Legal

The data controller responsible for processing your personal data is:

This Privacy Policy explains:

• What personal data we collect about you;
• Why and on what legal basis we process it;
• How long we retain it;
• With whom we share it;
• Your rights under the GDPR and how to exercise them;
• How to contact us or file a complaint.

This Policy applies to all visitors, users, and customers of amsluxurytours.com, including those who make bookings, create accounts, or contact us through any channel.

This Policy should be read alongside our Terms and Conditions and Cookie Policy, both available on our Website.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

"Data Subject" means the identified or identifiable natural person to whom personal data relates — in this context, the visitor or customer.

"Data Controller" means the entity that determines the purposes and means of processing personal data — in this case, We Are Amsterdam B.V.

"Data Processor" means a third party that processes personal data on behalf of the Data Controller, under a written data processing agreement.

"Consent" means a freely given, specific, informed, and unambiguous indication of the Data Subject's agreement to the processing of their personal data, as defined in Article 4(11) GDPR.

"Legitimate Interest" means a legal basis for processing under Article 6(1)(f) GDPR, applicable where processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where overridden by the interests or rights of the Data Subject.

We collect personal data in the following categories:

4.1 Data You Provide Directly

• Full name;
• Email address;
• Phone number (optional, where provided);
• Billing address (where required for invoicing);
• Payment information (processed securely by our payment provider — we do not store full card details);
• Nationality or country of residence (where required by the Supplier);
• Number of persons in the booking group, including ages where relevant (e.g. child tickets);
• Correspondence and communications you send to us (e.g. via email or contact form);
• Any special requirements or accessibility needs you voluntarily disclose.

4.2 Data We Collect Automatically

• IP address;
• Browser type and version;
• Operating system;
• Device type (desktop, mobile, tablet);
• Referring URL (the page you visited before arriving on our Website);
• Pages visited and time spent on each page;
• Date and time of visit;
• Booking behaviour and interaction data (clicks, searches, filters used);
• Cookie identifiers (see our Cookie Policy for details).

4.3 Data We Receive from Third Parties

• Payment status and transaction identifiers from payment processors (e.g. Stripe, Mollie, PayPal);
• Analytics data from Google Analytics and similar services;
• Advertising performance data from Google Ads and Meta Ads platforms, in aggregated and pseudonymised form;
• Data necessary to fulfil your booking received from Suppliers (e.g. booking reference numbers).

We process your personal data only where a valid legal basis under Article 6 GDPR exists:

5.1 Where processing is based on Consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal. Withdrawal can be made via the cookie preference centre on the Website or by emailing privacy@amsluxurytours.com.

5.2 Where processing is based on Legitimate Interest, we have conducted a balancing test and concluded that our interests do not override the fundamental rights and freedoms of Data Subjects. You have the right to object to such processing at any time (see Section 11).

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.

We do not sell your personal data to third parties. We share personal data only in the following circumstances:

7.1 Suppliers and Venue Operators

We share booking-relevant data (name, booking reference, number of visitors) with the relevant museum, attraction, or tour operator to enable your entry or participation. Such Suppliers act as independent data controllers for their own processing.

7.2 Payment Processors

Your payment data is transmitted to our PCI DSS-compliant payment processing partners (such as Stripe, Mollie, or PayPal). These processors act as data processors under a written agreement and process data solely for payment fulfilment and fraud prevention.

7.3 IT Service Providers and Hosting

Our Website and systems are hosted on third-party infrastructure. These providers process data on our behalf under data processing agreements (Article 28 GDPR) and are not permitted to use data for their own purposes.

7.4 Analytics and Advertising Platforms

We use Google Analytics and Google Ads tools, which may set cookies and collect behavioural data for analytics and advertising purposes. This occurs only with your prior consent (see Section 5). Data shared with Google is subject to Google's own privacy terms. Where data is transferred outside the EEA, appropriate safeguards apply (see Section 8).

7.5 Legal and Regulatory Authorities

We may disclose personal data to competent authorities (e.g. Dutch Tax Authority, Autoriteit Persoonsgegevens, courts) where required by law or to defend legal claims. Such disclosure is limited to what is strictly necessary.

7.6 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity, provided that the same level of data protection is maintained and you are informed in advance where required by law.

8.1 Where we transfer personal data to recipients located outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, including:

• Adequacy decisions by the European Commission (Article 45 GDPR);
• Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) GDPR);
• Binding Corporate Rules where applicable.

8.2 In particular, data shared with Google LLC (USA) is subject to the EU–US Data Privacy Framework, in respect of which the European Commission has issued an adequacy decision (July 2023).

