Privacy Policy

Privacy Policy

Last updated: April 26, 2026

Confirmy helps online sellers confirm cash-on-delivery orders through WhatsApp.

This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and what rights users and customers have under applicable Moroccan data protection law, including Law No. 09-08 on the protection of individuals with regard to the processing of personal data.

1. Who we are

Confirmy is a software service that allows merchants to import cash-on-delivery orders, send WhatsApp confirmation messages, record customer responses, and manage order confirmation status.

For questions about this Privacy Policy or personal data processing, you can contact us at contact@confirmy.ma.

2. Our role

For merchant account data, such as login information, subscription data, billing information, and support requests, Confirmy acts as the data controller.

For customer and order data imported by merchants, Confirmy generally acts as a data processor or service provider. The merchant remains responsible for making sure customer data was collected lawfully and that customers were properly informed that their data may be used for order confirmation.

3. Data we collect and process

We only collect and process data that is necessary to provide, secure, improve, and support the Confirmy service.

3.1 Merchant account data

• Merchant name
• Business name
• Email address
• Phone number
• Login information
• Subscription or billing information
• Support messages
• Technical information related to account usage

3.2 Store and integration data

• Store name
• Store URL or domain
• Store configuration
• API connection status
• Access tokens or technical credentials needed to connect the store
• Order import settings

Access tokens and credentials are used only to provide the requested integration and are protected against unauthorized access.

3.3 Customer and order data

• Customer name
• Customer phone number
• Delivery address
• City or region
• Order reference or order ID
• Order amount
• Payment method
• Ordered products, where needed
• Order status
• Confirmation response
• Confirmation timestamp
• Message delivery or workflow logs

We do not intentionally collect sensitive personal data, such as health data, political opinions, religious beliefs, biometric data, or national identity information.

Merchants must not upload sensitive personal data to Confirmy unless it is strictly necessary, lawful, and agreed with us in advance.

3.4 WhatsApp session and messaging data

• WhatsApp connection or session state
• Message templates
• Message sending status
• Customer replies
• Confirmation logs
• Error logs related to message delivery

We use this data only to operate the confirmation workflow and provide support requested by the merchant.

3.5 Technical and security data

• IP address
• Browser type
• Device information
• Login timestamps
• API request logs
• Error logs
• Security events

This data is used to secure the service, prevent abuse, diagnose technical problems, and improve reliability.

4. How we use personal data

• Creating and managing merchant accounts
• Connecting merchant stores and integrations
• Importing eligible cash-on-delivery orders
• Sending WhatsApp confirmation messages
• Recording customer confirmation, cancellation, or no-response status
• Displaying order confirmation results to merchants
• Providing customer support
• Troubleshooting technical issues
• Preventing fraud, abuse, or unauthorized access
• Maintaining service security
• Meeting legal, accounting, or regulatory obligations

We do not sell customer data. We do not use merchant customer data for unrelated advertising, do not build independent contact lists from it, and do not train AI models on merchant customer or order data unless that is clearly explained, legally allowed, and explicitly agreed in a separate written agreement.

5. Legal basis and merchant responsibility

Merchants are responsible for ensuring that they have a lawful basis to process and share customer and order data with Confirmy for the purpose of confirming orders.

• The customer data uploaded or imported into Confirmy was collected lawfully.
• Customers were properly informed that their data may be used to confirm orders.
• The merchant has the right to contact customers about their orders.
• The merchant will not use Confirmy for spam, illegal marketing, or unauthorized messaging.
• The merchant will comply with applicable ecommerce, data protection, consumer protection, Shopify, WhatsApp, and messaging rules.

6. Data minimization

We try to limit the data we process to what is necessary for the confirmation workflow. We do not require unnecessary data such as national identity numbers, payment card details, personal documents, or sensitive personal information.

7. Data storage and hosting

Confirmy stores production data on servers located in Morocco. Using Moroccan hosting helps keep customer and merchant data within Morocco and reduces the need for international personal data transfers.

If we ever need to use a service provider located outside Morocco, or transfer personal data outside Morocco, we will take the required legal and security measures under applicable law, including any required CNDP declaration, authorization, contractual safeguards, or equivalent protection where applicable.

