Last updated: May 8, 2026
Data Controller
Protecting your personal data is a priority for AvocatLib. This policy describes, in accordance with Moroccan law 09-08 on the protection of individuals with regard to the processing of personal data and its implementing decree 2-09-165, how we process the data you entrust to us when using the avocatlib.ma platform.
Depending on your status on the platform, we collect the following categories of data:
• Visitors (without an account): IP address, browser type, pages viewed, referring page, visit duration. This data is collected via analytics cookies only with your prior consent.
• Registered individuals: first name, last name, email address, password (encrypted), phone number (optional), information strictly necessary to initiate contact (identifier of the selected lawyer, date and time of the requested appointment, optional reason provided by the individual).
• Registered lawyers: first name, last name, professional photo, bar registration number, city of practice, legal specialties, years of experience, biography, languages spoken, consultation modes, pricing, office address, phone, professional email, links to professional networks.

Fields marked with an asterisk in our forms are mandatory; others are optional and not providing them has no consequence on the use of the service.
Your data is used exclusively for the following purposes:
• Manage your account (creation, authentication, password recovery).
• Connect individuals with lawyers (search, booking, initial exchange).
• Send you strictly necessary notifications (booking confirmations, email verification, security alerts).
• Measure platform audience anonymously and in aggregate (Google Analytics, subject to your consent).
• Detect and prevent fraud or abusive use.
• Respond to your requests submitted via the contact form.

Your data is never used for commercial prospecting by third parties.
In accordance with article 4 of law 09-08, each processing operation relies on one of the following legal bases:
• Performance of contract: account management, lawyer matching, bookings.
• Explicit consent: analytics cookies, optional communications.
• Legitimate interest: platform security, fraud prevention, anonymized audience measurement.
• Legal obligation: accounting retention and response to judicial requests.
Your data is accessible only by:
• The data controller (see header).
• Registered lawyers, but only for individuals who have booked with them and within the strict scope of that relationship.
• Our technical processors, bound by a contractual confidentiality undertaking compliant with article 23 of law 09-08 (security of processing):
  – Vercel Inc. — frontend hosting (cdg1 region, Paris, EU)
  – Railway Corp. — API and database hosting (currently us-west2, USA; planned migration to europe-west4)
  – Cloudinary Ltd. — image hosting and delivery
  – Resend Inc. — transactional email delivery
  – Google LLC — anonymized audience measurement and authentication (Google Sign-In)

We do not sell, rent or share your data with advertisers or data brokers.
AvocatLib's frontend runs in the European Union (Vercel, cdg1 region — Paris). The API and database are currently hosted in the United States (Railway, us-west2 region). A migration to europe-west4 (Netherlands, European Union) is planned. In the meantime, these transfers are governed by the sub-processor's standard contractual clauses and declared to the CNDP under article 43 of law 09-08. Secondary sub-processors (Cloudinary, Resend, Google) may also process data from the United States. These transfers are governed by standard contractual clauses and declared to the CNDP.
Your data is retained for as long as your account is active. You may at any time request the deletion of your account and all associated data by writing to contact@avocatlib.ma — deletion takes effect within a maximum of 30 days. For visitors without an account, technical logs (IP address, navigation) are retained according to the default durations of our hosting providers (Vercel, Railway), generally between 7 and 90 days. Analytics cookies (Google Analytics) are configured for a maximum duration of 14 months, in line with the service's default. Emails received via the contact form are retained to allow the request to be processed and followed up; they may be deleted on request at any time. In accordance with article 7 of law 09-08, these periods are proportionate to the purposes described in section 2.
In accordance with article 23 of law 09-08, we implement the following technical and organizational measures:
• TLS 1.2+ encryption for all communications between your browser and our servers.
• Passwords stored in encrypted form (bcrypt algorithm) — never in plaintext.
• Strict Content Security Policy to limit third-party script injection.
• HTTP security headers compliant with OWASP recommendations (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) — Mozilla Observatory grade: A+.
• Automatic, encrypted backups at the hosting layer (Vercel, Railway).
• Production data access limited to identified and authenticated administrators.

Booking-related data benefits from reinforced protection: access restricted to identified and authenticated administrators, and encryption at rest at our database hosting layer. The legal specialty requested is not correlated to any identified individual in our analytics exports.

No system being infallible, we cannot guarantee absolute security. In case of a data breach likely to result in a risk to your rights and freedoms, you will be informed as soon as possible.
In accordance with articles 7 to 9 of law 09-08, you may exercise the following rights over your personal data at any time:
• Right of access: obtain a copy of all data concerning you.
• Right to rectify: correct inaccurate or incomplete data.
• Right to object: refuse processing on legitimate grounds.
• Right to erasure: request deletion of your data.
• Right to portability: retrieve your data in a structured, reusable format.
• Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
Send your request to contact@avocatlib.ma specifying:
• Your first name, last name, and account email.
• The exact nature of the request (access, rectification, deletion, etc.).
• A copy of an identity document (identity verification required by article 8).

We undertake to respond within a maximum of 30 days from receipt of a complete request. If you have an individual account, you may also exercise most of these rights directly from your personal area.

You have the right to lodge a complaint with the National Commission for the Control of the Protection of Personal Data (CNDP, www.cndp.ma) if you believe your rights are not respected.
Our platform uses three categories of cookies:
• Strictly necessary (always active, no consent required): authentication session cookie, language preference cookie (NEXT_LOCALE), consent memory cookie (avocatlib-consent).
• Analytics (disabled by default, subject to your consent): Google Analytics — anonymized audience measurement.
• Marketing: no advertising or retargeting cookies are placed.

You may change your preferences at any time via the cookie banner accessible in the footer, or by deleting the consent cookie in your browser settings.
We reserve the right to modify this policy to reflect legal, technical or organizational changes. Any substantial change will be notified to you via the platform and by email for registered users, at least 30 days before it takes effect. The applicable version is always the one accessible at this URL, dated at the top of the page.
For any question regarding this policy or your personal data:
• Dedicated email: contact@avocatlib.ma
• Postal address: Khémisset, Morocco

Competent supervisory authority:
National Commission for the Control of the Protection of Personal Data (CNDP)
Avenue Al Arz, Sector 4, M1, Hay Riad – Rabat, Morocco
Short number: 3020 — Website: www.cndp.ma
For any question about your personal data, write to us at contact@avocatlib.ma