Skip to content
Navigation
Home About Surf Camp Surf Spots Packages Reviews Blog Contact Us
Switch language: EN DE FR
Book Now

Privacy Policy

Effective Date: April 28, 2026

Nomad Surf Camp ("we," "our," or "us") respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and Moroccan Law 09-08.

By using nomad.surf or booking with us, you agree to the practices described below. If you do not agree, please do not use the site.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

  • Nomad Surf Camp
  • Hay Tissaliouine, Tamraght, Agadir 80020, Morocco
  • Email: contact@nomad.surf
  • Phone: +212 528 315 902

2. Information We Collect

We collect personal data only when you choose to provide it (e.g. booking a stay, contacting us, signing up for our newsletter), and limited technical data automatically when you visit the site.

  • Identity & contact data: name, email address, phone number, country of residence.
  • Booking data: arrival/departure dates, package selected, dietary requirements, surf level, emergency contact, and any notes you provide.
  • Payment data: processed directly by PayPal — we never see or store your full card number. We retain a transaction reference for accounting.
  • Communications: the content of emails, WhatsApp messages or contact-form submissions you send us.
  • Technical data: IP address, approximate city/country (via IP geolocation), browser type, device type, pages visited, referrer URL, and timestamps.
  • Cookie & analytics data: see Section 7 for the full list.

3. Why We Use It (Purposes & Legal Bases)

Under GDPR Art. 6, every use of your data has a defined legal basis:

Purpose Legal basis
Manage your booking, take payment, prepare your arrivalContract (Art. 6(1)(b))
Reply to your enquiries, contact form, WhatsApp messagesContract / legitimate interest (Art. 6(1)(b)/(f))
Send you a confirmation, reminder, or arrival instructionsContract (Art. 6(1)(b))
Send marketing emails, promotions, newslettersConsent (Art. 6(1)(a)) — opt-in only
Site analytics & session recordings (Microsoft Clarity, Google Analytics)Consent (Art. 6(1)(a))
Advertising performance & remarketing (Google Ads)Consent (Art. 6(1)(a))
Security, fraud prevention, server logsLegitimate interest (Art. 6(1)(f))
Comply with tax, accounting, and legal obligationsLegal obligation (Art. 6(1)(c))

4. Who We Share It With

We never sell or rent your personal data. We share it only with the following categories of recipients, and only to the extent necessary:

  • Payment processor: PayPal (Europe) S.à r.l. et Cie, S.C.A. — for processing payments.
  • Email delivery: our SMTP / mail provider — for transactional emails (booking confirmations, etc.).
  • Analytics & advertising (only with your consent): Microsoft Clarity (Microsoft Corporation), Google Analytics & Google Tag Manager (Google Ireland Ltd.), Google Ads (Google Ireland Ltd.).
  • Hosting & infrastructure: our website host, who stores the database where bookings and analytics logs are kept.
  • Legal authorities: when required by Moroccan or applicable foreign law.

Each provider acts under a written Data Processing Agreement and is bound to use your data only for the purposes we instruct.

5. International Transfers

Our servers are located in Morocco. Some processors (Google, Microsoft, PayPal) may transfer data to the United States or other countries. These transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework, ensuring an adequate level of protection.

6. How Long We Keep It

  • Booking records & invoices: 10 years (Moroccan accounting law).
  • Customer-support emails: 3 years from last contact.
  • Marketing list (newsletter): until you unsubscribe, plus 30 days for processing.
  • Analytics logs (our own database): 24 months, then anonymised.
  • Server / security logs: 12 months.
  • Cookies: see Section 7 for individual retention periods.

7. Cookies & Similar Technologies

We use cookies and similar technologies (localStorage, sessionStorage) for the purposes described below. You can accept, reject, or customise non-essential cookies at any time using our cookie banner or by clicking .

7.1 Strictly necessary (always on)

Name Provider Purpose Retention
PHPSESSIDnomad.surfMaintains your session (login, basket, CSRF protection)Session
nomad_cookie_consent_v2 (localStorage)nomad.surfRemembers your cookie preferences6 months
csrf_token (server session)nomad.surfPrevents Cross-Site Request Forgery on formsSession

7.2 Analytics (only with your consent)

Name Provider Purpose Retention
_clck, _clsk, CLID, ANONCHK, MUIDMicrosoft ClaritySession recording, heatmaps, anonymous user behaviour analysisUp to 1 year
_ga, _ga_*, _gid, _gatGoogle Analytics 4Aggregated traffic statistics, visitor counts, page popularityUp to 2 years

7.3 Marketing (only with your consent)

Name Provider Purpose Retention
_gcl_au, _gcl_aw, _gac_*Google AdsConversion tracking, attribution, campaign measurementUp to 90 days
NID, IDE, DSIDGoogle (DoubleClick)Remarketing & ad personalisationUp to 13 months

We use Google Consent Mode v2 — until you grant marketing consent, Google's tags do not set advertising cookies and only receive aggregated, cookieless signals.

8. Your Rights Under GDPR

If you are in the EU, EEA, UK, or Switzerland, you have the following rights regarding your personal data:

  • Access (Art. 15) — request a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to our legal retention duties.
  • Restriction (Art. 18) — limit how we process your data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint (Art. 77) — with your local supervisory authority (e.g. CNIL in France, ICO in the UK, BfDI in Germany), or with the Moroccan Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP).

To exercise any of these rights, email contact@nomad.surf. We will respond within 30 days. We may ask you to confirm your identity before acting on the request.

9. Data Security

We use HTTPS for all traffic, hashed passwords, parameterised database queries, server-side input validation, a Content Security Policy, and access controls on our admin panel. Despite these measures, no internet transmission is 100% secure; we cannot guarantee absolute security but commit to notifying affected users and the relevant authority within 72 hours of any breach affecting personal data, as required by GDPR Art. 33–34.

10. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal obligations. The "Effective Date" at the top will indicate the latest revision. For material changes affecting your rights, we will notify you by email or by a prominent notice on the website.

13. Contact Us

For any privacy question, request, or complaint:

contact@nomad.surf

Nomad Surf Camp · Hay Tissaliouine, Tamraght, Agadir 80020, Morocco