8. Data sharing

We do not sell personal data. We may share personal data only when necessary with service providers and partners involved in hosting, infrastructure, ecommerce integrations, messaging, billing, technical support, and legal or regulatory compliance.

Any service provider that processes personal data on our behalf must process it only according to our instructions and must apply appropriate security and confidentiality measures.

9. Shopify and ecommerce integrations

If a merchant connects Shopify or another ecommerce platform, Confirmy may use the integration to access only the data needed to provide the order confirmation workflow. We aim to request only the permissions needed for the service, such as reading relevant orders and updating confirmation-related information where necessary.

Merchants can disconnect an integration from their Confirmy account. After disconnection, Confirmy will stop importing new data from that store.

10. WhatsApp communications

Confirmy is used to send order-related WhatsApp messages, such as confirming or cancelling cash-on-delivery orders. Messages should be transactional and related to the order confirmation workflow.

Merchants must make sure they have the right to contact customers through WhatsApp or other messaging channels, and they must not use Confirmy to send spam, unrelated advertising, illegal messages, or messages to people whose contact details were not collected lawfully.

11. Demo data and screenshots

Screenshots, previews, and examples shown on Confirmy marketing pages may use demo data. They do not show real customer records unless this is clearly stated and legally authorized.

12. Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

• Merchant account data: kept while the account is active.
• Customer and order confirmation data: kept only as long as needed for confirmation history, support, fraud prevention, or legal obligations.
• Message and workflow logs: kept for a limited period needed for troubleshooting and proof of service.
• Technical and security logs: kept for a limited period needed for security and diagnostics.
• Billing and accounting data: kept for the period required by applicable accounting and tax laws.
• Deleted or disconnected integration tokens: removed or disabled when no longer needed.

13. Account deletion and disconnection

Merchants may request to disconnect an ecommerce store, delete imported orders, delete WhatsApp session data, delete their Confirmy account, or export available account data.

When an account is deleted, we will delete or anonymize personal data that is no longer necessary, unless we are legally required or allowed to keep it for a limited period.

14. Security

We apply technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

• HTTPS encryption in transit
• Access control for internal tools
• Restricted access to production data
• Protection of API keys and access tokens
• Secure storage of credentials
• Database backup protection
• Monitoring of suspicious activity
• Separation between production and development environments
• Avoiding the use of real customer data in development where possible
• Internal confidentiality rules

No online service can guarantee absolute security, but we work to protect personal data with reasonable and appropriate safeguards.

15. Confidentiality

Confirmy team members, contractors, and service providers who may access personal data are required to respect confidentiality and process data only for authorized purposes.

16. Customer rights

Under applicable Moroccan data protection rules, individuals may have the right to be informed about how their personal data is processed, access their personal data, request correction of inaccurate data, object to certain processing, request deletion or blocking where applicable, and object to the use of their data for commercial prospecting.

If you are a customer of a merchant using Confirmy, you should first contact the merchant because the merchant controls the order relationship. You may also contact Confirmy at contact@confirmy.ma.

17. CNDP and Moroccan data protection compliance

Confirmy aims to process personal data in accordance with Moroccan Law No. 09-08 and applicable CNDP requirements. Where required, Confirmy and or the merchant may need to complete declarations, authorizations, or other formalities with the CNDP before or during personal data processing.

18. International transfers

Confirmy production data is hosted in Morocco. If personal data is transferred outside Morocco in the future, we will take appropriate measures required by applicable law, which may include verifying the recipient country's level of protection, signing appropriate contractual safeguards, or obtaining any required CNDP authorization.

19. Children's data

Confirmy is a business tool for merchants and is not intended for use by children. Merchants should not intentionally upload data relating to children unless they have a lawful basis and all required permissions.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make important changes, we may notify merchants through the dashboard, email, or website. The last updated date at the top of this page shows when the latest version was published.

21. Contact

For privacy questions, data requests, or complaints, contact us at contact@confirmy.ma. We will review privacy requests and respond within a reasonable period according to applicable law.

22. Important note

This Privacy Policy is intended to explain how Confirmy handles data. It does not replace the merchant's own privacy policy, checkout notice, customer consent process, or legal obligations.

Merchants using Confirmy should inform their customers that order data may be processed by a service provider for the purpose of confirming cash-on-delivery orders through WhatsApp or similar communication channels.