Data Processing
Date of last modification: November 2025
This Data Processing Agreement sets out the conditions under which TuriTop, S.L. shall process personal data on behalf of the Client, in compliance with Regulation (EU) 2016/679 General Data Protection Regulation.
Its electronic acceptance shall be fully legally valid pursuant to Spanish Law 34/2002 on Information Society Services and Electronic Commerce.
This document is complementary to the TuriTop General Terms and Conditions, and the specific terms of each service plan. Its provisions shall apply in full from the moment of contracting, as well as in connection with the use of TuriTop services.
I. PARTIES
On one hand, the provider of the goods or services contracted by the user is TuriTop, S.L., with registered address at Avenida del Atlántico, 9, Residencial Winter Gardens, Block 3, Offices, 38639 San Miguel de Abona, Santa Cruz de Tenerife, Spain, Tax ID B-76534759, and contact email: help@turitop.com. Hereinafter, the DATA PROCESSOR.
On the other hand, the CLIENT contracting TuriTop services, whether the user creates the account themselves, or it is created by a third party with capacity to accept TuriTop’s contractual contents on their behalf. The user who owns the account is responsible for the accuracy of the personal data provided to TuriTop, for full representative authority over their entity, and for communicating the contents specified here to the entity’s managers. The DATA CONTROLLER is the entity bound by data protection law regarding the processing of end customer data.
II. PURPOSE AND SCOPE OF THE SERVICES PROVIDED BY TURITOP
The DATA PROCESSOR is a tech company engaged in the development and commercialization of software-as-a-service (SaaS) solutions for businesses. These tools facilitate booking management, online payment reception, resale portal integration, website builder, and a wide range of functionalities intended to automate tasks and improve the services offered to end clients.
The DATA PROCESSOR shall provide services in accordance with the terms corresponding to the service plan contracted by the DATA CONTROLLER, including services related to the creation or enablement of Booking Systems for visits and activities, Channel Manager, integration with other online tools, among others.
In delivering said services, the DATA PROCESSOR shall process personal data for which the DATA CONTROLLER shall, for all legal purposes, be considered the data controller.
In compliance with Regulation (EU) 2016/679 General Data Protection Regulation, as well as Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, the parties intend to establish their respective obligations and responsibilities for personal data processing according to this agreement.
III. DESCRIPTION OF THE PROCESSING
The DATA PROCESSOR will process the data at its own facilities using its own IT system.
Tasks associated with the contracted service include collection of data, recording, organization, and modification of data; retention, retrieval, consultation, communication by transmission, matching, destruction, or return of data upon completion of the assigned task and expiration of applicable retention periods, as well as any periods during which the DATA PROCESSOR may be held responsible.
Data may also be restricted or erased at the request of a data subject, and may be disclosed in accordance with the instructions of the controller.
IV. IDENTIFICATION OF THE PROCESSED INFORMATION
To fulfill the duties arising from the object of this agreement, the DATA CONTROLLER authorizes the DATA PROCESSOR to process the following categories of personal data. Some data subjects may be processed indirectly or generically.
- The categories of data subjects whose data may be processed as part of the services that motivate this contract include:
  - Personnel and human resources
  - Suppliers and partners
  - Contact persons
  - Legal representatives
  - Clients
  - Visitors
  - Users
  - Applicants
- Furthermore, the DATA PROCESSOR may process the following types of data, notwithstanding that many of these are ancillary and not processed directly, but stored with other information belonging to the data subject:
  - Identification data
  - Personal characteristics
  - Social circumstances or professional qualifications
  - Academic and professional background
  - Employment details
  - Commercial information
  - Economic, financial, and insurance data
  - Transactions related to goods and services
V. TERM OF THE AGREEMENT
This agreement shall take full effect from the time of contracting on the platform and shall terminate upon the expiration of the Client’s contracted term or upon the Client’s cancellation of their subscription.
Cancellation of the service requires an express action by the client, from which point the period for data retention, support, and download of client information shall commence.
VI. RETURN OF DATA UPON TERMINATION OF THE AGREEMENT
Prior to termination of the contract, the DATA PROCESSOR shall allow the DATA CONTROLLER to download the data in a standard and interoperable format. Personal data processed by the DATA PROCESSOR shall not be transferred or disclosed to third parties, not even for storage purposes, without express consent from the DATA CONTROLLER.
