Welcome to Loox, a web application that provides an online reviews and marketing solution owned and operated by Loox Online Ltd. (“we”, “us”, “our”).
We are committed to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR and the California Privacy Rights Act (CPRA).
The Service is not directed to Merchants or Website Visitors under the age of 18. We do not knowingly collect information or data from children under the age of 18 or knowingly allow children under the age of 18 to use the Service.
This Policy may be amended from time to time. We will post any change to this Policy on our Service at a reasonable time in advance of the effective date of the change, and we will also make efforts to proactively notify you by email of the changes if we have your email address.
If you have any questions, comments or concerns regarding this Policy or our processing of your personal information, please contact us at firstname.lastname@example.org or through our online contact form, at: https://loox.app/get-in-touch.
<span id="what-we-collect-and-why-m">What we collect and why</span>
Methods and sources for collecting your personal information
We collect the personal information from several sources:
- Directly from Shopify when you install and use the Service through the Shopify app store, or directly from you when you provide your personal information to us through our Service contact forms and email communications.
- From Shopify store customers’ when they use the service or leave a review on the Merchant’s store.
- From our service providers helping us to operate the Service.
- Through the device you use to access our Service, including through third party cookies and analytics tools, and our own internal event tracking system.
- You are not legally obligated to provide us with your personal information, but if you do not, we will not be able to handle or respond to your inquiry, or fulfill your request to access or to use our Service functionalities.
<span id="sharing-your-personal-information-m">Sharing your personal information</span>
We will not share your information with third parties, except in the events listed below or when you provide us with your explicit and informed consent.
Data retention and security
We retain your information for the duration we need it to operate the Service and our business, to interact with you, and thereafter as needed for record-keeping matters.
We will retain your information for the duration needed to support our ordinary business activities operating the Service and interacting with you. Thereafter, we will still retain your personal information as necessary to comply with our legal obligations, resolve disputes, establish, and defend legal claims and enforce our agreements. The overall period of retention is approximately 7 years.
We implement measures to secure your information
We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.
<span id="additional-information-for-individuals-in-the-eu-or-uk-m">Additional information for individuals in the EU or UK</span>
Controller, GDPR and UK representatives
Loox is the data Controller for the personal information described in this Policy, such as personal information it collects from its Website Visitors.
International data transfers
If we transfer your information from within the EU to the United States or other countries, which are not recognized by the European commission as having adequate protection for personal data, we will endeavor to do so under the terms of a data transfer agreement which contain standard data protection contract clauses with adequate safeguards determined by the EU Commission and UK Information Commissioner’s Office.
<span id="legal-basis-for-processing-your-personal-data-m">Legal basis for processing your personal data</span>
Data subject rights
If you are in the EU or the UK, you have the following rights under the GDPR:
Right to Access and receive a copy of your personal information that we process.
Right to Rectify inaccurate personal information we have concerning you and to have incomplete personal information completed.
Right to easily and at any time withdraw your consent to us processing your personal data to email you our marketing purposes or to the use of non-essential cookies on our Service. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Right to Data Portability, that is, to receive the personal information that you provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another person or entity. Where technically feasible, you have the right to have your personal information transmitted directly from us to the person or entity you designate.
Right to Object to our processing of your personal information based on our legitimate interest. However, we may override the objection if we demonstrate compelling legitimate grounds, or if we need to process such personal information for the establishment, exercise, or defense of legal claims.
Right to Restrict us from processing your personal information (except for storing it): (a) if you contest the accuracy of the personal information (in which case the restriction applies only for a period enabling us to determine the accuracy of the personal information); (b) if the processing is unlawful and you prefer to restrict the processing of the personal information rather than requiring the deletion of such data by us; (c) if we no longer need the personal information for the purposes outlined in this Policy, but you require the personal information to establish, exercise or defend legal claims; or (d) if you object to our processing based on our legitimate interest (in which case the restriction applies only for the period enabling us to determine whether our legitimate grounds for processing override yours).
Right to be Forgotten. Under certain circumstances, such as when you object to our processing of your personal information based on our legitimate interest and there are no overriding legitimate grounds for the processing, you have the right to ask us to erase your personal information. However, notwithstanding such request, we may still process your personal information if it is necessary to comply with our legal obligations, or for the establishment, exercise, or defense of legal claims. If you wish to exercise any of these rights, please contact us through the channels listed in this Policy.
When you contact us, we reserve the right to ask for reasonable evidence to verify your identity before we provide you with information. Where we are not able to provide you with information that you have asked for, we will explain the reason.
Subject to applicable law, you have the right to lodge a complaint with your local data protection authority. If you are in the EU, then according to Article 77 of the GDPR, you can lodge a complaint to the supervisory authority, in the Member State of your residence, place of work or place of alleged infringement of the GDPR. For a list of supervisory authorities in the EU, click <rte-link-break>(http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=50061).<rte-link-break>
If you are in the UK, you can lodge a complaint to the Information Commissioner’s Office (ICO) pursuant to the instructions provided here
<span id="additional-information-for-individuals-in-california-m">Additional information for individuals in California</span>
If you are an individual residing in California, we provide you with the following information pursuant to the California Privacy Rights Act (CPRA). We do not sell or share your personal information for cross-behavioral advertising and have not done so in the past 12 months.
