Privacy Policy

This privacy notice explains how Webonweb B.V (the corporation behind TwikPMS) processes personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection and privacy laws.

For Business Customers

If you are a hotel or property using TwikPMS, please also review our Data Processing Agreement which outlines our role as Data Processor for your guest data.

1. Definitions

To ensure clarity throughout this Privacy Policy, we use the following definitions consistent with GDPR terminology:

  • Personal Data - Any information relating to an identified or identifiable natural person (a "Data Subject"). This includes names, email addresses, identification numbers, location data, and other identifiers.
  • Data Subject - The individual whose Personal Data is being processed. This may be you as a website visitor, client contact, or end-user of our services.
  • Data Controller - The entity that determines the purposes and means of processing Personal Data. In most contexts, our clients (hotels/properties) are the Data Controllers for their guests' data.
  • Data Processor - The entity that processes Personal Data on behalf of the Data Controller. TwikPMS acts as a Data Processor when handling guest data for our hotel clients.
  • Processing - Any operation performed on Personal Data, including collection, recording, organization, storage, use, disclosure, or deletion.

2. Our Commitment to Data Protection

We deeply value the privacy and security of our users' information. Our dedication to safeguarding personal data is unwavering, driven by a commitment to uphold the highest standards of data protection. We are fully compliant with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), ensuring that your personal information is handled with the utmost care and respect.

We employ advanced security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Our team continuously monitors and updates our security practices to address emerging threats and vulnerabilities. Moreover, we believe in transparency and are committed to keeping you fully informed about how your data is used, shared, and protected.

Your trust is fundamental to our mission. We pledge to maintain the confidentiality of your personal information and to use it solely for the purposes outlined in our Privacy Policy.

3. Your Data Protection Rights

  • The Right to Access - You have the right to request copies of your personal data from us.
  • The Right to Rectification - You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The Right to Erasure - You have the right to request that we erase your personal data, under certain conditions.
  • The Right to Restrict Processing - You have the right to request that we restrict the processing of your personal data, under certain circumstances.
  • The Right to Object to Processing - You have the right to object to our processing of your personal data, under certain conditions.
  • The Right to Data Portability - You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

We are committed to ensuring that your rights are respected and facilitated without undue delay.

4. How We Obtain Your Personal Data

We usually handle personal data related to potential or current clients, visitors to our website, and those we engage with for vendor and partnership collaborations.

We may process personal data when you:

  • Contact/communicate with us online (email, video calls, chat, social media, etc.) or on the phone
  • Use our services/software (TwikPMS)
  • Deliver products/services to or enter into a collaboration with us

Providing personal data is optional, but without it, we're unable to offer our services to you.

We do not engage in renting, purchasing, or selling personal data to or from third parties, nor do we employ automated decision-making or profiling with your personal data.

5. Special Categories of Data (Article 9 GDPR)

In the course of providing our hotel management services, we process certain Special Categories of Personal Data as defined under Article 9 of the GDPR. This processing is essential for delivering our services effectively and ensuring guest comfort and safety.

The Special Categories of Data we process include:

  • Dietary Requirements - We process information about food allergies, dietary restrictions, and preferences which may reveal religious beliefs or philosophical convictions. This data is processed based on your explicit consent (Article 9(2)(a)) and is necessary for providing appropriate food services.
  • Health-Related Accessibility Information - We process data concerning disabilities, mobility requirements, and other health-related accessibility needs to ensure appropriate room assignments and facility access. This processing is based on your explicit consent (Article 9(2)(a)) and is necessary for service delivery.
  • Biometric Data for Identity Verification - We process photographs of identity documents (passports, driver's licenses) and selfie images for identity verification during check-in. Where required by national law, ID document storage falls under legal obligation (Article 9(2)(b)). Biometric processing for verification is based on your explicit consent (Article 9(2)(a)).

We apply enhanced security measures to protect these Special Categories of Data, including encryption, strict access controls, and automated deletion protocols. These data are retained only for the duration necessary to fulfill the purposes outlined above and in compliance with applicable legal retention requirements.

6. Purpose, Legal Grounds, and Retention

We process your personal data with clear purposes in mind, grounded on legitimate legal bases, and only for as long as necessary. Here's how these elements are defined:

  • Purpose - We collect and use your data to fulfill our commitments to you, enhance our services, and comply with legal obligations. This includes using your information for account management, customer support, and service improvement.
  • Lawful Basis - Our processing activities are supported by a solid legal foundation, such as contractual necessity, compliance with legal obligations, your explicit consent, or our legitimate interests in conducting and developing our business.
  • Retention Periods - We retain your personal information only for as long as it is required for the purposes it was collected. This duration varies depending on the nature of the information and our legal or operational needs. Once it is no longer necessary to keep your data, we ensure it is securely deleted or anonymized.

We will hold onto your data strictly for the period mandated by relevant legal requirements, including those related to accounting, tax, labor laws, or any other applicable regulations.

7. Details on the Processing of Personal Data

This section highlights the specific instances and methods through which we handle your personal data, including our purposes for processing, the legal basis for such actions, and the duration for which we retain your data.

Revenue Management Module

Our Revenue Management system analyzes pricing patterns, occupancy data, and market positioning to help hotels optimize their revenue strategies. The data processed includes aggregated booking information, rate structures, occupancy statistics, and market trends. Where possible, this data is pseudonymized to protect individual guest privacy.

The purpose is to provide hotels with actionable insights for pricing decisions and competitive positioning. The legal basis for this processing is our legitimate interest in delivering business analytics services that enhance our clients' operational efficiency.

We retain this analytical data for 5 years to enable long-term trend analysis, seasonal pattern recognition, and financial planning support.

