PRIVACY POLICY

Last Updated: January 1, 2025

1. INTRODUCTION

This Privacy Policy describes how Wellys Pharma ("Company," "we," "us," or "our"), a company incorporated under the laws of Morocco, collects, uses, processes, and protects personal data in connection with the Wellys Pharma software platform ("Service" or "Platform").

This Policy applies to all users of the Service, including pharmacy businesses, pharmacists, staff members, and end customers whose data may be processed through the Platform.

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of personal data as described herein.

2. LEGAL FRAMEWORK

2.1 Applicable Law

Data processing activities are governed by:

• Moroccan Law 09-08 concerning the protection of individuals with regard to the processing of personal data
• Applicable regulations issued by the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)
• Relevant provisions of Moroccan commercial and civil law

2.2 Data Controller

Wellys Pharma acts as the data controller for personal data processed through the Service. The Company determines the purposes and means of processing personal data.

2.3 Customer Responsibilities

Customers using the Service act as independent data controllers with respect to the personal data they collect and input into the Platform. Customers are solely responsible for:

• Obtaining all necessary legal bases and consents for data collection
• Ensuring compliance with Moroccan Law 09-08 and all applicable data protection laws
• Informing their own customers and employees about data processing activities
• Responding to data subject rights requests from individuals whose data they process

The Company assumes no responsibility for the legality of Customer data collection practices.

3. TYPES OF DATA COLLECTED

3.1 Account and Business Data

When you register for the Service, we collect:

• Business name and registration information
• Primary contact information (name, email address, phone number)
• Billing address and payment information
• Authorized user names and email addresses
• Business license or registration numbers (if required)

3.2 Customer Data Inputted by Users

Customers may input the following types of personal data into the Platform:

Client Data:

• Customer names
• Phone numbers
• Email addresses
• Purchase history and transaction records

Employee and Staff Data:

• Pharmacist names and credentials
• Staff member contact information
• User access credentials
• Activity logs and usage records

Inventory and Business Data:

• Product information
• Stock levels and inventory records
• Supplier information
• Sales analytics and reports

3.3 Automatically Collected Data

We automatically collect certain technical data, including:

• IP addresses and device identifiers
• Browser type and operating system
• Access times and usage patterns
• Log files and error reports
• Cookies and similar tracking technologies (see Cookie Policy)

3.4 Communications Data

We retain records of:

• Customer support inquiries and correspondence
• Email communications with users
• System notifications and alerts

4. PURPOSES OF DATA PROCESSING

4.1 Service Provision

We process personal data to:

• Provide, operate, and maintain the Service
• Create and manage user accounts
• Process payments and billing
• Deliver customer support and technical assistance
• Send service-related notifications and updates

4.2 Service Improvement

We may use data to:

• Analyze usage patterns and improve functionality
• Develop new features and services
• Conduct research and analytics
• Detect and prevent bugs, errors, and security vulnerabilities

4.3 Legal and Security Purposes

We process data as necessary to:

• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and policies
• Protect against fraud, abuse, and security threats
• Respond to legal requests and court orders

4.4 Business Operations

We may process data for:

• Accounting and financial reporting
• Business planning and analytics
• Mergers, acquisitions, or asset sales

5. CROSS-BORDER DATA TRANSFER

5.1 Data Storage Location

IMPORTANT NOTICE: All Customer Data is hosted on servers located in Germany (European Union).

By using the Service, you expressly consent to the transfer of personal data outside of Morocco to the European Union for storage and processing.

5.2 Legal Basis for Transfer

Cross-border transfers are conducted pursuant to:

• Your explicit consent to these terms
• Necessity for performance of the contract between you and Wellys Pharma
• Compliance with Moroccan Law 09-08 regarding international data transfers

5.3 Data Protection Standards

The Company maintains appropriate technical and organizational measures to protect data transferred to the European Union. However, data protection standards in the EU may differ from those in Morocco.

5.4 No Disclosure of Hosting Provider

For security and operational reasons, we do not disclose the identity of our third-party hosting providers. These providers operate under strict confidentiality and data protection obligations.

6. DATA SHARING AND DISCLOSURE

6.1 No Sale of Personal Data

We do not sell, rent, or trade personal data to third parties for marketing purposes.

6.2 Service Providers

We may share data with trusted third-party service providers who assist in operating the Service, including:

• Cloud hosting providers (EU-based servers)
• Payment processors
• Email and communication service providers
• Analytics and monitoring tools

These providers access personal data only as necessary to perform their functions and are obligated to maintain confidentiality.

6.3 Legal Requirements

We may disclose personal data when required by law, including:

• Compliance with court orders, subpoenas, or legal processes
• Response to requests from Moroccan regulatory authorities or the CNDP
• Protection of our legal rights and interests
• Prevention of fraud, abuse, or criminal activity

6.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, personal data may be transferred to successor entities. You will be notified of any such transfer.

