Legal

Privacy Policy

Last updated: 30 April 2026 · Version 1.0 · Compliant with loi 09-08 (Morocco)

This policy explains what data ILMI collects about you, why we collect it, where it's stored, and how you can delete it. We process personal data under Moroccan law (loi 09-08 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel) and have registered our processing with the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel).

The short version: We collect your name, email, and what you study so ILMI can teach you. We send your messages to AI providers (Anthropic, Google) to generate replies. We don't sell your data. You can delete everything by emailing privacy@ilmi.ma.

1. Who we are

Data controller: ILMI — auto-entrepreneur registered in Morocco
Location: Marrakech, Morocco
Privacy contact: privacy@ilmi.ma
CNDP registration: Pending / on file

2. What we collect

2.1 Account data (you give us this)

Email address — for sign-in and important notifications
Password — stored hashed (we never see the plaintext); managed by Supabase Auth
Display name — shown to you only
University, semester, filière, group — to scope your subjects and group features

2.2 Study data (generated as you use ILMI)

Chat messages between you and ILMI
Topic mastery records (what you've studied, what you've mastered, what you're struggling with)
Session summaries (short auto-generated recaps of each study session)
Exam dates you tell us about
Schedule entries you create
Practice answers (flashcard "knew/missed", MCQ correct/wrong)
Files you upload (PDFs, slides, notes) and their text content
Feedback you give (thumbs up/down on ILMI replies)

2.3 Technical data (collected automatically)

IP address (used briefly for rate limiting; not stored long-term)
Browser type and version, device type
Pages visited, features used, anonymous usage events
Timestamps of activity
Authentication tokens (so you stay logged in)

2.4 What we do NOT collect

National ID (CNIE) numbers
Phone numbers (unless you opt in for WhatsApp reminders in the future)
Payment card numbers (handled entirely by our payment processor)
Voice recordings (currently — would change with future voice features, with separate opt-in)
Location / GPS data

3. Why we collect it (legal basis)

Under loi 09-08, we process your data on these legal bases:

Performance of contract — to deliver the service you signed up for (account, study tools, AI chat)
Your consent — for analytics, optional features, marketing emails (you can withdraw consent anytime)
Legitimate interest — for security, fraud prevention, debugging, improving the product
Legal obligation — to comply with tax, accounting, and law-enforcement requests where mandatory

4. Who we share data with

We share data only with these third-party processors, all under signed Data Processing Agreements:

Anthropic (Claude AI): Receives your chat messages to generate replies. Stored up to 30 days for safety review, then deleted. Privacy policy
Google (Gemini): Receives course material text to generate embeddings for search. Privacy policy
Supabase: Hosts our database, file storage, and authentication. Servers in the EU/US. Privacy policy
Railway: Hosts our backend application servers. Privacy policy
Sentry (optional): Captures error logs for debugging. May incidentally include user IDs but no message content. Privacy policy

We do NOT:

Sell your data to advertisers
Share your data with other students except where you explicitly chose to (e.g. uploading a file to your group's library)
Share your data with your professors or university unless legally compelled
Use your data to train AI models we publish

5. Cross-border data transfers

Some of our processors (Anthropic, Google, Supabase) are based outside Morocco, primarily in the United States and European Union. By using ILMI, you consent to your data being transferred to these jurisdictions. We ensure each processor provides adequate protection equivalent to loi 09-08 standards through contractual clauses.

6. How long we keep your data

Account data — until you delete your account
Chat messages — until you delete your account or 24 months after last activity, whichever is sooner
Study data (mastery, sessions) — until you delete your account
Uploaded files — until removed by you, by takedown request, or 24 months of inactivity
Technical / log data — 90 days max
Payment / billing records — 10 years (legally required for tax)

7. Your rights

Under loi 09-08, you have the right to:

Access — get a copy of all data we hold about you
Rectification — correct inaccurate data
Deletion — request your account and data be deleted ("right to be forgotten")
Object — refuse certain processing (e.g. analytics, marketing)
Portability — receive your data in a machine-readable format
Withdraw consent — at any time, for processing based on consent
Lodge a complaint — with the CNDP (www.cndp.ma)

To exercise any of these rights, email privacy@ilmi.ma. We respond within 30 days.

8. Security

We protect your data with:

HTTPS encryption for all traffic
Hashed passwords (bcrypt, via Supabase Auth)
JWT-based authentication with short expiry
Database access controls — only the service has access, not random employees
Regular security review of code changes
Rate limiting and abuse detection

If we ever discover a data breach affecting you, we'll notify you and the CNDP within 72 hours of confirming it.

9. Cookies and similar technologies

ILMI uses minimal cookies:

Session cookies (essential) — keep you logged in
Functional storage (essential) — remember your last subject, theme preferences
Anonymous analytics (optional) — counts of feature usage, no tracking across sites

We don't use third-party advertising cookies or cross-site trackers.

10. Children's data

ILMI is for university students aged 18 and over. We don't knowingly collect data from anyone under 18. If you discover that a minor has signed up, please email privacy@ilmi.ma and we'll delete the account.

11. Changes to this policy

We may update this policy. Material changes will be announced by email and a banner in the app at least 14 days before taking effect. The effective date is shown at the top.

12. Contact

For any privacy question or to exercise your rights:

Privacy email: privacy@ilmi.ma
General contact: hello@ilmi.ma
Regulator: CNDP — www.cndp.ma