Privacy Policy

Effective Date: December 24, 2025

Welcome to the Privacy Policy for Holland Tickets, operated by Senlac Tours Europe B.V. We appreciate your trust in choosing our ticket booking services, and we are committed to protecting the privacy and security of your personal data. This Privacy Policy outlines the types of information we collect from you, how we use and safeguard that information, and your rights regarding your personal data.

Our practices comply with current data protection regulations, including the General Data Protection Regulation (GDPR) and other relevant privacy and electronic communications legislation in Europe.

1. Scope and Applicability

1.1 Who We Are

Data Controller: Senlac Tours Europe B.V.
Registered Address: Bouriciusstraat 5, 6814 CS Arnhem, Netherlands
KVK Number: 09149367
VAT Number: NL814158663B01
Contact: info@holland-tickets.com | +31 264 431 331

1.2 Scope of This Policy

This Privacy Policy applies to all visitors, users, and customers who:

  • Browse our website holland-tickets.com
  • Submit booking requests through our platform
  • Make payments for museum tickets and tour reservations
  • Receive e-tickets and communications from us
  • Contact our customer support team
  • Subscribe to our newsletters or promotional materials

1.3 Your Acceptance

By accessing or using our website and services, you agree to the collection, storage, processing, and transfer of your personal data in accordance with this policy. If you do not agree with any aspect of this policy, please do not use our services.

1.4 Policy Updates

We reserve the right to update or modify this policy at any time. Any changes will be published on our website with an updated effective date. Material changes will be communicated via email to registered users. Please review this policy periodically to stay informed about our privacy practices.

2. Definitions and Key Terms

For the purposes of this Privacy Policy, the following definitions apply:

  • "Personal Data": Any information relating to an identified or identifiable natural person, including but not limited to name, address, email address, telephone number, payment details, and booking information.
  • "Processing": Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or deletion.
  • "Data Subject": Any individual whose personal information is processed by us (you, the customer).
  • "Cookies": Small text files placed on your device that help us provide and improve our services, analyze website usage, and deliver targeted content.
  • "Data Controller": Senlac Tours Europe B.V., which determines the purposes and means of processing personal data.
  • "Data Processor": Third parties who process personal data on our behalf (payment processors, email service providers, etc.).

3. Information We Collect

3.1 Information You Provide Directly

Booking Request Information:

When you submit a booking request for museum tickets or tours, we collect:

  • Full name(s) of all visitors
  • Email address
  • Phone number
  • City and postal code
  • Preferred visit date and time
  • Number of tickets requested
  • Special requests or accessibility needs
  • Any additional comments or questions

Payment Information:

When you complete payment through our secure payment link:

  • Payment method details (processed securely by our payment processor)
  • Billing name and address
  • Transaction ID and payment confirmation
  • Payment date and amount

Note: We do not store complete credit card numbers or CVV codes on our servers. Payment processing is handled by PCI DSS-compliant third-party payment processors.

Communication Records:

When you contact our customer support, we collect:

  • Content of your messages and inquiries
  • Email correspondence history
  • Phone call records (date, time, duration)
  • Support ticket information
  • Feedback and satisfaction surveys

Newsletter and Marketing Subscriptions:

If you opt in to receive marketing communications:

  • Email address
  • Subscription preferences
  • Communication history and engagement data

3.2 Information Collected Automatically

Website Usage Data:

When you browse our website, we automatically collect:

  • IP address and approximate geolocation
  • Browser type, version, and settings
  • Operating system and device information
  • Pages visited and time spent on each page
  • Referral source (how you arrived at our website)
  • Click-through patterns and navigation paths
  • Date and time of website access
  • Search queries entered on our website

Cookies and Tracking Technologies:

We use cookies and similar tracking technologies to:

  • Remember your preferences and settings
  • Maintain your session when browsing our website
  • Analyze website traffic and user behavior
  • Deliver targeted advertisements through Google Ads and other platforms
  • Measure marketing campaign effectiveness

For detailed information about our cookie usage, please see Section 7 and our Cookie Policy.

