Privacy Policy
Last updated: 21 June 2026
The essentials in plain language
- Your private contact details (phone, email, address) are never displayed on your public profile.
- We only process the data necessary for the account, listings, transactions, trust and security.
- Identity documents, the KYC selfie and the IMEI benefit from restricted, encrypted and logged access.
- We do not sell your data and we do not use third-party advertising trackers.
- You may manage your consents, export your data and exercise your rights; however, certain data is retained where the law or proof of a transaction so requires.
- You remain responsible for the accuracy of the information you provide and the content you publish.
Damji (hereinafter “Damji”, “we”, “our”) operates a mobile-first marketplace dedicated to the purchase, sale and verification of second-hand or refurbished phones and electronic devices in Morocco. This Privacy Policy describes, in accordance with Law No. 09-08 on the protection of natural persons with regard to the processing of personal data, its implementing texts and the requirements of the National Commission for the Control of the Protection of Personal Data (CNDP), what data we collect, why and on what legal basis we process it, with whom we share it, how long we retain it, how we secure it, as well as the rights available to you and how to exercise them. It supplements our Terms of Use, with which it forms a contractual whole. In the event of a discrepancy on a point relating to personal data, this policy prevails. For any question, you may write to us at support@damjitech.com.
Your privacy controls
Retention benchmarks
| Type of data | Stated duration |
|---|---|
| Identity documents and KYC selfie | Up to 90 days after the final decision, then deletion or anonymisation |
| Account, profile and preferences | For the lifetime of the account, then deletion subject to legal retention obligations |
| Messages and communications | For the lifetime of the account and the limitation period for disputes |
| Orders, payments and items of proof (reports, timestamped photos, seals) | 10 years (accounting obligations and obligation to retain correspondence — Articles 22 and 26 of the Code of Commerce — and tax obligations — Article 211 of the General Tax Code) |
| Encrypted IMEI and anti-fraud / anti-theft signals | For as long as necessary to combat theft and fraud, then deletion or anonymisation |
| Consents (selfie, geolocation, push, communications) | Until consent is withdrawn or the account is deleted |
1.1. Data controller and point of contact
The controller of the data collected on the Damji platform is Damji, which alone determines the purposes and means of the processing described in this policy. Until these particulars are provided, this policy may not be regarded as definitively published.
The point of contact dedicated to data protection and to the exercise of your rights can be reached by email at support@damjitech.com. We reserve the right to designate a point of contact or a data protection officer and to publish their details by way of an update to this policy.
Where partners act on our behalf (hosting, payment, logistics, verification, artificial intelligence, notifications), they act as processors or service providers governed by contract. Each remains responsible for compliance with its own legal obligations; Damji is not liable for breaches specific to such third parties beyond what the law imposes.
2.2. Scope and acceptance
This policy applies to all processing of personal data carried out by Damji in connection with the platform (application, website and associated services), for users, visitors, buyers, sellers and service providers.
In the relationship between private buyers and sellers, Damji acts as a technical intermediary and trusted third party, and not as a party to the sale. When a seller publishes data or exchanges messages, the seller remains responsible at its own level; when Damji acts as a seller (for example “Sold by Damji”) or as a verification service provider, it acts in that capacity.
By creating an account or using the service, you acknowledge that you have read this policy. Processing based on your consent (in particular the biometric selfie, geolocation, notifications) is only carried out after that specific and revocable consent has been obtained.
3.3. Data we collect
Account and authentication data: the phone number and/or email address used to create the account and log in (in particular via one-time code or social login), and technical session data. These contact details are stored in our authentication system and are never published.
Public profile data: display name, city, profile photo where applicable, and reputation information (ratings, response time, badges). Only this data identifies you publicly on the platform.
Listing and catalogue data: the model, declared condition (grade), description, photos, price, specifications and passport of the device you publish, as well as the messages and offers exchanged.
Identity verification (KYC) data: a copy of a government-issued identity document (CIN, passport, driving licence or residence permit) and a biometric selfie captured live, when you request to become a verified seller or for certain payments. This collection is only carried out after obtaining the prior authorisation of the CNDP (see section 24).
