Privacy policy · v1.0 · Updated April 18, 2026

How we handle your data

We collect as little personal data as possible. This page explains what we gather, why, how long we keep it, and the rights you have under Moroccan Law n° 09-08 on the protection of personal data and, for visitors from the European Union, the General Data Protection Regulation (GDPR).

§ 01 Who is the data controller

The data controller for personal data processed through this site is Wecon, operating the Wecon Blog at wecon.dev. Identification and registration details are published on the Legal notice page.

For any question related to your personal data, you can reach us through our contact form.

Our processing activities are declared to the Moroccan Data Protection Authority (CNDP) under reference [declaration or authorisation N°]. If you believe your rights have been infringed, you may file a complaint with the CNDP. Visitors from the EU may additionally lodge a complaint with their local supervisory authority.

§ 02 What data we collect

We only collect data that is strictly necessary to run the blog and deliver the features you use. Concretely:

  • Account data — first and last name, email address, and password hash (never the password itself). Provided when you sign up or sign in with email/password.
  • OAuth data — if you choose to sign in with Google, we receive your name, email, and the Google-issued unique identifier associated with your account.
  • Reading activity — which articles you read, how far you scrolled, which ones you bookmarked or liked. Linked to your account only when you are signed in; otherwise not recorded.
  • Comments — the text you write, your display name, the timestamp, and your user identifier.
  • Technical logs — IP address, user agent, HTTP referrer, and timestamps, kept for security and abuse prevention.

We do not sell your data. We do not run third-party advertising networks. We do not profile you for marketing purposes.

§ 04 Who receives your data

Your data stays within the Wecon platform. We share it only with the processors strictly necessary to operate the site, each bound by a data processing agreement:

  • Hosting — the server that runs this site and our API, located within the European Union.
  • Email delivery — transactional email provider for verification codes and password resets.
  • Authentication provider — Google, only if you choose to sign in with Google. Governed by Google’s privacy policy.

When data crosses borders (for example, hosting in the European Union, Google authentication, or CDN caching), we ensure appropriate safeguards are in place. Transfers out of Morocco follow the rules set by the CNDP; transfers out of the EEA for EU visitors follow the GDPR (adequacy decision or standard contractual clauses).

§ 05 How long we keep it

  • Account data — as long as your account exists, plus 30 days after deletion for backup purposes.
  • Reading activity and bookmarks — until you delete them or close your account.
  • Comments — kept with the article unless you delete them. When your account is closed, your comments are anonymised (display name replaced with “Deleted user”).
  • Security logs — up to 12 months.
  • Abuse evidence — retained as long as legally required, typically up to 3 years.

§ 06 Cookies

We use a very small number of cookies, all first-party:

  • app.sid — HttpOnly session cookie that keeps you signed in. Strictly necessary. 24-hour lifetime. No consent needed under the ePrivacy Directive because it is required to deliver the service you asked for.
  • theme preference — remembers light/dark mode on your device. Functional. Set only when you change the theme.

No tracking cookies. No third-party cookies (Google OAuth uses a pop-up window and does not leave tracking cookies on our domain).

§ 07 Your rights

Under Moroccan Law n° 09-08 (Articles 7 to 11) and — for EU visitors — the GDPR (Articles 15 to 22), you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectify — ask us to correct inaccurate or incomplete data (most fields can be edited directly in Settings).
  • Erase — ask us to delete your account and associated data (“right to be forgotten”).
  • Restrict — ask us to pause processing in specific circumstances.
  • Port — receive your data in a structured, machine-readable format.
  • Object — oppose processing based on our legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting past processing.

To exercise any of these rights, email us at our contact form from the address linked to your account, with a copy of an identity document if required to verify your identity. We will respond within the delays set by applicable law — typically one month.

§ 08 Security

Passwords are hashed with a modern algorithm (argon2id / bcrypt). Session cookies are HttpOnly, Secure, and SameSite=Lax. All traffic is served over HTTPS. We apply the security measures recommended by the CNDP and, where applicable, by the European Data Protection Board.

If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify affected users and the competent supervisory authority (CNDP and, for EU-located users, their local authority) without undue delay.

§ 09 Automated decisions and AI

We do not use automated decision-making (including profiling) that produces legal effects on you. Content ranking on the home page and in “Further reading” is based on editorial and engagement signals and is not personalised based on personal data.

§ 10 Minors

The Wecon Blog is not directed at minors under 16. We do not knowingly collect data from children. If you believe a minor has signed up without parental authorisation, contact us through our contact form and we will delete the account.

§ 11 Changes to this policy

We may update this policy to reflect changes in our practices or legal obligations. The “Updated” date at the top of this page shows when the latest version was published. Substantial changes will be announced on the blog and, when relevant, by email.