3.3 Information from Third Parties

We may receive information about you from:

  • Payment Processors: Confirmation of successful transactions
  • Venue Partners: Ticket availability and booking confirmations
  • Analytics Providers: Aggregated website usage statistics
  • Social Media Platforms: If you interact with our social media pages

4. How We Use Your Information

We process your personal data for the following specific purposes, in compliance with GDPR requirements:

4.1 Booking Request Processing (Legal Basis: Contract Performance)

  • Review and confirm availability for your requested date and time
  • Reserve tickets with venue partners on your behalf
  • Send booking confirmation emails with details
  • Generate and send secure payment links
  • Process payments and issue receipts
  • Create and deliver e-tickets to your email address
  • Send booking reminders and visit information

4.2 Customer Service and Support (Legal Basis: Contract Performance & Legitimate Interest)

  • Respond to your inquiries and questions
  • Resolve booking issues or technical problems
  • Process date change requests
  • Handle complaints and disputes
  • Provide pre-visit information and guidance
  • Follow up on customer satisfaction

4.3 Service Improvement (Legal Basis: Legitimate Interest)

  • Analyze booking patterns and popular time slots
  • Improve website functionality and user experience
  • Identify and fix technical issues
  • Develop new features and services
  • Conduct internal research and analytics

4.4 Marketing Communications (Legal Basis: Consent)

Only with your explicit consent, we use your information to:

  • Send newsletters about Amsterdam attractions and events
  • Share special offers and promotional discounts
  • Provide travel tips and destination guides
  • Announce new tours and ticket availability
  • Deliver personalized recommendations based on your interests

Important: You can withdraw consent at any time by clicking "unsubscribe" in any marketing email or contacting us directly.

4.5 Legal Compliance (Legal Basis: Legal Obligation)

  • Comply with tax and accounting regulations
  • Respond to law enforcement requests
  • Prevent fraud and financial crimes
  • Enforce our Terms & Conditions
  • Protect our legal rights and interests

4.6 Security and Fraud Prevention (Legal Basis: Legitimate Interest)

  • Detect and prevent fraudulent bookings
  • Monitor for suspicious payment activity
  • Protect against cyber attacks and security threats
  • Verify identity for high-value transactions

5. Legal Bases for Processing (GDPR Compliance)

Under GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:

5.1 Contractual Necessity (GDPR Art. 6(1)(b))

Processing is necessary to:

  • Process your booking request
  • Confirm ticket availability
  • Accept payment and issue tickets
  • Provide customer support

5.2 Consent (GDPR Art. 6(1)(a))

You provide explicit consent for:

  • Marketing emails and newsletters
  • Optional cookies (analytics, advertising)
  • Additional data processing beyond core services

5.3 Legitimate Interest (GDPR Art. 6(1)(f))

We have legitimate business interests in:

  • Preventing fraud and ensuring payment security
  • Improving our website and services
  • Conducting business analytics
  • Protecting our legal rights

5.4 Legal Obligation (GDPR Art. 6(1)(c))

We are legally required to:

  • Retain financial records for tax purposes (7 years)
  • Comply with anti-money laundering regulations
  • Respond to valid legal requests from authorities

6. Data Sharing and Transfers

6.1 Who We Share Your Data With

We share your personal data only with trusted third parties who help us deliver our services:

Essential Service Providers:

  • Payment Processors: To securely process your payments (e.g., Stripe, Mollie, PayPal)
  • Venue Partners: Museums and attractions receive visitor names and booking details to honor your tickets
  • Email Service Providers: To send booking confirmations, e-tickets, and communications
  • Cloud Hosting Providers: To store data securely on cloud servers

Analytics and Marketing Providers:

  • Google Analytics: Website traffic analysis (anonymized data)
  • Google Ads: Advertising campaigns and conversion tracking
  • Facebook Pixel: Social media advertising (if you consent)

Legal and Regulatory Authorities:

  • Dutch tax authorities (Belastingdienst)
  • Law enforcement agencies (when legally required)
  • Financial regulators for anti-fraud purposes

6.2 Data Processing Agreements

All third-party service providers are bound by strict data processing agreements that require them to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Not use your data for their own purposes
  • Comply with GDPR and data protection laws
  • Delete or return data upon contract termination

6.3 International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA). When we transfer data internationally, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved legal mechanisms
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Privacy Shield: For US-based processors (where applicable)
  • Additional Safeguards: Encryption, access controls, and security audits

You have the right to request information about the safeguards we use for international transfers.

6.4 We Never Sell Your Data

Important Promise: We will NEVER sell, rent, or trade your personal information to third parties for their marketing purposes. Your data is not a commodity.

7. Cookies and Tracking Technologies

7.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, keep you logged in, and understand how you use our website.

7.2 Types of Cookies We Use

Essential Cookies (Always Active):

  • Session management and security
  • Shopping cart functionality (booking requests)
  • Website navigation and core features
  • Load balancing and performance

These cookies are necessary for our website to function and cannot be disabled.

Analytics Cookies (Opt-In):

  • Google Analytics: Traffic analysis and user behavior
  • Heatmaps: Understanding how users interact with pages
  • Conversion tracking: Measuring booking completion rates

These cookies help us improve our website.

