Privacy policy

1. Data controller

The controller of the data collected on KARVYX is KARVYX DIGITAL, a SARL de droit marocain, whose registered office is located at RUE SOUMAYA RES SHEHRAZADE 3 ETG 5 N 22, Casablanca, Maroc.

Dedicated contact point for data protection: contact@karvyx.com (subject: "Personal data"). KARVYX is not, to date, required to appoint a Data Protection Officer (DPO) within the meaning of art. 37 GDPR; a dedicated contact point nevertheless handles requests.

See also the legal notice for the company's full contact details.

2. Principles applied

KARVYX applies the principles of article 5 GDPR: lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity and confidentiality.

No resale of data to third parties for advertising purposes.
No advertising profiling and no cross-site tracking.
No fully automated decision producing legal effects.
Data minimisation and retention periods limited to what is strictly necessary.

3. Purposes, legal bases & retention

The table below summarises, for each purpose, the categories of data processed, the legal basis, the retention period and whether the requested data is mandatory or optional (art. 13.2.e GDPR). If mandatory data is not provided, the corresponding service cannot be delivered.

Purpose	Data	Legal basis	Retention	Status
Account creation & booking management	First and last name, email, phone, dates and locations of the rental, selected vehicle, booking ID	Performance of the contract / pre-contractual measures (art. 6.1.b GDPR)	Lifetime of the active account + 5 years after the end of the relationship (evidentiary purposes)	Mandatory — the booking cannot be processed without this data.
Connection with the partner rental agency	Strictly necessary details (name, email, phone, booking details). The ID card and driving licence are collected directly by the partner agency at vehicle handover — KARVYX does not keep a copy.	Performance of the contract (art. 6.1.b GDPR)	Duration of the booking + legal obligations (5 years)	Mandatory to perform the booking.
Payment	Transaction ID and status. Banking data (card) is collected and processed directly by a PCI-DSS certified payment provider — KARVYX has no access to it.	Performance of the contract + accounting legal obligation (art. 6.1.b and 6.1.c GDPR)	10 years (accounting and tax obligations)	Mandatory to finalise a paid booking.
Reply to a contact request	Name, email, message content, timestamp	Pre-contractual measures or legitimate interest in answering an enquiry (art. 6.1.b or 6.1.f GDPR)	12 months after the last exchange	Optional — only fields marked mandatory are required to handle your request.
Newsletter and KARVYX commercial communications	Email, subscription date, proof of consent, optional preferences	Consent (art. 6.1.a GDPR)	Until consent is withdrawn or 3 years after the last interaction	Optional — consent freely revocable at any time.
Audience measurement and service improvement	Pages viewed, anonymised usage events, technical data, truncated IP	KARVYX's legitimate interest in understanding usage and improving the service; consent when the tool does not meet exemption conditions (art. 6.1.f or 6.1.a GDPR)	Aggregated statistics up to 25 months	Optional — refusal possible via the cookie banner.
Service security and fraud prevention	Technical logs, IP address, user-agent, security events	Legitimate interest in ensuring service security and preventing abuse (art. 6.1.f GDPR)	Up to 12 months depending on the nature of the event	Mandatory — processing necessary for the secure operation of the site.

Beyond the periods indicated, data may be kept in intermediate archive with restricted access to meet legal, accounting or applicable limitation-period obligations.

4. Retention periods by data type

The table below summarises the retention periods applied by data type, in line with the storage-limitation principle (art. 5.1.e GDPR).

Data type	Main purpose	Retention period	Basis / ground
User account data	Account creation and management, service access, relationship history	Lifetime of the active account + 5 years from the end of the contractual relationship (evidentiary)	Performance of the contract / legal obligations (art. 6.1.b and 6.1.c GDPR)
Booking data	Performance of the rental contract, connection with the partner agency	Duration of the booking + 5 years after the end of the rental contract	Performance of the contract (art. 6.1.b GDPR) / legal obligations
Billing & payment data	Transaction processing, accounting and tax evidence	10 years (Commercial Code, accounting and tax obligations)	Legal obligation (art. 6.1.c GDPR)
Supporting documents (ID card & driving licence)	Identity verification and eligibility for vehicle rental	Not collected by KARVYX; retained by the partner agency under its own legal obligations	N/A — KARVYX is not the controller for this processing
Technical & security logs	Service security, fraud prevention, technical diagnostics	6 to 12 months depending on the nature of the event, then anonymisation	Legitimate interest (art. 6.1.f GDPR) / legal obligations

At the end of these periods, data is either deleted, anonymised, or archived in an intermediate database with restricted access for legal, accounting or limitation-period obligations only.

