Legal Document

Privacy Policy

How CODOS collects, uses, and protects your information.

Last updated: March 11, 2026
Effective: March 11, 2026
Applies to: codos.ma & all CODOS services

Summary (Plain English)

We protect your data

We never sell your personal data to third parties or use it for advertising.

WhatsApp is for orders only

WhatsApp data is used exclusively for order confirmation and customer support — never for marketing without consent.

You are in control

You can access, export, or delete your data at any time. We comply with GDPR and Moroccan Law 09-08.

1. Introduction

Welcome to CODOS (EGROW) ("CODOS", "we", "our", or "us"). We are a Software-as-a-Service (SaaS) platform designed to help Moroccan e-commerce merchants automate Cash-On-Delivery (COD) order management, including WhatsApp-based order confirmations, courier integrations, and business analytics.

This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you use our platform at https://codos.ma, including all related subdomains, APIs, and services (collectively, the "Service").

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

This policy covers two types of data subjects:

Merchants — businesses and individuals who create a CODOS account to manage their orders.

End Customers — customers of our merchants whose order data is processed through the CODOS platform on behalf of the merchant.

2. Who We Are

CODOS (EGROW) is the data controller for merchant account data and a data processor for end-customer data processed on behalf of merchants.

Data Controller Information

Company: CODOS (EGROW)
Website: https://codos.ma
Privacy Contact: privacy@codos.ma
Jurisdiction: Morocco
Regulatory Framework: Moroccan Law 09-08, GDPR (where applicable)
WhatsApp Business API: Meta Platforms, Inc. (Partner)

3. Information We Collect

3.1 Information You Provide Directly (Merchant Data)

  • Account registration: full name, business name, email address, phone number, password (stored as bcrypt hash)
  • Business profile: store name, logo, store URL, platform type (Shopify, YouCan, WooCommerce)
  • Payment and subscription information (processed by our payment provider — we do not store full card numbers)
  • Team member information: names, email addresses, and assigned roles
  • Support communications: messages, attachments, and inquiry details sent to our support team
  • Survey responses and feedback submitted voluntarily

3.2 Information Collected Automatically

  • Device and browser information: IP address, browser type, operating system, device identifiers
  • Usage data: pages visited, features used, actions taken, session duration, click paths
  • Log data: server logs, error reports, API request logs with timestamps
  • Authentication events: login timestamps, IP addresses, user agents (for security monitoring)
  • Performance data: response times, error rates (used for service improvement only)

3.3 Order and Customer Data (Processed on Behalf of Merchants)

When merchants use CODOS to manage their orders, the following end-customer data is processed on the merchant's behalf:

  • Customer name and phone number (required for WhatsApp confirmation)
  • Delivery address: city, region, and full address
  • Order details: product names, quantities, prices, order reference numbers
  • Order status history and delivery tracking information
  • WhatsApp message exchange records (sent and received messages related to order confirmation)
  • Call log records when call center agents interact with customers
  • Risk assessment scores derived from order and behavioral patterns

3.4 Integration Data

  • Shopify / YouCan / WooCommerce: store access tokens (encrypted at rest), product catalog, order data
  • WhatsApp Business API: phone number ID, business account ID, access tokens (encrypted), message delivery status
  • Courier APIs: API credentials (encrypted), shipping manifests, tracking data

We do NOT collect

We do not collect biometric data, government ID numbers, financial account numbers, or any special categories of personal data under GDPR Article 9.

4. How We Use Your Information

We use the information we collect for the following purposes, each grounded in a lawful basis:

Purpose | Lawful Basis
Providing and maintaining the Service | Contract performance
Sending WhatsApp order confirmation messages to end customers | Legitimate interests of the merchant / Contract
Pushing confirmed orders to courier providers | Contract performance
Generating analytics, reports, and business insights | Contract performance / Legitimate interests
Fraud detection and risk scoring | Legitimate interests (protecting merchants from financial loss)
Account authentication and security (2FA, session management) | Contract / Legal obligation
Sending transactional emails (order reports, system alerts) | Contract performance
Responding to support requests | Contract performance / Legitimate interests
Compliance with legal obligations | Legal obligation
Improving and developing the Service | Legitimate interests
Detecting and preventing abuse and security incidents | Legitimate interests / Legal obligation

We will NEVER use your data for

Selling personal data to third parties · Advertising or remarketing · Profiling for non-operational purposes · Any purpose not stated in this policy

5. WhatsApp Business API & Meta Platform

WhatsApp Business API — Meta Platform Compliance

CODOS uses the WhatsApp Business API provided by Meta Platforms, Inc. This section describes our specific obligations and practices under Meta's Platform Policies and Terms of Service.

