Privacy Policy
Your privacy is fundamental to how we build Ouech. This policy explains how we handle your data.
Effective Date: January 17, 2026
Version: 2.0
This Privacy Policy ("Policy") describes how Techbay SARL-AU, a company registered under the laws of the Kingdom of Morocco with its registered office in Agadir, Morocco, operating under the brand name Ouech ("we," "us," "our," or "Ouech"), collects, uses, shares, and protects your personal information when you use our mobile application and related services (collectively, the "Services").
We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including the Moroccan Law 09-08 on the Protection of Individuals with regard to the Processing of Personal Data, the European Union General Data Protection Regulation (GDPR) where applicable, and other relevant international standards.
Table of Contents
- Data Controller Information
- Information We Collect
- Legal Basis for Processing
- How We Use Your Information
- Information Sharing and Disclosure
- International Data Transfers
- Your Rights and Choices
- Shadow Profiles and Non-User Data
- Data Retention
- Data Security
- Children's Privacy
- Cookies and Tracking Technologies
- Changes to This Policy
- Contact Us
1. Data Controller Information
The data controller responsible for processing your personal data is:
Techbay SARL-AU
Operating as: Ouech
Registered Address: Agadir, Morocco
Website: www.thebay.ma
Email: privacy@ouech.co
For data protection inquiries, including requests to exercise your rights under applicable data protection laws, please contact our Data Protection Officer at: dpo@ouech.co
2. Information We Collect
We collect information in several ways to provide and improve our Services:
2.1 Information You Provide Directly
Account and Authentication Data
- Phone Number: Required for account creation and SMS-based authentication (OTP verification). This is your primary identifier on Ouech.
- Display Name: Optional name you choose to display to your connections.
- Profile Photo: Optional image you upload to personalize your profile.
Profile and Identity Data
- Pro Cards: Professional capabilities and skills you create (e.g., "Lawyer," "Plumber," "Designer").
- Passion Cards: Personal interests and expertise you share (e.g., "Photography," "Cooking," "Gaming").
- Card Details: Descriptions, categories, and metadata associated with your Cards.
Network and Relationship Data
- Connections: Records of your trusted connections, including how you connected (import, physical tap, brokered introduction, or direct request).
- Closeness Settings: Your designation of connections as "Close" or "Regular."
- Private Tags: Personal labels you assign to connections (visible only to you).
Activity and Content Data
- Pulses: Requests you create (Hire or Ask), including category, location scope, and audience settings.
- Suggestions: Contacts you recommend in response to Pulses.
- Vouches: Endorsements you provide for others' Cards.
- Introduction Requests: Requests you make or receive for brokered introductions.
Contact Data (With Your Permission)
- Phonebook Contacts: With your explicit consent, we access names and phone numbers from your device's contact list to help you build your trust network. We do not upload or store your entire contact list on our servers without your action.
2.2 Information Collected Automatically
Device and Technical Data
- Device Identifiers: Unique device identifiers, device type, operating system version.
- Network Information: IP address, mobile carrier, connection type.
- App Information: App version, installation date, update history.
Usage and Analytics Data
- Feature Usage: Which features you access, frequency of use, navigation patterns.
- Performance Data: App load times, errors, crashes (via Firebase Crashlytics).
- Interaction Data: Taps, swipes, and other interactions within the app.
Location Data (With Your Permission)
- Location Scope: Your selected location preference (neighborhood, city, or global) for Pulse routing.
- Approximate Location: With your consent, we may collect approximate location to provide location-relevant recommendations. We do not continuously track your precise location.
2.3 Information from Third Parties
- Referral Information: If you join via an invitation link, we receive information about who invited you and the context of the invitation.
- Suggested Information: When another user suggests you for a Pulse, they may provide your name and phone number along with a proposed capability Card.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6 and equivalent provisions under Moroccan Law 09-08:
3.1 Performance of Contract (Article 6(1)(b) GDPR)
Processing necessary to provide the Services you have requested:
- Account creation and authentication
- Core functionality: Pulses, connections, introductions, Cards, and vouching
- Communication about your account and activity
- Customer support
3.2 Consent (Article 6(1)(a) GDPR)
Processing based on your explicit, informed consent:
- Access to your device's contact list
- Collection and use of location data
- Push notifications
- Optional analytics and personalization
You may withdraw consent at any time through your device settings or by contacting us, without affecting the lawfulness of processing prior to withdrawal.
