Spavon

Privacy policy

How Spavon collects, uses, stores and protects your personal data.

Last updated: May 2026

1. Data controller

Spavon, with its registered office in Casablanca, Morocco, is the data controller for all personal data collected and processed via the website spavon.com and the Spavon SaaS platform.

Spavon is committed to processing personal data in accordance with Moroccan Law 09-08 of 18 February 2009 on the protection of individuals with regard to the processing of personal data (as supervised by the CNDP), and, where applicable, with Regulation (EU) 2016/679 (GDPR) when processing data of individuals located in the European Union.

For any question relating to this policy or to the exercise of your rights, contact us at: contact@spavon.com.

2. Data we collect

Identity and contact data: first name, last name, professional email address, phone number, job title and business name, collected when you register, contact us or use the platform.

Account and usage data: login credentials (stored in hashed form), subscription plan, feature usage logs, session metadata and browser/device information collected automatically when you use the platform.

Billing and transaction data: invoicing details, payment method type (no raw card numbers are stored by Spavon), transaction history and VAT information.

End-customer data: personal data relating to your own clients (names, contact details, appointment history, health notes) that you upload or generate within the Spavon platform. For this category, you act as data controller and Spavon acts as data processor on your behalf.

Communication data: content of support requests, feedback forms and emails exchanged with Spavon.

3. Purposes and legal basis

Provision and management of the service (legal basis: performance of contract) — creating and managing your account, delivering the features included in your subscription, processing payments and issuing invoices.

Customer support and communication (legal basis: legitimate interest / contract performance) — responding to support requests, sending service notifications, security alerts and product updates.

Improvement of the platform (legal basis: legitimate interest) — analysing aggregated and anonymised usage data to identify bugs, prioritise features and improve the user experience.

Legal and compliance obligations (legal basis: legal obligation) — retaining accounting records, responding to regulatory requests and complying with applicable tax and data-protection law.

Marketing communications (legal basis: consent) — sending newsletters or promotional offers only with your explicit prior consent, which you may withdraw at any time.

4. Recipients and data transfers

Personal data is accessible only to Spavon employees and contractors who need it to perform their duties. All such persons are bound by confidentiality obligations.

We may share data with trusted sub-processors (cloud infrastructure, payment processor, email delivery, analytics) under contracts that impose equivalent data-protection obligations. An up-to-date list of sub-processors is available on request.

We do not sell, rent or trade your personal data to any third party for marketing or advertising purposes.

Data transfers outside Morocco to countries that do not offer an adequate level of protection are governed by standard contractual clauses or equivalent safeguards recognised under Law 09-08 and/or the GDPR, as applicable.

5. Retention periods

Account and platform data is retained for the duration of the active subscription plus a period of five (5) years following termination, in compliance with applicable commercial and accounting law.

Billing and invoicing records are kept for ten (10) years in accordance with Moroccan accounting obligations.

End-customer data you store within Spavon is retained according to your own retention policy; upon request we will delete it within thirty (30) days of account closure.

Inactive accounts with no subscription and no activity for more than twelve (12) months may be permanently deleted after prior notice of at least thirty (30) days sent to the registered email address.

6. Your rights

Under Law 09-08 and, where applicable, the GDPR, you have the right to: access the personal data we hold about you; rectify inaccurate or incomplete data; object to processing based on legitimate interest; request erasure of data no longer necessary for the purposes for which it was collected; request restriction of processing in certain circumstances; receive a portable copy of your data in a structured, machine-readable format.

To exercise any of these rights, send a written request to contact@spavon.com, including proof of identity. We will respond within thirty (30) days. If you consider that your rights have not been respected, you may lodge a complaint with the Moroccan CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) or, for EU residents, the competent supervisory authority in your country of residence.

7. Cookies and trackers

The website spavon.com and the platform use cookies and similar technologies for the following purposes: strictly necessary cookies (session management, security tokens, user preferences) — these cannot be disabled without impairing the service; analytical cookies (aggregated traffic statistics, feature-usage measurement) — deposited only with your prior consent; marketing cookies — not currently used on the Spavon platform.

You may manage your cookie preferences at any time via the cookie banner or your browser settings. Withdrawing consent for analytical cookies does not affect the functioning of the core service.

We do not use cookies to build advertising profiles or share behavioural data with advertising networks.

8. Data security

Spavon implements appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration or destruction. These measures include: data encryption in transit (TLS) and at rest; access controls based on the principle of least privilege; regular security audits and penetration testing; incident response procedures with mandatory breach notification.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, Spavon will notify the affected parties and, where required, the competent supervisory authority within the timeframes prescribed by applicable law.

9. Changes to this policy

Spavon reserves the right to update this privacy policy at any time to reflect changes in the law, our data practices or the features of the platform. The updated version will be posted on spavon.com with the date of the most recent revision.

For material changes that affect your rights, we will notify registered users by email at least thirty (30) days before the new version takes effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

10. Contact

For any question, request or complaint relating to this privacy policy or the processing of your personal data, contact our data-protection contact at: contact@spavon.com.

Registered office: Casablanca, Morocco.