8.3 You may request a copy of the applicable transfer safeguards by contacting privacy@amsluxurytours.com.

9.1 Our Website uses cookies and similar tracking technologies (pixels, local storage). We distinguish between:

• Strictly necessary cookies: Required for the Website to function. These do not require consent.
• Analytical cookies: Used to measure Website traffic and performance (e.g. Google Analytics). Require consent.
• Marketing / advertising cookies: Used for personalised advertising and remarketing via Google Ads and Meta Ads. Require consent.

9.2 On your first visit, you will be presented with a cookie consent banner allowing you to accept or refuse non-essential cookies. You can change your preferences at any time via the cookie settings link in the Website footer.

9.3 Full details of the cookies we use, their purposes, providers, and duration are set out in our Cookie Policy at amsluxurytours.com/cookie-policy.

10.1 We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR.

10.2 These measures include, but are not limited to:

• HTTPS encryption (TLS) for all data transmitted via the Website;
• Access controls limiting data access to authorised personnel only;
• Regular security assessments and vulnerability monitoring;
• Use of PCI DSS-compliant payment processing (we do not store full card numbers);
• Data processing agreements with all third-party processors.

10.3 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours (Article 33 GDPR) and, where required, notify affected Data Subjects without undue delay (Article 34 GDPR).

Under the GDPR, you have the following rights in relation to your personal data:

11.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data and information about how it is processed.

11.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay.

11.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data where:

• The data is no longer necessary for the purposes for which it was collected;
• You withdraw consent and no other legal basis applies;
• You object to processing and no overriding legitimate grounds exist;
• The data has been unlawfully processed.

This right does not apply where retention is required by law (e.g. tax records).

11.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your data in certain circumstances, such as while a dispute about accuracy is resolved.

11.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.

11.6 Right to Object (Article 21)

You have the right to object at any time to:

• Processing based on legitimate interest (Article 6(1)(f) GDPR), including profiling;
• Processing for direct marketing purposes.

Upon receipt of an objection to direct marketing, we will cease processing your data for that purpose immediately and without exception.

11.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

11.8 Right Not to Be Subject to Automated Decision-Making (Article 22)

We do not make decisions that produce legal or similarly significant effects based solely on automated processing, including profiling.

12.1 To exercise any of the rights described in Section 11, please submit a written request to:

Email: privacy@amsluxurytours.com

Post: We Are Amsterdam B.V., Herengracht 564, 1017 CH Amsterdam, Netherlands

12.2 We will respond to your request within one calendar month of receipt (Article 12(3) GDPR). Where requests are complex or numerous, we may extend this period by a further two months, in which case we will inform you within the initial one-month period.

12.3 We will not charge a fee for handling your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

12.4 To verify your identity, we may ask you to provide additional information. This is to protect your data from being disclosed to unauthorised persons.

If you believe that we have processed your personal data in violation of applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

In the Netherlands, the supervisory authority is:

Autoriteit Persoonsgegevens (AP)

Postbus 93374, 2509 AJ Den Haag

Website: autoriteitpersoonsgegevens.nl

Telephone: +31 (0)88 1805 250

If you are located in another EU member state, you may also lodge a complaint with the supervisory authority in your country of residence. A list of EU supervisory authorities is available at: edpb.europa.eu

We encourage you to contact us first at privacy@amsluxurytours.com so that we can attempt to resolve your concern directly.

14.1 Our Website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent, in accordance with Article 8 GDPR and the Dutch Uitvoeringswet AVG.

14.2 If you believe that a child under 16 has provided us with personal data without appropriate consent, please contact us at privacy@amsluxurytours.com and we will promptly delete such data.

15.1 We may send you promotional emails about our products, offers, and Amsterdam experiences if:

• You have made a booking with us and have not opted out of marketing communications (soft opt-in, in accordance with Article 13(2) of the Dutch Telecommunicatiewet); or
• You have explicitly consented to receive marketing communications.

15.2 Every marketing email we send contains a clear and functional unsubscribe link. You may also opt out at any time by emailing privacy@amsluxurytours.com with the subject line "Unsubscribe."

15.3 We do not share your email address with third parties for their own marketing purposes.

16.1 We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our data processing practices, legal obligations, or regulatory guidance.

16.2 The current version will always be available at amsluxurytours.com/privacy-policy, with the "Last updated" date revised accordingly.

16.3 Where changes are material, we will notify you by email (if we hold your email address) or by a prominent notice on the Website prior to the change taking effect. Continued use of the Website following notification constitutes acceptance of the revised Policy.

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

We Are Amsterdam B.V.

Herengracht 564, 1017 CH Amsterdam, Netherlands

Email: privacy@amsluxurytours.com

Website: amsluxurytours.com

KvK: 71166017 | VAT: NL858605879B01