
Privacy Policy

1. Introduction to the Mobile Application

Welcome to ATAYA APP, a mobile platform specializing in booking leisure activities, guided tours, excursions, and other travel experiences and service provisions. ATAYA APP is published by ATAYA APP SASU, a simplified joint-stock company under Senegalese law.

This Privacy Policy (hereinafter the "Policy") aims to transparently and comprehensively inform users of the ATAYA APP mobile application (hereinafter the "Application") about the nature of personal data collected, the purposes and legal bases of their processing, the recipients and subcontractors to whom this data may be communicated, the conditions of retention and security of this data, as well as all the rights available to users under applicable regulations.

This Policy applies to all processing of personal data carried out by ATAYA APP SASU acting as Data Controller within the meaning of Article 24 of the GDPR and Article 74 of Law No. 2008-12 of January 25, 2008. It applies as soon as the Application is used, whether or not the user has created an account.

2. Identification of the Data Controller

The Data Controller within the meaning of this Policy is:

  • Company name: ATAYA APP SASU
  • Legal form: Simplified joint-stock company (SASU)
  • Registered office: Cite des Enseignants, Guediawaye, villa n° D5
  • RCCM: SN-DKR-2023-B-48.054
  • NINEA: 010762715
  • Contact email: contact@ataya.app
  • Phone / WhatsApp: +221 77 102 56 55
  • Data Protection Officer: contact@ataya.app

(ATAYA APP SASU is registered with the Senegal Personal Data Protection Commission (CDP) in accordance with the reporting obligations provided for by Law No. 2008-12 of January 25, 2008.)

3. PERSONAL DATA COLLECTED

ATAYA APP only collects data strictly necessary for the provision of its services, in accordance with the principle of data minimization enshrined in Article 5(1)(c) of the GDPR and Article 35 paragraph 2 of Law No. 2008-12 of January 25, 2008. The categories of data collected are as follows:

3.1 Identification and Account Data

When creating a user account on the Application, ATAYA APP collects the following information:

  • First and last name (mandatory)
  • Email address (optional)
  • Phone number (optional)
  • Profile photo (optional)

This data is strictly limited to user identification and account management. ATAYA APP does not collect or process any data falling under special categories within the meaning of Article 9 of the GDPR (ethnic origin, political opinions, religious beliefs, biometric data, health data, sexual orientation, etc.).

3.2 Geolocation Data

With the explicit prior consent of the user, ATAYA APP collects geolocation data (GPS coordinates) in order to offer activities and experiences available near the user. This collection is only activated during active use of the Application and can be disabled at any time from the user's device settings. Geolocation data is not retained beyond the active usage session.

3.3 Payment Data and Transaction Records

ATAYA APP does not collect or store any user banking information (card number, IBAN, etc.). Payments are processed entirely by certified third-party payment service providers. However, ATAYA APP retains electronic payment records (amount, date, transaction reference, status) for accounting traceability and legal compliance purposes, in accordance with Law No. 2008-08 of January 25, 2008 on electronic transactions in Senegal.

3.4 Browsing and Technical Data

When using the Application, technical data is automatically collected to ensure the proper functioning of services:

  • IP address and device identifier
  • Type and version of operating system (iOS / Android)
  • Timestamped connection logs
  • Pages and features viewed, duration and frequency of sessions
  • Crash data and application error reports

This data is used exclusively for security, performance monitoring, fraud detection, and Application improvement purposes.

3.5 Communication Data

When the user contacts ATAYA APP customer service by email, phone, or via WhatsApp, exchanges are retained for customer relationship management, request tracking, and service quality improvement purposes.

4. PURPOSES AND LEGAL BASES OF PROCESSING

In accordance with Article 35 of Law 2008-12 and Article 6 of the GDPR, all processing of personal data is based on an explicit legal basis. The purposes pursued by ATAYA APP, the data concerned, and the corresponding legal basis are detailed below:

