Privacy Policy
How your data is collected, used and protected when you add a loyalty card to your wallet.
Last updated: 2 June 2026.
Who we are
Wafiy is a wallet-native loyalty platform currently operated by an individual under the trading name "Wafiy" (the legal-entity details will be added once it is incorporated). We let Moroccan merchants issue loyalty cards, campaigns and gift cards that live in Apple Wallet and Google Wallet.
When you add a merchant's card, two parties are involved. The merchant you enrolled with decides the purposes of the programme: it is the data controller. Wafiy provides the technology and processes data on its behalf: it is the processor. For its own purposes — the waitlist, dashboard accounts, aggregate platform analytics — Wafiy acts as a data controller.
For any question about your data, write to our data point of contact (direction@wafiy.ma) or contact the merchant directly.
Data we collect
We collect the minimum needed to run your card.
- At enrollment — your name and phone number (required). Your phone number is your card's primary identifier. It lets staff recognise you at the counter, triggers birthday offers, and recovers your card if you change phones.
- Date of birth — optional. Without it, you won't receive a birthday offer. No merchant can require it.
- WhatsApp consent — your choice whether to receive promotional WhatsApp messages.
- Device platform — at enrollment, we detect whether you're on iOS or Android. This lets us deliver the right card (Apple Wallet or Google Wallet) and the right notification channel.
- Programme activity — your stamps, points, cashback, rewards, tiers and gift-card balance, attached to your card.
- Technical data — only what's strictly necessary to operate and secure the service (for example an enrollment-page session identifier). See our cookie policy.
We do not collect bank payment data through your loyalty card, your continuous location, or the contents of your wallet.
How passes work — and what's on them
The card in your wallet contains no personal data.
Your loyalty card lives in Apple Wallet or Google Wallet — no app to install, no account to create. It updates remotely and can appear on your lock screen.
The pass holds only counters (stamps, points, balance), display labels and a barcode. No personal data appears on it. The link from the pass serial number to your name or phone exists only in our secured systems, never on the device. Someone looking at your phone would see a card with stamps — not your contact details.
Lawful basis and consent
The grounds on which we process your data.
- Performance of the service — we need your name and phone to manage your card and provide the loyalty programme you join.
- Consent — we send WhatsApp marketing messages only if you consented at enrollment. You can withdraw that consent at any time (see "Your rights"). Withdrawing it does not affect your card's transactional notifications.
- Legal obligation and performance of the service — security, fraud prevention and retention of audit records required by law, within the limits of Law 09-08.
Notification channels
How we send you updates.
Depending on your device and the type of message, notifications reach you through Apple Wallet, Google Wallet or WhatsApp. Card-related messages (stamp added, reward unlocked) are transactional. Promotional WhatsApp messages go out only if you have consented, and you can withdraw that consent at any time.
Sharing your data
Who we share your data with, and why.
- The partner merchant — the establishment you enrolled with is the data controller and accesses its own customers' data. It never sees another merchant's customers.
- Apple and Google — issuing and updating passes runs through the Apple Wallet and Google Wallet services, as technical processors.
- Meta / WhatsApp — WhatsApp message delivery runs through Meta's infrastructure and, where applicable, a partner WhatsApp solution provider (BSP) established in the European Union — 360dialog (Germany) — bound by a data-processing agreement.
- Hosting and infrastructure providers — only to run the service securely.
These sharing arrangements rest on written processing agreements (Articles 24-25 of Law 09-08): our providers process your data only on our instructions and for the purposes described.
We do not sell your personal data, and we do not share it for third-party advertising.
Retention
We keep your data only as long as the purposes described here require. As a guide: your customer record (name, phone, date of birth) stays while your card is active, then for 24 months after your last activity, before deletion or anonymisation; transaction records are kept for merchant audit but scrubbed of all personal data; proof of marketing consent is kept for the duration of that consent and the applicable limitation period. When you request deletion, we delete your customer record and deactivate the pass.
Hosting and data residency
Your data is hosted in the European Union (Frankfurt, Germany). The transfer from Morocco is subject to the CNDP's prior authorization under Articles 43-44 of Law 09-08. Personal data is encrypted at rest (AES-256) and in transit (TLS), with strictly limited access.
Your rights (Law 09-08)
You stay in control of your data.
Under Moroccan Law 09-08 on the protection of individuals with regard to the processing of personal data, you have the following rights:
- Access — obtain a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Objection — object to a processing activity, in particular marketing. When you object or the purpose ends, we deactivate your card and delete or anonymise your record, subject to retention the law requires.
To exercise them, use our Data access & control page or write to direction@wafiy.ma. We may ask you to confirm your identity, to protect your account. We aim to respond within 30 days of verifying your identity.
Cookies
Wafiy's marketing site uses a limited number of cookies. Public enrollment pages run without marketing tracking. See our cookie policy.
Children
The service is not intended for minors. As the legal age of majority is 18, we do not knowingly collect a minor's data without their legal guardian's consent.
Changes
We may update this policy. The last-updated date appears at the top. For important changes, we will take reasonable steps to inform you.
Contact
Data point of contact: direction@wafiy.ma. You may also contact the merchant you enrolled with directly.