3.3 Legitimate Interests (Article 6(1)(f) GDPR)
Processing necessary for our legitimate interests, balanced against your rights:
- Service Improvement: Analyzing usage patterns to enhance the user experience
- Security and Fraud Prevention: Detecting and preventing abuse, spam, fake accounts, and manipulation of the vouching system
- Rate Limiting: Enforcing usage limits to maintain platform integrity
- Business Operations: Internal analytics, reporting, and service optimization
3.4 Legal Obligations (Article 6(1)(c) GDPR)
Processing required to comply with legal obligations:
- Responding to valid legal requests from authorities
- Tax and accounting requirements
- Compliance with applicable regulations
4. How We Use Your Information
4.1 Core Service Delivery
- Authenticate your identity and secure your account
- Enable you to create and manage your profile, Cards, and connections
- Route your Pulses to relevant connections based on your audience settings
- Facilitate introductions between users through our brokered introduction protocol
- Display aggregated reputation signals (vouch counts, Card tiers) while protecting privacy
- Enable search and discovery within your trusted network
4.2 Communication
- Send authentication codes (OTP) via SMS
- Notify you of relevant activity (new Pulses, introduction requests, vouches)
- Deliver weekly digests summarizing your network activity
- Provide customer support and respond to inquiries
- Send important service announcements and updates
4.3 Safety, Security, and Integrity
- Detect and prevent fraudulent activity, fake accounts, and abuse
- Enforce rate limits on invitations, suggestions, and Pulses
- Protect against vouch manipulation and reputation fraud
- Investigate and respond to reports of violations
- Maintain the integrity and trustworthiness of the network
4.4 Analytics and Improvement
- Understand how users interact with our Services
- Identify and fix technical issues and crashes
- Measure the effectiveness of features
- Develop new features and improvements
- Conduct research and analysis (using aggregated or anonymized data where possible)
5. Information Sharing and Disclosure
We do not sell your personal information. We share your information only in the following circumstances:
5.1 With Other Users (Based on Your Actions and Settings)
- Connections: Your connections can see your profile, Cards, and certain activity based on your privacy settings.
- Shielded Information: Non-connections can see aggregated reputation signals (e.g., "10+ vouches," tier badges) without seeing your identity or contact details.
- Pulses: Your Pulses are visible to your chosen audience (Connections, Close connections, or Direct recipients).
- Introductions: When you approve an introduction, relevant information is shared with the parties involved.
5.2 Service Providers
We engage trusted third-party service providers who process data on our behalf:
- Firebase (Google LLC): Authentication, analytics (Firebase Analytics), crash reporting (Crashlytics), and cloud messaging. See the Firebase Privacy Policy.
- Supabase Inc.: Database hosting, backend services, and edge functions. See the Supabase Privacy Policy.
- Cloud Infrastructure: Amazon Web Services (AWS) and/or Google Cloud Platform for hosting and storage.
These providers are contractually bound to protect your data and may only process it for the purposes we specify.
5.3 Legal and Safety Disclosures
We may disclose your information if required to:
- Comply with applicable laws, regulations, or legal processes
- Respond to valid requests from law enforcement or government authorities
- Protect the rights, property, or safety of Ouech, our users, or the public
- Detect, prevent, or address fraud, security issues, or technical problems
- Enforce our Terms of Service
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5.5 With Your Consent
We may share your information for other purposes with your explicit consent.
6. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those of your country.
6.1 Safeguards for International Transfers
When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers for transfers to countries without an adequacy decision.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission or relevant authorities.
- Data Processing Agreements: All service providers are bound by data processing agreements that require them to protect your data.
6.2 Specific Transfer Disclosures
- Firebase/Google: Data processed in the United States under Google's Data Processing Terms and SCCs.
- Supabase: Data may be processed in the United States or EU regions based on project configuration, subject to Supabase's DPA.
By using our Services, you acknowledge and consent to the transfer of your information as described herein.
7. Your Rights and Choices
Depending on your location and applicable laws, you have certain rights regarding your personal data. We honor these rights for all users to the extent practicable, regardless of jurisdiction.
7.1 Your Data Protection Rights
Right of Access
You have the right to request a copy of the personal data we hold about you and information about how we process it.
Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in the app.
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes collected.
Right to Restriction of Processing
You have the right to request that we limit how we use your data in certain circumstances, such as while we verify the accuracy of your data.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, including:
- Morocco: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)
- EU: Your local Data Protection Authority
7.2 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@ouech.co with:
- Your request and the right you wish to exercise
- Sufficient information to verify your identity (typically your phone number associated with your account)
We will respond to your request within 30 days (or sooner if required by law). We may need to verify your identity before processing your request.
