Privacy Policy

Overview

EXXING GROUP S.à.r.L. ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring transparent data practices. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and engage with our services.

We comply with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws. This policy is effective as of March 2026 and may be updated periodically to reflect changes in our practices or legal requirements.

                    Please read this policy carefully. By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
                

Data Controller Information

Who We Are

Company Name: EXXING GROUP S.à.r.L.
Legal Form: Société à Responsabilité Limitée (Limited Liability Company)
Registered Address: Greenwork B4, 91 Route de Bouskoura, Casablanca 20000, Morocco
Additional Offices: France, European Union
Contact Email: contact@exxing.group
Data Protection Officer: contact@exxing.group

Our Role

EXXING GROUP S.à.r.L. is the data controller for personal information collected through our website, marketing communications, and business engagement. As the data controller, we determine the purposes and means of processing your personal data and are responsible for compliance with data protection laws.

Information We Collect

We collect personal information in various ways depending on your interaction with us. The types of information we may collect include:

Information You Provide Directly

Contact Information: Name, email address, phone number, company name, job title, and physical address
Professional Information: Industry, sector, business focus, company size, and professional background
Communication Data: Records of correspondence, inquiries, feedback, and communication preferences
Service Engagement Data: Information provided in engagement letters, service agreements, and advisory requests
Transaction Information: Details related to potential or actual business transactions, valuations, and deal analysis
Payment Information: Billing address, invoice records, and payment method details (processed by secure third parties)

Information Collected Automatically

Website Usage Data: Pages visited, time spent on pages, links clicked, and navigation patterns
Device Information: Device type, operating system, browser type, and device identifiers
Network Information: IP address, Internet Service Provider, and general geographic location (country/region level)
Cookies & Tracking Technologies: Information from cookies, pixels, and similar technologies (see Cookies section below)
Performance Data: Login frequency, feature usage, and service interaction patterns

Information from Third Parties

Service Providers: Information from hosting providers, analytics services, and IT vendors
Business Partners: Information shared by transaction counterparties, financial advisors, and legal counsel
Public Sources: Publicly available professional information from LinkedIn, business registries, and industry databases
Regulatory Bodies: Information required for compliance with anti-money laundering and know-your-client regulations

Legal Basis for Processing

Under the GDPR, we process personal information only when we have a lawful legal basis. The legal bases for our processing activities include:

1. Legitimate Interest (Article 6(1)(f) GDPR)

We process personal information for our legitimate business interests, including:

Improving and optimizing our website and services
Conducting analytics and measuring service effectiveness
Preventing fraud, security threats, and illegal activity
Managing business relationships and communications
Direct marketing and business development (with consent where required)

We balance our legitimate interests against your rights and freedoms and will not process data where your interests override ours.

2. Consent (Article 7 GDPR)

We obtain your explicit consent for:

Marketing communications (newsletters, promotional emails, event invitations)
Optional profiling and personalized service recommendations
Non-essential cookies and tracking technologies
Processing sensitive personal data (if applicable)

You may withdraw consent at any time by contacting us at contact@exxing.group or using the unsubscribe link in marketing communications.

3. Contractual Necessity (Article 6(1)(b) GDPR)

We process personal information necessary to:

Execute engagement letters and service agreements
Provide advisory and consulting services
Process payments and manage billing
Fulfill contractual obligations and deliver contracted services

4. Legal Obligation (Article 6(1)(c) GDPR)

We process personal information to comply with:

Anti-money laundering (AML) and know-your-client (KYC) regulations
Tax and financial reporting requirements
Data protection and privacy laws
Court orders, regulatory requests, and law enforcement

Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy and as required by applicable law. Retention periods vary depending on the type of data and processing purpose:

Retention Schedules

Engagement & Service Data: Retained for 7 years following service completion to comply with legal and regulatory obligations
Contact Information (Prospects): Retained for up to 5 years from last interaction or until consent withdrawal
Marketing Communications: Retained until consent is withdrawn or contact relationship ends
Website Analytics: Aggregated data retained indefinitely; individual tracking data deleted after 26 months
Account Login Information: Retained for the duration of account activity plus 2 years
Payment & Billing Records: Retained for 7 years per financial and tax regulations
Cookies: Session cookies deleted at end of browser session; persistent cookies retained per cookie policy
Access Logs & Security Data: Retained for 1 year for security and audit purposes

Data Deletion

When data is no longer needed, we securely delete or anonymize it within 30 days of the retention period expiration, unless legal obligations require continued retention. You may request deletion of your personal data at any time (subject to legal and contractual exceptions).

Your Rights Under GDPR & Data Protection Law

You have the following rights regarding your personal information:

1. Right of Access (Article 15 GDPR)

You have the right to request a copy of the personal data we hold about you in a structured, commonly-used, and machine-readable format. We will provide this information within 30 days of your request.

2. Right to Rectification (Article 16 GDPR)

You have the right to correct inaccurate or incomplete personal information. We will make necessary corrections and inform relevant recipients of the rectification where applicable.

3. Right to Erasure (Article 17 GDPR)

You have the right to request deletion ("right to be forgotten") of your personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful. We will delete data within 30 days unless legal obligations require retention.

