Privacy policy for TwikPMS

This privacy notice explains how Webonweb B.V (the corporation behind TwikPMS), process personal data in as per the General Data Protection Regulation (GDPR) and other relevant data protection and privacy laws applicable.

Our commitment to data protection and privacy

We deeply value the privacy and security of our users' information. Our dedication to safeguarding personal data is unwavering, driven by a commitment to uphold the highest standards of data protection. We are fully compliant with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), ensuring that your personal information is handled with the utmost care and respect.

We employ advanced security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Our team continuously monitors and updates our security practices to address emerging threats and vulnerabilities. Moreover, we believe in transparency and are committed to keeping you fully informed about how your data is used, shared, and protected.

Your trust is fundamental to our mission. We pledge to maintain the confidentiality of your personal information and to use it solely for the purposes outlined in our Privacy Policy.

Your data protection rights

  • The Right to Access - You have the right to request copies of your personal data from us.
  • The Right to Rectification - You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The Right to Erasure - You have the right to request that we erase your personal data, under certain conditions.
  • The Right to Restrict Processing - You have the right to request that we restrict the processing of your personal data, under certain circumstances.
  • The Right to Object to Processing - You have the right to object to our processing of your personal data, under certain conditions.
  • The Right to Data Portability - You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

We are committed to ensuring that your rights are respected and facilitated without undue delay.

How we obtain your personal data

We usually handle personal data related to potential or current clients, visitors to our website, and those we engage with for vendor and partnership collaborations.

We may process personal data when you:

  • Contact/communicate with us online (email, video calls, chat, social media, etc.) or on the phone
  • Use our services/software (TwikPMS)
  • Deliver products/services to or enter into a collaboration with us

Providing personal data is optional, but without it, we're unable to offer our services to you.

We do not engage in renting, purchasing, or selling personal data to or from third parties, nor do we employ automated decision-making or profiling with your personal data. Additionally, we do not process any sensitive data categories as outlined in GDPR Article 9.

Purpose, legal grounds, and retention durations

We process your personal data with clear purposes in mind, grounded on legitimate legal bases, and only for as long as necessary. Here’s how these elements are defined:

  • Purpose - We collect and use your data to fulfill our commitments to you, enhance our services, and comply with legal obligations. This includes using your information for account management, customer support, and service improvement.
  • Lawful Basis - Our processing activities are supported by a solid legal foundation, such as contractual necessity, compliance with legal obligations, your explicit consent, or our legitimate interests in conducting and developing our business.
  • Retention Periods - We retain your personal information only for as long as it is required for the purposes it was collected. This duration varies depending on the nature of the information and our legal or operational needs. Once it is no longer necessary to keep your data, we ensure it is securely deleted or anonymized.

We will hold onto your data strictly for the period mandated by relevant legal requirements, including those related to accounting, tax, labor laws, or any other applicable regulations.

Details on the processing of personal data

This section highlights the specific instances and methods through which we handle your personal data, including our purposes for processing, the legal basis for such actions, and the duration for which we retain your data.

Communicating with us

Regardless of your status (potential or existing customer, vendor, or other), we process your personal data whenever you get in touch with us via email, phone calls, text messages, or social media. The types of data processed might include your name, contact information, IP address, and any additional details you provide. To manage this data, especially for potential and existing customers, we utilize a customer support system.

The goal is to effectively address your queries and, in certain instances, maintain records for handling complaints or legal claims. Our legal ground for this processing is based on our legitimate interest in responding to your inquiries and potentially keeping records for handling complaints or legal claims.

Survey participation

We occasionally send surveys to collect feedback, entirely voluntary. Personal data processed includes your name, contact details, and other voluntary information. Anonymous surveys do not involve personal data processing.

The goal is to improve our products and services, with consent as the legal basis. Data from surveys is assessed during GDPR audits and deleted as appropriate, but no later than two years post-response.

Vendors and partnerships

Entering an agreement with us as a vendor, partner, or data processor involves processing personal data like your name, contact details, and correspondence to manage our relationship.