5. Legitimate interests pursued

When KARVYX relies on legitimate interest (art. 6.1.f GDPR), a balancing test is carried out between that interest and the rights and freedoms of the data subjects. The main interests pursued are:

ensuring the security, availability and integrity of the service;
preventing fraud, abuse and intrusion attempts;
measuring audience anonymously to improve the user experience;
responding to incoming enquiries (contact, support).

You may at any time object to processing based on legitimate interest for reasons relating to your particular situation (see section 11).

6. Recipients & processors

Your data may be transmitted, within the strict limit of what is necessary and under a confidentiality undertaking, to the following recipients:

The partner rental agency you selected, acting as a separate controller for the performance of the rental contract;
PCI-DSS certified payment providers for transaction processing;
Hosting provider: Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA);
Technical processors: transactional emailing, customer support, analytics tools, application monitoring;
Competent authorities in the event of a legal obligation or a judicial / administrative request.

Each processor acts under a contract compliant with article 28 GDPR, governing the purpose, duration, security and confidentiality of the processing.

7. Transfers outside the EU / Morocco

Some technical processors, including the host Cloudflare, Inc. (United States), may process data from countries located outside the European Economic Area or Morocco. In that case, KARVYX ensures that such transfers rely on an appropriate legal mechanism:

an adequacy decision of the European Commission; or
standard contractual clauses (SCCs) approved by the Commission; or
any other recognised safeguard (binding corporate rules, etc.).

A copy of the applicable safeguards can be requested at contact@karvyx.com.

8. Security & data breach

KARVYX implements technical and organisational measures appropriate to the risk: encryption of exchanges (HTTPS/TLS), role-based access control, logging, regular backups, password policy and periodic access review.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, KARVYX will carry out the required notifications to the competent supervisory authority within 72 hours (art. 33 GDPR) and, where applicable, to the persons concerned (art. 34 GDPR).

9. Minors

KARVYX is not intended for minors under 16. Account creation and vehicle booking also require the minimum age set by the rental agency (generally 21, with a driving licence held for at least 1 to 2 years depending on the rental conditions).

If you believe that a minor has submitted data without authorisation, please contact contact@karvyx.com : the data will be deleted without delay.

10. Automated decisions & profiling

KARVYX does not take any fully automated decision producing legal effects on you or significantly affecting you within the meaning of article 22 GDPR. No advertising profiling is carried out.

11. Your rights & how to exercise them

Under the GDPR and Moroccan law 09-08, you have the following rights regarding your personal data:

Right of access: Obtain confirmation that your data is being processed and a copy of that data.
Right to rectification: Have inaccurate or incomplete data corrected or completed.
Right to erasure: Request deletion of your data when one of the conditions of art. 17 GDPR applies.
Right to restriction: Request the restriction of processing in the cases provided for in art. 18 GDPR.
Right to portability: Receive your data in a structured, commonly used and machine-readable format.
Right to object: Object to processing based on legitimate interest for reasons relating to your particular situation.
Right to withdraw consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing.

Procedure: write to contact@karvyx.com specifying the nature of your request. In case of reasonable doubt about your identity, supporting evidence may be requested.

Response time: one month from receipt of the request, extendable by two months for complex or numerous requests (art. 12.3 GDPR), with prior notice.

You may also leave instructions concerning the fate of your data after your death, in accordance with applicable national laws.

12. Complaint to a supervisory authority

If, after contacting us, you consider that your rights have not been respected, you may lodge a complaint with the data protection authority of your country of residence:

Morocco — CNDP (National Commission for the Control of Personal Data Protection): cndp.ma
France — CNIL: cnil.fr
European Union — supervisory authority of your Member State (list at edpb.europa.eu);
United Kingdom — ICO: ico.org.uk

13. Cookies

The management of cookies and trackers is detailed in the cookies policy (categories, purposes, durations, consent mechanism).

14. Changes to this policy

This policy may be updated to reflect changes to the service, regulations or the processors used. The date of last update is shown at the top of the page. In the event of a substantial change, visible information will be displayed on the site and, where applicable, communicated to the users concerned.

15. Contact

For any question regarding your personal data: contact@karvyx.com or by post to: KARVYX DIGITAL, RUE SOUMAYA RES SHEHRAZADE 3 ETG 5 N 22, Casablanca, Maroc.