Privacy Policy
Politique de Confidentialité
Preamble
This Privacy Policy sets forth the commitments of ReserNova SAS ("ReserNova") regarding the collection, processing, and protection of personal data in connection with the operation of its AI-powered booking automation platform. Processing is carried out in strict compliance with Moroccan Law No. 09-08 (Dahir No. 1-09-15 of 18 February 2009) as enforced by the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).
ReserNova operates as a WhatsApp Business Solution Provider (BSP), delivering its services exclusively through the WhatsApp Business Cloud API operated by Meta Platforms, Inc. and its affiliates ("Meta"). This policy is drafted in alignment with Meta's WhatsApp Business Terms of Service, Meta's Data Processing Terms, and the requirements of Meta's Tech Provider Program.
Article 1: Identity of the Data Controller
ReserNova SAS, a Société par Actions Simplifiée incorporated under Moroccan law. Commercial Registry of Casablanca No. 728003. ICE No. 003923670000042.
Registered Office: AV DE PARTICIPATION N° 39 APPT N° 3 2EME ETAGE ROCHES NOIRES, Casablanca, Morocco.
General contact: contact@resernova.com
Data Protection Officer: contact@resernova.com (Subject: DPO)
Article 2: Platform Description and Data Processing Roles
ReserNova provides an AI-powered booking automation platform to business clients ("Merchants"). Merchants connect their existing WhatsApp Business number to ReserNova's platform upon registration. ReserNova operates three distinct service modes, each with a specific data processing role:
| Service Mode | How It Works | ReserNova's Role |
|---|---|---|
| Mode 1 — Inbound AI Booking Engine | End-Client sends a message to the Merchant's WhatsApp number. ReserNova's AI handles the conversation, negotiates availability, and confirms bookings. Output is synced to the Merchant's CRM calendar. | Data Processor acting on Merchant's instructions. End-Client initiates contact — no outbound initiation by ReserNova. |
| Mode 2 — Outbound Messaging (Reminders & Marketing Templates) | ReserNova sends pre-approved WhatsApp template messages on behalf of the Merchant — including booking reminders, confirmations, and promotional campaigns. | Data Processor acting on Merchant's instructions. Outbound contact requires prior opt-in consent from the End-Client, obtained and maintained by the Merchant. |
| Mode 3 — Manual Merchant Conversations | The Merchant communicates directly with their clients via the WhatsApp Business app. ReserNova receives and logs the booking outcomes into the CRM — it does not process the conversation content itself. | Limited Data Processor. CRM sync only. Conversation content remains between Merchant and End-Client. |
In all three modes, the Merchant is the Data Controller for their End-Clients' personal data. ReserNova acts exclusively as a Data Processor on behalf of the Merchant, processing data only as instructed by the Merchant and for the purposes defined in Article 3 below.
Article 3: Nature of Personal Data Collected
3.1 — Merchant Data (ReserNova as Data Controller)
Collected directly from Merchants at registration and during the service relationship:
- Identity and corporate information: company name, legal form, commercial registry number, ICE number.
- Contact details: name of authorized representative, professional email address, phone number.
- WhatsApp Business account credentials: linked phone number, WhatsApp Business Account (WABA) ID.
- Billing and financial information: payment method, invoicing address, transaction history.
3.2 — End-Client Data (ReserNova as Data Processor)
Processed strictly on behalf of and under the instructions of the Merchant:
- WhatsApp phone number (used as the primary identifier for the conversation).
- Name and any other identity information shared voluntarily during the conversation.
- Booking details: service requested, preferred date/time, special instructions.
- Conversation content: text messages and voice notes exchanged with the AI booking engine (Mode 1) or used for CRM sync (Mode 3).
- Message delivery metadata: message timestamps, delivery status, read receipts.
Note on Voice Notes:
Voice notes received from End-Clients are processed solely for the purpose of understanding and fulfilling the booking request (speech-to-text transcription). They are not retained beyond the conversation window, and are never used for AI model training without separate, explicit, and informed consent from the End-Client.
Article 4: Purposes and Legal Basis of Processing
4.1 — Merchant Data
- Execution of the SaaS service agreement: account creation, platform access, CRM integration.
- Billing and invoicing operations.
- Technical support and service communications.
- Legal basis: performance of contract (Article 7, Law 09-08).
4.2 — End-Client Data (Inbound AI — Mode 1)
- Understanding and processing booking requests submitted by End-Clients via WhatsApp.
- Confirming, modifying, or cancelling appointments on behalf of the Merchant.
- Syncing confirmed booking data into the Merchant's CRM calendar.
- Legal basis:legitimate interest of the Merchant in automating their customer booking process; the End-Client initiates contact of their own volition with the Merchant's WhatsApp number.
4.3 — End-Client Data (Outbound Templates — Mode 2)
- Sending booking reminders, appointment confirmations, and follow-up messages.
- Sending Merchant-initiated marketing or promotional template messages pre-approved by Meta.
- Legal basis: prior opt-in consent of the End-Client, obtained by the Merchant before any outbound message is sent. The Merchant is solely responsible for obtaining, recording, and honoring this consent.
Outbound Consent Requirement:
ReserNova will only dispatch outbound template messages to End-Clients for whom the Merchant has confirmed that valid prior opt-in consent exists. The Merchant contractually warrants this as a condition of using Mode 2. End-Clients may opt out at any time by replying STOP or by contacting the Merchant directly.
4.4 — AI Model Training (Optional — Requires Explicit Consent)
ReserNova may, entirely separately from service delivery, seek to use anonymized conversation data to improve its proprietary AI language models (Darija and French dialect comprehension). This secondary purpose is subject to:
- A separate, specific, and explicit consent request addressed to the End-Client (not bundled with service consent).
