Webance

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 2026-05-09

This document is a working draft pending counsel review. Questions? Email legal@webance.net.

Webance ("we", "us", "our") is a managed WordPress hosting and maintenance service operated from Morocco. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our website (webance.net) and related services.

We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and Morocco's Loi 09-08 on the protection of personal data.

1. Who we are

Service operator: Hamass El Goumri, sole operator, Casablanca, Morocco.

Contact for privacy questions: privacy@webance.net

2. Data we collect

2.1 Information you give us directly

  • Inquiry / account info: first name, last name, email address, WhatsApp / phone number, country, city, business type, business description, plan preference.
  • Authentication: hashed password (we never see your plaintext password — we store only a bcrypt hash).
  • Onboarding assets (post-payment, optional): your logo, photos, brand color preferences, services list, business hours, special requests.
  • Support communications: the content of any emails or WhatsApp messages you send us.

2.2 Information collected automatically

  • Technical data: IP address, browser user agent, approximate country (geolocated from IP), device type, referring URL.
  • Audit log: timestamps of significant account events (account creation, password changes, login, status updates) — used for security investigation and customer support.
  • Cookies: see Section 8 below.

2.3 Information from third parties

  • Payment processors (Stripe, PayPal): payment confirmation status. We do not receive or store your card or bank details — those are handled entirely by the processor.
  • Bank transfer notifications (CIH Bank, for Morocco customers): payment receipt notifications. Account number is published on our payment page; the bank, not Webance, holds your banking data.

3. How we use your data

We use your personal data only for these purposes:

  • Provide the service — set up and manage your WordPress site, host it, deliver maintenance updates, send transactional emails (welcome, password reset, payment receipts, invoices).
  • Communicate with you — respond to your inquiry, align on project scope, resolve support requests. We may contact you via email, WhatsApp, or phone — using the channels you provided.
  • Process payments — relay your payment to Stripe, PayPal, or our bank, then mark your account paid in our database.
  • Security — detect and prevent fraud, abuse, and unauthorized access (rate limiting, audit log, anomaly review).
  • Legal compliance — keep records required by tax, accounting, or other applicable law.

We do not use your data for advertising. We do not sell your data. We do not profile you for behavioral marketing.

  • Contract performance — to provide the service you signed up for (account info, billing data, onboarding assets).
  • Legitimate interest — security, fraud prevention, audit logs, technical telemetry. We have evaluated that these interests do not override your rights.
  • Legal obligation — accounting and tax records (Morocco / EU as applicable).
  • Consent — for any optional marketing communications (you opt in explicitly via a checkbox; you can withdraw consent at any time from your account or by emailing privacy@webance.net).

5. Who we share your data with

We share your data only with carefully selected service providers (sub-processors) acting on our behalf:

  • Hosting: Hetzner Online GmbH (Falkenstein, Germany, EU). Stores your account database and your WordPress site files. Hetzner is a GDPR-compliant infrastructure provider.
  • Email delivery: Sendinblue / Brevo (France, EU). Sends transactional emails (welcome, password reset, notifications).
  • Payment processing: Stripe Payments Europe Ltd (Ireland, EU) and PayPal (Europe) S.à r.l. (Luxembourg, EU). Process card and PayPal payments respectively. Each is independently a data controller for the payment data they handle.
  • Bank transfers: CIH Bank (Morocco) — for customers paying by Moroccan bank transfer.

We do not share your data with anyone else, including marketers, advertisers, or data brokers, without your explicit consent — unless required by law (court order, regulatory request) or to protect our legal rights.

6. International data transfers

Your data is stored on EU-based servers (Hetzner, Falkenstein, Germany). Webance operates from Morocco; processing of your data on Webance's servers in the EU and access by the operator from Morocco constitute international transfers under GDPR.

Morocco is recognized as having an adequate level of protection under Loi 09-08 (CNDP-supervised). Where applicable, we rely on the European Commission's Standard Contractual Clauses (SCCs) for transfers from EU sub-processors to Webance.

7. How long we keep your data

  • Active customer accounts: for the duration of your subscription plus 7 years (legal accounting retention requirement under Moroccan / EU tax law).
  • Inactive inquiries (you submitted but never paid): 12 months, then anonymized.
  • Audit log entries: 24 months minimum, longer where required by legal obligation.
  • Backups: retained for 14 days locally (rolling) + 30 days offsite copy.
  • Account deletion request: we soft-delete + anonymize your record within 30 days. Audit logs and accounting records are retained per legal requirements (anonymized where possible).

8. Cookies

We use only essential cookies — those strictly necessary for the service to function:

  • Session cookie (after you log in): a signed JWT stored as an HTTP-only cookie. Lifetime: 30 days, refreshed on use. Deleted on logout.
  • CSRF protection token: prevents cross-site request forgery on form submissions. Session-scoped.

We do not use advertising cookies, third-party tracking pixels, or social-media share trackers. We will introduce privacy-friendly analytics (Plausible, EU-hosted, no personal identifiers) in a later release; you will be given an opt-in choice before any analytics begin.

9. Security

We protect your data through:

  • HTTPS everywhere (TLS 1.2+, automated certificate renewal via Let's Encrypt).
  • Passwords hashed with bcrypt (cost 10) — we never store or log plaintext passwords.
  • AES-256-GCM encryption at rest for sensitive operational credentials (e.g. WordPress admin and database passwords for the sites we manage).
  • SSH-key-only server access. No password logins to our servers.
  • UFW firewall + Fail2ban + rate limiting on public endpoints.
  • Daily backups, 14-day rolling retention, plus offsite copy.
  • Security monitoring + audit log of all account-significant events.

No system is 100% secure. If a security incident affects your data, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by GDPR.

10. Your rights

Under GDPR / Loi 09-08, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data — directly in your account dashboard for most fields, or by contacting us.
  • Erase("right to be forgotten") — request deletion of your account. We will soft-delete and anonymize your record within 30 days, retaining only what we are legally required to keep (accounting records, audit log).
  • Restrict processing while a dispute is being resolved.
  • Object to processing based on legitimate interest.
  • Data portability — request a structured, machine-readable export of your data.
  • Withdraw consent at any time, where consent is the legal basis (e.g. marketing emails — opt out from any email or via your account settings).
  • Lodge a complaintwith a supervisory authority — your local EU Data Protection Authority, the UK Information Commissioner's Office, or Morocco's CNDP.

To exercise any of these rights, email privacy@webance.net. We will respond within 30 days.

11. Children

Webance is a B2B service intended for business owners. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted personal data to us, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. For material changes (new categories of data collected, new sub-processors, changes to your rights), we will notify active customers by email at least 30 days before the change takes effect.

13. Contact

Questions, requests, or complaints about this Privacy Policy: privacy@webance.net

For all other support: see our contact page.