This Privacy Policy explains how personal data is collected, used, and protected when you visit www.mementomorocco.com and use our travel planning and booking services.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018.
The controller responsible for data processing on this website is:
Memento Universe Ltd
27 Old Gloucester Street, London, WC1N 3AX
United Kingdom
Company registered in England and Wales
Email: contact@mementomorocco.com
Director: Mr. Badr-Eddine Rachadi
This website is hosted on dedicated servers provided by Hetzner Online GmbH. Data is stored exclusively on servers located in Finland (European Union).
This ensures an adequate level of data protection in accordance with EU and UK data protection laws. Hetzner implements appropriate technical and organisational security measures.
We have concluded a Data Processing Agreement (DPA) with Hetzner in accordance with Article 28 UK GDPR / EU GDPR.
This website uses WordPress as a content management system. Personal data is processed only to the extent necessary to ensure website functionality and security.
We use Elementor Pro and Crocoblock for website design and functionality. These tools are configured to operate without transmitting personal data to third parties.
We use WooCommerce and JetBooking to manage bookings and process payments on this website.
When you make a booking, the following personal data is collected and hosted on our servers:
Legal basis: Article 6(1)(b) UK GDPR / EU GDPR (performance of a contract).
Payments are securely processed through third-party providers:
We do not store or have access to your full payment details (such as credit card numbers). These are processed directly by the payment providers.
PayPal and Stripe may process your data in accordance with their own privacy policies and may transfer data outside the UK or European Economic Area (EEA). Appropriate safeguards, such as Standard Contractual Clauses (SCCs), are used to protect your data.
We have concluded Data Processing Agreements (DPAs) with both PayPal and Stripe.
We use Brevo (formerly Sendinblue), provided by Brevo SAS, 55 rue d’Amsterdam, 75008 Paris, France, to send transactional emails such as booking confirmations and contact responses.
Brevo acts as a data processor under a Data Processing Agreement in accordance with Article 28 UK GDPR / EU GDPR.
Data processed may include:
Emails are saved as logs for a duration of 1 month and are deleted after 1 month.
Brevo processes data primarily within the European Union. Where data transfers occur outside the EU, appropriate safeguards such as SCCs are applied.
When you submit a contact form on our website:
Legal basis: Article 6(1)(b) UK GDPR / EU GDPR (pre-contractual communication).
Retention for non-booking inquiries
If your inquiry does not result in a booking or ongoing client relationship, your personal data will be deleted no later than one year after the last communication, unless a longer retention period is required by law.
We use ALTCHA, a self-hosted, open-source spam protection service, to protect our website from automated submissions and spam. ALTCHA operates entirely on our own servers and does not send any personal data to third parties.
ALTCHA works by generating a cryptographic challenge in your browser, which your device solves locally using a proof-of-work algorithm. This process:
The verification happens in real time and no data is retained on our servers after verification is complete. The cryptographic challenge expires automatically after one hour.
ALTCHA is fully compliant with GDPR, WCAG 2.2 AA accessibility standards, and the European Accessibility Act (EAA). For more information, visit altcha.org.
We use the services of Cloudflare Inc. (USA) and Cloudflare Germany GmbH to protect our website against DDoS attacks, bot attacks, and other forms of abuse. Cloudflare acts as our data processor. A Data Processing Agreement (DPA) has been concluded in accordance with Article 28 UK GDPR / EU GDPR.
As part of these security functions, Cloudflare processes the following data:
The processing is based on our legitimate interest in the security and operational reliability of our website (Article 6(1)(f) UK GDPR / EU GDPR). No data is shared with third parties for their own purposes.
Cloudflare stores security‑related log data typically between 7 and 30 days. Data is compared with other Cloudflare services only for security purposes.
International data transfers: Cloudflare is a US‑based company. Data transfers to the USA are based on the EU-U.S. Data Privacy Framework (DPF), for which Cloudflare is certified (DPF certificate). In addition, the EU Standard Contractual Clauses (SCCs) apply.
Further information: Cloudflare Privacy Policy.
To deliver your travel services, we may share your personal data with trusted third-party partners, including:
This data is shared solely for the purpose of fulfilling your booking and delivering the agreed services.
Legal basis: Article 6(1)(b) UK GDPR / EU GDPR (performance of a contract).
Where your booking requires services to be provided in Morocco, your data may be transferred to partners located in Morocco. Morocco is not the subject of an adequacy decision by the EU or UK.