  • Creation and management of user account: Identification, email, phone, photo (Legal basis: Contract performance, Article 33 of Law 2008-12 and Article 6(1)(b) GDPR)
  • Identity verification: Identification (Legal basis: Contract performance, Article 33 of Law 2008-12 and Article 6(1)(b) GDPR)
  • Processing of reservations and payments: Identification, transaction records (Legal basis: Contract performance, Article 33 of Law 2008-12 and Article 6(1)(b) GDPR)
  • Geolocation for activity search: GPS coordinates (Legal basis: Consent, Article 33 of Law 2008-12 and Article 6(1)(a) GDPR)
  • Customer relationship management and assistance: Identification, communication (Legal basis: Contract performance, Article 33 of Law 2008-12 and Article 6(1)(b) GDPR)
  • Sending newsletters and marketing communications: Email, phone (Legal basis: Consent, Article 33 of Law 2008-12 and Article 6(1)(a) GDPR)
  • Personalized advertising: Browsing, identification (Legal basis: Consent, Article 33 of Law 2008-12 and Article 6(1)(a) GDPR)
  • Security, fraud and cybercrime prevention: Technical data, browsing (Legal basis: Legitimate interest, Article 33 of Law 2008-12 and Article 6(1)(f) GDPR)
  • Statistics and Application improvement: Technical data, browsing (Legal basis: Legitimate interest, Article 33 of Law 2008-12 and Article 6(1)(f) GDPR)
  • Compliance with legal and accounting obligations: Transaction records (Legal basis: Legal obligation, Article 33 of Law 2008-12 and Article 6(1)(c) GDPR)
  • Application management (recruitment): Application data (Legal basis: Consent / Pre-contract, Article 33 of Law 2008-12 and Article 6(1)(a) and (b) GDPR)

5. RECIPIENTS AND DATA COMMUNICATION

ATAYA APP does not sell or rent users' personal data to third parties. Data may only be communicated in the following cases, and after verification of compliance with data protection obligations:

5.1 ATAYA APP Company Entities

Data may be shared with companies with which ATAYA APP SASU has a partnership, strictly to the extent necessary for the provision of services.

5.2 Service Providers and Technical Subcontractors

ATAYA APP uses rigorously selected providers and subcontractors for the provision of technical and operational services. These providers only act on documented instructions from ATAYA APP and are contractually bound to respect a level of security and confidentiality equivalent to the requirements of the GDPR and Law No. 2008-12. They are in no way authorized to use the data for their own purposes. These subcontractors notably include cloud hosting and infrastructure providers (AWS).

5.3 Commercial Partners

Data is only transmitted to ATAYA APP commercial partners with the prior, free, specific, informed, and unambiguous consent of the user. This consent may be withdrawn at any time.

5.4 Authorities and Legal Obligations

ATAYA APP may be required to communicate certain personal data to competent authorities (judicial, administrative, or regulatory) when required by law, particularly in cases of judicial requisition, administrative injunction, or legal reporting obligation.

6. MAIN SUBCONTRACTOR: AMAZON WEB SERVICES (AWS)

ATAYA APP uses Amazon Web Services (AWS) as its main subcontractor for all its cloud infrastructure. This use is formalized by a Data Processing Agreement (DPA) compliant with Articles 4-16 of Law 2008-12 and Article 28 of the GDPR, which requires AWS to comply with all obligations applicable to subcontractors.

6.1 Subcontractor Presentation

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. In Europe, AWS operates under the responsibility of Amazon Web Services EMEA SARL, established at 38 Avenue John F. Kennedy, L-1855 Luxembourg. AWS is one of the world leaders in cloud infrastructure services and is certified according to ISO 27001 and SOC standards.

6.2 AWS Services Used and Data Concerned

Amazon Web Services (AWS) (Headquarters: United States):

  • Service provided: Cloud hosting, data storage, server infrastructure, network security
  • Hosting region: EU (Paris)
  • Legal basis for transfer: Standard Contractual Clauses (SCC), Decision 2021/914/EU

The entire ATAYA APP infrastructure is hosted in the AWS Europe (Paris) region, which means that user data is stored and processed within the European Union, in accordance with GDPR requirements.

6.3 Contractual Guarantees and Security Measures

Data processing by AWS is governed by the following guarantees:

  • Data Processing Agreement (DPA) signed between ATAYA APP and AWS, compliant with Articles 4-16 of Law 2008-12 and Article 28 of the GDPR
  • Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914/EU of June 4, 2021) for any transfer outside the EU
  • Encryption of data in transit via TLS 1.2 minimum protocol and at rest via AES-256
  • Strict access control through AWS IAM (Identity and Access Management)
  • Complete logging of access and operations via AWS CloudTrail and CloudWatch
  • Compliance with ISO 27001 and SOC (cloud security) certifications
  • SOC 2 Type II audit reports available on request
  • AWS Privacy Policy available at: https://aws.amazon.com/privacy/

6.4 Respective Responsibilities

Within the framework of this subcontracting, ATAYA APP SASU remains the sole Data Controller and retains full responsibility for the lawfulness of processing, user information, and the exercise of their rights. AWS acts exclusively as a subcontractor, according to documented instructions from ATAYA APP, without being able to access the data for other purposes or use it for its own account.

