Privacy Policy

The data controller for the Services is Elyra Technologies SARL, registered in the Kingdom of Morocco. Address: UIR Campus, Technopolis, Sala Al Jadida, Rabat-Salé-Kénitra, Morocco.

For privacy inquiries: privacy@elyraride.com. For general support: support@elyraride.com.

Name, email, phone number, and password (hashed). For campus/municipal deployments (e.g., UIR campus), we may collect a University/Student ID to verify eligibility for student rates.

Payment data needed to process ride fees and wallet top-ups (e.g., payment token, last 4 digits, transaction ID). Card details are processed by our PCI-DSS compliant payment provider (Stripe). We do not store full card numbers.

Device location to show nearby vehicles, start/track rides, and enforce geofences. Vehicle location to ensure operational and safety rules (no-ride zones, parking zones).

During rides, Elyra vehicles may collect high-frequency signals (vibration/accelerometer readings, road impact metrics) to detect road conditions such as potholes. We design telemetry data to be separated from your direct identity whenever feasible (aggregation, pseudonymization, and removal of direct identifiers before sharing reports).

Device identifiers, app version, IP address, logs, analytics events, and crash reports.

Messages you send to support and any information you choose to provide.

Account creation, unlocking vehicles, ride tracking, pricing, processing transactions, and refunds.

Anonymized ride data feeds our hazard mapping system. Individual rides are never identifiable in the swarm dataset. We generate aggregated heatmaps, road quality signals, and "City Health" indicators.

Ride receipts, service updates, safety alerts, and policy updates. Marketing emails only with explicit opt-in consent.

Improve safety, prevent fraud/theft, enforce our Terms, and respond to lawful requests per Moroccan Law 09-08.

Providing rides, processing payments, and managing your account.

Security, fraud prevention, service improvement, and infrastructure analytics.

Where you enable optional features such as marketing notifications or certain location permissions.

Accounting, tax, regulatory compliance, and responding to lawful authority requests.

We do not sell your personal information to anyone, ever.

Trusted vendors under contract that help us operate: Stripe (payments, PCI-DSS Level 1, EU), Mapbox (map rendering, anonymous tile requests), HiveMQ (real-time MQTT broker, encrypted telemetry), and select hosting/support providers.

We may share aggregated and anonymized infrastructure reports (pothole heatmaps, road quality summaries) with universities/cities for maintenance planning. We do not share your name, direct contact details, or raw route history with these partners.

We may disclose information if required by law or to protect rights, safety, and security of Elyra, our users, or the public.

Site performance, security, and session management (including State-Sync Cookies for your live dashboard).

Self-hosted analytics to understand site usage and measure real-time latency. We do not serve ads or use third-party ad trackers.

You can control cookies through your browser settings and our cookie banner. See our full Cookie Policy for details.

Retained while your account is active. Deleted or anonymized after you request deletion, subject to legal requirements.

Retained as required for accounting, tax, dispute resolution, and legal compliance (up to 10 years for financial records per Moroccan commercial law).

Retained for ride history, safety, support, and compliance. Raw GPS data is anonymized after 90 days.

Raw telemetry aggregated and stripped of identifiers within 30 days. Aggregated/anonymized data may be retained indefinitely for infrastructure analytics.

Retained for up to 12 months to maintain security and reliability, then purged.

All data in transit uses TLS 1.3. Data at rest is encrypted with AES-256. Database access requires multi-factor authentication.

Role-based access with least-privilege principle. Employee access is logged and audited quarterly.

No system is 100% secure, but we work to protect your information. In the unlikely event of a data breach, affected users will be notified within 72 hours per Moroccan and EU best practices.

Request a copy of all personal data we hold about you. Delivered within 30 days.

Update or correct any inaccurate personal information through the app or by contacting privacy@elyraride.com.

You have the right to object to certain processing of your personal data, including processing based on legitimate interests.

Request complete deletion of your account and associated data. Processed within 30 days, subject to legal retention obligations.

Request your data in a machine-readable format for transfer to another service.

If you believe your privacy rights are not being respected, you may file a complaint with Morocco’s data protection authority: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) — www.cndp.ma.

Some of our service providers (cloud hosting, payment processing) operate outside Morocco. When we transfer personal data internationally, we apply appropriate safeguards consistent with Moroccan Law 09-08, including contractual protections and selecting providers with equivalent data protection standards (e.g., EU/EEA-based infrastructure).

Application hosted on European infrastructure with GDPR-equivalent protections.

Our Services are not intended for children under 18. You must be at least 18 years old to create an account and operate an Elyra vehicle. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Effective Date." For material changes, we will notify you via email or in-app notification.