Device IMEI number: collected for verification and anti-theft purposes; it is stored in encrypted, hashed form and is never displayed in plain text.
Transaction and payment data: orders, offers, handover method, payment status and metadata (the details of payment instruments are processed by authorised payment service providers), delivery addresses when you choose verified shipping.
Messages and communications: the content of conversations exchanged through the platform's messaging, appointment proposals, and support tickets.
Diagnostic and trust data: technical verification results for the device, quality, risk and anti-fraud signals (for example detection of risky wording, duplicate photos, duplicate IMEIs) necessary for the reliability and security of the service.
Geolocation data: approximate location, only if you enable the “nearby” feature. This location is stored locally on your device and is transmitted to our servers only transiently (see section 19).
Technical and usage data: favourites, saved searches, recently viewed items, technical connection identifiers, access logs, device data and security data necessary for the proper functioning and protection of the service.
4.4. Purposes and legal bases of processing
In accordance with Articles 3 and 4 of Law 09-08, each processing operation pursues a specific, explicit and legitimate purpose, and relies on a precise legal basis.
Account creation, connecting buyers and sellers, management of listings, offers, orders and messaging: legal basis = performance of the contract formed by our Terms of Use, which you accept.
Securing transactions and the verified flow (verified handover, escrow where operational, order tracking): legal basis = performance of the contract and Damji's legitimate interest in ensuring the reliability and security of the platform.
Identity verification (KYC), fraud prevention, anti-theft measures, content moderation, visibility and risk scoring: legal basis = legal obligation and Damji's legitimate interest in protecting users, preserving the integrity of the service and preventing unlawful use, while respecting your fundamental rights.
Processing of the biometric selfie, “nearby” geolocation, web push notifications and promotional communications: legal basis = your free, specific, informed consent, revocable at any time.
Accounting and tax retention and dispute management: legal basis = legal obligation and legitimate interest in establishing and retaining proof in the event of a claim, in accordance with section 12.
Service improvement, internal audience measurement and statistics: legal basis = legitimate interest; these processing operations are carried out as far as possible on aggregated or anonymised data (see section 15).
We do not reuse your data for purposes incompatible with those stated without a new legal basis and, where applicable, without completing the required CNDP formalities.
Personalisation of discovery and recommendations (for example the "for you" suggestions, recent and saved searches, favourites and recently viewed items): legal basis = Damji's legitimate interest in presenting you with relevant content, facilitating your browsing and improving the service experience, excluding any third-party advertising tracker. You may object to this processing on legitimate grounds under the conditions of the section relating to your rights.
5.5. IMEI and sensitive data: enhanced protection
The device's IMEI number is processed for security purposes: verification of the device by a technician and combating theft (search by encrypted hash and blacklist). It is stored encrypted in a dedicated vault, is never displayed in plain text and is accessible only to the strictly necessary verification and security processing operations.
The biometric selfie collected during identity verification is processed under a strengthened regime. In accordance with Articles 12 and 21 of Law 09-08 and CNDP Deliberation No. 478-2013 relating to biometric processing, its processing is subject to the prior authorization of the CNDP and is based on your specific consent, distinct from the general acceptance of the Terms, and revocable. It is activated only once this authorization has been obtained.
Access to this sensitive data is restricted, logged and audited: only authorised persons holding the dedicated identity-verification capability may access it, and only for the purpose of anti-fraud control and combating impersonation. All access is traced and may be subject to an internal audit.
6.6. Identity verification (KYC): restricted access, audit and limited retention
When you request verification of your identity, your official document and your live-captured biometric selfie are deposited in a private storage area, access to which is restricted to authorised persons only and systematically logged.
This data is used exclusively to verify that you are indeed the person declared and to prevent fraud and identity theft. It is never made public or shared for commercial purposes.
KYC retention: we undertake to delete or anonymise the identity documents and the biometric selfie no later than 90 days after the final decision on your request (approval or rejection), and in any event no later than the definitive deletion of your account. This period may be adjusted in accordance with the requirements of the CNDP. The decision metadata (date, outcome) may be retained as proof of the control carried out.