At service termination, the DATA PROCESSOR will keep data blocked, and will delete it within a maximum period of 2 years.
TuriTop may retain data when a legal provision requires retention, in which case it must be returned to the controller, who will guarantee retention while such obligation persists.
VII. OBLIGATIONS OF THE DATA PROCESSOR
The DATA PROCESSOR and all personnel under its control undertake to:
- Use the personal data subject to processing, or data collected for inclusion, only for the purpose of this assignment. Under no circumstances shall the DATA PROCESSOR use the data for its own or different purposes.
- Process data according to the DATA CONTROLLER’s documented instructions.
- Not carry out international data transfers without prior authorization from the DATA CONTROLLER.
- Keep a written record of all categories of processing activities carried out on behalf of the DATA CONTROLLER, as required by Art. 30.2 of Regulation (EU) 2016/679.
- Not disclose data to third parties, except with the express authorization of the DATA CONTROLLER, and in legally admissible cases.
- Maintain the obligation of confidentiality regarding personal data processed under this agreement, even after its termination.
- Ensure that persons authorized to process personal data commit, expressly and in writing, to confidentiality and to apply the necessary security measures. The DATA PROCESSOR must inform them of the security measures to be applied. The DATA PROCESSOR will keep documentation evidencing compliance available to the DATA CONTROLLER.
- Ensure necessary data protection training for persons authorized to process personal data.
- When data subjects exercise rights of access, rectification, erasure, opposition, restriction of processing, or portability with the DATA PROCESSOR, the DATA PROCESSOR must inform the DATA CONTROLLER at the email address the DATA CONTROLLER indicates.
- Notify the DATA CONTROLLER of data security breaches. The DATA PROCESSOR shall notify the DATA CONTROLLER without undue delay and at the email address indicated by the DATA CONTROLLER.
- Assist the DATA CONTROLLER in notifying security breaches to DATA PROTECTION AUTHORITIES and DATA SUBJECTS: considering the nature of the processing and the information available to the DATA PROCESSOR, it will assist as set out in Art. 33 GDPR.
- By the nature of the service, the DATA PROCESSOR is not obliged to provide information on processing to the data subjects included in reports created by mandate of the DATA CONTROLLER.
- Make all information necessary to demonstrate compliance with its obligations available to the DATA CONTROLLER as well as for audits or inspections by the DATA CONTROLLER or another authorized auditor.
- Implement necessary technical and organizational security measures to ensure confidentiality, integrity, availability, and resilience of processing systems and services.
- Periodic verification, evaluation, and assessment of security measures.
The DATA PROCESSOR shall implement a periodic procedure to enable verification, evaluation, and assessment of the effectiveness of technical and organizational measures in processing systems, workplaces, and users under its control.
This procedure will lead to implementation of additional mechanisms as necessary under the GDPR.
VIII. OBLIGATIONS OF THE DATA CONTROLLER
- Where applicable, the DATA CONTROLLER must carry out the Data Protection Impact Assessment (DPIA) of processing operations performed by the DATA PROCESSOR. The DATA PROCESSOR has its own impact assessments which apply solely to its own activities and is not responsible for any non-compliance by the client.
- The DATA CONTROLLER must fulfill the principles of data protection law regarding the personal data processed on the platform.
- Provide the DATA PROCESSOR with the data needed to provide the service.
- Make any required prior consultations to the Data Protection Authorities.
- Monitor GDPR compliance by the DATA PROCESSOR before and throughout processing.
- Oversee the processing, including conducting inspections and audits, and providing clear instructions for processing, tailored to reality, especially considering state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons.
IX. SUBCONTRACTING AND ENGAGEMENT OF SUBPROCESSORS
The DATA PROCESSOR is authorized to subcontract, subject to prior authorization from the DATA CONTROLLER, all or part of the services covered by this Agreement, which may involve the processing of personal data.
Should the need to subcontract arise, this shall be previously communicated to the DATA CONTROLLER, identifying the subcontracted processing and clearly identifying the subcontractor and its contact details. Subcontracting may proceed if the DATA CONTROLLER does not object within the specified period.
