Privacy Policy

Last update: Sat 30 Aug 2025

This Privacy Policy (the “Policy”) explains how Nommo Investment (“Nommo”, “the Platform”, “we”, “us”) collects, uses, stores, shares, and protects personal data of users (“User”, “you”) of our digital investment platform and related websites, mobile apps, APIs, and services.

Using our services means you acknowledge this Policy. Where we rely on consent (e.g., non-essential cookies or marketing), you can grant or withdraw it at any time as described below.

1. Scope & Services

Nommo is a Moroccan digital platform dedicated to stock-market investment. The Platform may operate in partnership with an AMMC-licensed brokerage partner. The Platform enables account opening, order placement, portfolio tracking, market analysis, and social features.

2. Definitions

Personal Data: Any information that identifies you directly or indirectly (e.g., name, email, ID number, IP address).

Processing: Any operation performed on Personal Data (collection, storage, use, transmission, deletion, etc.).

Controller / Processor: As per Moroccan Law 09-08; the controller determines purposes and means of processing; the processor processes data on behalf of the controller.

Cookies/Trackers: Small files or technologies stored on your device for functionality, analytics, or advertising.

3. Data Controller & Contacts

Nommo Investment is the data controller for data collected through the Platform, except where otherwise stated.

Email (privacy): privacy@nommo.ma

Address: 10 Rue Chrarda Rdc, Derb Loubila, Bourgogne, Casablanca

Phone: +212 64 278 1968
We appoint a Data Protection Officer (DPO) reachable at privacy@nommo.ma
.

An AMMC-licensed brokerage partner may act:

as an independent controller for brokerage/regulatory obligations (e.g., KYC/AML, account management), and

as a recipient of certain data necessary to perform those obligations.
Such partner will provide its own privacy notices where applicable.

4. Categories of Personal Data We Collect

A. Identification & KYC
Name, national ID/passport, date/place of birth, address, nationality, profession, signatures, proof of address, tax identifiers, PEP status, source of funds, video/voice recordings where KYC requires.

B. Financial & Transactional
Portfolio and cash accounts, orders, executions, balances, income and assets you declare, risk profile, investment objectives, suitability/appropriateness tests.

C. Technical & Usage
Device and browser data, IP address, app version, logs, crash reports, security events, session IDs.

D. Communications & Preferences
Support tickets, call recordings (where lawful and disclosed), in-app messages, email/SMS preferences, marketing consents.

Sources: Directly from you; generated by your use of the Platform; provided by service providers or the AMMC-licensed brokerage partner for compliance; and, where lawful, from public or sanction/PEP lists.

5. Purposes & Legal Bases

We process data to:

Provide the service & fulfill the contract (account creation, onboarding/KYC, order routing/execution, statements, portfolio dashboards, support).

Comply with the law (Law 09-08; AML/CFT; tax; market-abuse prevention; AMMC rules; retention duties; responding to lawful requests).

Legitimate interests (platform security and integrity, fraud prevention, service analytics, product improvement, contact after incomplete onboarding, internal reporting).

Consent (non-essential cookies, optional geolocation, marketing communications, social/public profiles, certain research/personalization features).

You can refuse or withdraw consent at any time without affecting lawful processing already performed.

6. Cookies & Similar Technologies

We use:

Strictly necessary (session management, security, load balancing).

Performance/analytics (traffic metrics, feature usage, error diagnosis).

Functionality (remembering language or preferences).

Advertising/retargeting (optional) (if ever used, they require prior consent).

Social plugins (optional) (share/like buttons may identify you if you are logged into those networks).

A cookie banner lets you accept, refuse, or customize non-essential cookies. You can also manage cookies from your browser settings. Refusing non-essential cookies may limit personalization, not core trading features.

7. Social Trading & Public Profiles

If you opt in:

Public elements may include your username, avatar, selected performance metrics, and community interactions.

You control visibility via Privacy Settings and can opt out at any time; historical public content may remain visible where already shared by others, subject to applicable law.

Never share confidential or identifying data in public areas.

8. Marketing & Communications

We may send service/transactional messages (e.g., execution confirmations, security alerts). You cannot opt out of these.

