Legal

Privacy Policy

Politique de Confidentialité · Version 2.0 — Effective 14 April 2026

Plain-language summary. LallaGo operates a B2B mobility platform for professional business travelers and companies. We collect the minimum data needed to book, bill, and report rides. We do not sell your data, ever. You can request a full copy, correction, or deletion at any time — we respond within the statutory deadlines (30 days under Moroccan Law 09-08, one month under GDPR Art. 12(3)). This policy is fully aligned with Moroccan Law 09-08 and EU Regulation 2016/679 (GDPR).

1. Data Controller

The data controller responsible for processing your personal data is:

Hani Mobility Services LLC
Operating brand: LallaGo / LallaGo.business
Registered office: Casablanca, Kingdom of Morocco
General contact: info@lallago.business
Data protection & privacy requests: privacy@lallago.business
External legal counsel (Data Protection Officer liaison): steiner@middleeastlaw.eu — Middle East Law

2. Who This Policy Covers

This Policy applies to all individuals whose personal data we process in connection with our services, including:

Private Business Travelers — individuals registering personal LallaGo accounts.
Corporate Users — employees, managers, executives, and invited delegates of corporate clients using LallaGo Mobility Credits.
Finance & Administrative Contacts at corporate clients (billing, invoice, ESG reporting recipients).
Transport Partners and Drivers — independent providers connected through our platform.
Website visitors browsing lallago.business.

3. Legal Framework

We process personal data in full compliance with:

Moroccan Law n° 09-08 of 18 February 2009, concerning the protection of individuals with regard to the processing of personal data, and its implementing Decree n° 2-09-165.
EU Regulation 2016/679 (GDPR) where applicable to data subjects located in the European Economic Area, Switzerland, or the United Kingdom.
CNDP decisions (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel) — the Moroccan supervisory authority.
Moroccan commercial, tax, and transport law, including Law 15-95 (Commercial Code), Law 52-05 (Road Transport), and VAT and KYC/AML obligations handled directly by LallaGo in line with Bank Al-Maghrib guidance and Moroccan AML regulation.

4. Personal Data We Collect

We collect only what is strictly necessary to deliver the service. Categories:

4.1. Account & Identification

First name, last name, professional/work email, mobile phone.
Employer / company name and role.
Invoicing email (separate field, may differ from account email).
Preferred language, preferred city of travel, trip frequency.
For KYC at first top-up: scan or photograph of national ID or passport (processed by LallaGo under AML rules; retained per Moroccan banking law, minimum 5 years).

4.2. Booking & Ride Data

Pickup and drop-off addresses, times, dates.
Vehicle class, driver assigned, ride status, mileage, actual route.
Ratings and free-text feedback provided by you.
Special requests (e.g., VIP Meet & Greet, language preference, accessibility needs).

4.3. Payment & Mobility Credits

Top-up amount, method (credit card via LallaGo Business app / bank transfer / cash at LallaGo cash office), date, transaction reference.
Invoice history (VAT identifiers where applicable, company billing address).
We do NOT store your full credit card number. Card data is handled exclusively by our PCI-DSS certified payment processor.

4.4. Sustainability & Reporting Data

Per-ride CO₂ emissions calculated using WLTP-based distance method (GHG Protocol Scope 3, Category 6).
Aggregate reports for corporate CSRD / ESRS E1 submissions.

4.5. Technical & Device Data

IP address, device type, operating system, browser, app version.
Access logs, session identifiers, crash reports.
Approximate location (city-level) and — only when you book, and only for the duration of the ride — precise GPS coordinates of pickup/drop-off.

4.6. Communications

Emails, WhatsApp messages, and support tickets you exchange with us.
Recordings of customer-support calls are not retained unless you explicitly consent at the start of the call.

5. Purposes & Legal Bases

We process personal data only for the following purposes, each supported by a specific legal basis under GDPR Art. 6 and Moroccan Law 09-08 Art. 4:

Purpose	Legal Basis	Retention
Account creation, booking, billing	Contract performance — GDPR Art. 6(1)(b)	Account life + 3 years
KYC / AML / anti-fraud	Legal obligation — GDPR Art. 6(1)(c)	5 years (Moroccan banking law)
VAT invoicing & accounting	Legal obligation — GDPR Art. 6(1)(c)	10 years (Moroccan Commercial Code)
CO₂ reports for CSRD	Contract + legitimate interest — Art. 6(1)(b)(f)	Account life + 5 years
Service quality, driver rating, SLA audit	Legitimate interest — Art. 6(1)(f)	24 months
Platform security & fraud prevention	Legitimate interest — Art. 6(1)(f)	12 months (logs)
Marketing emails & referral program	Consent — Art. 6(1)(a), opt-out anytime	Until consent withdrawn
Analytics cookies (if accepted)	Consent — Art. 6(1)(a)	Max 13 months

6. Who We Share Your Data With

We share personal data only with the following recipients, and only to the minimum extent required:

Transport Partners & assigned drivers — only your first name, phone number (masked via our relay when possible), pickup and drop-off addresses, and ride timing. No payment data.
PCI-DSS card processor — for credit and debit card transactions initiated in the LallaGo Business app.
Our Moroccan banking partner — for bank transfer reception and AML/KYC compliance on top-ups.
Cloud & IT infrastructure providers (hosting, database, email delivery, analytics) under GDPR-compliant Data Processing Agreements. Primary hosting in the EU (Frankfurt); secondary in Morocco.
Professional advisors — legal counsel, external auditors, tax advisors — bound by confidentiality.
Public authorities — only when compelled by valid legal order (court, tax authority, CNDP, police). We log every such request and notify you unless legally prohibited.