Marketing Cookies (Opt-In):

  • Google Ads: Remarketing and advertising campaigns
  • Facebook Pixel: Social media advertising
  • Affiliate tracking: Attribution for referral partners

These cookies deliver personalized advertisements.

7.3 Managing Cookie Preferences

You have full control over cookie settings:

  • Cookie Banner: Accept or reject optional cookies when you first visit
  • Browser Settings: Configure cookie preferences in your browser
  • Opt-Out Links:

Note: Disabling essential cookies may affect website functionality. Disabling analytics cookies will not impact your ability to book tickets.

7.4 Cookie Duration

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Remain on your device for a set period (up to 2 years)

For complete details, please see our separate Cookie Policy.

8. Data Retention

8.1 How Long We Keep Your Data

Booking and Transaction Data:

  • 7 years: Financial records (invoices, payments) - required by Dutch tax law
  • 3 years: Booking history and e-tickets - for customer service and dispute resolution
  • 1 year: Unsuccessful booking requests (not converted to sales)

Communication Records:

  • 3 years: Customer support correspondence
  • 6 months: General inquiries and questions

Marketing Data:

  • Until withdrawal: Newsletter subscriptions (you can unsubscribe anytime)
  • 2 years: Marketing consent records (for compliance documentation)

Website Analytics:

  • 26 months: Google Analytics data (automatically expires)
  • 14 months: Cookie data

8.2 Data Deletion

Once the retention period expires:

  • Data is securely deleted from active systems
  • Backup copies are overwritten within 90 days
  • Some data may be anonymized and retained for statistical purposes

8.3 Legal Holds

Data may be retained longer if:

  • Required by ongoing legal proceedings
  • Subject to regulatory investigation
  • Part of an unresolved dispute

9. Data Security Measures

9.1 Technical Safeguards

  • Encryption: All data transmitted via HTTPS/TLS encryption
  • Encrypted Storage: Sensitive data encrypted at rest (AES-256)
  • Secure Servers: Data hosted on ISO 27001 certified servers in EU data centers
  • Firewalls: Network protection against unauthorized access
  • DDoS Protection: Defense against denial-of-service attacks
  • Regular Backups: Automated backups with encryption

9.2 Organizational Safeguards

  • Access Controls: Role-based access - employees see only what they need
  • Authentication: Multi-factor authentication for admin accounts
  • Staff Training: Regular privacy and security training
  • Confidentiality Agreements: All staff sign NDAs
  • Background Checks: For employees with data access

9.3 Security Monitoring

  • 24/7 intrusion detection systems
  • Regular security audits and penetration testing
  • Automated threat detection and alerting
  • Incident response procedures

9.4 Payment Security

  • PCI DSS Level 1 compliant payment processors
  • Tokenization of payment card data
  • No storage of CVV codes
  • 3D Secure authentication for card transactions

9.5 Data Breach Response

In the unlikely event of a data breach:

  • We will notify affected users within 72 hours
  • Report to Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
  • Take immediate action to contain and remediate the breach
  • Provide guidance on protective measures you can take

10. Your Rights Under GDPR

As a data subject under GDPR, you have comprehensive rights regarding your personal data:

10.1 Right of Access (Art. 15)

What: Request a copy of all personal data we hold about you

Includes: Booking history, communications, payment records, marketing preferences

Timeline: We respond within 30 days (free of charge)

10.2 Right to Rectification (Art. 16)

What: Request correction of inaccurate or incomplete data

Example: Update email address, phone number, or name spelling

Timeline: Corrections made within 7 days

10.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

What: Request deletion of your personal data

Limitations: We must retain data required for:

  • Legal compliance (tax records)
  • Pending legal claims or disputes
  • Legitimate business interests (fraud prevention)

Timeline: Deletion within 30 days (where applicable)

10.4 Right to Restriction of Processing (Art. 18)

What: Request temporary halt of data processing while disputes are resolved

When: If you contest data accuracy or object to processing

10.5 Right to Data Portability (Art. 20)

What: Receive your data in structured, machine-readable format (CSV, JSON)

Purpose: Transfer data to another service provider

10.6 Right to Object (Art. 21)

What: Object to processing based on legitimate interest

Includes: Direct marketing (we will immediately stop)

Note: Doesn't apply to processing necessary for contract performance

10.7 Right to Withdraw Consent (Art. 7(3))

What: Withdraw consent for marketing, optional cookies, etc.

Effect: Processing stops going forward (past processing remains lawful)

10.8 Right to Lodge a Complaint (Art. 77)

What: File complaint with data protection authority

Dutch DPA: Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl)

10.9 How to Exercise Your Rights

Contact us with your request:

  • Email: info@holland-tickets.com (Subject: "Data Privacy Request")
  • Phone: +31 264 431 331
  • Mail: Bouriciusstraat 5, 6814 CS Arnhem, Netherlands

Verification: We may request ID verification to confirm your identity before processing requests.