7. INTERNATIONAL DATA TRANSFERS

All personal data of ATAYA APP users is hosted in the AWS Europe (Paris) region, located within the European Economic Area. Consequently, there is no transfer of data to third countries in the normal operations of ATAYA APP, only storage.

In the exceptional event that a transfer of data to a third country (located outside the EU or Senegal) becomes necessary, ATAYA APP undertakes to authorize this transfer only under the following strict conditions:

  • Existence of an adequacy decision by the European Commission recognizing an equivalent level of protection (Art. 45 GDPR);
  • Implementation of Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914/EU);
  • Binding Corporate Rules (BCR) approved by a competent supervisory authority;
  • Explicit consent of the user, after information on the potential risks of the transfer (Art. 49.1(a) GDPR).

In all cases, ATAYA APP ensures that the destination country or organization guarantees an adequate level of protection substantially equivalent to that offered by the GDPR and Senegalese Law No. 2008-12 of January 25, 2008 on the protection of personal data.

8. DATA RETENTION PERIODS

In accordance with the principle of storage limitation set out in Article 72 of Law 2008-12 of January 25, 2008 and Article 5(1)(e) of the GDPR, personal data is retained for a period strictly limited to what is necessary for the purposes for which it was collected. The applicable retention periods are as follows:

  • Active account data: Duration of the contractual relationship (Justification: Service provision)
  • Post-account termination data: 10 years after termination (Justification: Accounting and tax obligations (Art. L. 123-22 Commercial Code) and provisions of Law 2008-12 of January 25, 2008)
  • Prospect data: 3 years after last contact (Justification: Commercial prospecting Article 6(1)(f) GDPR)
  • Application data (HR): 2 years after submission or last contact (Justification: Recruitment management)
  • Electronic payment records: 10 years (Justification: Law No. 2008-09 of January 25, 2008 on electronic transactions)
  • GPS geolocation data: Duration of active session (Justification: Minimization - non-permanent collection)
  • Connection logs: 12 months (Justification: Security, fraud detection, legal obligation)
  • Communication data (customer service): 3 years after request closure (Justification: Customer relationship management, evidence in case of dispute)

At the expiration of these periods, personal data is either permanently and irreversibly deleted or anonymized so as to no longer allow identification of the data subject, in accordance with current technical standards.

9. DATA SECURITY

ATAYA APP implements all appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data, in accordance with Article 32 of the GDPR and Articles 70 to 74 of Law No. 2008-12. These measures include:

Technical Measures

  • Encryption of all communications between the Application and servers via TLS 1.2/1.3 (HTTPS) protocol
  • Encryption of data at rest via AES-256 on AWS infrastructure
  • Strong user authentication (AWS Cognito) with secure session management
  • Environment isolation (production, staging, development) and access control according to the principle of least privilege
  • Continuous infrastructure monitoring (AWS CloudWatch, AWS GuardDuty) and access logging (AWS CloudTrail)
  • Regular backups and Disaster Recovery Plan
  • Regular penetration tests and security audits

Organizational Measures

  • Internal information systems security policy (ISSP) applicable to all employees
  • Regular staff training and awareness on data protection and cybersecurity
  • Confidentiality clauses in all employment contracts and service contracts
  • Documented data breach notification procedure (Article 33 GDPR: 72-hour deadline to CDP)
  • Processing register kept up to date in accordance with Article 30 of the GDPR

In case of a personal data breach likely to result in a high risk to the rights and freedoms of the data subjects concerned, ATAYA APP undertakes to notify them as soon as possible, in accordance with Article 34 of the GDPR, and to inform the Senegal Personal Data Protection Commission (CDP) within 72 hours of becoming aware of the incident, in accordance with Article 33 of the GDPR.