6.5 No Other Third-Party Sharing

Except as described above, we do not share personal data with third parties without your explicit consent.

7. DATA RETENTION

7.1 Retention Periods

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

• Account data: Retained for the duration of the active subscription plus applicable legal retention periods
• Customer Data: Retained as long as the Customer maintains an active account
• Transaction records: Retained in accordance with Moroccan accounting and tax law requirements (typically 10 years)
• Support communications: Retained for up to 3 years

7.2 Deletion Upon Termination

Upon termination or expiration of your subscription:

• We may delete Customer Data without prior notice
• Account data may be retained for legal, accounting, or security purposes
• You are solely responsible for exporting data before termination

7.3 No Obligation to Retain Data

The Company has no obligation to retain, back up, or provide access to Customer Data following account termination. You are solely responsible for maintaining independent backups.

8. DATA SECURITY

8.1 Security Measures

We implement industry-standard technical and organizational measures to protect personal data, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Employee training on data protection practices
• Incident response and breach notification procedures

8.2 No Absolute Security

IMPORTANT: No method of transmission or storage is completely secure. Despite our security measures, we cannot guarantee absolute security of personal data.

8.3 Disclaimer of Liability for Breaches

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY SHALL NOT BE LIABLE FOR ANY DATA BREACHES, UNAUTHORIZED ACCESS, OR SECURITY INCIDENTS, INCLUDING ANY RESULTING DAMAGES, LOSSES, OR REGULATORY CONSEQUENCES.

You acknowledge that use of the Service involves inherent security risks, and you assume all such risks.

8.4 Customer Security Responsibilities

You are responsible for:

• Maintaining the confidentiality of your account credentials
• Implementing appropriate security measures for your own systems
• Promptly notifying us of any suspected security incidents

9. DATA SUBJECT RIGHTS

Under Moroccan Law 09-08, individuals whose personal data is processed may have certain rights, subject to legal limitations.

9.1 Rights of Individuals

Data subjects may have the right to:

• Access: Request confirmation of whether we process their personal data and obtain a copy
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of personal data in certain circumstances
• Objection: Object to certain types of data processing
• Restriction: Request restriction of processing in certain circumstances

9.2 Exercising Rights

To exercise data subject rights, individuals should contact:

Wellys Pharma
Email: [Data Protection Contact to be inserted]

We will respond to requests in accordance with Moroccan Law 09-08 and applicable regulations.

9.3 Verification and Limitations

We may require verification of identity before fulfilling data subject requests. Certain requests may be denied or limited pursuant to legal exceptions or overriding legitimate interests.

9.4 Customer Responsibility for Employee/Client Requests

Customers are solely responsible for responding to data subject rights requests from their own employees, clients, or other individuals whose data they have inputted into the Service.

The Company is not responsible for facilitating such requests. Customers must independently manage data subject rights for data they control.

10. CHILDREN'S PRIVACY

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete such information.

11. INTERNATIONAL USERS

The Service is currently offered exclusively within Morocco. Users accessing the Service from outside Morocco do so at their own risk and are responsible for compliance with local laws.

12. COOKIES AND TRACKING TECHNOLOGIES

The Service uses cookies and similar tracking technologies. For detailed information, please refer to our Cookie Policy.

13. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. Changes will be effective upon:

• Posting the updated Policy on our website
• Sending email notification to registered users

The "Last Updated" date at the top of this document indicates when the Policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated Policy.

14. THIRD-PARTY DEVELOPER

14.1 Independent Development

The Software was developed by an independent freelance developer who has no ongoing relationship with users and is not a party to this Privacy Policy.

14.2 No Developer Liability

The developer bears no responsibility or liability for data processing, security, privacy compliance, or data breaches. All data protection obligations rest solely with Wellys Pharma.

14.3 Termination of Developer Involvement

All developer obligations and involvement definitively ended on January 1, 2025. The developer has no access to personal data and no role in data processing activities.

15. CONTACT INFORMATION

15.1 Privacy Inquiries

For questions about this Privacy Policy or our data processing practices, contact:

Wellys Pharma
Email: contact@wellys.ma

15.2 Data Protection Authority

If you believe your data protection rights have been violated, you may file a complaint with:

Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP)
Avenue Annakhil, Hay Riad
Rabat, Morocco
Website: www.cndp.ma

16. DISCLAIMER OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY MOROCCAN LAW:

• The Company provides no warranties regarding data security or privacy protection
• The Company shall not be liable for data breaches, unauthorized access, or data loss
• The Company shall not be liable for Customer non-compliance with data protection laws
• The Service is provided "AS IS" with respect to data protection and security

Customers assume all risks associated with data processing through the Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of personal data as described herein.