7.7. Data accuracy and user undertakings
You warrant that the data you provide (identity, contact details, listings, photos, descriptions, declared condition of the device) is accurate, up to date and lawful, and that you hold the necessary rights over the content you publish, in particular the photographs.
Damji may not be held liable for the consequences arising from inaccurate, misleading, incomplete or unlawful information that you have provided, nor from the use of your account by a third party due to a failure to protect your credentials. You undertake to hold Damji harmless, within the limits permitted by law, against third-party claims arising from content you have published or from a breach on your part.
You are responsible for keeping your data up to date. You may correct it at any time from your account settings or by contacting us.
8.8. Recipients and processors
Your data is accessible only to the persons and service providers who need it for the purposes described, under contractual undertakings of confidentiality and security (Articles 23 to 25 of Law 09-08).
Infrastructure host (Supabase): storage and technical operation of the data necessary for the functioning of the platform.
Artificial intelligence providers (Anthropic Claude, DeepSeek or an equivalent provider): assistance and translation features. For writing-assistance features, the text transmitted is first stripped of contact details (phone, email, social networks). The on-demand translation feature, however, transmits the text of the message exactly as you entered it: therefore do not include in it any contact details or information that you do not wish to be processed by these providers.
Authorised payment service providers: processing of online and escrow payments, when that method is used.
Logistics partners and carriers: shipment of devices as part of verified shipping, from the delivery address.
Technicians and verification points: independent service providers (auto-entrepreneurs, Law 114-13) carrying out the inspection of the device.
Web push notification service (VAPID): sending notifications if you have consented to them.
Public and judicial authorities: under the conditions set out in section 9.
We do not sell your personal data to third parties and we do not rent it for advertising purposes.
We may update the list of our processors and service providers, in particular to replace a provider with an equivalent one offering at least comparable guarantees of confidentiality and security. The list of categories of recipients set out in this section is kept up to date; such a change, provided it does not broaden the described purposes, does not constitute a substantial amendment of this policy. Any international transfers remain subject to CNDP authorisations.
9.9. Cooperation with authorities and legal requisitions
We may be required to disclose certain of your data to administrative, judicial, police, customs, tax authorities or to the CNDP, where the law so requires or in response to a requisition, a court decision or a legally founded request, in particular in the context of combating theft (IMEI searches), fraud or money laundering.
Such disclosures, where legally justified, do not constitute a breach of this policy and do not engage Damji's liability. We limit the disclosure to the data strictly required by the request.
Where the law permits, we may inform you of such a request; we refrain from doing so where the communication of information is prohibited or liable to compromise an investigation.
10.10. Hosting and international data transfer
Our hosting infrastructure (Supabase) and some of our artificial intelligence providers (Anthropic, DeepSeek) may process or store data outside Moroccan territory [hosting country/region to be specified by Damji]. These operations constitute an international transfer of data within the meaning of Articles 43 and 44 of Law 09-08.
In accordance with Law 09-08, this transfer is subject to the prior authorisation of the CNDP, regardless of its internal legal basis. It is only carried out after obtaining that authorisation and under the conditions it sets, taking into account the level of protection ensured in the destination country.
We limit the data transferred to what is strictly necessary and govern these transfers by appropriate contractual undertakings. In particular, the writing-assistance features transmit to the AI providers only text stripped of contact details; the on-demand translation feature transmits the text of the message exactly as you entered it, of which you are informed before using it.
11.11. Retention period
We retain your data for the period necessary for the purposes for which it was collected, in accordance with the proportionality requirement of Article 3 of Law 09-08, and then we delete it or anonymise it irreversibly.
Account and profile data: for the entire period during which the account exists. When you request deletion, your public profile is immediately anonymised; the definitive deletion of the associated data then takes place in accordance with the process described in section 20, subject to legal retention obligations.
KYC data (document and biometric selfie): deleted or anonymised no later than 90 days after the final decision, and in any event no later than the definitive deletion of the account.
