Privacy

Privacy Policy.

What we collect, why we collect it, who we share it with, and how to ask us to delete it. Compliant with Loi 09-08 (Morocco) and the GDPR (EU). Last updated 17 May 2026.

1. Who we are

PropOS SARL (in formation) is a company being established in Casablanca, Morocco. We operate the PropOS web application at propos.app and the PropOS mobile application available on the App Store and Google Play.

For Loi 09-08 purposes, PropOS is the data processor for your customers' data (residents); you (the syndic) are the data controller. PropOS is the data controller for your own account data.

2. What we collect

Account data (you give us)

  • Email, name, phone number, preferred language
  • Password (stored as scrypt hashes by Firebase Authentication — we never see your cleartext password)
  • Profile photo (optional)
  • Subscription and payment information (handled by Stripe — we store only the customer ID + last 4 digits)

Building data (you upload)

  • Building details: name, address, unit count
  • Resident records: name, email, phone, unit, type
  • Invoices, payment history, expense records, AGM minutes
  • Maintenance tickets with photos and descriptions
  • Documents you upload (bylaws, insurance certificates, contracts)
  • Messages, notices, and chat history within a building

Technical data (collected automatically)

  • IP address, browser type, device type (for security + abuse prevention)
  • Audit log entries: actor + timestamp + action for every administrative change
  • Error logs (stack traces, no PII unless you submit it via a bug report)

What we do NOT collect

  • No third-party trackers on our marketing site (no Google Analytics, no Meta Pixel)
  • No advertising IDs
  • No location data unless you explicitly grant it on the mobile app for visitor passes
  • No biometric data

3. Why we collect it (legal basis)

  • Contract performance (Loi 09-08 art. 12, GDPR art. 6(1)(b)) — to deliver the service you subscribed to
  • Legitimate interest (GDPR art. 6(1)(f)) — security monitoring, abuse prevention, product analytics
  • Legal obligation (Code de Commerce art. 19) — accounting records retained for 10 years
  • Consent — analytics cookies (only if you accept the cookie banner), AI processing of resident data

4. Who we share it with

We use a small set of vetted sub-processors:

  • Google Cloud / Firebase (data hosting in europe-west1, Belgium) — under standard EU SCC contract
  • Vercel (web hosting + Edge functions, europe-west1)
  • Stripe Payments Europe Ltd. (payment processing)
  • OpenAI Ireland Ltd. + DeepSeek (AI engines — prompts are anonymized where possible, customer data is NOT used for training under our enterprise terms)
  • SendGrid (Twilio) (transactional email delivery)
  • Twilio (SMS + WhatsApp Business for notifications)
  • CMI (Centre Monétique Interbancaire — Moroccan card processing, for syndics enrolled with CMI)

We do not sell your data. We do not share it with advertisers. We disclose information to authorities only when legally compelled (court order) or to prevent imminent harm.

5. How long we keep it

  • Active account data: for the lifetime of your subscription
  • After cancellation: 30-day grace period, then deleted
  • Financial records: 10 years (Moroccan Code de Commerce art. 19)
  • Audit logs: 7 years
  • Server access logs: 30 days
  • AI prompts/outputs: not logged with content; only feature + timestamp + uid for rate limiting

6. Your rights

Under Loi 09-08 and the GDPR, you have the right to:

  • Access — download all your data as JSON from settings/security
  • Rectification — edit any account or resident record directly in the app
  • Erasure — request account deletion from settings/security (30-day grace, accounting records exempted)
  • Portability — JSON export is machine-readable and contains every field we store
  • Object — opt out of non-essential cookies via the banner; opt out of analytics
  • Lodge a complaint with the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel) at cndp.ma, or your local EU supervisory authority

To exercise any of these: privacy@propos.app. We respond within 30 days as required by law.

7. Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based and enforced at the database level. Production access by PropOS staff requires a logged break-glass procedure. Daily backups are encrypted and retained 30 days.

Full security architecture: propos.app/security. Responsible disclosure: security@propos.app (90-day coordinated window).

8. Cookies

We use:

  • Essential cookies (no consent required): session cookie for sign-in, role cookie for path gating, locale cookie for language preference, theme cookie for dark/light mode
  • Analytics cookies (only with your consent via the banner): first-party page-view counting. No third-party trackers.

You can change your cookie preferences at any time from the footer banner or settings.

9. International transfers

Customer data is stored in europe-west1 (Belgium). AI prompts may be sent to OpenAI in Ireland or DeepSeek (China) under our enterprise zero-data-retention contracts. Stripe processes payments in the European Economic Area. No transfers to jurisdictions without an adequacy decision occur unless you explicitly enable a third-party integration that requires it.

10. Children

PropOS is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has signed up, email privacy@propos.app and we will delete the account.

11. Changes

We will announce material changes to this policy at least 30 days in advance on this page and via email to active subscribers.

12. Contact & DPO

Data Protection contact: privacy@propos.app
Postal address: Casablanca, Morocco (full registration address pending)
CNDP registration: pending submission

Disclaimer: This policy is a working draft prepared by the PropOS team pending review by a Moroccan-qualified data protection lawyer and CNDP registration. For enterprise data-processing agreements, contact privacy@propos.app for our standard DPA template.