Privacy Policy
Last updated: April 27, 2026
EC Intelligence (hereinafter referred to as "we", "our", or "EC Intelligence") places the highest importance on protecting the personal data of individuals who use its services. This privacy policy describes how personal data is collected, used, retained, and protected when using:
- the website cleoerp.com,
- the SaaS portal app.cleoerp.com,
- the Cleo ERP instances hosted by EC Intelligence ({client}.cleoerp.com),
- the Cleo Mobile mobile application (Android and iOS), the public release of which is scheduled for 2026.
1. Data Controller
The data controller is:
EXPERTS COMPUTING INTELLIGENCE — SARL
Address: Casablanca, Morocco
Trade Register: 551503
ICE: 003122764000003
Contact email: infos@ecintelligence.ma
Phone: +212 7 71 55 41 10
For any question regarding personal data protection, you can write to infos@ecintelligence.ma indicating "Data Protection" in the subject line.
2. Scope
Cleo ERP is offered through two deployment modes:
- SaaS mode: EC Intelligence acts as a data processor within the meaning of the GDPR on behalf of the client company (data controller). Business data entered into Cleo ERP (employees, customers, suppliers, invoices, payslips, etc.) belongs to the client company, which defines its purposes.
- Self-hosted mode: the client company hosts Cleo ERP on its own infrastructure. EC Intelligence has no access to any client data.
This policy covers data for which EC Intelligence is the data controller, namely:
- data collected via the cleoerp.com website (visitors, prospects, demo requests);
- technical data necessary for the operation of the Cleo Mobile application and the SaaS instances we host.
3. Data Collected
3.1 Data collected via the cleoerp.com website
| Data | Source | Purpose |
|---|---|---|
| First name, last name, business email, phone, position, company, country | Contact and demo request forms | Response to commercial inquiries |
| Browsing data (pages visited, duration, referrer) | Analytics cookies (Google Analytics) | Anonymized audience measurement |
| IP address | Server logs | Security and fraud prevention |
3.2 Data collected via the Cleo Mobile mobile application
The Cleo Mobile application is a companion application to a Cleo ERP instance. It only operates after user authentication via an access key generated from their web profile.
Data stored locally on the phone (encrypted via the operating system's secure vault — iOS Keychain / Android Keystore):
- URL of the Cleo ERP instance linked to the user,
- JWT authentication tokens (access_token, refresh_token),
- session user information (first name, last name, email, position, employee ID).
Technical data transmitted to the Cleo ERP server:
- Expo push notification token (ExponentPushToken[...]),
- device platform (iOS / Android) and label defined by the user (e.g., "Sandra's POCO X4 Pro"),
- timestamp of last access key usage (last_used_at).
Business data accessed through the application (property of the client company; EC Intelligence acts as a data processor):
- user's leave balances and requests,
- expense reports and photos of receipts uploaded by the user,
- employment certificate requests,
- grievances (which may be marked anonymous to the internal recipient but remain associated with the user account in the database),
- user's payslips,
- for users with a manager or HR officer role: information regarding pending approval requests (requester name, type, dates, reason),
- for users with an executive role: consolidated financial indicators of the company (revenue, margin, cash flow, etc.).
3.3 Data collected on SaaS instances hosted by EC Intelligence
For clients who have chosen SaaS mode, the client company is the data controller of the business data entered into Cleo ERP. EC Intelligence acts as a data processor within the meaning of Article 28 of the GDPR, under a service contract that defines security and confidentiality commitments.
As such, EC Intelligence does not consult, extract, or use the client's business data for any purpose other than the provision of the contracted service (hosting, backups, technical support upon explicit request).
4. Purposes and Legal Bases for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Response to commercial inquiries (forms) | Pre-contractual measures at the request of the data subject |
| Website audience measurement | Legitimate interest |
| Authentication and operation of the mobile application | Contract performance |
| Sending push notifications (leave workflow, expenses, etc.) | Contract performance |
| Hosting and operation of SaaS instances | Contract performance (Article 28 GDPR processor) |
| Security and fraud prevention (logs, audit trail) | Legitimate interest and legal obligation |
| Billing and accounting obligations | Legal obligation |
5. Recipients of the Data
Personal data is intended for:
- internal EC Intelligence teams (technical, support, commercial) authorized and bound by a confidentiality obligation;
- the client company employing the user (for business data processed in SaaS mode);
- the technical processors listed in section 6;
- where applicable, administrative or judicial authorities upon legitimate request.
The data is never sold, rented, or transferred to third parties for commercial purposes.
6. Subprocessors and Data Transfers
For the operation of the service, EC Intelligence relies on the following subprocessors:
| Subprocessor | Service provided | Data concerned | Country / Location |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of SaaS instances and backend infrastructure | All business data entrusted by SaaS clients, technical operating data | Germany / Finland (European Union) |
| Expo (Universe Inc.) | Push notification service (Expo Push Service) for Cleo Mobile | Push token, title + body + payload of the notification | United States |
| Apple Inc. | Delivery of iOS push notifications (APNs) | Push token, notification payload | United States |
| Google LLC | Delivery of Android push notifications (FCM); Google Analytics 4 (website) | Push token, anonymized analytics data | United States / European Union |
Transfers to countries outside the European Union (notably the United States) are governed by the Standard Contractual Clauses adopted by the European Commission, in accordance with Article 46 of the GDPR.