4. Right to Restrict Processing (Article 18 GDPR)

You may request that we limit the processing of your personal data while we verify its accuracy, assess the lawfulness of processing, or during other specified circumstances. We will not process your data beyond storage until the restriction is lifted.

5. Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a portable, machine-readable format and to transmit it to another data controller without hindrance. We will provide your data in a standard format (e.g., CSV, JSON) within 30 days.

6. Right to Object (Article 21 GDPR)

You have the right to object to processing based on legitimate interest or direct marketing. We will cease processing within 30 days unless we can demonstrate compelling reasons for continued processing that override your interests.

7. Right Against Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not engage in this type of processing.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your data protection rights. Contact information for data protection authorities is available at the European Data Protection Board website.

Exercising Your Rights

To exercise any of these rights, please submit a written request to contact@exxing.group with:

Your full name and contact information
Specific right you wish to exercise
Sufficient detail to identify the data in question
Proof of identity (copy of ID for verification)

We will respond within 30 days. If your request is complex or we receive multiple requests, we may extend this period by up to 60 additional days, notifying you of the extension.

Cookies & Tracking Technologies

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They allow us to recognize you, remember your preferences, and understand how you use our site. We also use similar technologies like pixels, web beacons, and local storage.

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for our website to function properly. They enable core features like navigation, form submission, and security. These are deployed without consent as they are functionally required.

Session cookies (authentication, login)
Security cookies (fraud prevention, CSRF protection)
Functional cookies (language preference, accessibility settings)

Analytics Cookies (Consent Required)

We use analytics tools to understand website traffic, user behavior, and service performance. This helps us improve our website and deliver better services. These cookies collect anonymized data and do not personally identify you.

Marketing Cookies (Consent Required)

We may use cookies to deliver targeted marketing content and measure campaign effectiveness. These cookies allow us to track your interaction with marketing materials (if you have consented).

Third-Party Cookies

Third-party service providers may set cookies for analytics, hosting, and functionality. See the Third-Party Services section below for details.

Cookie Consent Management

When you first visit our website, you will be presented with a cookie consent banner. You can:

Accept all cookies
Accept only essential cookies
Customize your preferences
Withdraw consent at any time via cookie settings

Managing Cookies

You can control cookies through your browser settings:

Chrome: Settings → Privacy and Security → Cookies
Firefox: Preferences → Privacy & Security → Cookies & Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Privacy → Cookies & Site Permissions

Note: Disabling essential cookies may impair website functionality. Visit allaboutcookies.org for more information.

Third-Party Services & Data Sharing

Cloudflare

Our website is hosted and secured through Cloudflare. Cloudflare processes your data to:

Provide content delivery and website hosting
Protect against DDoS attacks and security threats
Analyze website performance and traffic

Privacy Policy: Cloudflare Privacy Policy
Data Processing: Cloudflare is a Data Processor operating under a Data Processing Agreement (DPA) compliant with GDPR.

Website Analytics

We use analytics tools to understand website usage and improve user experience. Analytics providers process aggregated, anonymized data that does not personally identify you.

General Data Sharing Principles

We do NOT sell, trade, or share personal information with third parties for marketing purposes. We may share data with:

Service Providers: IT vendors, hosting providers, payment processors operating under Data Processing Agreements
Legal & Professional Advisors: Lawyers, accountants, and auditors under confidentiality obligations
Regulatory Authorities: Law enforcement, tax authorities, and regulators as legally required
Transaction Parties: With your explicit consent, to counterparties in business transactions
Successor Organizations: In case of merger, acquisition, or asset sale, personal data may be transferred to the successor entity

Data Processing Agreements

All service providers who process personal data on our behalf are bound by Data Processing Agreements (DPAs) that include:

Strict confidentiality and security obligations
Prohibition on unauthorized processing or sharing
Your rights regarding data access and deletion
GDPR compliance and standard contractual clauses

International Data Transfers

Locations of Processing

EXXING GROUP S.à.r.L. operates in Morocco and France. Personal information may be processed in any location where we maintain operations or where our service providers are located.

Cross-Border Transfers

When your personal data is transferred outside the European Economic Area (EEA), we implement appropriate safeguards including:

Standard Contractual Clauses (SCCs): Legally binding contractual terms approved by the European Commission
Adequacy Decisions: For countries deemed to have adequate data protection (e.g., certain jurisdictions with GDPR-equivalent laws)
Supplementary Measures: Additional security and contractual safeguards where necessary

Your Consent

By providing personal information, you acknowledge and consent to the transfer, storage, and processing of your data in the jurisdictions where we operate, subject to the safeguards described above.

Contacting Us & Complaint Procedures

Data Protection Inquiries

For questions about this Privacy Policy or to exercise your data protection rights, please contact:

Email: contact@exxing.group
Mailing Address:
EXXING GROUP S.à.r.L.
Greenwork B4, 91 Route de Bouskoura
Casablanca 20000, Morocco

Data Protection Authority Complaints

If you believe we have violated your data protection rights, you have the right to lodge a complaint with your national data protection authority:

European Union: European Data Protection Board
France: CNIL (Commission Nationale de l'Informatique et des Libertés)
Morocco: CNDP (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel)

Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on this page with an updated effective date. Your continued use of our website or services constitutes acceptance of updated terms.

Last Updated

Effective Date: March 2026
Version: 1.0

Contents