5.1 Permitted Uses of WhatsApp / Meta Data

CODOS uses the WhatsApp Business API exclusively for the following permitted purposes:

  • Sending transactional order confirmation messages to end customers on behalf of merchants
  • Receiving and processing customer replies to order confirmation messages
  • Sending order status updates (e.g., "Your order has been shipped")
  • Providing customer support related to specific orders
  • Enabling merchants to manually respond to customer inquiries within the WhatsApp interface

5.2 Prohibited Uses — Strict Compliance

CODOS strictly prohibits and technically prevents the following uses of WhatsApp Business API data:

  • Using WhatsApp data for advertising, marketing, or promotional purposes without explicit customer opt-in
  • Sharing WhatsApp conversation data with third parties for profiling or targeting
  • Storing or using WhatsApp phone numbers for purposes unrelated to the originating order
  • Re-using customer phone numbers obtained via WhatsApp to contact customers outside of WhatsApp
  • Scraping or bulk-exporting customer phone numbers from WhatsApp conversations
  • Using WhatsApp data to train AI or machine learning models without explicit consent
  • Any use that violates Meta's Platform Policies, Terms of Service, or Community Standards

5.3 Data Processed via WhatsApp Business API

  • Customer phone numbers (used solely to send order confirmation messages)
  • Message content of confirmations sent and replies received
  • Message delivery status (sent, delivered, read)
  • WhatsApp Business Account metadata (phone number ID, business account ID)
  • Webhook events received from Meta (message status updates, incoming messages)

5.4 Meta as a Data Processor

When CODOS sends messages via the WhatsApp Business API, Meta Platforms, Inc. acts as a sub-processor and processes message data according to Meta's own Privacy Policy and Data Processing Terms. CODOS has entered into the required Data Processing Addendum with Meta.

Meta's Privacy Policy is available at: https://www.facebook.com/privacy/policy/

5.5 Customer Opt-Out from WhatsApp Messages

End customers who no longer wish to receive WhatsApp order confirmation messages may opt out by replying "STOP" to any message. Upon receiving this reply, CODOS will:

  • Immediately flag the customer's number as opted-out in our system
  • Stop sending automated WhatsApp messages to that number
  • Notify the merchant of the opt-out status
  • Retain the opt-out record to prevent future messages (legitimate interest to honor the opt-out)

5.6 Message Templates

All message templates used with the WhatsApp Business API are pre-approved by Meta before use. CODOS ensures all templates comply with Meta's Message Template Guidelines and do not contain misleading, promotional, or prohibited content.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

6.1 Service Providers (Sub-Processors)

Provider | Purpose | Data Shared
Meta Platforms, Inc. | WhatsApp Business API message delivery | Phone numbers, message content
Shopify / YouCan / WooCommerce | Order data synchronization (merchant-configured) | Order data, product data
Courier Partners (Amana, Kargo, SendIt, etc.) | Shipment creation and tracking | Customer name, address, phone, order reference
Resend / Email provider | Transactional emails and reports | Merchant email address
PostgreSQL Database (self-hosted) | Data storage | All platform data (encrypted at rest)
OpenAI (optional AI features) | Risk analysis and intent detection | Anonymized order patterns only

6.2 Merchant-to-Customer Data Flows

Merchants who use CODOS are themselves data controllers for their customers' data. CODOS acts as a data processor on behalf of the merchant. Merchants are responsible for ensuring they have a lawful basis to process their customers' data through CODOS, including obtaining any necessary consents.

6.3 Legal Disclosures

We may disclose personal data if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to:

  • Comply with applicable law or legal process
  • Protect the rights, property, or safety of CODOS, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues
  • Enforce our Terms of Service

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of CODOS's assets, personal data may be transferred as part of that transaction. We will notify affected users via email or prominent notice on our website prior to any such transfer.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, and in accordance with applicable law.