Legal bases include contract execution, legal obligations related to business operations, and legitimate interests in effective communication. We retain this data for the duration of our business relationship and up to 6 years afterward for legal purposes.

Website usage

Your IP address and user agent are processed when using our website. Post-DDoS attack, we maintain partial access logs for security with tracking specific page views.

The purposes are to safeguard against cyberattacks and optimize our website, based on legitimate interests in business protection and efficiency.

Whom we share your personal data with

To ensure the smooth operation and security of our services, it's sometimes necessary for us to share your personal information with trusted third parties, including:

  • Data Processors - These are service providers who process personal information on our behalf, encompassing a range of operations essential to our business.
  • Our Accountant - To manage financial records and comply with fiscal regulations.
  • Professional Advisors - Experts in legal, financial, and other sectors who provide us with guidance.
  • IT Support - External support services may access certain data to resolve technical issues as needed.
  • Public Authorities - We may be legally required to disclose information to government entities.

We insist that all such parties adhere to stringent data protection standards, aligning with the safeguards detailed in this Privacy Notice. Our approach includes rigorous vetting of vendors and data processors, and we establish formal data processing agreements/addendums to ensure compliance and protection of your data.

Our data processors are engaged for specific tasks, such as:

  • Email, Calendar, and Digital Meeting Tools
  • Accounting/Bookkeeping Services
  • Website Management and Online Payment Processing
  • Transactional Email Communications with Customers
  • Customer Support Ticketing System

Transfer of personal data outside the EU/EEA

In the operation of our business at, there may be occasions when it is necessary to transfer your personal data to countries outside the European Union (EU) and the European Economic Area (EEA). Such transfers are conducted with the utmost care and in accordance with legal requirements to ensure your data remains protected.

We conduct risk assessments for every data processor we use in our business. In addition, where your personal data is transferred outside the EU/EEA, we conduct an additional risk assessment. We review, in particular, the data processor's technical and organizational security measures, reputation and safeguards for international transfers of personal data.

Our approach to international data transfers is designed to maintain the integrity and security of your personal data, aligning with our overall commitment to privacy and data protection.

Should you have any further concerns or questions, please don't hesitate to reach out to us.

Information security

We prioritize information security on par with privacy, committing ourselves to protect your personal data with the utmost diligence. To this end, we employ robust security measures, including the use of strong passwords, data encryption, two-factor authentication, and various other protocols to safeguard our data. These measures are designed to prevent unauthorized access, alteration, deletion, or any form of compromise to the data we hold, including your personal details.

Access to your personal data is strictly limited, permitted only under our direct instructions and solely for necessary reasons, such as essential IT support scenarios.

Moreover, we have established a comprehensive IT security policy outlining our technical and organizational safeguards, along with procedures for managing data breaches. In the event of a personal data breach that results in a risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, and if this risk is medium to high for those impacted, we commit to notifying the relevant national data authority within 72 hours. Should there be a high risk to the individuals affected, we aim to inform them directly, whenever feasible, to ensure transparency and responsibility in our data handling practices.

Understanding our data processor role

As you use twikPMS at your property, we act as a data processor for the guest information that stays at your property. In this scenario, you hold the position of data controller, while we process the data under your direction. We fulfill the obligations outlined in GDPR Article 28, ensuring:

  • We process data solely based on your directives and for the purposes you specify.
  • We implement robust technical and organizational measures to safeguard the data processed on your behalf.
  • Our team is obligated to maintain the confidentiality of your data.
  • Our processing activities are governed by a contract, specifically a data processing addendum (DPA), which will be made publicly available shortly.

Additionally, we may utilize other (sub)processors without your consent but will keep you informed of any potential changes regarding these (sub)processors, allowing you the opportunity to object to such changes if they do not align with your preferences.

For a comprehensive understanding of the data flow when using twikPMS on your site, we invite you to review the detailed Data Journey which will be made publicly available shortly.

Contacting us

Should you have any inquiries about this Privacy Policy or wish to access your information, please reach out to us through the following means:

We're here to assist with any questions or concerns you may have.

This privacy policy was last updated: 31 March 2024