Privacy Policy

Who We Are

Gateway2Morocco Travel ("Gateway2Morocco," "we," "us," or "our") is a Canadian-registered travel agency and Destination Management Company based in Burnaby, British Columbia. We are licensed by the British Columbia Business Practices and Consumer Protection Authority (BPCPA) under registration #80460. Under Canadian federal privacy law, Gateway2Morocco Travel is the "organization" responsible for the personal information described in this Policy.

If you need to reach our Privacy Officer for any reason — to request your information, correct it, delete it, withdraw consent, or file a privacy concern — contact details are in Section 17.

Scope of This Policy

This Policy applies to personal information we collect through:

• Our website at gateway2morocco.com and any sub-domains we operate;
• Quote forms, contact forms, and booking documents;
• Email, telephone, WhatsApp, and other direct communication with our team;
• Trip operations — including information shared with the drivers, guides, riads, hotels, and other suppliers we coordinate on your behalf;
• Marketing communications and customer-care follow-up after travel.

This Policy does not apply to the privacy practices of independent third parties — for example, airlines you book through us, embassies you submit visa applications to, or hotels you contact directly outside our trip planning. Those organizations operate under their own privacy policies.

Information We Collect

The information we collect falls into a few broad categories. We collect only what is reasonably necessary to plan and operate your trip, comply with our legal obligations, and stay in touch when you've agreed to hear from us.

Where applicable, we may also collect emergency contact details, insurance details you choose to share with us, special-event participation (anniversary, birthday), and feedback or testimonials after travel.

We do not knowingly collect "sensitive" information categories such as racial or ethnic origin, religious beliefs, or sexual orientation. The only health-related information we collect is what you choose to share so we can plan a safe itinerary — for example, a mobility limitation, dietary restriction, or medical condition that affects activity selection.

How We Collect It

Most personal information comes directly from you when you contact us, request a quote, complete a booking form, communicate during planning, or interact with our website. Some information is collected automatically when you browse our site, through standard web technologies described in Section 9. Occasionally we receive information from third parties — for example, an airline confirming a ticketed name, an insurance broker confirming a policy, or the lead booker submitting traveler details on behalf of family or group members.

When a lead booker provides personal information about other travelers, that lead booker confirms they have the authority of every named traveler to share the information with us for trip-planning purposes, and that all travelers have been made aware of this Policy.

Why We Use Your Information

We use the personal information we collect for the following purposes:

• Trip planning and delivery. Preparing quotes, confirming reservations, coordinating drivers and guides, securing hotel and riad rooms, arranging restaurant bookings and activities.
• Communication. Responding to inquiries, sending itineraries and pre-trip information, providing in-trip support, and following up after travel.
• Payments. Processing deposits and balances, issuing invoices, handling refunds where due, maintaining accounting records.
• Customer care and service improvement. Reviewing past communications to improve future trips, handling complaints, supplier feedback.
• Marketing communications. Sending newsletters, seasonal updates, special offers, and travel inspiration — only where you have given consent or have an existing customer relationship with us, and always with a clear option to unsubscribe.
• Legal and regulatory compliance. Maintaining records required by Canadian tax law, BPCPA consumer-protection obligations, and anti-money-laundering rules.
• Safety and security. Protecting our systems, preventing fraud, responding to lawful requests from authorities.
• Analytics and website improvement. Understanding which pages and tours are most useful so we can improve the website experience.

Legal Bases for Processing

Under Canadian federal privacy law (PIPEDA), we rely primarily on your consent — either express (when you complete a booking form or sign up for our newsletter) or implied (when the use is consistent with the reasons you originally shared the information). Where the law allows, we may also rely on:

• Contract performance — we need certain information to actually plan and deliver the trip you've booked.
• Legal obligation — we are required to keep certain records by tax, accounting, BPCPA, and anti-money-laundering law.
• Legitimate business interest — for purposes such as fraud prevention, system security, customer-care improvement, and limited internal analytics.

For travelers resident in the European Union, United Kingdom, or other GDPR-equivalent jurisdictions, the same six lawful bases under Article 6 GDPR apply (consent, contract, legal obligation, vital interests, public task, legitimate interest), and we apply whichever is appropriate to each processing activity.

Who We Share Information With

To deliver the trip you book with us, we need to share certain information with the third parties who operate the underlying services. We share only what is necessary for the specific purpose, and we never sell personal information.

Moroccan suppliers

Drivers, licensed guides, riads, hotels, restaurants, and activity operators receive your name, travel dates, group composition, special dietary or mobility needs relevant to their service, and any specific arrangement details. They do not receive your passport number, payment information, or any data beyond what is needed for them to deliver their service.