Data Type | Retention Period
Merchant account data | Duration of active account + 30 days after account deletion request
Order data and customer records | Duration of merchant subscription + 90 days
WhatsApp message logs | 12 months from message date
Authentication logs (login, IP, 2FA) | 12 months
Audit logs | 24 months
Support communications | 3 years from ticket closure
Billing and payment records | 7 years (legal / tax obligation)
Anonymized analytics data | Indefinitely (no personal identifiers)
Opt-out records (WhatsApp STOP) | Indefinitely (to honor the opt-out)
Backup copies | Up to 30 days after deletion request

When data is no longer needed, we securely delete or irreversibly anonymize it. Deletion requests are processed within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. We honor these rights for all users regardless of location.

  • Right of Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction: Request that we limit how we process your data.
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right Against Automated Decisions: Not be subject to solely automated decisions with significant effects.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based.

How to Exercise Your Rights

To exercise any of these rights, submit a request to privacy@codos.ma. Merchants may also access most rights directly from the dashboard under Settings → Account → Export / Delete.

We will respond within 30 days. We may ask you to verify your identity before processing the request. If you are dissatisfied with our response, you have the right to lodge a complaint with the Moroccan Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) or your local data protection authority.

9. Data Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, or alteration.

Technical Measures

  • All data transmitted over HTTPS with TLS 1.2+ encryption
  • Data at rest encrypted using AES-256-GCM
  • Sensitive fields (API keys, TOTP secrets, tokens) individually encrypted in the database
  • Passwords stored as bcrypt hashes (never stored in plaintext)
  • Refresh tokens stored as SHA-256 hashes with expiration and revocation support
  • Two-factor authentication (TOTP) available for all merchant accounts
  • IP-based rate limiting on all authentication endpoints
  • Suspicious login detection with email alerts for new locations
  • Session management with per-device revocation capability
  • Automated daily encrypted database backups to secure cloud storage
  • Admin portal access restricted to allowlisted IP addresses in production

Organizational Measures

  • Principle of least privilege — employees access only data required for their role
  • All team members with data access are bound by confidentiality obligations
  • Security incident response procedure with 72-hour GDPR notification timeline
  • Regular security dependency audits

Security incident notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

10. Cookies & Tracking Technologies

CODOS uses a minimal set of cookies and local storage entries to operate the Service. We do not use advertising cookies or third-party tracking pixels.

Name | Type | Purpose | Duration
token | localStorage | Stores JWT access token for authentication | Session (15 minutes)
refresh_token | localStorage | Stores refresh token for silent re-authentication | 30 days
rt | httpOnly Cookie | Secure refresh token for admin portal | 30 days
NEXT_LOCALE | Cookie | Remembers user language preference | 1 year
suspended_reason | Cookie | Temporary flag for suspended account notice | 24 hours

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking scripts on our platform.

11. Children's Privacy

CODOS is a business-to-business (B2B) service intended exclusively for adults operating e-commerce businesses. We do not knowingly collect personal data from individuals under the age of 18.

If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@codos.ma and we will promptly delete that information.

12. International Data Transfers

CODOS is based in Morocco. Our primary data storage infrastructure is located in Morocco and the European Union (EU-based cloud regions where applicable).

When we engage sub-processors located outside Morocco (such as Meta Platforms, Inc., headquartered in the United States), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with each sub-processor
  • Adequacy decisions where recognized by the European Commission
  • Binding Corporate Rules where applicable

By using CODOS, you acknowledge that your data may be processed in countries outside Morocco or your home country. We ensure all such transfers comply with Moroccan Law 09-08 and, where applicable, GDPR Chapter V requirements.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Last updated" date at the top of this page
  • For material changes: send an email notification to all active merchant accounts at least 14 days before the changes take effect
  • For significant changes affecting your rights: display a prominent notice within the CODOS dashboard
  • Maintain an accessible version history of prior policy versions upon request

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should delete your account before the effective date.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy & Data Protection

Response Time: Within 30 days (GDPR) / 48 hours (urgent)

Company: CODOS (EGROW)

Address: Morocco

Regulatory Authorities

Morocco: CNDP — Commission Nationale de Contrôle de la Protection des Données Personnelles (www.cndp.ma)

EU (where applicable): Your local Data Protection Authority (DPA) (edpb.europa.eu)

For WhatsApp / Meta platform-related privacy inquiries specifically regarding the use of the WhatsApp Business API, you may also contact Meta directly through their Data Subject Request Portal.

This Privacy Policy was last updated on March 11, 2026 and is effective as of March 11, 2026.

© 2026 CODOS (EGROW). All rights reserved.