YouCan Pay is the payment arm of YouCan SARL, a Moroccan e-commerce platform. It accepts local cards (CMI, Maroc Telecommerce), international cards and mobile wallets, and is typically integrated either as a hosted checkout redirect or through a JavaScript card form. Because YouCan SARL is headquartered in Casablanca, every European merchant using the gateway transfers cardholder and order data to Morocco, a third country without an EU adequacy decision, so Standard Contractual Clauses and a Transfer Impact Assessment are required.
YouCan Pay is the payment gateway built by YouCan SARL, the Moroccan all-in-one e-commerce platform similar in spirit to Shopify but tuned for the MENA market. It accepts CMI cards, international Visa and Mastercard, Maroc Telecommerce mobile wallets and cash on delivery. European merchants integrate it either as a hosted checkout redirect or as a tokenised JavaScript form that posts to the YouCan Pay API.
During checkout YouCan Pay sets four cookies on its own pay.youcan.shop or checkout.youcanpay.com domain: ycp_session (session, current checkout), ycp_csrf (session, anti-CSRF), ycp_locale (6 months, language) and ycp_device (1 year, fraud scoring). The 3D Secure redirect to the issuing bank may set additional bank-specific cookies on the bank's domain.
The payment itself rests on Article 6(1)(b) GDPR (contract performance) and Article 6(1)(c) for the PSD2 strong customer authentication obligation. The ycp_device fraud cookie is treated as strictly necessary by YouCan but, when the cookie supports cross-merchant fraud scoring shared across YouCan customers, the merchant should document it under legitimate interest with a balancing test. ePrivacy Article 5(3) is satisfied because the cookies are essential to deliver the payment service the customer explicitly requested.
Morocco is a third country without an EU adequacy decision. The Moroccan data protection law (Loi 09-08) is supervised by the Commission Nationale de Controle de la Protection des Donnees a Caractere Personnel (CNDP) and has been in force since 2009. Transfers from European merchants rely on Standard Contractual Clauses attached to the YouCan Pay agreement, supplemented by a Transfer Impact Assessment that documents Loi 09-08 protections and Moroccan law enforcement access powers.
Treat the ycp_ cookies as strictly necessary and load them without consent. Sign the YouCan Pay DPA. Add Morocco and YouCan SARL to your privacy notice with a clear mention of the SCC reliance. Conduct a Transfer Impact Assessment. Keep the optional fraud sharing feature off if you want to minimise sub-processor exposure. Log no card data on your own servers; rely on the YouCan tokenisation.
Websites using YouCan Pay must obtain user consent under GDPR regulations.
DPIA considerations
YouCan Pay processes cardholder data, IP, device fingerprint and order context to authenticate the payment and to detect fraud. Key DPIA considerations: (1) Morocco does not benefit from an EU adequacy decision, so the transfer relies on SCCs plus a Transfer Impact Assessment that maps Loi 09-08 (Moroccan data protection law) and the powers of the CNDP; (2) PSD2 strong customer authentication is delegated through 3D Secure 2 to the issuing bank, which may set its own cookies on its own domain; (3) the order context (cart amount, items, billing address) is sent to YouCan even when the customer chooses not to create a YouCan account; (4) sub-processors include Visa, Mastercard, CMI Maroc, AWS Cape Town and major Moroccan acquirers; (5) the gateway logs are retained for chargeback defence (typically 13 months under PSD2) and AML obligations (5 years under Moroccan law). A DPIA is recommended for any European merchant with significant volumes.
Sample consent text
When you pay through YouCan Pay (YouCan SARL, Casablanca, Morocco), the data needed to authorise the transaction (card number tokenised by your bank, billing address, transaction amount, IP, device fingerprint) is sent to YouCan servers in Morocco. Morocco is a third country without an EU adequacy decision; we rely on Standard Contractual Clauses and a Transfer Impact Assessment to protect this transfer. No consent is needed for the payment itself, but you can refuse any optional analytics or marketing cookies in our banner.
Third-party domains contacted
youcan.shop
pay.youcan.shop
api.youcan.shop
checkout.youcanpay.com
cmi.co.ma

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ycp_session | Strictly necessary | Session | Identifies the current YouCan Pay checkout session so that the cardholder stays on the same authorisation flow even after a 3D Secure redirect. |
| ycp_csrf | Strictly necessary | Session | Anti-CSRF token that protects the payment authorisation request against cross-site request forgery. |
| ycp_locale | Functional | 6 months | Stores the preferred language for the checkout pages. |
| ycp_device | Functional | 1 year | Persistent device identifier used by the YouCan Pay fraud engine to score subsequent transactions from the same browser. |
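
The inventory in this table can be checked against what a checkout response actually sets. The following is an added example, not code from YouCan Pay or from this page: it audits captured Set-Cookie headers against the documented names and durations. The 183-day and 366-day bounds for "6 months" and "1 year" and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit captured Set-Cookie headers against the cookie table above.
// "6 months" = 183 days, "1 year" = 366 days (assumption); 0 means session cookie.
const DAY = 86400;
const INVENTORY = new Map([
  ["ycp_session", 0], ["ycp_csrf", 0],
  ["ycp_locale", 183 * DAY], ["ycp_device", 366 * DAY],
]);

// Parse one Set-Cookie value into { name, lifetime }, lifetime in seconds from
// `now` (0 = session). Max-Age takes precedence over Expires, as in RFC 6265.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now.getTime()) / 1000);
    }
  }
  const lifetime = maxAge !== null ? maxAge : expires !== null ? expires : 0;
  return { name, lifetime: Math.max(lifetime, 0) };
}

// Return findings; an empty array means the capture matches the inventory.
function auditCookies(headers, now = new Date()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetime } = parseSetCookie(header, now);
    if (!INVENTORY.has(name)) {
      findings.push(`${name}: not in the documented inventory`);
    } else if (INVENTORY.get(name) === 0 && lifetime > 0) {
      findings.push(`${name}: documented as session, persists ${lifetime}s`);
    } else if (lifetime > INVENTORY.get(name)) {
      findings.push(`${name}: ${lifetime}s exceeds documented lifetime`);
    }
  }
  return findings;
}

// Constructed sample capture (not real YouCan Pay traffic).
const SAMPLE = [
  "ycp_session=abc; Path=/; Secure; HttpOnly",
  "ycp_csrf=def; Path=/; Max-Age=3600",
  "ycp_device=ghi; Path=/; Max-Age=63072000",
  "ycp_track=jkl; Path=/; Max-Age=600",
];
```

A finding means the privacy notice or the classification needs revisiting: a cookie that outlives its documented duration, or one missing from the inventory, is not covered by the strictly necessary reasoning above.
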
YouCan Pay uses cookies for user preferences — inform visitors with a consent banner.
Four cookies on YouCan domains: ycp_session and ycp_csrf (strictly necessary, session), ycp_locale (functional, 6 months) and ycp_device (functional, 1 year, fraud scoring).
No, they are strictly necessary to deliver the payment the customer requested. The ePrivacy Article 5(3) exemption applies. Consent is only required for optional analytics or marketing cookies your merchant site adds alongside the checkout.
Contract performance (Article 6(1)(b) GDPR), PSD2 obligation (Article 6(1)(c)) for strong customer authentication and legitimate interest (Article 6(1)(f)) for fraud prevention.
Yes: to Morocco. Morocco has no EU adequacy decision. The transfer relies on Standard Contractual Clauses attached to the YouCan Pay agreement and on a Transfer Impact Assessment that maps Loi 09-08 (Moroccan data protection law).
Recommended for European merchants with significant transaction volumes or sensitive product categories. Document the SCC reliance and TIA in the DPIA regardless of volume.
Prefer the hosted checkout redirect to keep PCI DSS scope minimal. Sign the YouCan Pay DPA. Add Morocco and YouCan SARL to your privacy notice. Complete the TIA. Never log raw card numbers; use the YouCan tokenisation.
Yes: Stripe, Adyen, Mollie (Netherlands), Worldline (France), or local European acquirers. For Moroccan customers specifically, CMI directly or via Maroc Telecommerce remains the canonical option.
List the four YouCan cookies (domain, duration, purpose). Add YouCan SARL as a recipient with Morocco as the destination country. Mention the SCC and the EU-Morocco transfer chain in the wider privacy notice.