1. Introduction
Qleven is a SaaS (Software as a Service) platform designed for the comprehensive management of beauty, aesthetic, and health centers. Our platform provides tools for appointment scheduling, client management, billing, marketing, analytics, and connected equipment control (IoT).
This Privacy Policy describes how Organicare Sarlau SL (hereinafter "Qleven", "we", "our", "us") collects, uses, stores, and protects personal data in connection with the operation of the Qleven platform and its integration with the WhatsApp Business API.
This policy applies to all users of the Qleven platform, including center managers, professionals, administrative staff, and end recipients of communications sent through our platform.
2. Data controller
The data controller for personal data collected through the Qleven platform is:
Organicare Sarlau SL
Al Adarissa 151MM D-9 Magasin N-1 Perles De California, Casablanca, 20460, Morocco
Email: contact@qleven.com
Phone: +212 622742529
Data Protection Officer (DPO): contact@qleven.com
3. Data we collect
3.1 Account data
Full name, email address, phone number, role within the center (administrator, professional, receptionist), information related to the center or clinic (name, address, tax identification number).
3.2 Usage data
Features used, configuration preferences, session logs (login/logout dates, duration), interactions within the platform.
3.3 Technical data
Browser type and version, IP address, operating system, device identifiers, approximate geolocation data (country/region derived from IP address).
3.4 WhatsApp message data
Content of messages sent and received through the WhatsApp Business API, message delivery and read status, phone numbers of recipients, message template identifiers used.
3.5 WhatsApp metadata
Send and receive timestamps, template identifiers, conversation types (user-initiated, business-initiated), conversation session identifiers.
4. How we collect data
4.1 Direct collection
Information provided during registration, account setup, form completion, or direct communication with our support team.
4.2 Automatic collection
Data collected automatically through cookies, server logs, and similar tracking technologies during your use of the platform.
4.3 Third-party sources
Data received from Meta Platforms, Inc. through the WhatsApp Cloud API, including message delivery statuses, read notifications, and conversation metadata.
5. Purpose of processing
- Provision and maintenance of the Qleven platform and its features
- Appointment management and scheduling for centers
- Sending WhatsApp Business messages on behalf of our professional clients (appointment confirmations, reminders, marketing campaigns)
- Billing, package management, and payment processing
- Analytics and report generation to help centers optimize their operations
- Platform security, fraud prevention, and detection of unauthorized access
- Continuous improvement of our services and development of new features
- Compliance with legal and regulatory obligations
6. Legal basis for processing (GDPR)
6.1 Contractual necessity
Data processing is necessary for the performance of the service agreement between Qleven and its professional clients, including account management, appointment scheduling, and the provision of all platform features.
6.2 Consent
We rely on explicit consent for marketing communications, sending WhatsApp messages to end users on behalf of our clients, and the placement of non-essential cookies. Consent may be withdrawn at any time.
6.3 Legitimate interests
We process certain data based on our legitimate interests, including platform security, fraud prevention, service improvement, and the generation of anonymized usage statistics. We systematically assess that these interests do not override your fundamental rights and freedoms.
6.4 Legal obligation
Certain processing activities are necessary to comply with our legal obligations, including the retention of accounting and tax records and compliance with applicable regulatory requirements.
7. WhatsApp Business API disclosures
Qleven operates as a Meta Tech Provider using the WhatsApp Cloud API to enable beauty, aesthetic, and health centers to communicate with their clients through WhatsApp Business.
7.1 Roles and responsibilities
Centers using Qleven are the data controllers for their WhatsApp conversations with end users. Qleven acts as a data processor on behalf of these centers. Meta Platforms, Inc. is a separate sub-processor for the messaging infrastructure.
7.2 Message processing
Message content and metadata are processed through Meta's infrastructure in accordance with the WhatsApp Business API terms of service. Qleven processes this data exclusively to provide the messaging service to its clients.
7.3 End-user consent
Sending WhatsApp messages to end users requires their prior explicit consent (opt-in). Qleven's client centers are responsible for obtaining and managing this consent in compliance with WhatsApp Business Policies and applicable regulations.
7.4 Message templates
Message templates used through Qleven must comply with Meta's WhatsApp Business Policy. All templates are subject to Meta's approval before use.