We do not sell, rent, or trade personal data to third parties for their own marketing purposes. Ever.

7. International Data Transfers

Some of our sub-processors are located outside Morocco and outside the EEA. For every such transfer we rely on one of:

An adequacy decision of the European Commission (GDPR Art. 45), or
EU Standard Contractual Clauses 2021/914 (GDPR Art. 46), or
CNDP prior authorization under Moroccan Law 09-08 Art. 43.

A list of current sub-processors and their locations is available on request at privacy@lallago.business.

8. Your Rights

You have the following rights regarding your personal data. To exercise any right, email privacy@lallago.business from the email address registered on your LallaGo account. We respond within 30 days (Moroccan Law 09-08) / one month (GDPR Art. 12(3)), extendable by 2 months for complex requests.

Right of access — obtain a copy of all personal data we hold on you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — see Section 9 below.
Right to restriction of processing — pause processing while a dispute is resolved.
Right to data portability — receive your data in a structured, machine-readable format (JSON / CSV).
Right to object — object to processing based on legitimate interest, including direct marketing.
Right to withdraw consent — at any time, without affecting the lawfulness of past processing.
Right not to be subject to automated decision-making — we do not make decisions with legal or similarly significant effects based solely on automated processing.
Right to lodge a complaint — see Section 13.

We do not charge a fee for a first request. Manifestly unfounded or repetitive requests may incur a reasonable administrative fee (GDPR Art. 12(5)).

9. Deletion & Account Closure

You can close your LallaGo account and request erasure of your personal data at any time. The procedure:

Request. Email privacy@lallago.business with "Deletion request" in the subject. We accept requests in English, French, German, Spanish, or Arabic.
Identity verification. We will ask you to confirm the request from the account email.
Outstanding obligations. If you have unsettled invoices, unused prepaid Mobility Credits, or an active corporate contract, we will clarify reconciliation before deletion.
Execution. Within 30 days of confirmation, we irreversibly delete or anonymize your personal data from our active systems. Backup copies are overwritten in our next backup rotation cycle (maximum 90 days).
Confirmation. You receive a written confirmation by email.

Statutory exceptions. We are legally required to retain some data beyond deletion of your active account:

VAT invoices and accounting records — 10 years (Moroccan Commercial Code Art. 19).
KYC / AML records — 5 years (Moroccan banking and anti-money-laundering law).
Tax records for corporate clients — 10 years.
Records subject to a live dispute, court order, or CNDP investigation — until the matter is fully resolved.

Retained records are accessible only to the finance, legal, and compliance functions, segregated from all operational systems.

10. Security Measures

We apply appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. These include:

TLS 1.3 encryption for all data in transit.
AES-256 encryption for data at rest (database, object storage, backups).
Role-based access control, principle of least privilege, mandatory two-factor authentication for staff.
Quarterly penetration testing and annual third-party security review.
Data minimization in logs (pseudonymization of identifiers after 30 days).
Signed Data Processing Agreements with all sub-processors.
Documented incident response plan. Personal data breaches notifiable to the CNDP within 72 hours and to affected data subjects where high risk (GDPR Art. 33, 34).

11. Cookies & Tracking

Our website uses three categories of cookies. A consent banner lets you accept or refuse each non-essential category on first visit, and change your choice at any time via the "Cookie settings" link in the footer.

Strictly necessary (always on): session, authentication, security, language preference.
Analytics (consent): aggregated and anonymized usage statistics, max 13-month retention.
Advertising / conversion tracking (consent): limited to anonymous conversion events for the LallaGo early-access campaign. No cross-site profiling.

12. Children

Our services are strictly for professional / business use. We do not knowingly process the personal data of individuals under 18. If we discover that an account belongs to a minor, we will delete it.

13. Supervisory Authorities & Complaints

You always have the right to lodge a complaint with a supervisory authority. We kindly ask you to contact us first so we can resolve the matter directly, but this is your choice.

Morocco — CNDP (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel): www.cndp.ma
European Union — your national Data Protection Authority. Directory: edpb.europa.eu/about-edpb/members
Germany — Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), www.bfdi.bund.de
France — CNIL, www.cnil.fr
Spain — AEPD, www.aepd.es

14. Changes to This Policy

We may update this Policy to reflect legal or operational changes. Material changes are communicated by email to registered account holders at least 30 days before they take effect. The effective date at the top of this page always reflects the current version. Previous versions are archived and available on request.

15. Contact Summary

For any privacy matter:
Privacy / Deletion / GDPR requests: privacy@lallago.business
General contact: info@lallago.business
External legal counsel: steiner@middleeastlaw.eu — Middle East Law