7.3 App-Level Controls
You can manage certain data and permissions directly:
- Profile Information: Edit your name, photo, and Cards in the app
- Contacts Permission: Revoke in your device settings
- Location Permission: Revoke in your device settings
- Notifications: Manage in your device settings or app notification preferences
- Account Deletion: Request through the app or by contacting us
8. Shadow Profiles and Non-User Data
Our Services allow users to suggest people who may not yet be on Ouech. When this happens, we create a "Shadow Profile" to facilitate potential introductions. We take this responsibility seriously and provide robust protections for non-users.
8.1 What is a Shadow Profile?
A Shadow Profile is a minimal record created when an existing Ouech user suggests you for a Pulse or saves you in their rolodex. It contains:
- Name (as provided by the suggesting user)
- Phone number (as provided by the suggesting user)
- Context: The capability or request for which you were suggested
- Provenance: Who suggested you and when
- Proposed Card(s) and any pending vouches
A Shadow Profile is not a user account. You have not agreed to our Terms of Service, and we do not treat you as a user until you choose to join.
8.2 How Shadow Profile Data is Used
- To send you a single invitation message (SMS or messaging app) on behalf of the suggesting user
- To preserve context if you later choose to join Ouech
- To display pending reputation (Cards, vouches) if you claim your profile
8.3 Your Rights as a Non-User
If you have been suggested on Ouech but have not joined, you have the following rights:
- Opt-Out: You can opt out of receiving further invitations for a specific request by following the opt-out link in the invitation or contacting us.
- Deletion: You can request deletion of your Shadow Profile by contacting privacy@ouech.co with your phone number.
- Information: You can request information about what data we hold in your Shadow Profile.
8.4 Anti-Spam Protections
- We send a maximum of one invitation per request context
- Rate limits prevent any user from sending excessive invitations
- Your opt-out preferences are permanently respected
- We do not share Shadow Profile data with third parties for marketing
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy:
9.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Active Account Data | Duration of account + 3 years after deletion |
| Shadow Profiles | Until claimed, or 90 days after opt-out request |
| Authentication Logs | 12 months |
| Analytics Data | 26 months (Firebase Analytics default) |
| Crash Reports | 90 days |
| Support Communications | 3 years after resolution |
| Legal/Compliance Records | As required by applicable law |
9.2 Account Deletion
When you delete your account:
- Your profile, Cards, and personal information are permanently deleted
- Your connections will no longer see your profile
- Vouches you gave to others are anonymized (count preserved, your identity removed)
- Historical introduction records may be retained in anonymized form for integrity purposes
- Some data may be retained for legal compliance or fraud prevention as noted above
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
10.1 Technical Measures
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
- Encryption at Rest: Sensitive data is encrypted using industry-standard AES-256 encryption.
- Secure Authentication: Phone-based OTP authentication; tokens stored in secure device storage.
- Access Controls: Role-based access controls limit employee access to personal data on a need-to-know basis.
10.2 Organizational Measures
- Security Training: Team members receive regular security awareness training.
- Vendor Assessment: Service providers are evaluated for their security practices.
- Incident Response: We maintain incident response procedures to address potential data breaches.
- Regular Review: Security measures are periodically reviewed and updated.
10.3 Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
Important: While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Children's Privacy
Our Services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you believe we have collected information from a child under 16, please contact us immediately at privacy@ouech.co.
12. Cookies and Tracking Technologies
Our mobile app uses the following technologies:
12.1 Firebase Analytics
We use Firebase Analytics (Google) to understand how users interact with our app. This includes:
- Screen views and navigation patterns
- Feature usage and engagement metrics
- App performance and stability data
Firebase Analytics uses device identifiers. You can opt out of analytics collection in app settings.
12.2 Firebase Crashlytics
We use Crashlytics to identify and fix app crashes and errors. This collects:
- Crash reports and stack traces
- Device state at time of crash
- App version and device information
12.3 Website Cookies
Our website (ouech.co) uses minimal cookies:
- Essential: Required for basic site functionality
- Analytics: To understand website traffic (can be declined)
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 Notification of Changes
- Material Changes: We will notify you via in-app notification, email, or prominent notice on our website at least 30 days before the changes take effect.
- Minor Changes: We will update the "Effective Date" at the top of this Policy.
13.2 Your Choices
If you disagree with any changes, you may close your account before the new terms take effect. Continued use of our Services after the effective date constitutes acceptance of the updated Policy.
13.3 Version History
Previous versions of this Policy are available upon request.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Privacy Inquiries
Email: privacy@ouech.co
Data Protection Officer
Email: dpo@ouech.co
Postal Address
Techbay SARL-AU
Attn: Privacy Team
Agadir, Morocco
Parent Company
Website: www.thebay.ma
General Contact: contact@ouech.co