Data Protection & Privacy Policy

2.1 Required Data During Alyf Application Operation

When you sign up on the Alyf application, we collect your language preferences and phone number. An automatic message with a verification code is sent to verify your phone number. We gather various data to enhance the service we provide, including:

2.2 Information provided by Users

During registration, Alyf collects the following information directly from Users:

• Name (Optional, Required for level 2 and above)
• First Name (Optional, Required for level 2 and above)
• Phone Number (Required)
• Residential Address (Optional, Required for level 2 and above)
• Date of Birth (Optional, Required for level 2 and above)
• Email Address (Optional)
• National ID Number (Optional, required for Level 2 and above)
• Photo (Optional, required for Level 2 and above)
• Biometric Data: Face Matching (Optional, required for Level 2 and above)
• Gender / Sex (Optional, Required for level 2 and above)

We use this data for marketing studies and targeted promotional campaigns within Alyf. We are committed to ensuring the protection of your personal data in accordance with our privacy policy. Your information is handled with utmost care and is only used in the provision of our services.

3.1 Secure storage

All our users' data is securely stored by our trusted data center partners. Sensitive information is encrypted during transfer and storage, to guarantee confidentiality.

4.1 Encryption

We use robust encryption protocols to protect our users' data:

• Encryption of data in transit: TLS (Transport Layer Security) is used to protect data in transit between our servers and users' devices.
• Encryption of data at rest: Sensitive information stored in our databases is encrypted to prevent unauthorized access.

4.2 Access control

Access to personal data is strictly controlled to guarantee their security:

• Multi-factor authentication (MFA): Use of multi-factor authentication methods to protect access to our internal systems.
• Permission management: only authorized employees who need access to information in order to do their jobs can view users' personal data.

4.3 Monitoring and auditing

We have set up monitoring and auditing systems to detect and respond rapidly to security incidents:

• Continuous monitoring: Our systems are constantly monitored for suspicious or unauthorized activity.
• Regular audits: We carry out regular security audits to assess the effectiveness of our protection measures and identify potential vulnerabilities.

Your Benefits

Once your account is verified, you will enjoy:

• Enhanced protection of your personal data
• Personalized services and offers
• Priority access to our customer service
• If you contact us through the designated form in the application for any complaints, we may collect data to identify you, such as your name, first name, or residential address. We will use this information to process your request. We will retain your personal data for as long as you are registered on Alyf. If you choose to unsubscribe from Alyf, your data will be deleted one year after deactivating your account. You can withdraw your consent for further storage and processing of your data at any time. Any processing of your data before your withdrawal will not be affected and will be covered by your prior consent.

5.1 Banking data

IBAN / Bank Card Details: These details are necessary for transferring funds to a bank account or for funding your Alyf account via credit card. All credit card funding operations for your Alyf account are managed by our partner, the Centre Monétique Interbancaire (CMI). Alyf only receives transaction success or failure data. However, Alyf must retain the IBAN and account holder's name for fund transfers from your Alyf account to your bank account.

Regarding funding your Alyf account via credit card, Alyf does not directly collect card information. This process is handled by our partners CMI. The card transactions are processed through CMI, ensuring the security and confidentiality of your banking data.

6.1. Purposes of Processing

The information we collect is used for the following purposes:

• Providing our services: Processing transactions, managing User accounts, responding to support requests, and improving the functionality of the Application.
• Improving our services: Analyzing the usage of our Application to better understand User needs, developing new features and services, and enhancing the User experience.
• Securing our services: Detecting and preventing fraudulent activities, protecting the security of our systems and User information.
• Communicating with you: Sending important notifications, updates on your transactions, information about our services, promotions, and special offers, subject to your consent.

6.2. Legal Basis of Processing

We process your personal data on the following legal bases:

• Contractual Necessity: The collection and processing of your personal data are necessary for the performance of our contract with you. Where sensitive data such as biometric or location information is collected, explicit consent will be sought prior to processing, and users can withdraw their consent at any time via the Support or Contact Us feature in the More section or by going to https://alyf.ai/ and selecting 'contactez-nous', or going to https://paymob.atlassian.net/servicedesk/customer/portals
• Legitimate Interest: We may process your personal data to serve our legitimate interests, such as improving our services, securing our Application, and preventing fraud.
• Consent: Where required by law, we collect your consent before processing your personal data.

7.1. User privacy

Alyf respects the confidentiality of users and does not share personal data with third parties, unless this is legally required, necessary for the performance of a contractual relationship to process transactions, or if the user has expressly consented to such sharing such as Loyalty programs

As such we may share your personal data with:

• Our Partners: If you subscribe to a loyalty program specific to any of these partners, it will be governed by specific General Terms of Use (GTCU) for each partner.
• Competent Authorities: When required by law or to protect our rights and interests.
• Paymob SARL employees who require it for processing within the scope of their duties.
• Lana Cash: Paymob collaborates closely with Lana Cash, which provides its M-Wallet service.

