Data Processing Agreement (DPA)

Last updated 30 April 2026.

This Data Processing Agreement (“DPA”) describes how passenger personal data is processed when Morocco Tour Transfer (commercial brand) provides private transfers and tours, including when bookings are received from OTAs (online travel agencies) or hotel partners.

1. Parties

2. Scope

This DPA applies to the processing of personal data for:

  • Airport transfers and intercity rides
  • Multi-day tours and hourly disposition
  • Support operations (WhatsApp, email)
  • OTA integrations (e.g., booking and incident webhooks)

3. Categories of personal data

  • Passenger details: name, phone number, email
  • Trip data: pickup/drop-off addresses, date/time, number of guests
  • Flight data (airport pickups): flight number, scheduled/estimated/actual times
  • Operational data: driver assignment, meeting point messages, incident notes
  • Payment data: payment method and invoice data (card numbers are processed by payment providers, not stored by us)

4. Purposes and legal basis

  • Contract performance: provide the booked transport service.
  • Legal obligation: accounting and invoicing per applicable law.
  • Legitimate interest: fraud prevention, safety, and service improvement.
  • Consent: analytics/marketing cookies where required (see cookie preferences banner).

5. Retention

  • Booking and operational logs: up to 24 months for quality control (placeholder; adjust as needed).
  • Invoices and tax records: up to 10 years where legally required.
  • Incident logs: up to 24 months.

6. Subprocessors

We may use the following categories of subprocessors:

  • Messaging: Meta / WhatsApp Business (for support coordination).
  • Maps: Google Maps / Places API (address autocomplete).
  • Payments: Stripe / PayPal (PCI-DSS compliant).
  • Hosting: web hosting / CDN provider (to be listed in legal notice).
  • OTA platforms: booking platforms that transmit passenger details for service fulfilment.

7. International transfers

Some subprocessors may store data outside Morocco (e.g., EU/UK/US). Where applicable, transfers are protected by contractual safeguards (e.g., Standard Contractual Clauses).

8. Security measures

  • HTTPS encryption for web services and APIs
  • Access control (least privilege) for operations staff
  • Logging and incident tracking
  • Periodic vehicle/driver compliance checks

9. Data subject rights

Passengers may request access, correction, deletion, restriction, or objection. Contact privacy@moroccotourtransfer.com. We respond within 30 days.

Complaints may be lodged with the Moroccan CNDP (Commission Nationale de Contrôle de la Protection des Données) and, where applicable, EU/UK supervisory authorities.

10. Contact

For DPA questions: privacy@moroccotourtransfer.com · WhatsApp +212 614 14 16 14.

Data Processing Agreement (DPA) — Morocco Tour Transfer