Messages and communications: retained for the period necessary for the follow-up of transactions and the limitation period for disputes, and at the latest for the period during which the account exists, subject to the items retained as proof.
Encrypted IMEI and anti-fraud / anti-theft signals: retained for as long as necessary to combat theft and fraud, then deleted or anonymised.
Order and payment data and records necessary as evidence (in particular verification reports, time-stamped photos, numbered seals, logs): retained for 10 years, in accordance with the obligations to retain accounting documents and correspondence (Articles 22 and 26 of the Code of Commerce) and tax records (Article 211 of the General Tax Code). This period also covers the limitation period for disputes (5 years in commercial matters, Article 5 of the Code of Commerce; 15 years under ordinary law, Article 387 of the DOC (Dahir of Obligations and Contracts)), at the end of which the data are deleted or anonymized.
Inactive accounts. In order to respect the principle of proportionality (Article 3 of Law 09-08), an account that has remained inactive — with no login or activity — for a prolonged period [for example thirty-six (36) months] may be anonymised or deleted, after prior notice sent, where possible, to the contact address associated with the account. Data that must be retained under legal or evidential obligations are kept until the end of the applicable periods.
12.12. Retention for evidentiary purposes and probative value
In order to protect users and to be able to establish the reality of transactions, verifications and consents, we retain, on the basis of our legal obligation and our legitimate interest in proof, certain data for the applicable limitation periods, even after a deletion request relating to other data.
The following are retained on this basis in particular: connection and action logs, timestamps, verification reports, timestamped photographs, numbered seals, proof of acceptance of the Terms and consents, as well as order and payment data.
In accordance with Law No. 53-05 on the electronic exchange of legal data, the electronic writings, logs and evidence retained by Damji under conditions capable of guaranteeing their integrity have probative value between the parties. You acknowledge this probative value, without prejudice to your right to provide evidence to the contrary.
13.13. Data security
We implement technical and organizational measures intended to protect your data, in accordance with Articles 23 to 26 of Law 09-08: encryption of the IMEI in a dedicated vault, private storage areas with restricted and audited access for KYC, strengthened measures for sensitive data (Article 24), separation of private data (phone, email) from public data, access control at the database level, logging, contractual oversight of subcontractors (Article 25) and the obligation of professional secrecy of staff and service providers (Article 26).
This security obligation is an obligation of means: since no transmission or storage of data can be guaranteed entirely infallible, Damji cannot be held liable for an incident resulting from an external cause, an event of force majeure, the act of a third party unconnected with the performance of the service, or a failure on your part to protect your credentials. Damji nevertheless remains responsible for its processors acting on its instructions, under the conditions of Article 25 of Law 09-08.
You are responsible for the confidentiality of your login credentials and undertake to notify us without delay of any unauthorised use of your account. We recommend that you use a robust authentication method.
14.14. Limitation of liability relating to data
Within the limits permitted by Moroccan law, Damji's liability in respect of the processing of your data is limited to direct, certain and foreseeable damage, and is capped under the conditions set out in our Terms of Use. In particular, indirect or intangible damage (loss of opportunity, loss of recoverable data, commercial loss) is excluded.
These limitations do not apply in the event of Damji's gross negligence or wilful misconduct, nor to personal injury, nor to non-material harm resulting from an infringement of privacy or of personal data, in particular sensitive data, attributable to Damji, nor to the public-order rights afforded to data subjects by Law 09-08, including the right to compensation, which remain fully applicable. In particular, the liability cap may not deprive the data subject of effective compensation for the harm resulting from such an infringement where it is attributable to Damji. Any clause deemed unwritten does not affect the validity of the other provisions.
Damji is not responsible for processing carried out autonomously by third parties (another user, payment service provider, public authority) outside its instructions.
15.15. Anonymised data and statistics
We may aggregate and anonymise data irreversibly, so that it no longer allows you to be identified. Once anonymised, this data no longer constitutes personal data within the meaning of Law 09-08.
Damji may retain and use this aggregated or anonymised data without time limit for the purposes of service improvement, market analysis, statistics, research and development, including for commercial purposes, without this affecting your rights.