7.2 Lana Cash

The Service provided by Paymob relies on the expertise, know-how, and partnership with the mobile wallet service (the "M-Wallet") of Lana Cash. Lana Cash is a Moroccan joint-stock company with a share capital of Thirty-five million MAD (35,000,000) and its registered office located at 3, Rue Abou Dhabi Oasis, 20103, registered with the Casablanca Trade Register under number 434227 and a subsidiary of the CIH banking group. Lana Cash specializes in Payment operations as a payment institution authorized by Bank-Al-Maghrib.

The personal data collected may be transmitted to our partner Lana Cash.

7.3 Authorities and legal competent courts

The collected data may be transmitted to competent administrative and judicial authorities, national and foreign fund transfer partners, conventional service providers in case of disputes (lawyers, experts), relevant services or authorized agents of the General Tax Directorate, the Customs and Indirect Taxes Administration, Bank Al Maghrib, UTRF, the Office of Changes, and various public bodies authorized to receive them. Control services (statutory auditors, auditors and services in charge of internal or external control procedures) may also receive the data per the transfer request filed with the CNDP.

7.4 Data controllers and access to collected data

All of Paymob's databases, including those containing data related to the Application's Users, are hosted in a cloud in Morocco, thanks to Paymob's partner, N+one

Furthermore, the attention of the User is drawn to the following facts:

- Paymob collaborates with the payment institution Lana Cash, a subsidiary of CIH Bank, which holds the mobile wallet.

- Per Circular C-6-W-16 issued by Bank-Al-Maghrib concerning payment institutions, funds held on the mobile wallet created by Lana Cash are segregated within a credit institution, in this case, CIH.

Thus, the User's name, first name, date of birth, phone number, as well as all information related to the balance and transactions of the User are effectively shared with Lana Cash. Paymob and Lana Cash jointly define the purposes and means of these processing operations. The personal data of Users is only shared with these joint data controllers for the purpose of executing contracts established with Paymob.

Paymob and Lana Cash are bound by mutual information obligations, particularly with regard to any violation of Users' personal data.

Moreover, like Paymob, Lana Cash has committed to complying with the prerogatives of the CNDP.

To guarantee the secrecy, security, and confidentiality of data, and in compliance with the provisions of Law No. 09-08 relating to the protection of individuals with regard to the processing of personal data, Paymob and Lana Cash have committed to:

• Take all necessary precautions to preserve the security of data, particularly to prevent them from being distorted or damaged, and to prevent any unauthorized access not previously authorized by them.
• Ensure the lawfulness of the processing carried out within the framework of the entrusted mission;
• Respect their obligation of secrecy, security, and confidentiality, during any maintenance and remote maintenance operations carried out within their respective premises;
• Take all security measures, particularly material and logistical, to ensure the preservation and integrity of the processed data;
• Take all measures to prevent any misuse, malicious or fraudulent use of the processed data.

7.5 Use of collected information

The collection and processing of User Data by Paymob are carried out to ensure the best quality of service on Paymob while protecting and preventing fraud. More specifically, the objectives are:

• To enforce our commitments to you according to our Terms of Service (TOS/CGU);
• To manage the account and provide services subscribed by Users;including identity verification through biometric processes (e.g., face matching);
• To keep Users informed about ongoing, completed, and upcoming transactions;
• To inform Users that some of their contacts use Paymob;
• To evaluate the effectiveness of messages sent by Paymob and adapt them;
• To ensure smooth communication with customer support/service;
• To manage reward programs or promotional events;
• To calculate reward levels and rights based on payment transactions made with Paymob;
• To detect and prevent fraud, abuse, security incidents, and other unauthorized activities (detailed in the TOS);ensuring biometric data is processed temporarily and securely deleted immediately after verification.
• To understand and analyze Users' usage to offer and/or develop new offers in line with their needs;
• To ensure compliance with current regulations and TOS;
• To request feedback or ask Users to leave a review or respond to a survey;
• To notify Users of changes to the application, our General Terms of Use, or our Privacy Policy.

7.6 Consent

Following the reading of this Data Privacy Policy, the User expressly and unreservedly acknowledges having been fully informed beforehand of:

- all the data collected by Paymob and the partner Payment Institution Lana Cash;

- the purposes for which the processing of their personal data is intended, including biometric data (e.g., face matching) where applicable;

- the temporary nature of biometric data processing and the guarantee that no raw biometric data will be stored;

- their rights conferred by law n°09-08, including the right to withdraw consent and opt out of biometric data processing at any time through the application's settings or by contacting support.

- Users are informed before any biometric data is collected or processed, ensuring explicit consent is obtained. Users may withdraw consent and opt-out of biometric data processing at any time by contacting our support team.Users may withdraw consent and opt-out of biometric or other sensitive data processing at any time via the support feature in the 'More' menu of the app or by contacting support.

The Client expressly and unreservedly gives their free, specific, and informed consent for the aforementioned processing, including being directly prospected by automated phone call, fax, email, or any other means employing the same technology to inform them of other offers of products and services similar to those subscribed to in the Agreement.