en English
  • arArabic
  • enEnglish
  • frFrench
Sign in

Privacy Policy

E‑lumy Privacy Policy

Last edited 09.09.2025

E‑lumy (the “Platform”) is operated by E-lumy S.A.R.L, registered in Morocco. We are committed to protecting your personal data in accordance with Moroccan Law n° 09‑08 on the protection of individuals with regard to the processing of personal data and the rules and guidance of the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).

Important (Morocco/CNDP): Where required, we notify the CNDP of our processing activities and, if applicable, seek prior authorization (including for international data transfers) before starting the relevant processing.

1) Scope

This policy applies to all users of E‑lumy (learners, tutors, administrators, partners and website visitors) and to all personal data collected online or offline in connection with the Platform.

2) Key Definitions (Law 09‑08)

  • Personal data: any information relating to an identified or identifiable person.
  • Processing: any operation performed on personal data (collection, recording, storage, use, transmission, etc.).
  • Controller: the entity that determines the purposes and means of processing.
  • Processor: a third party processing data on behalf of the Controller.

3) What Data We Collect

Depending on how you use the Platform, we may collect:

  • Identification & contact: name, national ID/passport (where required), date of birth, phone, email, address.
  • Account & profile: username, password, profile photo, language preferences.
  • Education data: course enrollments, progress, assignments, assessments, certifications, internship forms and employer reports.
  • Payment data: billing details, transaction IDs, partial card info (tokenized by our payment provider Tap Payments); we do not store full card details on our servers.
  • Support & communications: messages, emails, tickets, call recordings (where applicable).
  • Usage & device: log data, IP address, pages viewed, device/browser information, cookies and similar technologies (see Section 11).
  • Marketing preferences: newsletter opt‑in/opt‑out, consent logs.
  • Special categories (only when strictly necessary and with explicit consent or legal basis): health‑related notes for learning accommodations; we avoid collecting sensitive data unless required for a clear, lawful purpose.

4) Purposes and Legal Bases (Law 09‑08)

We process personal data for the following specific, explicit and legitimate purposes:

  1. Account creation & Platform operation (e.g., delivering courses, tracking progress, issuing certificates) — necessary for the performance of services you request and/or on the basis of your consent.
  2. Payments & invoicing — necessary for contract performance and legal/accounting obligations.
  3. Verification & security (fraud prevention, access controls, platform safety) — legitimate interests and/or legal obligations.
  4. Customer support & communications — necessary for service provision or based on your consent.
  5. Marketing (emails/SMS/push) — only with your prior, specific and informed consent; you can withdraw consent at any time (see Section 7).
  6. Improvement & analytics — legitimate interests to enhance the Platform, using aggregated or pseudonymized data where possible.
  7. Legal compliance — to comply with legal or regulatory requirements or enforce our terms.

Where Moroccan law requires consent (e.g., marketing or certain optional data fields), we will request free, specific, informed and unambiguous consent, separate from the terms of service, and we will record proof of consent. Consent is not a condition to receive the core educational service unless strictly necessary.

5) CNDP Notifications, Authorizations & Records

  • We notify the CNDP of processing operations subject to prior declaration and retain CNDP receipts/acknowledgements.
  • If a processing requires prior authorization (e.g., certain categories of data, specific purposes), we will obtain it before starting the processing.
  • We maintain records of processing activities, including purposes, categories of data/recipients, retention periods, security measures and international transfers.

6) Recipients & Processors

We share data only with:

  • Service providers/Processors (hosting, LMS features, email/SMS, payments, proctoring, analytics, customer support) under written contracts that impose confidentiality, security and CNDP‑compliant obligations.
  • Educational partners/employers strictly as needed to manage internships, assessments and certification workflows (see Section 3), based on your instructions or applicable law.
  • Authorities where legally required or to protect rights, users, or the Platform. We do not sell your personal data.

7) Your Rights (Law 09‑08)

You have the rights to:

  • Information (clear notice at collection time);
  • Access your personal data;
  • Rectification of inaccurate or incomplete data;
  • Opposition to processing for legitimate reasons, and opt‑out of marketing at any time;
  • Withdrawal of consent at any time for processing based on consent, without affecting prior lawful processing.