11. Children's Privacy

11.1 Age Restrictions

  • Our services are not intended for children under 16
  • Bookings must be made by adults (18+)
  • We do not knowingly collect data from children

11.2 Parental Consent

If we discover we have inadvertently collected data from a child under 16:

  • We will delete it immediately
  • Parents/guardians can contact us to request deletion

11.3 Children's Tickets

When booking tickets for children:

  • Parent/guardian information is collected (not child's personal data)
  • Child's age may be collected for pricing purposes only
  • Child's name may be required by venues for ticket issuance

12. Marketing Communications

12.1 Opt-In Required

We will only send marketing emails if you:

  • Check the opt-in box during booking
  • Subscribe via our newsletter form
  • Explicitly request promotional information

12.2 What You'll Receive

With your consent, we may send:

  • Monthly newsletters about Amsterdam attractions
  • Special offers and discounts (up to 2 per month)
  • New tour announcements
  • Travel tips and destination guides

12.3 Transactional Emails (No Opt-Out)

These emails are essential and sent regardless of marketing preferences:

  • Booking confirmation
  • Payment link
  • E-ticket delivery
  • Visit reminders
  • Customer support responses

12.4 Unsubscribe Anytime

  • Click the "Unsubscribe" link in any marketing email
  • Email info@holland-tickets.com
  • Call +31 264 431 331

You'll be removed within 48 hours.

13. Third-Party Links and Services

13.1 External Websites

Our website may contain links to:

  • Museum and attraction official websites
  • Payment processor portals
  • Social media platforms
  • Partner websites

Important: Once you leave holland-tickets.com, this Privacy Policy no longer applies. We are not responsible for the privacy practices of third-party websites.

13.2 Social Media

If you interact with our social media pages:

  • Your interactions are governed by the social platform's privacy policy
  • We may see limited profile information you share publicly
  • We do not collect personal data directly from social platforms

13.3 Embedded Content

Our website may embed content from:

  • Google Maps (for venue locations)
  • YouTube videos
  • Social media feeds

These embeds may place cookies on your device - see Section 7.

14. Automated Decision-Making and Profiling

14.1 No Automated Decisions

We do NOT use automated decision-making or profiling that produces legal effects or significantly affects you.

14.2 Fraud Detection

We use automated fraud detection systems that analyze:

  • Payment patterns
  • IP addresses
  • Booking behavior

However, final decisions are always made by human staff members.

14.3 Marketing Segmentation

We may segment email lists based on:

  • Booking history (which museums you've visited)
  • Expressed interests
  • Geographic location

This is limited profiling for marketing personalization only and does not affect service delivery.

15. Updates to This Privacy Policy

15.1 Change Notification

We may update this policy to reflect:

  • Changes in laws or regulations
  • New service features
  • Updated security practices
  • Feedback and improvements

15.2 How You'll Be Notified

For material changes:

  • Email notification to registered users
  • Prominent banner on website homepage
  • Pop-up notification on next website visit

15.3 Version History

Previous versions of this policy are archived and available upon request.

16. Contact Information

16.1 General Inquiries

Senlac Tours Europe B.V.
Bouriciusstraat 5
6814 CS Arnhem
Netherlands

Email: info@holland-tickets.com
Phone: +31 264 431 331
Business Hours: Monday-Friday, 9:00-18:00 CET

16.2 Data Protection Officer

For privacy-specific inquiries, data requests, or complaints:

Email: info@holland-tickets.com (Subject: "Data Protection Officer")
Response Time: Within 30 days

16.3 Supervisory Authority

If you're not satisfied with our response, you can contact:

Autoriteit Persoonsgegevens (Dutch DPA)
Postbus 93374
2509 AJ Den Haag
Netherlands

Website: www.autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500

17. Final Remarks

At Holland Tickets, we take your privacy seriously and are committed to protecting your personal information through:

  • ✅ Transparent data practices
  • ✅ Strong security measures
  • ✅ Respect for your rights
  • ✅ Full GDPR compliance
  • ✅ Continuous improvement

We understand that trust is earned through consistent, responsible data handling. If you have any questions or concerns about how we process your personal data, please don't hesitate to contact us.

Thank you for trusting Holland Tickets with your information. We look forward to helping you experience the best of Amsterdam's cultural attractions!


Document Information:
Last Updated: December 24, 2025
Version: 2.0
Effective Date: December 24, 2025
Language: English (Dutch version available on request)

This Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679 and Dutch implementation legislation (Uitvoeringswet Algemene verordening gegevensbescherming).