Marketing (newsletters, product updates, offers) is consent-based. You can unsubscribe via links in messages or Settings → Notifications.

9. Sharing & Recipients

We share data only when necessary and with safeguards:

AMMC-licensed brokerage partner (account opening, order execution, regulatory duties).

Service providers/processors (hosting, security, KYC/AML, analytics, communications, customer support, payment, cloud infrastructure) under written contracts and confidentiality.

Authorities/regulators/courts when legally required or to protect rights, safety, or compliance.

Professional advisors (auditors, lawyers) under confidentiality.
We do not sell personal data.

We do not allow processors to use your data for their own purposes. Where we offer partner features, we’ll name the partner and basis, and obtain consent when required.

10. International Data Transfers

Some providers may be located outside Morocco. When we transfer data internationally, we use contractual safeguards (e.g., appropriate contractual clauses) and conduct risk assessments to ensure a level of protection substantially equivalent to Moroccan standards. You may request details of relevant safeguards.

11. Retention Periods

We keep data only as long as necessary for the purpose collected and applicable law. Typical periods (subject to legal change):

KYC/AML files, account records, transactions: 5 to 10 years after account closure or last transaction, as required by finance/AML laws.

Contracts, consents, support interactions, call recordings: 5 years (or longer if needed for legal defense).

Analytics logs: up to 13 months (aggregated or anonymized thereafter).

Marketing preferences: until you withdraw consent or after inactivity rules we set (with periodic re-permissioning).
If litigation, audit, or investigation is ongoing, relevant data may be retained until the matter resolves.

12. Security Measures

We implement organizational, physical, and technical measures aligned with industry good practices:

Encryption in transit (TLS) and at rest where applicable.

Role-based access control, strong authentication, least-privilege policies.

Network segmentation, firewalls, anti-bot/anti-abuse, vulnerability management.

Monitoring, logging, and audits, third-party assessments where appropriate.

Backups & disaster recovery with tested restore procedures.
No system is infallible; we continuously improve controls.

Incident Notification

If a data breach likely to harm you occurs, we will notify you and, where required, the CNDP and/or other authorities, in line with legal timelines.

13. Automated Decisions & Profiling

We may use automated processing to:

perform fraud/risk checks,

run suitability/appropriateness logic, and

produce personalized insights (if consented).
Where an automated decision produces legal or similarly significant effects, you may request human review, express your point of view, and contest the decision, unless law permits automated measures (e.g., AML).

14. Your Rights (Law 09-08)

You may:

Access the personal data we hold about you;

Rectify inaccurate or incomplete data;

Erase data where permitted by law (“right to be forgotten”);

Object to processing for direct marketing at any time, and to other processing on legitimate grounds;

Restrict processing in specific cases (e.g., contesting accuracy);

Port data you provided to us in a structured, commonly used, machine-readable format, where technically feasible.

How to Exercise Your Rights

Email privacy@nommo.ma
with: full name, account identifier, request type, and a valid proof of identity. For security, we may ask for additional verification limited to what is necessary.

Complaints to the CNDP

If we cannot resolve your concern, you may lodge a complaint with the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) in Morocco.

15. Minors

Nommo is for users 18+. We do not knowingly collect data from minors. If you believe a minor has provided data, contact privacy@nommo.ma
; we will promptly delete such data where required.

16. Account Closure

You can request account closure via in-app or support. Operational or legal obligations (e.g., AML/retention rules) may require Nommo and/or the AMMC-licensed brokerage partner to retain certain records for statutory periods after closure.

17. Third-Party Sites & Social Plugins

Our site/app may contain links or plugins (e.g., “Share”/“Like”). Third-party sites have their own privacy practices; we are not responsible for them. If you are logged in to a social network, it may track your browsing on our pages—consider logging out if you do not want this.

18. Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. We’ll post the new version with the effective date and, where required, notify you in-app or by email. If the update requires new consent, we will ask for it.

19. Contact

Nommo Investment

Privacy & DPO: privacy@nommo.ma

Support: support@nommo.ma

Address: 10 Rue Chrarda Rdc, Derb Loubila, Bourgogne, Casablanca

Phone: +212 64 278 1968