Partners' Privacy Policy

TWOP Business – Ads

Who we are

MuseumMate, S.L.U. (“TWOP”, “we”) is the data controller of the personal data processed through twop.app/business/ads and related advertising tools and interfaces (the “Ads Partner Services

Address: C/ Arlabán, 7 – 8th floor, 28014 Madrid, Spain · VAT number: ESB88168299
Contact for privacy matters (and single point of DSA contact in the EU): legal@twop.app

Scope

This policy explains how we process personal data of professional contacts and representatives of advertisers, agencies, and partners that interact with the Ads Partner Services: account creation and management, campaign setup and delivery, invoicing, measurement, brand safety, and regulatory compliance.

This is not the end-user policy
If you use the TWOP app or site as a consumer user, please consult our Consumer Privacy Policy.

1) Categories of data we process

• Professional account and contact data: name, work email, phone, position, company, business address, account identifiers, roles/permissions.

• Verification and compliance: tax/VAT data, billing address, corporate documentation; when required by law or fraud prevention, identity verification data (e.g., copy/document number), limited to what is strictly necessary.

• Commercial and campaign data: advertiser/agency ID, campaign names, budgets, bids and pacing, targeting, creative metadata, insertion orders, billing history, invoices, and payment status.

• Delivery and measurement signals: ad requests, impressions, visibility, clicks, post-click/post-view events, frequency capping, brand safety signals, invalid traffic indicators, aggregated conversions.

• Technical and device data (from our sites/tools and ad delivery): IP, user-agent, device type, OS/browser, language/time zone, referrer/UTM, logs, errors and crashes, authentication/session tokens.

• Cookies/SDK/IDs: cookies or other technologies for authentication, fraud detection, analytics, and—where consent is given—ad measurement and personalisation. In iOS we only access the IDFA after ATT permission; in Android, personalisation respects the AAID and the user's choice.

• Communications and support: tickets, emails, chats, creativity approvals/feedback, compliance communications.

Special categories: we do not intentionally process special categories for these services.

2) Data sources

• Directly from you (forms, contracts, uploads, support).

• Automatically from your device/browser when using the Ads Partner Services.

• From your company/agency or authorised users of your account.

• From delivery/measurement partners (see “Recipients”) in aggregate or pseudonymised form.

3) Purposes and legal bases (GDPR)

Purpose

Legal basis

Create and manage professional accounts, access and roles; provide the Ads Partner Services

Contract execution (art. 6.1.b)

Invoicing, issuing invoices, taxes, and credit control

Legal obligation (6.1.c) and Contract

Brand safety, fraud/invalid traffic prevention, security, and response to abuse

Legitimate interests (6.1.f)

Ad delivery and measurement (incl. frequency capping, viewability, reporting)

Legitimate interests and—when necessary—Consent (cookies/IDs)

Product analytics and service improvement

Legitimate interests (you can object)

Service communications (issues, policy changes)

Legitimate interests

B2B marketing to existing contacts

Legitimate interests with opt-out; where required by local law, Consent

Legal compliance, attention to authorities, and defense of claims

Legal obligation and Legitimate interests

Web consent management

At twop.app we use a CMP compliant with IAB TCF 2.2 and Google Consent Mode v2. Your choices control the storage of analytics/ad-storage and personalisation.

4) Recipients and transfers

We share data when necessary with:

• Measurement, anti-fraud, and brand safety providers, ad exchanges and SSPs used to deliver and measure ads (limited access to campaign/delivery data).

• Cloud/hosting, security, logging, and email acting as processors.

• Payment and billing processors, tax advisors/auditors.

• Counters (advertiser ↔ agency) to operate the account and reconcile billing.

• Authorities when required by law or to defend claims.

We maintain an up-to-date list of processors and adtech partners at twop.app/ad-partners.

5) International transfers

When we transfer data outside the EEA/UK, we will use Standard Contractual Clauses (and the UK Addendum, if applicable) with supplementary measures where necessary. You can request them at legal@twop.app.

6) Retention

• Account and billing records: 6–10 years (tax/accounting).

• Campaign and delivery logs (incl. measurement/anti-fraud): typically 24 months (longer if there are disputes or legal requirements).

• Product analytics and system logs: 12–24 months.

• Support tickets: up to 24 months from closure.

We may retain aggregated/anonymised statistics indefinitely.

7) Your rights (EEA/UK)

You can access, rectify, delete, restrict, object (including product analytics or B2B marketing based on legitimate interest) and port your data. When the basis is consent, you can withdraw it at any time (CMP or direct contact).

Exercising rights: legal@twop.app.

You can also lodge a complaint with the AEPD (Spain) or your local authority.

8) Security

We apply appropriate technical and organisational measures: encryption in transit, access controls, logging/alerts, environment segregation, secure development practices, and due diligence of suppliers. We will notify data breaches when required by law.

9) Roles with advertisers and agencies

In most cases, TWOP acts as a independent controller (e.g., account security, anti-fraud, delivery measurement). When we process certain data sets only according to your instructions (e.g., CRM lists with hashes for matching), we will act as a processor under a Data Processing Agreement (DPA).

