event of a digital disaster, and backups are stored in separate locations.

4.4. Access and Authorization Management

• Access to data is restricted by each department within the company
• Every access to the system is logged and monitored to ensure transparency

4.5. Security and Penetration Tests

• We periodically conduct penetration tests conducted by specialized cybersecurity companies
• We also rely on periodic review of the source code by our developers to avoid security vulnerabilities

4.6. Handling Data Breach

In the event of any security breach that may compromise user privacy, the company is committed to:

• Notifying the affected users within 72 hours of discovery
• Informing the National Data Protection Commission (CNDP) when necessary
• Taking urgent measures to contain and investigate the breach

4.7. Account Protection

The company is committed to providing account protection methods such as:

• Two-factor authentication (2FA) at later stages
• Notifying users when they attempt to log in from an unusual location or device

The user is responsible for maintaining the confidentiality of their password and not sharing it.

4.8. Limitation of Liability

The company makes every technical and organizational effort to protect data. However, it is not liable for any damage resulting from:

• The user's negligence in protecting their data
• The user's use of unsecured devices (for example, a hacked or unprotected phone)
• Force majeure or a highly sophisticated cyberattack that exceeds normal technical capabilities

5. User Rights

ULTRA HOUSE PLATFORM.SA is committed to respecting the legal rights of all users, Moroccans and foreigners, who use its services within Moroccan territory. In accordance with the provisions of Moroccan Law No. 09-08, any user has the right to exercise the following rights regarding their personal data:

5.1. Right to Access Data

• Any user may request a copy of the data we collect from the platform
• This data will be provided to the user within a maximum of 30 days from the date of the request, after verifying the identity of the requester
• Data will be sent electronically in a readable format (such as PDF or JSON)

5.2. Right to Correct Data

• If the user discovers that their data is inaccurate or incomplete, they have the right to request that it be corrected or supplemented
• This request can be submitted via the designated email address or from within their personal account

5.3. Right to Deletion of Data ("Right to Be Forgotten")

• The User may at any time request the deletion of all or part of their personal data
• However, the Platform retains certain data necessary to comply with laws (e.g., reservation invoices, security records, accounting obligations) for a legal period not exceeding 5 years
• In the event of a legal or commercial dispute between the User and the Platform, the deletion may be postponed until the dispute is resolved

5.4. Right to Object to Data Processing

• The User has the right to object to the use of their data for marketing purposes (e.g., sending offers or promotional messages)
• You can easily unsubscribe from promotional messages via the "Unsubscribe" link at the bottom of each email
• The User cannot object to processing necessary to provide the service (e.g., booking confirmation, accommodation communication, etc.)

5.5. Right to Restrict Processing

• In specific cases, such as a dispute over the accuracy of the data, the User has the right to request a temporary suspension of data processing
• During the restriction period, the data will not be used for any further operations until it is reviewed or the dispute is resolved

5.6. Right to Data Portability

• The user has the right to retrieve their data or transfer it to another platform
• This is achieved by providing an electronic copy of the data in a standard format

5.7. Right to File a Complaint

If the user feels that their data protection rights have not been respected, they can:

• Contact the platform's legal support team via the designated email address
• Or file a complaint directly with the National Data Protection Commission (CNDP)

5.8. Proof of Identity

To maintain data security and prevent fraud, the platform reserves the right to request proof of the user's identity (such as a copy of their national ID card or passport) before executing any request related to the above rights.

6. Cookies

ULTRA HOUSE PLATFORM.SA uses cookies and similar technologies to improve user experience, ensure platform security, analyze site usage, and display personalized content and advertisements to users. We are committed to using cookies in a legal and transparent manner, in compliance with Moroccan law, particularly Law 09-08 on the Protection of Personal Data.

6.1. What are cookies?

Cookies are small text files stored on a user's device (computer, phone, tablet) when they visit our website. These cookies allow us to:

• Remember login information
• Save preference settings
• Track browsing behavior to improve performance
• Provide personalized content based on the user's interests

6.2. Types of cookies we use

A. Strictly Necessary Cookies:

• Necessary for the proper functioning of the platform
• Enables the user to navigate the website and use basic functions
• They do not require user consent

B. Performance and Analytics Cookies:

• Used to understand how users interact with the Platform
• They help us improve the interface and user experience
• Example: number of visits, most frequently used pages

C. Personalization Cookies:

• Allows the display of content relevant to each user
• Includes preferred language, geographic location, etc.

D. Marketing and Advertising Cookies:

• Used to deliver personalized ads
• Sometimes shared with third-party partners (such as Google Ads or Meta)
• Express user consent is required before activation

6.3. User Consent

• Upon first accessing the Site, a pop-up window appears informing the user of the use of cookies
• The user can accept, customize, or decline certain cookies
• Settings can be changed at any time through the "Privacy Settings" page

6.4. Cookie Management

The user can control cookies via:

• Browser settings (delete, block, or partially allow)
• Privacy management tools we provide on the platform

Legal notice: Some parts of the platform may not function properly if the user decides to disable necessary cookies.

6.5. Third Parties

• We may use analytics or advertising services from third-party companies (such as Google Analytics). These parties place their own cookies and are subject to their own privacy policies
• We only work with partners who comply with Moroccan and international data protection laws (such as the GDPR and CNDP)

7. Data Retention Period

We at ULTRA HOUSE PLATFORM.SA are committed to not retaining users' personal data for longer than necessary. We balance operational requirements, legal obligations, and users' privacy rights, in accordance with Moroccan Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data.

