Two texts, one spirit
GDPR (General Data Protection Regulation) is the European regulation. The Moroccan Law 09-08, enforced by the CNDP (National Commission for the Protection of Personal Data), is its Moroccan equivalent. Both pursue the same goal: to govern how a company like Finareo can process personal or sensitive data, and to give the people concerned real control.
For you — a finance leader entrusting us with your company’s flows — here’s what that means in practice.
1. Your data never belongs to us
This is the founding principle. You remain the owner of your data at all times. We process it to deliver a service — anomaly detection, analysis, recommendations — but it never becomes our asset.
Concretely, we cannot:
- Resell it to a third party
- Use it for our own commercial or marketing purposes
- Keep it beyond what’s necessary for our service
- Share it with a partner without your explicit consent
2. You have six concrete rights, exercisable at any time
| Right | What it means in practice |
|---|---|
| Access | You can ask us at any time what data we hold about your company. Response within 30 days. |
| Rectification | If something is incorrect, you can ask us to correct it. |
| Erasure | You can request deletion of your data — within 30 days, except for legal retention obligations (invoices, for example, kept for 10 years). |
| Portability | You can export all your data from the portal in Excel, CSV, or PDF — self-service, without our intervention. |
| Objection | You can object to certain processing (notably AI enrichment), though this may then limit the service we can deliver. |
| Restriction | You can ask us to “freeze” certain processing while a point is being discussed. |
3. Fast notification in case of incident
This is a strong legal obligation under GDPR: if an incident affects your personal data, we must notify you within 72 hours of discovering it. Not in a week. Not after our crisis comms. Within 72 hours.
And what we send must be clear:
- What happened
- Which data is affected
- What the possible consequences are for you
- What we’re doing to limit the impact
For Morocco, in parallel, we also notify the CNDP.
4. The DPA — the written guarantee
The DPA (Data Processing Agreement) is the contract that governs the data side of our relationship. It specifies:
- Which data we process
- For what exact purpose
- For how long
- With which subprocessors (our list is public at /subprocessors)
- Your rights and our obligations
This document is available on request, signed by both parties, and protects you legally well beyond commercial promises.
5. The CNDP in Morocco: where we stand
Our declaration with the CNDP is currently being processed. We’re awaiting the receipt, which we’ll share with our clients as soon as we get it. The declaration covers both Finareo and our parent legal entity (TechCircle).
This step isn’t just a formality — it’s what anchors our practices in Moroccan regulation and obligates us to keep them current.
What changes for you, in one sentence
With GDPR and CNDP, you have the written certainty that:
- Your data remains yours
- You can retrieve or delete it at any time
- You’ll be notified quickly in case of incident
- No hidden use is possible without your consent
These aren’t slogans. They’re rights you can exercise starting tomorrow.
Going further
- Our DPA, available on request at security@finareo.io
- The full list of our subprocessors: /subprocessors
- Our Trust Center: /security