Airlines and travel insurers

When we ticket flights or arrange travel insurance on your behalf, we share the full booking-name, date of birth, passport details, and travel dates as required by the airline or insurer.

Payment processors

Stripe Payments Inc. handles all credit-card transactions on our behalf as a PCI-DSS Level 1 certified processor. When you pay by credit card, your card details go directly to Stripe and are never seen, stored, or processed by Gateway2Morocco Travel. We receive only the transaction reference, last four digits of the card, brand, and confirmation status. Stripe processes data under its own privacy policy. Wire and e-transfer payments are received directly into our Canadian bank account.

Technology service providers

We use the following primary providers to operate our business:

• Zoho Corporation — for CRM (Zoho CRM), business email and marketing email (Zoho Mail, Zoho Campaigns), contact forms (Zoho Forms), and live-chat conversations on our website (Zoho SalesIQ). Zoho stores data in compliance with its own privacy commitments and is GDPR- and CCPA-compliant.
• Google LLC — for Google Analytics and Google Ads conversion measurement on our website.
• Stripe Payments Inc. — for credit-card processing (as described above).
• Cloud hosting and website platform providers — for the website itself and related infrastructure.

Legal and regulatory bodies

We may disclose personal information when required to do so by law, court order, valid subpoena, BPCPA inquiry, anti-money-laundering rule, or in response to lawful requests from public authorities.

Successors and advisors

In the event of a business transition (merger, acquisition, asset sale) personal information may be transferred to the successor entity, subject to the same protections. We may share information with our professional advisors (lawyers, accountants, insurers) where reasonably necessary.

What we never do

We do not sell, rent, or trade personal information to data brokers, list-rental services, or unrelated third parties. We do not share traveler data with advertisers other than through standard, anonymized conversion-measurement signals to Google Ads.

International Data Transfers

Because we are a Canadian agency operating tours in Morocco using global technology providers, your personal information will necessarily be transferred and processed outside Canada — primarily in Morocco (where our local suppliers operate), the United States (where Stripe processes payment data and where Google stores analytics and ads data), India and other Zoho data-centre locations (where Zoho CRM, Zoho Mail, and Zoho SalesIQ host data), and occasionally elsewhere depending on supplier location.

Morocco is not currently the subject of an "adequacy decision" by the Office of the Privacy Commissioner of Canada or the European Commission, meaning Moroccan data-protection law differs from Canadian and EU standards. Despite this, we believe these transfers are necessary to deliver the trip you have booked, and we take reasonable steps to protect your information through:

• Sharing only the minimum information needed for each supplier to perform their specific service;
• Contractual expectations of confidentiality with our regular suppliers;
• Avoiding transfer of sensitive categories of data wherever possible;
• Working primarily with established suppliers in regulated sectors (licensed hotels, registered drivers, licensed guides) rather than informal contractors.

By proceeding with a booking, you understand and accept that delivering your trip requires this cross-border data transfer. If you would prefer not to have your information transferred internationally, please contact us before booking — we will discuss whether and how the trip can still be arranged.

Cookies and Tracking

Our website uses cookies and similar technologies — small data files placed on your device by your browser. We use them for three purposes:

Strictly necessary cookies

Required for the website to function — for example, session cookies that remember your form entries while you complete a quote request. These cookies cannot be turned off without breaking core website functionality.

Analytics cookies

We use Google Analytics to understand how visitors find and use our site, which pages are useful, and where the site can be improved. Google Analytics receives a pseudonymized identifier, your truncated IP address, and information about your browser and pages visited. We have configured Google Analytics for IP-anonymization where supported.

Advertising cookies

When you visit our site, we may set conversion-measurement cookies for Google Ads so that if you arrived from a Google search or display advertisement, we can understand whether the campaign was effective. These cookies do not share your direct identifying information with Google for advertising profiling beyond Google's standard ad services.

Live chat (Zoho SalesIQ)

Our website includes a live-chat widget powered by Zoho SalesIQ. When you visit our site, SalesIQ collects technical information about your visit — IP address, browser, approximate location, pages viewed, referring website, and time on site — so we can identify when a visitor would like to start a chat and respond to chat requests promptly. If you start a chat, the conversation transcript is stored in our Zoho account along with any contact details you provide during the chat (name, email, phone). You can browse our site without engaging SalesIQ; the widget operates passively until you click to chat. Zoho SalesIQ operates under Zoho's privacy policy.

Managing cookies

Most browsers let you block or delete cookies through their settings. You can also opt out of Google Analytics specifically at tools.google.com/dlpage/gaoptout and manage Google's ad personalization at adssettings.google.com. If you would prefer your visit not be tracked by Zoho SalesIQ, you can use your browser's "do not track" setting or contact us directly by email instead.

Data Retention

We keep personal information only as long as needed for the purposes described in this Policy and any longer period required by law.

