Privacy policy

HRC Consulting (publisher of CHR Solution) respects user privacy and processes personal data in compliance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) for residents of the European Union, and with Moroccan Law no. 09-08 for individuals based in Morocco.

1. Identity of the data controller

The data controller for personal data collected via the website chrsolution.fr, the web applications (chrsolution.app, stock.chrsolution.app, purchase.chrsolution.app) and the mobile applications (CHR POS, CHR Stock, CHR Pocket) is:

HRC Consulting — SARL AU with share capital of MAD 10,000
Marrakech Trade Register 109389 · ICE 002634498000012
Registered office: Appartement n° 10, n° 7, Rue de la Liberté, Gueliz, 40000 Marrakech, Morocco
Contact: privacy@chrsolution.fr

2. EU / EEA representative (Art. 27 GDPR)

HRC Consulting being established outside the EU, it has designated a representative within the Union pursuant to Article 27 of the GDPR. If you reside in the EU and have questions about your personal data, you may contact our GDPR representative:

EU Representative — Euverify Ltd (Ireland)
Unit 3D North Point House
North Point Business Park
New Mallow Road, Cork
T23 AT2P, Ireland
Email: gdpr@euverify.com

To submit a data subject access request (DSAR), a deletion request, or any other GDPR request, use our secure portal:

https://gdpr.euverify.com/verify/caa2e205-820e-412d-99a3-7b313858e74c

This link lets you verify our designated representative and submit your GDPR requests directly. Requests submitted via this portal are logged and tracked to ensure a response within the required timeframe.

3. Personal data we collect

Depending on your interaction with our services, the following categories of data may be processed:

• Identification data: first and last name, business name, postal address, professional email, phone number.
• Account data: login identifier, hashed password (bcrypt), POS access PIN, user role.
• Business data (generated by your use of the service): receipts, sales transactions, fiscal archives (Z reports), inventory counts, supplier orders, invoices, recipes, product photos you may upload.
• Technical data: IP address, device identifier, browser type, access logs, session duration, synchronisation events.
• Communication data: content of emails exchanged with support, messages submitted via the contact form.

4. Purposes of processing

Your data is collected and processed for the following purposes:

• Service delivery: account creation and management, fulfilment of subscription contracts, access to software modules.
• Archive retention: storage of POS data in line with applicable accounting and tax obligations, traceability of operations.
• Security: fraud prevention, access logging, cryptographic signature of events (ECDSA P-256 chain).
• Customer support: response to requests via email or help centre.
• Service improvement: aggregated and anonymised analysis of usage to identify improvement opportunities.
• Contractual communication: service notifications, invoices, technical alerts (no commercial prospecting without consent).

5. Legal basis (GDPR)

• Performance of the contract (Art. 6(1)(b)): for service delivery, billing and support.
• Legal obligation (Art. 6(1)(c)): for tax record retention (in particular 6 years for French POS archives) and possible disclosure to competent authorities.
• Legitimate interest (Art. 6(1)(f)): for service security, fraud prevention and product improvement.
• Consent (Art. 6(1)(a)): for any optional promotional communication or non-essential cookies (explicitly collected where applicable).

6. Recipients and processors

Your data may be shared with:

• HRC Consulting's internal team (support, technical, accounting), bound by confidentiality obligations.
• Technical processors:
  • OVH SAS (France, EU) — web hosting, database, email
  • Mindee (France, EU) — supplier invoice OCR, when this option is activated
  • Anthropic PBC (United States) — AI assistance for text/image processing (e.g. allergen extraction), when this option is activated, under Standard Contractual Clauses
  • Transactional email and SMS providers, depending on configuration
• Administrative or judicial authorities, upon legal request.

No personal data is sold or rented to third parties for commercial purposes.

7. Data transfers outside the European Union

HRC Consulting, the publisher, is established in Morocco; data processed at the registered office may transit through or be accessed from Morocco. The primary hosting of the service remains located in France (OVH, Roubaix), within the European Union.

Where a processor located outside the EU is involved (e.g. Anthropic in the United States), HRC Consulting ensures the existence of appropriate safeguards within the meaning of Articles 44 et seq. of the GDPR: Standard Contractual Clauses issued by the European Commission, or an adequacy decision where one exists (e.g. the EU-US Data Privacy Framework).

8. Retention periods

• Active account data: throughout the contract, plus 12 months after termination.
• Business data (receipts, Z reports, inventories): 6 years from the close of the corresponding fiscal year, in accordance with applicable accounting and tax obligations.
• Technical logs: 12 months.
• Commercial prospecting data: 3 years from the last effective contact.
• Data strictly necessary for accounting and legal obligations: 10 years for accounting documents.
• At the end of these periods, data is anonymised or deleted.

9. Your rights

In accordance with the GDPR (EU residents) and Moroccan Law 09-08 (Morocco residents), you have the following rights:

• Right of access: obtain confirmation that your data is being processed and receive a copy.
• Right of rectification: have inaccurate or incomplete data corrected.
• Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
• Right to restriction: temporarily suspend processing.
• Right to object: object to processing based on legitimate interest or to direct marketing.
• Right to portability: retrieve your data in a structured, machine-readable format.
• Right to set post-mortem instructions regarding your data (French residents).
• Right to withdraw your consent at any time, where processing is based on it.

10. How to exercise your rights

Any request can be addressed to: privacy@chrsolution.fr, specifying your identity and the nature of your request. A response will be provided within one month of receipt of the request, in accordance with Article 12 of the GDPR. This period may be extended by two months for particularly complex requests, with prior notice.

To verify your identity, we may request supporting documents. Exercising your rights is free of charge, except for manifestly unfounded or excessive requests.

11. Complaints

If, after contacting us, you consider that your rights are not respected, you may lodge a complaint with the competent authority:

• EU / France residents: Commission Nationale de l'Informatique et des Libertés (CNIL) — 3 place de Fontenoy, 75007 Paris, France.
• Morocco residents: Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) — Rabat, Morocco.

12. Cookies and trackers

The chrsolution.fr website does not use any advertising cookies or audience trackers. Only cookies strictly necessary for the proper functioning of the site (language preference, session persistence) may be deposited. These cookies do not require your prior consent under CNIL and CNDP recommendations.

The professional applications (POS, stock, purchasing) use local storage (localStorage, IndexedDB) strictly necessary for their offline operation. No information is shared with third parties for profiling purposes.

13. Mobile application privacy

The mobile applications published by HRC Consulting (CHR POS, CHR Stock, CHR Pocket) may request the following technical permissions on your smartphone or tablet, depending on usage:

• Camera: scanning of barcodes and QR codes for inventory or supplier reception.
• Storage: local offline cache, attachments (invoices).
• Bluetooth: pairing of compatible receipt printers or cash drawers.
• Notifications: service alerts (inventory completion, delivery received, updates).
• Network: synchronisation with the backend and offline state detection.

No location data is collected. No advertising is embedded. No third-party tracking SDK is included. Permissions are requested at the time of first use and can be revoked at any time in the operating system settings.

14. Security

HRC Consulting implements appropriate technical and organisational measures to protect your data: TLS 1.3 encryption for communications, bcrypt password hashing, ECDSA P-256 cryptographic signing for the fiscal event chain, regular backups, per-tenant database isolation (multi-tenant), role-based access control. Security incidents affecting your data would be notified to you without undue delay, in accordance with Article 33 of the GDPR.

15. Changes

This policy may evolve. Any substantial change will be notified to you by email or via a banner on the affected services, with reasonable advance notice. The date of the last update is indicated below.

Last updated: 23 May 2026.