16.16. Cookies, local storage and trackers
To ensure the functioning of the service, we use strictly necessary cookies and local storage: maintaining your session, remembering your language, your display preferences and usage items (favourites, recently viewed items, location choice).
We do not use third-party analytics or advertising trackers to monitor your browsing.
Push notifications are only enabled with your consent, which you may withdraw at any time from your device or browser settings. Disabling the strictly necessary cookies and storage may prevent the platform from functioning properly.
17.17. Messaging: retention and detection of contact details
The messages exchanged through the platform's messaging are retained to ensure the follow-up of transactions, dispute resolution and security, for the durations indicated in sections 11 and 12.
The platform automatically detects the presence of contact details (phone, email, social networks) in messages for fraud prevention and protection of the verified flow. This detection does not block your message: it is transmitted, accompanied by a security warning, and the detection constitutes only an internal moderation signal. This feature relies on Damji's legitimate interest in preventing fraud and circumvention of the secure flow.
Circumventing the verified flow deprives you of the protections described in our Terms of Use; Damji is not responsible for the consequences of an exchange or transaction carried out outside the platform.
18.18. Automated decisions: visibility, moderation, scoring and anti-fraud
To ensure the quality of the catalogue and the security of the platform, we apply partially automated processing: a visibility ranking of listings, a reputation and risk scoring, assisted content moderation, as well as mechanisms for detecting fraud and suspicious listings (for example detection of risky wording, duplicate IMEIs or duplicate photos). These processing operations rely on our legitimate interest in offering a reliable catalogue and a safe environment.
The ranking and visibility of listings fall within an editorial and commercial choice of Damji; they do not produce a legal effect on you and may not be challenged solely on the basis of the position obtained.
Measures producing a real effect on you (for example the removal of a listing or the restriction of an account) are not taken solely on the basis of automated processing: they are subject to human intervention by our teams. You may request explanations regarding a decision concerning you and request a review by a person, by writing to us at support@damjitech.com.
19.19. “Nearby” geolocation
The “nearby” feature uses your approximate location, only if you enable it, to offer you geographically nearby listings. Your consent is required and revocable at any time from your device or application settings.
This location is stored locally on your device in order to retain your display preference. It is transmitted to our servers transiently, only for the time needed to filter and order search results, and is not retained durably on Damji's side after the search has been performed.
20.20. Your rights and how to exercise them
In accordance with Law 09-08, you have a right of access to your data (Article 7), a right of rectification, updating, erasure or blocking (Article 8), a right to object on legitimate grounds, including to commercial solicitation and free of charge (Article 9), a right to deletion or anonymization, as well as the right to withdraw at any time your consent to the processing operations that depend on it.
You may exercise some of these rights directly from your account settings (profile modification, address management, export of your data, account deletion). For any other request, write to us at support@damjitech.com.
In order to protect your data against fraudulent requests, we may ask you to prove your identity before acting on a request to exercise rights. We respond within the time limits provided for by law.
Where a request is manifestly unfounded, excessive or repetitive, we may, within the limits permitted by law, refuse to act on it or make its processing subject to the payment of reasonable fees corresponding to the costs incurred; we then state the reasons for our decision.
Account deletion: when you request it, your public profile is immediately anonymised and your listings are removed. The definitive deletion of the account and associated data (phone, email, messages, addresses) is then carried out, subject to legal retention obligations (accounting and tax obligations, anti-fraud measures, proof in the event of a dispute described in section 12).
The withdrawal of consent (push notifications, geolocation, biometric selfie) does not affect the lawfulness of the processing carried out before that withdrawal. Certain data may be retained despite a deletion request where the law so requires or on the basis of the legitimate interest in proof.
In the event of a persistent disagreement, you have the right to refer the matter to the CNDP (see section 25).
Ratings, reviews and reputation signals concerning you come from other users or result from use of the service and contribute to the integrity and reliability of the platform. As such, they may be retained and continue to be used, where appropriate in a form dissociated from your public identity, notwithstanding a deletion request relating to your other data, the review being the expression of a third party and its retention falling within our legitimate interest in preserving trust between users, without prejudice to your right to object on legitimate grounds under the conditions of this section.