• Active client files — retained for the duration of the trip-planning, the trip itself, and for seven (7) years thereafter, in line with Canadian tax-record retention and BPCPA file-keeping expectations.
• Inactive prospects — quote-only inquiries that do not result in a booking are typically deleted after twenty-four (24) months of inactivity.
• Marketing-email subscribers — retained until you unsubscribe, at which point your email address is suppressed (kept only on a do-not-mail list to honour your preference).
• Website analytics data — retained per Google Analytics' standard retention settings (currently 14 months by default).
• Customer-care correspondence — retained as long as the related booking file, then deleted with the file.

When the retention period ends, we delete or anonymize the information so it can no longer be associated with you.

Data Security

We take reasonable, industry-appropriate steps to protect personal information from unauthorized access, loss, misuse, or alteration. These include:

• Encryption of website traffic using TLS (the "https" you see in our URL);
• Access controls on our CRM, email, and accounting systems so that only authorized team members can see client data;
• Selection of established vendors (Zoho, Google, our payment processor) that maintain their own published security programs;
• Limiting the amount of data shared with suppliers to what each genuinely needs;
• Multi-factor authentication on our key business accounts.

No system is perfectly secure, and we cannot guarantee that information transmitted online or stored electronically can never be accessed by unauthorized parties. If a breach occurs that meets the reporting threshold under PIPEDA (a "real risk of significant harm"), we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by law.

Your Privacy Rights

Privacy law gives you specific rights over the personal information we hold about you. The exact rights available depend on where you reside.

To exercise any of these rights, contact our Privacy Officer at the address in Section 17. We will respond within thirty (30) days of receiving a verifiable request, or sooner where required by law. We may need to verify your identity before responding to protect against unauthorized disclosure. Most requests are handled at no cost to you; in unusual cases involving extensive duplicate requests we may charge a reasonable fee or decline excessive requests as permitted by law.

If you are not satisfied with how we have handled your privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with the regulator in your jurisdiction. We ask, as a matter of fairness, that you contact us first so we have a chance to address the concern directly.

Marketing Communications

We comply with Canadian Anti-Spam Legislation (CASL) and the equivalent rules in the jurisdictions where our subscribers live. We send commercial email only where we have implied or express consent — typically because you have requested a quote, completed a booking, or actively subscribed to our newsletter.

Every marketing email contains a clear unsubscribe link. You may also email our Privacy Officer to be added to our do-not-mail list. Once you unsubscribe, you will continue to receive only transactional, trip-related communications (itineraries, confirmation invoices, in-trip support, post-trip practical follow-up) directly tied to a booking — unless you ask us to delete your file entirely.

Children's Privacy

Our website and services are not directed at children under the age of 13, and we do not knowingly collect personal information from children directly. When parents or guardians book family trips, they share information about minor travelers in their care for the legitimate purpose of arranging the trip. We treat this information with the same care as any other client data and only collect what is needed (name, age, dietary requirements, mobility needs relevant to the itinerary). If you believe we have inadvertently collected information directly from a child under 13, please contact our Privacy Officer and we will delete it.

Third-Party Websites

Our website contains links to third-party sites — airlines, embassies, insurance brokers, government travel-advisory pages, and various references in our Terms and Conditions. We provide these for your convenience but do not control how those sites collect or use personal information. Each third-party site operates under its own privacy policy, which we encourage you to review separately.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in the services we offer, or in the legal landscape. The current version will always be available at gateway2morocco.com/privacy-policy with the "Last updated" date shown at the top. Material changes will be brought to your attention through our website and, where appropriate, by direct email to active clients. By continuing to use our services after a change, you accept the updated Policy.

Contact Our Privacy Officer

Under Canadian privacy law, every organization is required to designate an individual responsible for compliance. At Gateway2Morocco Travel, that person is:

• Privacy Officer: Brahim Jounh, Founder
• Email:[email protected]
• Telephone: +1 604-338-9087 (24-hour emergency line)
• Postal: Gateway2Morocco Travel, Burnaby, British Columbia, Canada

Please use the email address above and put "Privacy Request" in the subject line so we can route your message to the Privacy Officer directly. We aim to acknowledge privacy requests within five business days and to respond substantively within thirty (30) days, in line with PIPEDA, GDPR, and applicable U.S. state-law timelines.

If you remain dissatisfied with our response, you have the right to file a complaint with the privacy regulator in your jurisdiction — for Canadian residents, the Office of the Privacy Commissioner of Canada at priv.gc.ca; for British Columbia residents, the Office of the Information and Privacy Commissioner of BC at oipc.bc.ca; for EU/UK residents, your national data-protection authority; for California residents, the California Attorney General or California Privacy Protection Agency.