7.1. Criteria for Determining the Retention Period

We rely on the following criteria to determine the appropriate data retention period:

• Purpose of data collection (recording, payment, audits, security, etc.)
• Applicable laws and regulations in Morocco (e.g., the retention period for invoices or tax data)
• Contractual obligations with users or platform partners
• Data Minimization Principle: We retain only what is necessary

7.2. Data Retention Periods by Data Type

7.3. Data Deletion

• You can request the deletion of their account and data at any time, and we will do so unless we are legally required to retain it (for example, billing data)
• Deletion is secure and irretrievable using approved technologies

7.4. Data Archiving for Security or Legal Purposes

• We temporarily retain some data after account deletion for security purposes (such as fraud prevention or record keeping in the event of complaints)
• This data is not used for any marketing or commercial purposes

7.5. Our Commitments

• We are committed to periodically reviewing this data retention policy
• We ensure that our systems are technically capable of deleting or archiving data within the specified timeframes
• We will notify users of any material changes to this policy

8. Data Transfer Outside Morocco

As part of the operation of the Ultra House Platform SA, certain technical functions and services may require the transfer of some users' personal data outside of Morocco, particularly if we use cloud storage services, international payment solutions, or specialized service providers based outside of Morocco.

8.1. Moroccan Legal Framework

Transfer of personal data abroad is subject to:

• Article 43 of Law 09-08, which prohibits the transfer of data to countries that do not provide adequate protection, except with special authorization from the National Commission for the Control of the Protection of Personal Data (CNDP)
• The platform is required to obtain prior authorization from the CNDP before any permanent or regular transfer of user data outside of Morocco

8.2. Situations in which we may need to transfer data

Global Cloud Hosting Services:

If services such as AWS, Google Cloud, or Azure are used, data may be stored in data centers outside of Morocco, but only if these countries provide an equivalent or better level of protection than the Moroccan system.

Email and Notification Services:

Some messaging service providers such as SendGrid, MailChimp, or Twilio may process data outside of Morocco.

International Payment Providers (PayPal, etc.):

It may be necessary to transfer data related to financial transactions, but always within the scope of the service and under strict conditions.

Data Analysis and Statistics:

If we use artificial intelligence or external analytics tools, the data is protected with strict encryption and anonymization procedures, where possible.

8.3. Legal Safeguards We Use Before Any Transfer

Legal Assessment of the Recipient Country:

We verify that the receiving country guarantees a level of protection equal to or higher than that required by Moroccan law, based on CNDP decisions or the list of recognized countries.

Encryption and Data Minimization:

• We never transfer sensitive data directly (such as ID, phone number, address, etc.) unless the transfer is necessary, and full data encryption is used
• We practice a "minimal data" policy, meaning we only transfer the minimum amount required to operate the function in question

Strict Contractual Agreements:

Every third-party service provider we work with must sign a Data Processing Agreement (DPA), which states:

• A commitment not to sell or reuse data
• A commitment to comply with European, Moroccan, or equivalent protection laws (such as the GDPR)
• Indemnify Ultra House for any legal damages resulting from a data breach or misuse

User Notification and Consent Request When Necessary:

When the transfer is ongoing or substantial, we clearly inform users in the Terms of Use, and direct consent may be requested in sensitive cases.

8.4. Company Protection from Legal Liability

• We do not transfer any data outside Morocco unless approved by the National Commission (CNDP), or after legal verification that the service used is certified and complies with Moroccan and international standards
• In the event of a security breach by a third-party provider, legal liability is limited according to the contracts, and the third party is directly liable before the law
• All of these procedures are documented in a legal compliance file within the company, which is updated periodically

9. Updates to the Privacy Statement

9.1. Possibility of Amendment and Updating

Ultra House Platform SA may update or amend this Privacy Statement periodically, based on developments in:

• local or international laws (particularly new legislation from the CNDP or amendments to Law 09-08)
• new regulatory requirements
• changes in the Platform's services or technical partnerships (such as the adoption of a new external data processing service)
• or as a result of user feedback or complaints

9.2. How Users Are Notified of Updates

Users will be notified of any material amendment to the Privacy Statement prior to its entry into force via:

• a notice on the website or application
• or an email to registered users

Amendments become effective 15 days after notification to users, unless users are required to expressly opt in for material changes.

9.3. User Rights in the Event of Rejection of Amendments

If the user does not agree to the amendments, they have the right to:

• Request the deletion of their account and personal data (in accordance with Clause 7)
• Or continue using the platform with the previous version of the Terms, if possible, but without guaranteeing the same services or technical functionality

9.4. Company Protection from Disputes

• This clause is included in the Terms of Use, and users' acceptance of it is a necessary condition for using the platform
• Each amendment is documented with its date and time stamp to ensure legal protection in the event of a dispute

10. Communication and Inquiries

10.1. Company Data Protection Officer

Ultra House Platform SA has appointed an internal Data Protection Officer (DPO) whose duties include:

• Overseeing the implementation of the Privacy Policy
• Receiving complaints and inquiries
• Coordinating with the CNDP, if necessary

10.2. Official Contact Methods

Users can contact us via:

10.3. Types of Requests that Can Be Submitted

Users can submit the following inquiries or requests:

• Request access to their personal data stored with us
• Request correction or deletion of data
• Request objection to a specific use of their data (e.g., promotional advertising)
• File a complaint about a potential privacy breach

10.4. Response and Processing Timeline

• Ultra House is committed to responding to any privacy request within a maximum of 30 days from the date of receipt
• If a response is delayed for technical or organizational reasons, the user will be informed of the estimated response timeline

10.5. Company Protection from Claims

• Ultra House assumes no responsibility for delays in responding if a request is inaccurate or incomplete
• The company is not obligated to respond to duplicate or abusive requests
• All requests and responses are documented to protect the platform legally