Communicating with Us

Regardless of your status (potential or existing customer, vendor, or other), we process your personal data whenever you get in touch with us via email, phone calls, text messages, or social media. The types of data processed might include your name, contact information, IP address, and any additional details you provide. To manage this data, especially for potential and existing customers, we utilize a customer support system.

The goal is to effectively address your queries and, in certain instances, maintain records for handling complaints or legal claims. Our legal ground for this processing is based on our legitimate interest in responding to your inquiries and potentially keeping records for handling complaints or legal claims.

Survey Participation

We occasionally send surveys to collect feedback; participation is entirely voluntary. Personal data processed includes your name, contact details, and other voluntary information. Anonymous surveys do not involve personal data processing.

The goal is to improve our products and services, with consent as the legal basis. Data from surveys is assessed during GDPR audits and deleted as appropriate, but no later than two years post-response.

Vendors and Partnerships

Entering an agreement with us as a vendor, partner, or data processor involves processing personal data like your name, contact details, and correspondence to manage our relationship.

Legal bases include contract execution, legal obligations related to business operations, and legitimate interests in effective communication. We retain this data for the duration of our business relationship and up to 6 years afterward for legal purposes.

Website Usage

Your IP address and user agent are processed when you use our website. Following a DDoS attack, we maintain partial access logs for security, including tracking of specific page views.

The purposes are to safeguard against cyberattacks and optimize our website, based on legitimate interests in business protection and efficiency.

8. Whom We Share Your Personal Data With

To ensure the smooth operation and security of our services, it's sometimes necessary for us to share your personal information with trusted third parties, including:

  • Data Processors - These are service providers who process personal information on our behalf, encompassing a range of operations essential to our business.
  • Our Accountant - To manage financial records and comply with fiscal regulations.
  • Professional Advisors - Experts in legal, financial, and other sectors who provide us with guidance.
  • IT Support - External support services may access certain data to resolve technical issues as needed.
  • Public Authorities - We may be legally required to disclose information to government entities.

We insist that all such parties adhere to stringent data protection standards, aligning with the safeguards detailed in this Privacy Notice. Our approach includes rigorous vetting of vendors and data processors, and we establish formal data processing agreements/addendums to ensure compliance and protection of your data.

Our Sub-processors

Below is a complete list of third-party sub-processors we engage to provide our services:

| Entity name | Subprocessing activity | Entity country |
|---|---|---|
| Google Cloud | Cloud Service Provider | United States |
| Cloudflare | Content Delivery Network | United States |
| Postmarkapp | Email | United States |
| Crisp chat | Support requests | France |
| Stripe | Payment processing | United States |
| Asperion | Accounting | Netherlands |
| Posthog | Event analytics | United States |

Last updated: 11 August 2025

9. International Data Transfers

In the operation of our business at TwikPMS.com, there may be occasions when it is necessary to transfer your personal data to countries outside the European Union (EU) and the European Economic Area (EEA). Such transfers are conducted with the utmost care and in accordance with legal requirements to ensure your data remains protected.

We conduct risk assessments for every data processor we use in our business. In addition, where your personal data is transferred outside the EU/EEA, we conduct an additional risk assessment. We review, in particular, the data processor's technical and organizational security measures, reputation and safeguards for international transfers of personal data.

Our approach to international data transfers is designed to maintain the integrity and security of your personal data, aligning with our overall commitment to privacy and data protection.

Should you have any further concerns or questions, please don't hesitate to reach out to us.

10. Information Security

We prioritize information security on par with privacy, committing ourselves to protect your personal data with the utmost diligence. To this end, we employ robust security measures, including the use of strong passwords, data encryption, two-factor authentication, and various other protocols to safeguard our data. These measures are designed to prevent unauthorized access, alteration, deletion, or any form of compromise to the data we hold, including your personal details.

Access to your personal data is strictly limited, permitted only under our direct instructions and solely for necessary reasons, such as essential IT support scenarios.

Moreover, we have established a comprehensive IT security policy outlining our technical and organizational safeguards, along with procedures for managing data breaches. In the event of a personal data breach that results in a risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, and if this risk is medium to high for those impacted, we commit to notifying the relevant national data authority within 72 hours. Should there be a high risk to the individuals affected, we aim to inform them directly, whenever feasible, to ensure transparency and responsibility in our data handling practices.

11. Understanding Our Data Processor Role

When you use TwikPMS at your property, we act as a Data Processor for the information of guests who stay at your property. In this scenario, you hold the position of Data Controller, while we process the data under your direction. We fulfill the obligations outlined in GDPR Article 28, ensuring:

  • We process data solely based on your directives and for the purposes you specify.
  • We implement robust technical and organizational measures to safeguard the data processed on your behalf.
  • Our team is obligated to maintain the confidentiality of your data.
  • Our processing activities are governed by a contract, specifically our Data Processing Agreement (DPA).

Additionally, we may utilize sub-processors to deliver our services. We will keep you informed of any changes regarding these sub-processors with at least 14 days' advance notice, allowing you the opportunity to object to such changes if they do not align with your preferences. You can view our current list of sub-processors here.

For comprehensive details about our data processing practices, cooperation models, security measures, and your rights as a Data Controller, please review our complete Data Processing Agreement.

Contact Information

Should you have any inquiries about this Privacy Policy or wish to access your information, please reach out to us:

Changes to this Privacy Policy

TwikPMS may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of any material changes via email or through a prominent notice on our website at least 30 days before the changes take effect. Continued use of the services after changes become effective constitutes acceptance of the updated Privacy Policy.

This page was last updated: 21 December 2024