Privacy Policy

Version 2.5 · Last updated: 2026-05-14

Short version. This website is a brochure with one optional booking-request form. It has no newsletter, no tracking cookies, no analytics, no advertising pixels. Most visitors get in touch by clicking a WhatsApp, telephone or e-mail link, which opens an app on your own device — conversations then happen off this website. If you prefer, you can instead fill in the booking-request form: it asks only for what is needed to answer a booking enquiry, is sent only after you tick a consent box, and is stored in a small database on our own server — no third-party form service. See section 3 below for the detail.

Scope

This Privacy Policy covers:

  • the Buggy Trip Marrakech brochure website at buggytripmarrakech.com (English, French, Spanish, and Dutch editions); and
  • the internal Buggy Trip Marrakech app, used by SARL Buggy Trip Rak to publish its own promotional content (short videos, photos, captions) to its own official accounts on TikTok, Instagram, Facebook, YouTube and Pinterest, through those platforms' public APIs. This app:
    • is not distributed to the public and is not downloadable;
    • does not allow any third-party user to sign in — only the website operator has access;
    • does not read any direct messages, comments or follower data: it only publishes to the company's own official accounts.

1. Data Controller

The controller under the EU General Data Protection Regulation (GDPR, EU 2016/679) and Moroccan Law n° 09-08 is:

SARL Buggy Trip Rak
Société à Responsabilité Limitée (SARL)
Registered seat: N°205 Saada 6, Mhamid, Marrakech, Maroc
Commercial Register (RC) no. 96159
I.C.E.: 002239620000060
Phone: +212 7 07 01 44 44
Privacy contact: [email protected]

2. What Happens on This Website

When you view a page on buggytripmarrakech.com our reverse proxy (Cloudflare) and our web server (nginx) see the usual technical data any website sees:

  • your IP address;
  • the user-agent string sent by your browser;
  • the URL you requested and the HTTP status returned;
  • the date and time of the request.

This data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in keeping the site online and defending it against abuse. Server access logs are size-capped by the container runtime to approximately 30 megabytes in total; once that ceiling is reached the oldest entries are overwritten. The logs are not consulted, exported or correlated with any other data source held by us.

We do not set any cookie for advertising, analytics or tracking. The site uses no third-party analytics (no Google Analytics, no Meta Pixel, no Plausible, no similar tool). Webfonts are self-hosted from our own domain; no request is made to Google Fonts, Adobe Fonts or any other font CDN.

3. Booking-Request Form

The site offers one optional form, at /book/ (and the locale paths /fr/reserver/, /en/book/, /es/reservar/, /nl/boeken/). Submitting it is entirely your choice — the WhatsApp, phone and e-mail links remain available as before.

The form collects only what is needed to answer a booking enquiry: your e-mail (required), an optional name (a nickname is fine) and phone number, one or more vehicles (with a quantity each) and a single 1 h / 2 h ride duration, the date, number of participants and an optional start time and message. An indicative dirham total is computed in your browser and stored for the operator's reference only.

  • Legal basis: your consent (Art. 6(1)(a) GDPR). The form cannot be sent unless you actively tick a box referring to this policy. The time of consent and the policy version in force are stored with the record as proof under Art. 7(1).
  • Purpose: solely to get back to you about the excursion you asked about. Your data is not used for marketing, profiling or automated decisions, and is not sold or shared.
  • Where it is stored: a small SQLite database on our own Hostinger VPS. There is no third-party form service and no new sub-processor — only the providers already listed in section 5. The database file is readable only by the application's own system user and the server is firewalled to Cloudflare.
  • Notification e-mail: each submission also sends a notification to our own Hostinger mailbox so the request is not missed — this stays within Hostinger.
  • Retention: records are kept only as long as needed to handle your enquiry and any booking that follows, and in any case no longer than 12 months, after which they are deleted.
  • Withdrawing consent: you can withdraw consent or ask for erasure at any time by writing to the address in section 7; withdrawal does not affect processing carried out beforehand.

4. External Links You Can Click

The site contains three kinds of click-out links. They are ordinary hyperlinks: nothing is loaded from these third parties until you click, at which point you leave our site and enter theirs.

  • WhatsApp (wa.me/…) — operated by Meta Platforms Ireland Ltd. When you click, a chat opens in your WhatsApp app. The contents of the conversation, your phone number and any data WhatsApp routinely records are processed by Meta under WhatsApp's own privacy policy.
  • Google Maps (link to the business listing) — we do not embed a map; the link simply opens Google Maps in a new tab when you click it. From that point on Google's own privacy terms apply.
  • Instagram (link in the footer) — opens the public Instagram profile. Meta's privacy policy applies once you are on instagram.com.

5. Service Providers (Processors)

The following providers process data strictly on our behalf, in the course of keeping the website online. None receives data for its own purposes.

  • Hostinger International Ltd. (Cyprus / Lithuania) — VPS hosting and business e-mail. EU data centres. Art. 28 GDPR processing agreement in place.
  • Cloudflare, Inc. (USA, with EU edge) — reverse proxy, TLS termination, DDoS protection. Cloudflare's standard Data Processing Addendum and the European Commission's Standard Contractual Clauses (SCCs) apply to any transfer of technical data outside the EU/EEA.
  • Let's Encrypt / ISRG (USA) — issues the TLS certificate used for HTTPS. No personal data of visitors is sent to ISRG.

6. Transfers Outside the EU/EEA

The only processing that may reach outside the EU/EEA is Cloudflare's edge-level technical data. Such transfers are covered by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. A copy of the relevant clauses is available on request at the address in section 10.

7. Your Rights

Even though we keep almost nothing about you, you have the rights provided by Arts. 15–22 GDPR and by the corresponding provisions of Moroccan Law n° 09-08, in particular:

  • right of access (Art. 15);
  • right to rectification (Art. 16);
  • right to erasure (Art. 17);
  • right to restriction of processing (Art. 18);
  • right to object (Art. 21);
  • right to lodge a complaint with a supervisory authority.

To exercise any right, write to [email protected]. We respond within one month. We may ask for proof of identity if there is reasonable doubt about who is making the request.

8. Complaints

Without prejudice to any other remedy, you have the right to lodge a complaint:

  • with the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) in Morocco — www.cndp.ma;
  • with the supervisory authority of your EU/EEA Member State — list published by the European Data Protection Board at edpb.europa.eu.

9. Security

  • Encryption in transit: TLS 1.2/1.3 on every page.
  • Origin reachable only through Cloudflare; direct access blocked at the firewall.
  • Administrative access to the server is key-based, over a private mesh VPN, not exposed to the public internet.
  • The only personal-data store is the SQLite booking-request database (section 3): it sits on our own VPS, the file is readable only by the application's unprivileged system user, and the container's outbound network access is firewall-restricted. No copy is sent to any third party.

10. Contact and Changes

For any question about this policy or about data concerning you, write to [email protected].

We will update this policy if our practices change. The current text on this page is always authoritative; substantive changes are reflected in the version number (now 2.5) and in the "last updated" date above.