Such transfers are made on the basis of Article 49(1)(b) GDPR (transfer necessary for the performance of a contract between you and us, or for pre-contractual measures taken at your request).
We ensure that appropriate safeguards (such as confidentiality agreements) are in place with our local partners.
We use cookies to ensure proper website functionality and, where applicable, to analyse website usage.
Cookie consent is managed through Complianz.
You may withdraw or modify your consent at any time via our cookie banner.
This website uses Google Analytics, provided by Google Ireland Ltd.
Google may transfer data to the United States. Such transfers are protected using:
We have concluded a Data Processing Agreement with Google for Google Analytics.
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy.
| Type of data | Retention period |
|---|---|
| Booking-related data | Up to 10 years to comply with legal and tax obligations (e.g. invoices, contracts) |
| Contact form submissions (no booking) | 1 year after last communication |
| Email correspondence | Manually deleted – no fixed retention but subject to your right to erasure |
| Transactional email logs (Brevo) | 1 month |
We implement appropriate technical and organisational measures, including:
GDPR compliant · 8‑hour auto‑deletion · EU hosting (Ireland)
When you use the Chatbot, we collect:
We do not collect payment details, passport numbers, or health information via the Chatbot.
We process conversation data solely to provide a coherent, context‑aware conversation during your active session. The Chatbot needs to remember what you previously said (e.g., “4‑day desert tour from Marrakech”) to give relevant answers.
Legal basis (GDPR Art. 6(1)(f)): Legitimate interest – offering a helpful, personalised assistant that improves user experience. Data is limited, short‑lived, and not used for any other purpose.
Your conversation data is automatically deleted after 8 hours.
All conversation data is stored in a Supabase database located in Ireland (eu‑west‑1). The data never leaves the European Economic Area (EEA).
We use Supabase, Inc. as our data processor. Supabase hosts the database and provides infrastructure (servers, backups, network).
contact@mementomorocco.com.No. The Chatbot only replies to your messages. No automated decisions (e.g., credit checks, tour pricing) are made based on your conversation history.
You have the following rights regarding your personal data:
To exercise your rights, email privacy@mementomorocco.com. We will respond within one month.
We and Supabase implement industry‑standard security measures:
Our Chatbot is not intended for children under 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with conversation data, please contact us and we will delete it immediately.
International transfers: Conversation data is primarily processed within the EU. However, if you request human assistance via email, your data may be transferred to providers outside the EEA (e.g., Google). Such transfers are protected by Standard Contractual Clauses (SCCs) in accordance with GDPR.
Data Controller: Memento Universe Ltd – 27 Old Gloucester Street, London WC1N 3AX, UK
Technical summary: Database hosted on Supabase (Ireland) · Auto‑deletion via Edge Function (cleanup-chatbot) running daily at 02:02 UTC · Signed DPA + SCCs with Supabase · No third‑party advertising or profiling.
We do not use automated decision-making or profiling that produces legal or significant effects concerning you.
The Chatbot responses are generated using a locally hosted large language model (LLM) running on our own server infrastructure.
We also use a self-hosted automation system (n8n) running on our own server to manage workflows such as routing inquiries.
Your data is only processed further if you explicitly request contact or assistance (e.g., asking to speak with a human tour expert).
If you request to be contacted or ask for human assistance, your conversation details may be forwarded to our team via email.
This may involve a transfer of data outside the European Economic Area (EEA). Google processes data under Standard Contractual Clauses (SCCs) in accordance with GDPR requirements.
We only share the minimum necessary information required to respond to your request (e.g., travel preferences or itinerary details).
Under UK GDPR and EU GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation whether your data is processed and request a copy |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data (“right to be forgotten”) |
| Restriction (Art. 18) | Limit processing in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7) | Withdraw any consent you have given at any time |
To exercise any of these rights, please contact us at contact@mementomorocco.com.
You also have the right to lodge a complaint with a supervisory authority, in particular:
Where personal data is transferred outside the UK or European Economic Area (EEA) to a country that has not received an adequacy decision, we rely on one or more of the following safeguards:
We reserve the right to update this Privacy Policy at any time. The “Last updated” date at the top of this page indicates when the latest changes were made. Continued use of the website after changes are posted constitutes acceptance of the revised policy.
If you have any questions or wish to exercise your rights, please contact:
Memento Universe Ltd
Email: contact@mementomorocco.com
© 2026 Memento Universe Ltd — Data protection compliant with UK & EU GDPR