EC Intelligence regularly evaluates the possibility of migrating its hosting to a provider operating a datacenter in Morocco, as the local market matures.
7. Retention Periods
| Data category | Retention period |
|---|---|
| Prospect data (website forms) | 3 years from the last contact |
| Active mobile access keys | As long as the user does not revoke them |
| Expo push tokens | As long as the corresponding mobile access key remains active; automatic deletion upon detected uninstallation |
| JWT tokens (access / refresh) | Access: 1 hour. Refresh: 30 days. |
| Connection data (logs, audit trail) | 12 months |
| Business data (SaaS mode) | According to the durations defined contractually with the client company, and at minimum the applicable legal durations (payroll: 5 years in France and Morocco; accounting: 10 years in OHADA countries and Morocco) |
| EC Intelligence billing data | 10 years (legal obligation) |
Once applicable durations have elapsed, data is securely deleted or anonymized when retained for statistical purposes.
8. Data Security
EC Intelligence implements appropriate technical and organizational measures to ensure data security:
- Encryption in transit: all exchanges between the mobile application, the website, and the servers are encrypted via TLS 1.2+ (HTTPS).
- Local encryption on the mobile application: authentication tokens are stored in the operating system's secure vault (iOS Keychain / Android Keystore) via the expo-secure-store library.
- Secret hashing: secrets associated with mobile access keys are hashed in SHA-256 server-side; the cleartext secret is shown to the user only once at generation time.
- Session isolation: mobile and web JWT tokens are strictly separate (it is impossible to use a web token to access the mobile API or vice versa).
- Backups: encrypted daily backups, retained for 30 days.
- Audit trail: traceability of connections and sensitive modifications.
- Staff awareness: regular training of EC Intelligence teams on data protection.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of the data subjects, EC Intelligence will notify the competent supervisory authority within 72 hours and inform the data subjects without undue delay, in accordance with Articles 33 and 34 of the GDPR.
9. Rights of Data Subjects
In accordance with the European Union's General Data Protection Regulation (GDPR) and the applicable national legislation in the countries where we operate, you have the following rights regarding your personal data:
- Right of access: obtain confirmation that your data is being processed and obtain a copy.
- Right to rectification: have any inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten"): request the deletion of your data in cases provided for by law.
- Right to restriction of processing: request the temporary suspension of processing.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing on grounds related to your particular situation.
- Right to withdraw your consent at any time when processing is based on consent.
- Right to define directives regarding the fate of your data after your death.
To exercise these rights, write to infos@ecintelligence.ma with "Rights exercise — Data Protection" as the subject line and include proof of identity. We will respond within one month from receipt of the request, extendable by two additional months for complex requests, in accordance with Article 12 of the GDPR.
Special case for users employed by a SaaS client: for business data processed in Cleo ERP in SaaS mode, your employer is the data controller. Your requests should first be directed to your employer (typically your HR department). EC Intelligence will forward the request to your employer in its capacity as data processor.
Complaint to a supervisory authority:
- In Morocco: National Commission for the Protection of Personal Data (CNDP), www.cndp.ma.
- In France: National Commission on Informatics and Liberty (CNIL), www.cnil.fr.
- In OHADA countries: relevant national authority where it exists (e.g., ARTCI in Côte d'Ivoire, CDP in Senegal).
10. Minors' Data
Cleo Mobile and Cleo ERP are professional tools intended for use in a workplace setting. They are not intended for minors and we do not knowingly collect personal data concerning persons under 18 years of age. If you believe a minor has transmitted data to us, contact us at infos@ecintelligence.ma for deletion.
11. Cookies (website)
The cleoerp.com website uses cookies for the following purposes:
| Type | Purpose | Duration |
|---|---|---|
| Technical cookies | Operation of the site (session, language, consent) | Session or 12 months |
| Audience measurement cookies | Anonymized statistics (Google Analytics 4) | 14 months |
Audience measurement cookies are only deposited after your explicit consent via the consent banner displayed on your first visit. You can change your choice at any time from the website footer.
The Cleo Mobile mobile application does not use cookies.
12. Modifications to this Policy
This policy may be modified at any time to reflect legal, technical, or organizational developments. The date of last update is indicated at the top of the document. In the event of substantial modification, users will be informed by email or by notification within the application.
13. Contact
For any question regarding this policy or the protection of your personal data:
EXPERTS COMPUTING INTELLIGENCE — SARL
Email: infos@ecintelligence.ma
Postal address: Casablanca, Morocco
Phone: +212 7 71 55 41 10
Cleo ERP, Cleo Mobile, and the Clouder logo are trademarks of EC Intelligence. All rights reserved.