Privacy Policy
Data Controller: MuseumMate, S.L.U. (“TWOP”, “we”)
Address: C/ Arlabán, 7 – 8th floor, 28014 Madrid, Spain
Tax ID: ESB88168299 · Privacy Contact: legal@twop.app
Scope: website twop.app, mobile app TWOP (iOS/Android) and associated services.
Last updated: 1st September 2025
This Policy explains how we handle your data when you browse, create an account, use the app, leave tips, purchase products/services or book experiences, and how to exercise your rights.
1) What data do we process
1.1 Data you provide to us
Account: name, alias/username, email, password (hash), profile picture (if you upload it), country/language.
Payments/tips/purchases: amount, currency, method (processor token), payment status, chargebacks; we do not store full card numbers.
Experience bookings: name and contact of the purchaser, date/time, participants, logistical preferences.
Support: messages, attachments, surveys.
Commercial communications: your consent and preferences.
1.2 Data generated automatically
Technical: IP, device/browser identifiers, operating system, time zone, language, errors/crash logs.
Usage: pages/screens viewed, clicks, searches, time in app, fraud tracking.
Advertising/measurement: IDFA/GAID (if you accept), IAB TCF 2.2 consent string, conversion events.
1.3 Third-party data
Payment processors (Apple/Google/others): tokens, statuses, and reconciliation (never the PAN).
Analytics/fraud prevention providers: security events and metrics.
Social login (if you use it): provider identifier, name and verified email.
We do not request special categories (health, religion…). If during an experience you provide sensitive data (e.g., allergies), we will only process it with your explicit consent, ensuring minimisation and deletion once the purpose has been fulfilled.
2) Why we use your data and legal basis (art. 6 GDPR)
Purpose | Legal basis
Create and manage your account; provide the service (content loading, viewing, profile tracking, wallet) | Contract
Tips, purchases and bookings; billing, reconciliation, fraud and chargebacks | Contract / Legal obligation / Legitimate interest (fraud prevention)
Customer service and support | Contract / Legitimate interest
Personalise basic content and improve security/stability (aggregated technical analytics) | Legitimate interest (balanced and with opt-out when applicable)
Advanced advertising and analytics, campaign measurement and remarketing | Consent (CMP/IAB TCF 2.2, Consent Mode v2)
Sending commercial communications (email/push) | Consent (and opt-out in each communication)
Compliance with legal obligations and requests from authorities | Legal obligation
Defending rights, preventing abuse and exercising actions | Legitimate interest
You can withdraw your consent at any time from the privacy/cookies settings or by contacting legal@twop.app.
3) Cookies and similar technologies
We use cookies and equivalent technologies to remember preferences, maintain the session, measure the audience, and, if you accept, personalise advertising. We manage consent with a CMP compliant with IAB TCF 2.2 and Consent Mode v2.
See the Cookie Policy for details (types, durations, how to set them). On iOS we comply with ATT; on Android we handle AAID.
4) Who we share your data with (processors and third parties)
Payment processors: Apple/Google (in-app purchases) and/or web gateways; we only receive tokens/statuses.
Hosting and cloud: infrastructure providers, CDN and databases.
Analytics, crash reporting and fraud prevention: tools for metrics, stability and security.
Email/push/SMS: sending transactional communications and, if you accept, commercial ones.
Customer service: helpdesk/chat.
Providers/Merchants and Experience Organisers: receive the essentials to provide what you purchase or book (e.g., name, contact and reservation details).
Authorities and courts: when there is a legal obligation or it is necessary for defending rights.
All our providers operate under a data processing agreement (art. 28 GDPR). We can provide an up-to-date list of providers upon request to legal@twop.app.
5) International transfers
If a provider is located outside the EEA/United Kingdom, we ensure adequate guarantees:
Adequacy decision of the European Commission (if one exists), and/or
Standard Contractual Clauses (SCCs) and, where applicable, UK IDTA/Addendum, with impact assessment of the transfer.
For more information, contact us at legal@twop.app.
6) Minors
TWOP is not directed at those under 16 years old. If we detect that a minor under 16 has created an account without valid authorisation, we will delete the account and associated data promptly.
7) Data retention (criteria and periods)
Account and profile: while it is active; after termination, block for up to 24 months for claims and security; strictly necessary data may be retained longer if there is a legal basis.
Transactions and accounting: during the relationship and 6–10 years (fiscal/accounting).
Security logs: 12–24 months.
Customer support: 24 months from case closure (unless there are active incidents).
Marketing: until you withdraw your consent or opt-out; we retain proof of consent and opt-out in accordance with the law.
Sensitive data provided for experiences: only during the management of the experience and immediate deletion afterwards, unless there is a legal obligation.
Data that is anonymised/aggregated may be retained indefinitely (without reasonable possibility of re-identification).
8) Security
We apply appropriate technical and organisational measures (encryption in transit and, where appropriate, at rest; access controls; logs; backups; minimisation; security testing). However, no system is 100% infallible; we recommend keeping your devices updated and enabling 2FA if available.
9) Automated decisions and profiling
We may profile to (i) recommend content, (ii) detect fraud and (iii) measure/optimise advertising if you consent. We do not make decisions with legal or similar effects that are exclusively automated. You can object to profiling based on legitimate interest and withdraw consent for consent-based profiling (settings/CMP or legal@twop.app).
10) Your rights (GDPR)
You have the right to access, rectification, erasure, limitation, objection, portability and to withdraw your consent at any time. You can also object to processing based on legitimate interest when there are reasons related to your particular situation.
How to exercise them: write to us at legal@twop.app from the email associated with your account, or use the privacy settings.
Verification: we may request additional information to verify your identity.
Deadline: we respond within a maximum of 1 month (extendable to 2 in complex cases).
Supervisory authority: you can lodge a complaint with the AEPD (www.aepd.es) or your local data protection authority.
11) Commercial communications and push notifications
We only send marketing if you have given consent (or if there is applicable legal basis). You can unsubscribe at any time (link in the email, app or system settings for push). Transactional notifications (e.g., receipts, security alerts) may be sent even if you do not accept marketing.
12) Relationship with Apple/Google and other third parties
For in-app purchases, part of the payment information is processed by Apple or Google as joint or independent controllers, according to their policies. TWOP only receives the information necessary to reconcile the transaction. Please also review the terms/policies of these third parties.
13) Changes to this Policy
We may update this Policy for legal, technical or operational reasons. We will notify you by pop-up and/or email when the change is material. If you do not agree, you may close your account; continuing to use it once the new version is accepted implies your acceptance.
14) Contact
MuseumMate, S.L.U. (TWOP) · C/ Arlabán, 7 – 8th floor, 28014 Madrid, Spain
Privacy email: legal@twop.app
Additional transparency notes (quick summary)
Control your cookies/consents from the banner and the CMP.
We do not sell your data; we share it with processors necessary to operate the service.
You can download and delete your account from settings or by writing to us.
If we detect abuse or fraud, we may block accounts and share evidence with authorities.