How to exercise your rights: Email privacy@e‑lumy.com with proof of identity and details of your request. We will respond within the legal timeframe. If you believe your rights are infringed, you may lodge a complaint with the CNDP (see Section 15).

8) Retention

We keep data only as long as necessary for the purposes described and to meet legal/accounting obligations. Typical periods:

  • Account & learning records: for the duration of your account and up to 5 years thereafter (for certificate verification/disputes).
  • Payment/tax records: 10 years.
  • Support tickets and communications: 2 years.
  • Marketing consent logs: for the period of active marketing plus 3 years. After expiry, data are securely deleted or anonymized.

9) Security

We implement appropriate technical and organizational measures (access controls, encryption in transit/at rest where applicable, backups, logging, employee confidentiality, secure development practices and vendor due diligence) to protect data against unauthorized access, alteration, disclosure or destruction.

10) International Data Transfers (Morocco / CNDP)

Personal data may be hosted or accessed outside Morocco only in compliance with Law 09‑08:

  • Transfers are made to countries recognized by the CNDP as providing adequate protectionor subject to CNDP authorization and appropriate safeguards.
  • We document transfer mechanisms and keep related CNDP approvals and contractual clauses with processors/partners.
  • Where required, we will provide you with information about the destination countrylegal basis, and safeguards used.

11) Cookies & Similar Technologies

We use cookies and similar technologies for:

  • Essential functions (authentication, security, session management);
  • Preferences (language, UI settings);
  • Analytics (under legitimate interests, using aggregated/pseudonymized data where possible);
  • Marketing (only with your prior consent where required).

Cookie Consent: On your first visit, our banner explains purposes and allows you to accept, refuse, or customize non‑essential cookies. You can change your preferences at any time via Cookie Settings in the footer. Essential cookies cannot be refused as they are necessary for the service.

12) Children’s Privacy

Our Platform is intended only for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we discover that we have collected personal data from someone under 18, we will delete such data and close the related account.

13) Direct Marketing

We will send you newsletters and promotional messages only if you have given prior consent. You can unsubscribe at any time using the link in our emails or by contacting us (Section 7). Refusing or withdrawing consent does not affect access to the core learning services.

14) Changes to This Policy

We may update this policy from time to time to reflect legal, technical or business changes. We will post the updated policy and change the effective date; for material changes, we will provide clear notice and seek renewed consent where required by law.

15) Contact & Complaints

Controller: E-LUMY S.A.R.L

Email: privacy@e‑lumy.com

CNDP (Morocco): Commission Nationale de contrôle de la protection des Données à caractère Personnel. You may contact the CNDP or file a complaint if you believe your rights under Law 09‑08 are violated. See www.cndp.ma for contact methods and complaint procedures.

16) Consent Collection Statement (for forms/UI)

When you sign up, enroll in a course, or opt‑in to communications, we will present a clear consent request in plain language, separate from the Terms.

We log the date/time, user, source (web/app), and the exact text of the consent, as well as subsequent withdrawals or changes to preferences.

17) Data Hosting & Localization

Our Platform is hosted on GoDaddy servers, which may be located outside Morocco (e.g., in the European Union or the United States). When personal data are hosted or accessed outside Morocco, the rules in Section 10 (International Data Transfers) apply. We ensure that GoDaddy, as our hosting provider, signs and complies with contractual obligations on confidentiality, security, and data protection consistent with Law n° 09-08 and CNDP guidance.

18) Processor Instructions & Confidentiality

All processors only act on our documented instructions, ensure authorized staff are bound by confidentiality, implement appropriate security, assist with rights requests and CNDP compliance, and delete/return data at the end of services.

19) Accountability & DocumentationWe take responsibility for complying with Law n° 09-08 and CNDP requirements and can demonstrate this compliance at any time. In particular, we:

  • Maintain internal policies and procedures governing data protection and security.
  • Provide staff training to ensure that employees and contractors handle personal data appropriately.
  • Keep records of processing activities and copies of CNDP declarations/authorizations.
  • Conduct risk assessments and Data Protection Impact Assessments (DPIAs) where required.
  • Maintain incident response and breach notification procedures.
  • Periodically review and update our compliance program to reflect changes in law, technology, or business operations.