Privacy and Security

Privacy Notice

How we collect, use, and protect personal data when you use the Taplany platform.

Last updated: April 29, 2026

1. Data Controller

The data controller responsible for personal information processed in connection with the Taplany platform (the "Service") is:

Albert Sabaté Martínez @ Taplany
Carrer Gretel Ammann Martinez, 12
08020 Barcelona, Spain
Tax ID (NIF): ES47986151D
Email: hello@taplany.com

Where Taplany acts as a data processor on behalf of a customer organization (a travel agency using the Service to manage its end-traveler data), the customer organization is the data controller and Taplany is the data processor. The terms of that relationship are governed by the Data Processing Agreement (DPA) entered into between Taplany and the customer organization.

2. Scope

This Privacy Notice describes how Taplany collects, uses, discloses, and protects personal information of:

  • Visitors to the marketing website at taplany.com
  • Account holders and authorized users of customer organizations using the Service
  • Individuals who contact us through forms, email, or other channels

For personal data of end travelers managed by customer organizations through the Service, please refer to the privacy notice of the relevant travel agency (the data controller for that data). Taplany processes that data only on documented instructions from the customer organization, in accordance with our DPA.

3. Information We Collect

Information You Provide

  • Account information: name, email address, phone number, role within your organization, employer organization, password (stored in hashed form)
  • Billing information: company name, billing address, tax identification number, payment method details (processed by Stripe; we do not store full card numbers)
  • Communications: the content of your correspondence with us by email, support requests, contact forms, demo requests, and feedback
  • Content you upload: any data, files, images, or text you submit to the Service in the course of operating your travel-agency tenant

Information Collected Automatically

  • Usage data: pages viewed, features used, clicks, session duration, referrer URL
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, language and time zone
  • Log data: server logs, error reports, request identifiers
  • Cookies and similar technologies: see our Cookies Policy

Information from Third Parties

  • Authentication providers: if you sign in via a federated identity provider, we receive basic profile information (name, email, avatar) from that provider
  • Meta WhatsApp Business: if your organization connects a WhatsApp Business account, we receive business and message metadata required to operate the integration
  • Payment processor: Stripe provides us with confirmation of payment status, last four digits of the card, and the country of issuance

4. Legal Basis for Processing

Under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), we process personal information on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): to provide the Service to you or your organization, manage your account, and process payments
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR): to comply with applicable tax, accounting, anti-money-laundering, and consumer-protection laws
  • Legitimate interests (Art. 6(1)(f) GDPR): to operate, secure, and improve the Service; to prevent fraud and abuse; to communicate with you about service-related matters; and to defend our legal rights
  • Consent (Art. 6(1)(a) GDPR): for non-essential cookies, marketing communications, and other optional processing

5. How We Use Your Information

We use personal information to:

  • Provide, operate, and maintain the Service
  • Authenticate users and administer accounts
  • Process subscription payments and issue invoices
  • Send transactional messages (account changes, billing, security alerts, service announcements)
  • Provide customer support and respond to inquiries
  • Monitor performance, debug errors, and improve the Service
  • Detect, prevent, and address fraud, abuse, and security incidents
  • Comply with legal obligations and respond to lawful requests from public authorities
  • Send marketing communications about Taplany features and offerings, where you have consented or where permitted by law (you may opt out at any time)

6. Roles: Controller vs. Processor

We process personal data in two capacities:

  • As controller for: account credentials and profiles of authorized users, billing and tax records, marketing-website analytics, marketing communications, support correspondence, and security logs
  • As processor for: personal data uploaded to the Service by customer organizations about their end customers (e.g. traveler names, contact details, travel preferences, passport details, payment data, communications). Taplany processes such data only on the customer organization's documented instructions, as set out in the DPA. The customer organization is the controller and bears the obligation to provide a privacy notice to its end travelers

7. Sub-Processors and Sharing

We share personal information only with:

  • Sub-processors acting on our behalf, under written agreements that meet GDPR Article 28 requirements. The current list of sub-processors includes:
    • Cloudflare, Inc. (US) — content delivery, edge compute, R2 object storage, DDoS protection
    • Xata.io (US) — managed PostgreSQL database hosting
    • Stripe, Inc. (US/IE) — payment processing
    • Resend, Inc. (US) — transactional email delivery
    • Anthropic PBC (US) — generative AI features (no personal data is used to train Anthropic's models)
    • Sentry (Functional Software, Inc., US) — error monitoring
    • Mixpanel, Inc. (US) — product analytics
    • Google Ireland Limited (IE) — Google Analytics for the marketing website
    • Meta Platforms Ireland Limited (IE) — WhatsApp Business API and Meta Pixel
  • Professional advisers (lawyers, accountants, auditors) under confidentiality obligations
  • Public authorities when required by law, court order, or to defend legal claims
  • Successors in interest in the event of a merger, acquisition, or sale of assets, subject to equivalent data-protection commitments

We do not sell, rent, or trade personal information.