- The right to refuse or withdraw consent at any time without impact on service delivery.
- Prior authorization from the CNDP where required under Law 09-08.
Article 5: WhatsApp Business Cloud API and Meta's Role
ReserNova delivers its services via the WhatsApp Business Cloud API operated by Meta Platforms, Inc. ReserNova has accepted Meta's WhatsApp Business Terms of Service and the WhatsApp Business Data Processing Terms, which constitute a binding Data Processing Agreement between ReserNova and Meta.
Under this agreement, the following applies:
- Meta acts as a sub-processor of End-Client personal data, processing it solely to enable message delivery on ReserNova's instructions.
- Meta does not use WhatsApp Business Cloud API message content for advertising, ad targeting, or training Meta's consumer AI models.
- Messages transmitted via the Cloud API are protected by the Signal Protocol (end-to-end encryption in transit) and encryption at rest.
- Meta automatically deletes message content from its Cloud API infrastructure within a maximum of 30 days following delivery.
ReserNova, as a WhatsApp Business Solution Provider (BSP) in process of obtaining Meta Tech Provider status, assumes full compliance responsibility for its use of the API and for ensuring that Merchant use of the platform is consistent with Meta's Business and Commerce Policies.
AI Disclosure to End-Clients
In compliance with Meta's platform policies and emerging best practices, ReserNova requires Merchants to disclose to their End-Clients that conversations may be handled by an AI assistant. This disclosure must be made available at or before the first AI-handled interaction.
Article 6: Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Merchant account data | Duration of contract + 5 years | Legal obligation (Moroccan commercial law) |
| Merchant billing records | 10 years | Tax and accounting obligations |
| End-Client booking records (CRM sync) | 24 months from last interaction, or as set by Merchant | Merchant instruction as Data Controller |
| End-Client conversation content (AI) | 30 days maximum on Meta infrastructure; purged from ReserNova systems after booking confirmation | Meta Cloud API terms + data minimization |
| Voice notes | Deleted immediately after transcription and booking processing | Data minimization principle |
Article 7: Security, Hosting and Cross-Border Transfers
ReserNova implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular security assessments.
Data is hosted on secure cloud infrastructure. Given that the WhatsApp Business Cloud API routes data through Meta's global server network (including infrastructure in the United States and the European Union), cross-border data transfers are inherent to the service. ReserNova ensures that:
- All cross-border transfers are covered by Meta's standard contractual clauses (SCCs) incorporated into the WhatsApp Business Data Processing Terms.
- Any additional cross-border transfers outside Meta's infrastructure are subject to prior CNDP authorization and governed by equivalent contractual protections.
Article 8: Personal Data Breach Notification
In the event of a personal data breach affecting End-Client or Merchant data, ReserNova will:
- Notify affected Merchant partners without undue delay and no later than 72 hours after becoming aware of the breach.
- Include in the notification: the nature of the breach, data categories and approximate number of individuals affected, likely consequences, and remedial measures taken.
- Cooperate fully with Meta and Merchant partners in investigating any breach involving data processed through the WhatsApp Business Cloud API.
Merchant partners, as Data Controllers, remain responsible for notifying the CNDP and their End-Clients in accordance with Moroccan Law 09-08.
Article 9: Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business Cloud API) | Message routing and delivery for all three service modes | USA / Global (SCCs apply) |
| Cloud Infrastructure Provider | Platform hosting, data storage, CRM infrastructure | Region specific |
| AI / Speech-to-Text Providers | Voice note transcription for booking processing (Mode 1 only) | Cloud-based |
ReserNova will provide Merchants with advance notice of any material changes to its sub-processor list.
Article 10: Rights of Data Subjects
Pursuant to Chapter II of Law 09-08, all individuals whose data is processed by ReserNova enjoy the following rights:
- Right of Access: Obtain confirmation of whether personal data is being processed and access that data.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of personal data no longer necessary for its original purpose, or upon withdrawal of consent.
- Right to Object: Object to processing on legitimate grounds, including AI model training or outbound marketing.
- Right to Withdraw WhatsApp Outbound Consent: End-Clients may opt out of outbound template messages at any time by replying STOP or by contacting the Merchant. Withdrawal does not affect inbound AI booking assistance (Mode 1).
Requests from End-Clients should be directed to the Merchant (as Data Controller). Requests from Merchants or direct requests may be submitted to: contact@resernova.com. ReserNova will respond within 30 days.
Article 11: Merchant Obligations
By registering on the ReserNova platform and connecting their WhatsApp Business number, Merchants contractually undertake to:
- Inform their End-Clients that their WhatsApp conversations may be handled by an AI booking assistant operated by ReserNova.
- Obtain valid prior opt-in consent from End-Clients before any outbound template message (Mode 2) is sent on their behalf.
- Maintain records of End-Client consents and honor all opt-out requests promptly.
- Comply with Meta's WhatsApp Business Policy and Commerce Policy in their use of the platform.
- Not instruct ReserNova to process End-Client data in any manner that would violate applicable law or Meta's platform policies.
Article 12: Policy Updates and Contact
This Privacy Policy may be updated to reflect changes in our services, applicable law, or Meta's platform requirements. Material changes will be communicated to Merchants at least 15 days in advance by email. The current version is always published at resernova.com/privacy.
General Enquiries
Email: contact@resernova.com
Registered Office
AV DE PARTICIPATION N° 39 APPT N° 3 2EME ETAGE ROCHES NOIRES, Casablanca, Morocco
ReserNova SAS — ICE No. 003923670000042 — RC Casablanca 728003