10. RIGHTS OF DATA SUBJECTS

In accordance with Law No. 2008-12 of January 25, 2008 and the GDPR, every user has the following rights over their personal data:

  • Right of access: Obtain a copy of all your personal data being processed. (Response time: 3 business days)
  • Right of rectification: Correct any inaccurate or incomplete data. (Response time: 3 business days)
  • Right to erasure: Request the deletion of your data (subject to legal obligations). (Response time: 3 business days)
  • Right to portability: Receive your data in a structured and machine-readable format. (Response time: 3 business days)
  • Right to object: Object to processing based on legitimate interest. (Response time: 3 business days)
  • Right to restriction: Request temporary suspension of processing. (Response time: 3 business days)
  • Withdrawal of consent: Withdraw your consent at any time without retroactive effect. (Response time: Immediate)

10.1 How to Exercise Your Rights

To exercise any of the rights listed above, the user may contact ATAYA APP by one of the following means:

  • By email at: contact@ataya.app (response within 3 business days)
  • Via WhatsApp or by phone at: +221 77 102 56 55
  • Directly in the Application, from the "My Account" section

In order to process the request as quickly as possible and to verify the identity of the requester, ATAYA APP reserves the right to request any identification document to confirm the identity of the person exercising their rights. This information is treated confidentially and is not retained beyond the time necessary for verification.

ATAYA APP undertakes to respond to any request within a maximum of three (3) business days. In case of a particularly complex request or a large volume of simultaneous requests, this period may be extended by one (1) additional day, the user being informed in advance with the reasons for the delay.

10.2 Right of Cancellation and Refund

Users can cancel their bookings under the following deadlines and conditions:

  • Cancellation 48 hours or more before the activity date: 50% refund
  • Cancellation between 48 and 24 hours before the activity date: 25% refund, this amount covering contractual commitments to partner providers
  • Cancellation less than 24 hours before the activity date: no refund

Specific cancellation terms for each partner provider are clearly indicated on the booking page of each activity. In case of contradiction between these terms and this Policy, the specific conditions of the provider prevail for the cancellation part.

10.3 Account Deletion and Unsubscription

Any user may at any time unsubscribe from the Application and request the permanent deletion of their account. This request results in:

  • The permanent and irreversible deletion of all the user's personal data, subject to data that must be retained to comply with legal, tax, or accounting obligations
  • Technical anonymization of data that cannot be deleted for legal or technical reasons
  • Immediate and permanent loss of access to all services offered by the Application

Please read carefully: Unsubscription and account deletion must be performed BEFORE uninstalling the Application. In case of prior uninstallation without account deletion, the user's personal data will continue to be retained until the expiration of the periods provided for in Article 8 of this Policy. ATAYA APP cannot be held responsible for the maintenance of data resulting from uninstallation without prior account deletion.

11. COOKIES AND TRACKING TECHNOLOGIES

The ATAYA APP Application may use tracking technologies, including session identifiers and mobile advertising identifiers, to ensure the proper functioning of services, analyze Application usage, and, with the user's consent, offer personalized content and advertising.

The tracking technologies used fall into three categories:

  • Essential session identifiers: strictly necessary for the functioning of the Application (authentication, session maintenance). They do not require user consent.
  • Analytics technologies: allow measuring audience, analyzing browsing behavior, and improving the Application. They are only activated with user consent.
  • Advertising technologies: allow personalization of content and advertising. They are only activated with explicit user consent.

The user may at any time manage their preferences regarding tracking technologies from the Application's privacy settings or from their mobile device settings. Withdrawal of consent does not affect the lawfulness of processing carried out previously.

12. DATA PROTECTION OFFICER CONTACT

For any question relating to this Privacy Policy, the exercise of your rights, or the protection of your personal data, you may contact the Data Protection Officer (DPO) of ATAYA APP SASU by the following means:

  • Email: contact@ataya.app
  • WhatsApp / Phone: +221 77 102 56 55
  • Application: "My Account" section

If, after contacting ATAYA APP, you believe that your rights have not been respected, you have the right to lodge a complaint with the Senegal Personal Data Protection Commission (CDP), the competent supervisory authority:

  • Supervisory authority: Personal Data Protection Commission (CDP) Senegal
  • Address: 7, rue Abdou Karim Bourgi, BP 15 716 Dakar, Senegal
  • Website: www.cdp.sn
  • Phone: +221 33 849 38 90

13. MODIFICATIONS TO THE PRIVACY POLICY

ATAYA APP reserves the right to modify this Privacy Policy at any time, in particular to adapt it to legal, regulatory, case law, or technical developments. In case of substantial modification affecting users' rights, ATAYA APP undertakes to inform users via notification integrated into the Application or by email, at least thirty (30) days before the entry into force of the new provisions.

The applicable version is the one in force at the time of use of the Application. Continued use of the Application after notification of modifications constitutes acceptance of the new Policy.

This Privacy Policy was written in French. In case of translation into another language, the French version prevails in case of contradiction or ambiguity.

Last updated: March 24, 2026
