Cookie Policy

Responsible: MuseumMate, S.L.U. (“TWOP”) — C/ Arlabán, 7 – 8th floor, 28014 Madrid, Spain · CIF: ESB88168299
Contact (privacy): legal@twop.app

Scope: twop.app website and subdomains.

Last update: 1st September 2025

• What are cookies and similar technologies?
  “Cookies” are files that the browser stores on your device. We also use similar technologies such as local/session storage, tags or pixels, and device signals. We do not use fingerprinting techniques for advertising purposes.

• Purposes and legal basis
  – Technical/strictly necessary (without consent): basic functioning of the website, login, security (CSRF), load balancing, essential session preferences.
  – Preferences/personalisation (consent): remembering language, theme, and other non-essential options.
  – Analytics/measurement (consent): measuring usage and performance (e.g., Google Analytics 4).
  – Advertising and remarketing (consent): displaying and measuring ads (e.g., Google Ad Manager / Google Ads) and limiting frequency.
  – Embedded content (consent): third-party players (e.g., YouTube) and equivalent services.

• How we manage your consent (CMP and Consent Mode v2)
  We use a consent management platform (CMP) compliant with IAB TCF 2.2 and Google Consent Mode v2.
  
  

Upon entering, you will see a banner with “Accept all”, “Reject” or “Configure”. Consent is granular by purposes and partners (providers). You can change or withdraw your choice at any time from the footer link “Cookie Preferences”.

In the EU/EEA, if you reject or do not choose, we keep analytics turned off and serve non-personalised ads (NPA).

The Consent Mode v2 adjusts the ad_storage, analytics_storage, functionality_storage, security_storage, personalization_storage, ad_user_data and ad_personalization signals according to your choice.

• Browser settings and revocation
  
  

You can delete or block cookies from your browser (Chrome, Safari, Firefox, Edge). If you block the techniques, the website may not function properly. To change your choice at any time, use the “Cookie Preferences” link in the footer or contact us at legal@twop.app.

• Who places cookies?
  
  

– First-party: issued by twop.app for functioning and preferences.
– Third-party: placed by providers like Google (GA4/Ads/YouTube) or Cloudflare when you consent to the corresponding purposes.

• International transfers
  
  

Some providers use global infrastructures. When there are transfers outside the EEA, we apply Standard Contractual Clauses or other appropriate safeguards.

• Retention periods
  
  

– Session: deleted upon closing the browser.
– Persistent: last for the time indicated below or until you delete/revoke them.
– Consent preferences: retained to test your choice (12–24 months, depending on the CMP).

• Cookie and technology table

8.1. Technical/strictly necessary (do not require consent)
• twop_session — Provider: TWOP — Purpose: maintain the authenticated user session — Type: first-party cookie — Duration: session.
• twop_csrf — Provider: TWOP — Purpose: CSRF protection and form security — Type: first-party cookie — Duration: session.
• consent_preferences — Provider: TWOP/CMP — Purpose: save your consent state — Type: first-party cookie or local storage — Duration: 12–24 months.
• __cf_bm (if Cloudflare is used) — Provider: Cloudflare — Purpose: bot mitigation and performance — Type: third-party cookie — Duration: ~30 minutes.

8.2. Preferences/personalisation (requires consent)
• locale / lang — Provider: TWOP — Purpose: remember language — Type: first-party cookie/storage — Duration: 6–12 months.
• theme — Provider: TWOP — Purpose: remember theme (light/dark) — Type: first-party cookie/storage — Duration: 6–12 months.

8.3. Analytics/measurement (requires consent)
• _ga — Provider: Google Analytics 4 — Purpose: anonymous visit identifier — Type: first-party cookie — Duration: 2 years.
• _ga_XXXX — Provider: Google Analytics 4 — Purpose: maintain GA4 state/session — Type: first-party cookie — Duration: 2 years.
• _gid — Provider: Google Analytics 4 — Purpose: differentiate users within 24 hours — Type: first-party cookie — Duration: 24 hours.
• __gtm_flags (if Google Tag Manager is used) — Provider: Google Tag Manager — Purpose: tag loading control — Type: first-party storage — Duration: variable.

8.4. Advertising/remarketing (requires consent; otherwise, NPA)
• _gcl_au — Provider: Google Ads / Ad Manager — Purpose: conversion linker (measurement) — Type: first-party cookie — Duration: 3 months.
• _gcl_aw / _gcl_dc — Provider: Google Ads — Purpose: conversion attribution — Type: first-party cookie — Duration: ~90 days.
• IDE / ANID (if resources from DoubleClick are loaded) — Provider: Google — Purpose: advertising/measurement — Type: third-party cookie — Duration: ≈13 months.

8.5. Embedded content (requires consent)
• VISITOR_INFO1_LIVE — Provider: YouTube — Purpose: player preferences — Type: third-party cookie — Duration: 6–12 months.
• YSC — Provider: YouTube — Purpose: video statistics — Type: third-party cookie — Duration: session.
• PREF — Provider: YouTube — Purpose: playback settings — Type: third-party cookie — Duration: ~6 months.
Note: we recommend using the domain youtube-nocookie.com (advanced privacy mode) and loading the player only after “Marketing” consent.

• Minors
  The website is not directed at under 16s. In the EU, we do not show personalised advertising to minors under 18; if applicable, we serve non-personalised ads (NPA).

• Changes to the policy
  We may update this Policy due to legal or technical changes. We will publish the date of the last update and, if there are substantial changes, we will show a reasonable notice.

• Contact
  For inquiries or to exercise rights, write to legal@twop.app (subject: “Cookies”).

To change your choice at any time, use the “Cookie Preferences” link located in the footer.