10) Changes

We may update this policy. We will notify you of material changes in the Ads Partner Services and/or via email. The current version will always be available at twop.app/business/ads/privacy.

Privacy Policy for Partners — TWOP Business – Experiences

Who we are

MuseumMate, S.L.U. (“TWOP”, “we”) is the data controller of the personal data processed through twop.app/business/experiences and the marketplace tools for providers of experiences/tourist activities (the “Providers”).

Contact: legal@twop.app · Address: C/ Arlabán, 7 – 8th floor, 28014 Madrid, Spain · VAT number: ESB88168299.

Scope

This policy covers the data of providing organisations and their representatives when they publish, manage, and execute experiences in the TWOP marketplace (web interfaces, dashboards, APIs), including onboarding/KYB, managing listings, booking operations, payments, reviews, and support.

1) Categories of data we process

• Provider account and contact: legal name, trade name, registration numbers, NIF/VAT, business address, contact persons, work emails/phones, roles/permissions.

• Onboarding/KYB and compliance: proof of incorporation, licenses/permits, beneficial ownership declarations, tax forms; when required by law or risk, verification of identity of authorised signatories (type/document number, selfie/liveness), limited to what is necessary.

• Listing and operation data: titles/descriptions, media, prices, schedules/availability, meeting points, capacity, days of closure, internal notes.

• Bookings and execution: booking IDs, group size, extras, status changes, cancellations/no-shows, voucher codes, communications with travellers (through TWOP tools).

• Payments and settlements: bank account/IBAN, currency and payment timeline, invoices, credits, chargebacks, and dispute records.

• Quality and safety: incident parts, insurance details (if applicable), moderation flags, traveller complaints (including evidence provided by you or travellers).

• Technical data and logs: IP, user-agent, device type, authentication/session tokens, traces of administrative activity (who changed what/when), errors and crashes.

We do not intend to process special categories unless you voluntarily provide them in incident reports; in such cases, we will minimise and protect their processing.

2) Data sources

• Directly from you during onboarding and in ongoing management.

• Automatically when using dashboards/APIs.

• From travellers (e.g., reviews/complaints) and payment/verification providers (e.g., KYB results, chargeback signals).

3) Purposes and legal bases (GDPR)

Purpose

Legal basis

Onboard Providers, verify identity/authority and assess legal/risk (KYB)

Legal obligation and Legitimate interests (platform integrity)

Publish and manage listings, receive and manage bookings, operational support

Contract execution

Process settlements/payments, invoicing and taxes; manage chargebacks and disputes

Legal obligation and Contract

Quality, safety, anti-fraud and compliance (including moderation, misuse, and, if applicable, sanction screening)

Legitimate interests and Legal obligation

Product analytics for marketplace tools and performance reporting to the Provider

Legitimate interests (you can object)

Communications about service changes, policies, and operational notices

Legitimate interests

Marketing about B2B functionalities to contacts of the Provider

Legitimate interests with opt-out; where applicable, Consent

4) Recipients and transfers

We share data when necessary with:

• Payment providers and acquirers, as well as payout and KYC/KYB vendors.

• Cloud hosting, security, logging, email, and support acting as processors.

• Insurance and risk partners (if applicable) for incident management.

• Other marketplace participants to the necessary extent to execute bookings (e.g., names/details of bookings you need to provide the service).

• Authorities and regulators when required by law (tourism, taxation, security) and for defense of claims.

The current list of sub-processors and key partners is maintained at twop.app/ad-partners (the same page lists Ads and Marketplace).

5) International transfers

When there are transfers outside the EEA/UK, we use Standard Contractual Clauses (and UK Addendum where appropriate) with adequate supplementary measures. Request details from us at legal@twop.app.

6) Retention

• Provider account, contracts, and billing: 6–10 years (tax/accounting).

• Bookings and operational logs: typically 24 months after delivery (longer if there are disputes or legal obligations).

• KYC/KYB records: the period required by applicable law or internal risk policy (typically 2–6 years).

• Support and complaints: up to 24 months after closure.

• Statistics aggregated/anonymised: can be retained indefinitely.

7) Your rights (EEA/UK)

Provider representatives can access, rectify, delete, restrict, object (including analytics/marketing) and port their data; when the basis is consent, they may withdraw it at any time.
Requests: legal@twop.app.

Complaints: AEPD (Spain) or your local authority.

8) Security

We implement appropriate organisational and technical measures (least privilege, encryption in transit, traceability of administrative actions, review of suppliers, incident response). We will notify personal data breaches when required.

9) Roles and independent controllers

• TWOP typically acts as an independent controller in onboarding Providers, marketplace operations, and payments.

• When TWOP processes traveller data to enable your service, TWOP and the Provider act as independent controllers of their respective operations. If any specific integration requires us to process data only according to your instructions, we will sign a DPA that describes the roles.

10) Changes

We may update this policy. We will communicate material changes via the Provider dashboard and/or by email. The current version will be available at twop.app/business/experiences/privacy.