The DATA PROCESSOR shall ensure that the sub-processor is bound by the same conditions (instructions, obligations, security measures) and formal requirements as itself. In the event of a breach by the sub-processor, the original DATA PROCESSOR shall remain fully responsible to the DATA CONTROLLER for compliance with this Agreement.
Express subcontracting authorizations in this contract
The DATA CONTROLLER authorizes the DATA PROCESSOR to subcontract any direct or indirect processing of personal data carried out by auxiliary service providers such as IT maintenance, consulting, auditing, software management and maintenance, required for the normal operation of its business.
In such cases, the third party, i.e., the sub-processor, is likewise considered a data processor.
The initial DATA PROCESSOR must regulate the new relationship so that the new processor is bound by the same conditions (instructions, obligations, security measures) and the same formal requirements as itself regarding appropriate data processing and guaranteeing affected persons’ rights. In the event of a breach by the sub-processor, the initial PROCESSOR remains fully responsible to the DATA CONTROLLER for fulfillment.
Subcontracting authorizations shall be included as an annex to this contract.
X. BREACH OR NON-COMPLIANCE
The parties undertake to fulfill their obligations and ensure proper execution of the present agreement. In particular, should the DATA PROCESSOR determine the purposes or means of processing in violation of the GDPR, it shall be considered a DATA CONTROLLER for such processing.
XI. LIABILITY
The parties acknowledge that they shall maintain strict confidentiality and duty of professional secrecy regarding any data obtained in connection with this agreement, both during the provision of services and after its termination.
The DATA PROCESSOR, during and after the term of this agreement, shall treat all information owned by the DATA CONTROLLER as strictly confidential, taking all necessary measures to prevent its disclosure to, or access by, third parties without express authorization from the CONTROLLER.
XII. CONFIDENTIALITY
The parties acknowledge that they shall maintain strict confidentiality and duty of professional secrecy regarding any data obtained in connection with this agreement, both during the provision of services and after its termination.
The DATA PROCESSOR, during and after the term of this agreement, shall treat all information owned by the DATA CONTROLLER as strictly confidential, taking all necessary measures to prevent its disclosure to, or access by, third parties without express authorization from the CONTROLLER.
XIII. INFORMATION ON DATA PROTECTION FOR SIGNATORIES AND CONTACT PERSONS
The personal data of the parties involved in contracting, whether they are individuals or representatives of a legal entity, shall be processed by the other party for the purpose of executing this agreement and on that basis as the legal ground for processing.
For individuals whose data is collected during provision of the services, the data shall be processed for proper performance of the contract, in accordance with the legitimate interests of the parties under Article 19 Spanish LOPD 3/2018.
Data shall be retained in accordance with the periods established by applicable fiscal, tax and commercial legislation.
Both parties are hereby informed of the possibility of exercising their rights of access, rectification, erasure, and, where applicable, portability and restriction of processing. For these rights, they may request forms from the other party or download them from www.aepd.es. If not satisfied with the response, they may file a complaint with the Spanish Data Protection authority www.aepd.es.
XIV. AUTONOMY OF THE PARTIES
Each Party expressly declares that the relationship does not constitute employment, partnership, or any other similar relationship, and that each contractor is independent and autonomous from the other, assuming responsibility for their respective activities, management, commitments, and obligations, and exercising full discretion in decision-making, scheduling, and functions. Furthermore, Parties acknowledge that the DATA PROCESSOR or its personnel shall not be considered agents or employees of the DATA CONTROLLER.
XV. NULLITY OR VOIDABILITY OF THIS AGREEMENT
If any provision of this data processing agreement is found to be invalid or voidable, it shall be deemed severed, without affecting the validity or enforceability of the remaining provisions, which shall remain binding upon the Parties.
XVI. ELECTRONIC ACCEPTANCE AND VALIDITY
Acceptance of this Agreement through registration or contracting in the TuriTop online platform shall be fully legally valid under current applicable law. The DATA CONTROLLER acknowledges having read, understood, and accepted all terms of this agreement by ticking the acceptance box and/or completing the contracting process.