The right of access and the ability to export are exercised within the limits set by law: they concern only the personal data relating to you and cannot extend to data relating to third parties, to information covered by a legally protected secret, or to elements whose disclosure would compromise the security of the platform or the effectiveness of our fraud-prevention and anti-theft mechanisms, in particular the detailed logic of our detection and risk-scoring mechanisms. In these cases, we provide you with the information that can be disclosed without prejudice to those rights and interests.
21.21. Notifications and communications
We send you communications related to the functioning of the service (messages, offers, order tracking, security, appointment reminders) on the basis of the performance of the contract and our legitimate interest; these communications are necessary for the use of the service.
Promotional communications and web push notifications are only sent with your consent, which you may withdraw at any time from your account, device or browser settings, without this affecting service communications.
22.22. Minimum age and minors
The Damji platform is intended for adults. By creating an account and using the service, you declare that you have the legal age required to enter into a contract.
We do not knowingly collect data concerning minors. If we become aware that an account has been created by a minor or that a minor has transmitted data to us, we may suspend or delete the account concerned and proceed to delete the data. If you believe that a minor has transmitted data to us, contact us at support@damjitech.com.
23.23. Data breach
In the event of a personal data breach likely to give rise to a risk to your rights, we take the appropriate measures to remedy it and carry out, where applicable, the notifications required by law and by the CNDP, under the applicable conditions and time limits.
Any information communicated to you on this basis is intended to enable you to take the appropriate measures; it does not constitute an acknowledgement of liability on the part of Damji, which is assessed in light of its legal obligations.
24.24. CNDP formalities and declaration
The processing operations described in this policy are subject to the formalities provided for by Law 09-08 before the CNDP: prior declaration of the processing operations (Articles 12 and 13; a receipt is issued, in principle, within twenty-four hours allowing processing to begin, Article 19) and prior authorization for processing operations subject to a strengthened regime — the biometric KYC selfie (Articles 12 and 21 and CNDP Deliberation No. 478-2013) and the international transfer of data (Articles 43 and 44).
The collection of the biometric selfie and international data transfers are only activated after obtaining the corresponding authorisations from the CNDP.
Declaration receipt reference and CNDP authorization number(s): [to be completed by Damji once the formalities are done].
25.25. Complaints and prior resolution
For any complaint relating to the processing of your data, we invite you to contact us first at support@damjitech.com: we endeavour to provide a response within a reasonable time.
This prior amicable step does not deprive you of your right to refer the matter to the CNDP at any time or to exercise the remedies provided for by law.
26.26. Amendment of this policy
We may amend this Privacy Policy in order to reflect changes to our service or to the regulations. The date of the last update appears at the top of the document.
In the event of a substantial amendment, we will inform you by an appropriate means and, where required, obtain your acceptance or your consent. Continued use of the service after a non-substantial amendment constitutes acknowledgement of the version in force.
27.27. Governing law and jurisdiction
This policy is governed by Moroccan law, in particular Law 09-08 and its implementing texts.
Any dispute relating to its interpretation or performance falls within the jurisdiction of the competent Moroccan courts, without prejudice to the mandatory consumer-protection provisions and the right to refer the matter to the CNDP.
28.28. Contact
For any question relating to this policy or to the processing of your personal data, and for the exercise of your rights, contact us at support@damjitech.com.
Data controller: Damji.
29.29. Data transfer in the event of a corporate operation
As part of the development of its business, Damji may carry out a restructuring, merger, contribution, total or partial transfer of assets, transfer of goodwill or change of control. In such a case, the personal data processed within the platform form part of the assets that may be transferred to the acquirer or beneficiary entity, which then becomes the data controller in place of Damji and remains bound to comply with this policy and with Law 09-08. We will inform you of such a transfer by an appropriate means where the law so requires, and the beneficiary will, where applicable, complete the formalities required with the CNDP. Your rights over your data remain unchanged and enforceable against the beneficiary.