UniFlow

UniFlow

Privacy Policy

Last updated: February 25, 2026

1. Introduction

This Privacy Policy describes how UniFlow, a brand of Ezekr SARL ("UniFlow", "we"), headquartered in Casablanca, Morocco, collects, uses, stores, and protects your personal data.

UniFlow acts as a Data Controller for account holder (Client) data and as a Data Processor for End User data processed on behalf of Clients.

This policy is governed by Morocco's Law No. 09-08 on the protection of individuals with regard to personal data processing, and by the GDPR (General Data Protection Regulation) for EU/EEA data subjects.

2. Data We Collect

2.1 Data from Clients (Account Holders)

We collect the following data types from our Clients:

• Registration data: name, email, phone, company name, role — for account creation and management. • Verification data: trade register, tax ID, business license — for WABA provisioning and Meta KYC requirements. • Billing data: card details (tokenized via payment processor), billing address — for payment processing. • Usage data: login times, features accessed, API call volumes, error logs — for security and product improvement. • Technical data: IP address, browser type, device info — for security and fraud prevention.

2.2 Data Processed on Behalf of Clients

As a BSP, UniFlow processes End User data solely as a Data Processor acting on Client instructions:

• End User phone numbers and WhatsApp IDs • Message content (text, images, audio, documents, video) sent and received via WhatsApp • Contact profile information (name, custom fields added by Client) • Conversation metadata (timestamps, delivery status, read receipts) • Message template content submitted by Client • Broadcast campaign audience lists

UniFlow does NOT use this data for its own purposes. Clients remain the Data Controller for all End User data.

3. Message Data Processing

All messages between End Users and UniFlow's servers are encrypted in transit using TLS. Messages between End Users and WhatsApp are end-to-end encrypted per WhatsApp's protocol; UniFlow as a BSP receives decrypted message content via the Cloud API for routing to the Client's dashboard.

Message content is stored in UniFlow's infrastructure for 90 days to enable inbox functionality, then archived or deleted. Media files are stored for 30 days.

UniFlow does not read, analyze, sell, or use message content for any purpose other than delivering the service. In line with Meta's terms, UniFlow does not use Customer Data to train AI models.

4. Legal Bases for Processing

We process personal data on the following legal bases:

• Contractual necessity: processing account data, payment data, WABA provisioning. • Legal obligation: business verification for BSP compliance, CNDP reporting obligations, tax records. • Legitimate interest: platform security, fraud detection, product analytics, support. • Consent: marketing emails, newsletters, analytics and advertising cookies.

5. Data Sharing and Third-Party Disclosure

5.1 Meta Platforms / WhatsApp

UniFlow transmits Client and End User data to Meta as required to operate the WhatsApp Business API. Meta processes data under its own Terms and Privacy Policy.

5.2 Sub-Processors (Service Providers)

We use sub-processors for cloud hosting, payment processing, email service, analytics, and customer support. We commit to maintaining an updated sub-processor list and notifying Clients of changes with 30 days' notice.

5.3 Legal Disclosure

UniFlow may disclose data to Moroccan authorities (CNDP, law enforcement, courts) when legally required. We will attempt to notify the affected Client unless prohibited by law.

5.4 No Sale of Data

UniFlow does not sell, rent, or trade personal data to any third party for their own commercial purposes.

6. International Data Transfers

UniFlow's data processing may occur in Morocco and in the cloud regions of our hosting providers. Where data is transferred outside Morocco, UniFlow relies on Standard Contractual Clauses (SCCs) for EU-origin data and Morocco's Law 09-08 adequacy mechanisms for Moroccan data transfers. Data Processing Agreements are in place with all sub-processors.

7. Data Retention

• Account data: duration of subscription + 5 years (Moroccan legal/tax obligations) • Billing and invoicing records: 10 years (Moroccan commercial code requirements) • WhatsApp message content: 90 days from message date • Media files (images, audio, video): 30 days • Conversation metadata: duration of subscription + 1 year • Support tickets: 3 years • Marketing data: until consent is withdrawn • Business verification documents: duration of WABA + 5 years • Server and access logs: 90 days

Upon termination, Client data is available for export for 30 days, then permanently deleted.

8. Data Security

We implement the following measures: TLS encryption in transit, AES-256 encryption at rest, access controls, role-based permissions, API authentication (OAuth, API keys). Staff receive data protection training and are bound by confidentiality agreements.

In the event of a data breach, UniFlow will notify affected Clients within 72 hours of becoming aware of the breach. Clients are responsible for notifying their End Users and the CNDP/relevant supervisory authority as required.

9. Data Subject Rights

Under Law 09-08 and the GDPR (where applicable), you have the following rights:

• Right to Information: know what data is held and how it is used. • Right of Access: request a copy of personal data processed. • Right to Rectification: correct inaccurate or incomplete data. • Right to Erasure: request deletion of personal data. • Right to Restriction of Processing: request processing be paused. • Right to Data Portability: receive data in a machine-readable format (GDPR only). • Right to Object: object to processing based on legitimate interest or for direct marketing.

To exercise your rights, contact: privacy@uniflow.ma. We will respond within 30 days. You have the right to lodge a complaint with the CNDP (www.cndp.ma).

End Users whose data is processed by UniFlow on behalf of a Client should direct their requests to the Client.

10. Cookies and Tracking Technologies

Our website and dashboard use:

• Strictly Necessary Cookies: session management, login, security (cannot be disabled). • Functional Cookies: user preferences, language, interface settings. • Analytics Cookies: to understand platform usage (opt-out available). • Marketing Cookies: retargeting pixels on marketing website only, with consent.

A cookie consent banner is displayed on first visit. No non-essential cookies are set before consent. Cookie preferences can be updated at any time.

11. Children's Privacy

UniFlow's services are directed exclusively to businesses (B2B) and not to individuals under the age of 18. UniFlow does not knowingly collect personal data from children. If we become aware that data of a minor has been collected, it will be promptly deleted.

12. Morocco-Specific Provisions (Law 09-08)

UniFlow is registered with the CNDP as required by Law No. 09-08 of February 18, 2009. UniFlow processes personal data of Moroccan residents in compliance with Law 09-08 and Decree No. 2-09-165. Cross-border transfers of Moroccan resident data require CNDP authorization or fall under recognized transfer mechanisms.

13. GDPR-Specific Provisions

UniFlow complies with Regulation (EU) 2016/679 (GDPR) when processing personal data of EU/EEA residents. Data subjects may lodge a complaint with the data protection authority in their EU member state. EU-Morocco transfer mechanisms rely on Standard Contractual Clauses.

14. Changes to This Policy

UniFlow reserves the right to update this policy. Material changes will be notified by email with at least 30 days' advance notice. Continued use after the effective date constitutes acceptance.

15. Contact

For privacy-related questions:

UniFlow (Ezekr SARL) Casablanca, Morocco Email: privacy@uniflow.ma

Moroccan supervisory authority: CNDP — www.cndp.ma