8. International Transfers

Some of our sub-processors are established in countries outside the European Economic Area (EEA), primarily the United States. When personal data is transferred outside the EEA, we rely on the appropriate safeguards under Chapter V of the GDPR, including:

  • European Commission adequacy decisions (e.g. EU–US Data Privacy Framework where applicable)
  • EU Standard Contractual Clauses (Decision (EU) 2021/914)
  • Supplementary technical and organizational measures where required by the Schrems II ruling

A copy of the relevant transfer mechanism is available on request.

9. Data Retention

We retain personal information only for as long as necessary for the purposes described in this notice, and in any case for no longer than:

  • Account data: for the duration of the subscription and for up to 12 months after account closure, unless a longer period is required by law
  • Billing and tax records: 6 years, in accordance with Spanish General Tax Law (Ley 58/2003) and the Commercial Code (Real Decreto de 22 de agosto de 1885)
  • Support and contact correspondence: up to 3 years from the last interaction
  • Marketing-website analytics: as configured in the relevant tool, typically 14 to 26 months
  • Security logs: up to 12 months

When personal data is no longer needed, we delete or irreversibly anonymize it.

10. Your Rights Under GDPR

You have the following rights regarding your personal information:

  • Right of access (Art. 15): to obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16): to have inaccurate or incomplete data corrected
  • Right to erasure (Art. 17): to request deletion, subject to legal-retention obligations
  • Right to restriction of processing (Art. 18): in the circumstances set out in the GDPR
  • Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21): to processing based on legitimate interests, and at any time to processing for direct marketing
  • Right to withdraw consent (Art. 7(3)): at any time, without affecting the lawfulness of processing carried out before withdrawal
  • Right not to be subject to solely automated decisions (Art. 22): Taplany does not make decisions producing legal or similarly significant effects on you based solely on automated processing

To exercise any of these rights, email hello@taplany.com from the address registered with your account, with the subject line "Data Subject Request". We will respond within one month, with one extension of up to two further months for complex requests, in accordance with Art. 12(3) GDPR. If you are an end traveler whose data is held by a customer organization, please address your request to that organization (the controller); we will assist the controller as required by the DPA.

11. Security

We implement appropriate technical and organizational measures to protect personal data, in accordance with Art. 32 GDPR, including:

  • TLS encryption in transit and AES encryption at rest
  • Row-level security (RLS) and tenant isolation in the database layer
  • Role-based access control with the principle of least privilege
  • Audit logging and security monitoring
  • Regular dependency, vulnerability, and access reviews
  • Incident-response procedures and a 72-hour breach-notification policy in line with Art. 33 GDPR

12. Cookies and Similar Technologies

The Service and the marketing website use cookies and similar technologies. See our Cookies Policy for details on the cookies we use, their purpose, duration, and how to manage your preferences.

13. Children's Privacy

The Service is a business-to-business product intended for use by professional travel agencies and their authorized personnel. It is not directed at children under the age of 16, and we do not knowingly collect personal data of children. If we become aware that we have collected such data without verifiable parental consent, we will delete it promptly.

14. Complaints

If you believe that the processing of your personal data infringes the GDPR or Spanish data-protection law, you have the right to lodge a complaint with the Spanish Data Protection Agency:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es

You may also lodge a complaint with the supervisory authority of your country of residence within the EEA.

15. Changes to This Notice

We may update this Privacy Notice to reflect changes in our practices, in technology, or in legal or regulatory requirements. The "Last updated" date at the top of this page indicates when the most recent changes took effect. Material changes will be communicated by email or through the Service.

16. Contact

For any question about this Privacy Notice or about the processing of your personal data, please contact us at:

Albert Sabaté Martínez @ Taplany
Carrer Gretel Ammann Martinez, 12
08020 Barcelona, Spain
Email: hello@taplany.com