7.5 Encryption
End-to-end encryption is maintained for messages between users and businesses in accordance with the WhatsApp security protocol.
8. Data sharing and third parties
We share personal data only with the following third parties, strictly as necessary for the provision of our services:
8.1 Meta Platforms, Inc.
WhatsApp Cloud API infrastructure for professional messaging. Shared data is limited to message content, recipient phone numbers, and delivery metadata.
8.2 Vercel Inc.
Application hosting (European Union region). Vercel processes HTTP request data in connection with providing hosting infrastructure.
8.3 Supabase Inc.
Database hosting and file storage (European Union region). Supabase processes stored data in connection with providing database services.
We never sell personal data to third parties. We do not share data for third-party advertising purposes.
9. International data transfers
Personal data is primarily hosted within the European Union (Vercel EU and Supabase EU infrastructure).
Where data transfers to the United States are necessary (notably through Meta's infrastructure for WhatsApp messaging), such transfers are governed by the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses (SCCs), in accordance with Articles 46 and 47 of the GDPR.
We regularly assess the data protection safeguards provided by each of our sub-processors to ensure that an adequate level of protection is maintained.
10. Data retention
We retain personal data for as long as necessary to fulfill the purposes described in this policy, according to the following retention periods:
| Data type | Retention period | Justification |
|---|---|---|
| Account data | Duration of service + 3 years | Contractual obligation and legitimate interest for post-contractual follow-up |
| WhatsApp messages | 90 days (configurable by the center) | Operational necessity; centers can configure a custom retention period |
| Usage logs | 12 months | Platform security, analytics, and service improvement |
| Financial records | 10 years | Legal obligation (tax and commercial legislation) |
Upon expiration of these periods, data is securely deleted or irreversibly anonymized.
11. User rights (GDPR Articles 15-22)
In accordance with the General Data Protection Regulation (GDPR) and Moroccan Law No. 09-08 on the protection of individuals with regard to the processing of personal data, you have the following rights:
Right of access
You may obtain confirmation that your personal data is being processed and access a copy of that data.
Right to rectification
You may request the correction of inaccurate or incomplete personal data.
Right to erasure
You may request the deletion of your personal data (right to be forgotten), subject to legal retention obligations.
Right to restriction of processing
You may request the restriction of the processing of your data under certain circumstances provided by applicable regulations.
Right to data portability
You may receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.
Right to object
You may object to the processing of your personal data based on legitimate interest, including profiling.
Right to withdraw consent
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint
You have the right to lodge a complaint with the Commission Nationale de controle de la protection des Donnees a caractere Personnel (CNDP) in Morocco, or with the competent data protection authority in your EU country of residence.
To exercise any of these rights, please contact us at contact@qleven.com. We will respond to your request within 30 calendar days.
12. Data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- TLS (Transport Layer Security) encryption for all data in transit
- AES-256 encryption for data stored at rest
- Strict role-based access controls (RBAC) and multi-tenant isolation by system identifier
- Regular security audits and vulnerability testing
- Documented security incident response procedures
- Access logging and monitoring for detection of anomalous behavior
13. Cookies
The Qleven platform uses cookies to ensure proper service operation (essential authentication and session cookies) and to collect anonymized analytics data aimed at improving user experience.
For detailed information about the types of cookies used, their purposes, and their retention periods, please consult our Cookie Policy.
14. Children's privacy
The Qleven platform is intended for professional use by beauty, aesthetic, and health centers. Our service is not directed at individuals under the age of 16.
We do not knowingly collect personal data from children under 16 years of age. If we discover that we have inadvertently collected data from a minor, we will take the necessary steps to delete such data promptly.
15. Changes to this policy
We reserve the right to modify this Privacy Policy at any time. In the event of a material change, we will notify users by email and through an in-platform notification.
Continued use of the platform following notification of a change constitutes acceptance of the updated policy. We encourage you to review this page regularly to stay informed of any updates.
16. Contact
For any questions regarding this Privacy Policy or the protection of your personal data, you may contact us:
Email: contact@qleven.com
Phone: +212 622742529
Address: Al Adarissa 151MM D-9 Magasin N-1 Perles De California, Casablanca, 20460, Morocco
Data Protection Officer: contact@qleven.com