Privacy policy
Last updated: April 2026
At React Box we take the protection of your personal data very seriously. This policy explains what data we collect, on what basis, how we use it, where it is hosted, and what your rights are under Moroccan Law 09-08 on the protection of personal data.
Data controller and DPO
The data controller is React Consulting SARL AU, ICE 003399449000060, with registered office at Boulevard My Hassan 1er, Imm Siam Block A, 3rd floor N°10, Marrakech, Morocco. You can contact our Data Protection Officer (DPO) at dpo@react-box.com.
Our role: data controller and processor
React Box acts in two distinct capacities. (1) Data controller for the data needed to operate the service: user accounts, organisations, security logs, notifications, usage statistics. (2) Data processor under article 21 of Law 09-08 for the documents you upload: those documents remain under your responsibility or that of your accounting firm. We strictly limit our role to hosting them with private access, without ever viewing or analysing their content.
Data we collect
We collect the information you provide when you sign up (first name, last name, email address, profile picture), the information about your organisation (legal name, ICE, IF, RC, TP, address, logo), the documents you upload to your vault (the content remains private and is never analysed by our systems), and activity logs (actions performed in the application, IP address, user agent).
Purposes and legal bases
Your data is used to provide the service (performance of the contract), to ensure security and traceability (legal obligation and legitimate interest), to send you transactional notifications (performance of the contract), and to improve the product through anonymised usage statistics (consent, managed via the cookie banner).
Hosting and transfers
Our primary servers are located in the European Union (Frankfurt, Germany) — Neon database (eu-central-1, AWS), application on Vercel (region fra1), files on Cloudflare R2 (EU jurisdiction), email through Resend (EU). The level of protection there is recognised as adequate by the CNDP. The WorkOS Inc. authentication service operates from the United States under standard contractual clauses. You are informed of these transfers when you sign up and when you create your organisation.
Technical subprocessors
We rely on the following subprocessors, all contractually committed to GDPR compliance: Neon (database, EU), Cloudflare (file storage, EU), Vercel (application hosting, EU), Resend (transactional email, EU), and WorkOS (authentication, USA — under standard contractual clauses).
Retention
Account data is retained as long as your account is active, then deleted within 30 days after closure. The documents you upload are retained under your responsibility — you decide when to delete them. Security audit logs are kept for 5 years, activity logs for 2 years, read notifications for 6 months. Data exports are kept for 30 days.
Your rights
Under Law 09-08 you have the right to access, rectify, delete, restrict and port your personal data, and to object to its processing. To exercise these rights, write to dpo@react-box.com or use our online form available from the footer ("Exercise my rights"). For the data contained in your documents, your direct counterpart is your accounting firm or your business (data controller). You also have the right to file a complaint with the CNDP (www.cndp.ma).
Cookies
Our site uses cookies that are essential to operation (session, language, consent preferences) and, subject to your explicit consent, audience measurement cookies. You can adjust your preferences at any time via the "Cookie preferences" link in the footer. See our cookie policy for details.
Security
We implement appropriate technical and organisational measures: end-to-end TLS encryption, AES-256 encryption at rest on Cloudflare R2, access control via WorkOS (SSO and MFA available), short-lived signed URLs (5 minutes for downloads, 10 minutes for uploads), exhaustive access logging, and the least-privilege principle: our operational teams never access the content of your documents.
CNDP reference
The processing described in this policy has been declared to the National Commission for the Protection of Personal Data (CNDP). The receipt number will be published here as soon as we receive it.