Disclosures to third parties
The chart below explains what is the personal information we disclosed for a business purpose to third parties in the preceding 12 months.
Your rights under the CPRA if you are a resident of California
Knowing the personal information we collect about you
You have the right to know:
- The categories of personal information we have collected about you.
- The categories of sources from which the personal information is collected.
- Our business or commercial purpose is for collecting personal information.
- The categories of third parties with whom we share personal information, if any.
- The specific pieces of personal information we have collected about you.
Right to deletion
Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:
- Delete your personal information from our records; and
- Direct any service providers to delete your personal information from their records.
Please note that we may not delete your personal information if it is necessary to:
- Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us.
- Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the ability to complete such research, provided we have obtained your informed consent.
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us and compatible with the context in which you provided the information.
- Comply with an existing legal obligation.
We also will deny your request to delete if it proves impossible or involves disproportionate effort, or if another exception to the CPRA applies. We will provide you with a detailed explanation that includes enough facts to give you a meaningful understanding as to why we cannot comply with the request to delete your information.
Right to correct inaccurate personal information
If we receive a verifiable request from you to correct your information and we determine the accuracy of the corrected information you provide, we will correct inaccurate personal information that we maintain about you.
In determining the accuracy of the personal information that is the subject of your request to correct, we will consider the totality of the circumstances relating to the contested personal information.
We also may require that you provide documentation if we believe it is necessary to rebut our own documentation that the personal information is accurate.
We may deny your request to correct in the following cases:
- We have a good-faith, reasonable, and documented belief that your request to correct is fraudulent or abusive.
- We determine that the contested personal information is more likely than not accurate based on the totality of the circumstances.
- Conflict with federal or state law.
- Other exception to the CPRA.
- Inadequacy in the required documentation
- Compliance proves impossible or involves disproportionate effort.
We will provide you a detailed explanation that includes enough facts to give you a meaningful understanding as to why we cannot comply with the request to correct your information.
Protection against discrimination
You have the right to not be discriminated against by us because you exercised any of your rights under the CPRA. Exercising your CPRA rights by yourself or through an authorized agent
If you would like to exercise any of your CPRA rights as described in this Policy, please contact us by e-mail at: email@example.com or through our online contact form, at: https://loox.app/get-in-touch.
We will ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you, by using a two or three points of data verification process, depending on the type of information you require and the nature of your request.
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you, by using a two or three points of data verification process, depending on the type of information you require.
You may also designate an authorized agent to make a request under the CPRA on your behalf. To do so, you need to provide the authorized agent with written permission to do so and the agent will need to submit to us proof that they have been authorized by you. We will also require that you verify your own identity, as explained below.
Do Not Track
Our Do Not Track Notice. We do not currently respond or take any action with respect to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of Personal Data about a Merchant’s and Website Visitors’ online activities over time and across third-party web sites or online services. We do allow third parties who provide us with analytics tools, to collect Personal Data about a Merchant’s and Website Visitors’’ online activities when a Merchant or a Website Visitor uses the Service.
Alleged infringement notice
If you believe that the Service was used to infringe your copyrights, you may send our designated copyright agent (the "Agent") a written notification that includes substantially the following:
- A physical or electronic signature of the person authorized to act on behalf of the owner of the right that is allegedly infringed;
2. Loox Terms of Service available here
- Identification of the copyrighted work claimed to be infringed, or if copyrighted works are covered by a single notification, a representative list of such elements;
- Identification of the content that is claimed to infringe or to be the subject of infringing activity and the access to which is to be disabled, and information reasonably sufficient to permit us to locate the content, including the exact Service page in which you discovered the allegedly infringing content;
- Information reasonably sufficient to permit us to contact you, such as an address, telephone number, and, if available, an electronic mail address at which you may be contacted;
- A statement that you have a good faith belief that the use of the material, in the manner complained of, is not authorized by the owner of the copyrighted work, its agent, or the law;
- A statement that the information in the notification is accurate, and under penalty of perjury, that you are authorized to act on behalf of the owner of the copyrighted work that is allegedly infringed.
Upon your notification, we may remove or disable access to the content that you claim to be infringing. We may ask you to provide further or supplemental information, prior to removing or disabling access to any content displayed on the Service, as we deem necessary to comply with the law. We may also provide the Service user who submitted the allegedly infringing content, with your contact details, in order for that person to be able to contact you and challenge your claim.
If we’ve removed or disabled access to content that you submitted, pursuant to a notification of claimed infringement that we received, then you have an opportunity to respond to the notice and takedown by submitting a counter-notification to our Agent. To be effective, your counter notification must be a written communication that includes substantially the following:
- Your physical or electronic signature;
- Identification of the removed content, or of the content to which access has been disabled and the location at which the content appeared before its removal or before access to it was disabled;
- A statement, under penalty of perjury, that you have a good faith belief that the content was removed or disabled as a result of mistake or misidentification of the content;
- Your name, address, and telephone number, and a statement that you consent to the jurisdiction of the competent courts in any judicial district in which your address is located or in which you may be found, and that you will accept service of process from the person who provided notification or an agent of such person.
After receipt of a counter notification, we will provide the person who submitted the claimed infringement notification, with a copy of the counter notification.
Subject to the applicable law, we may then replace the removed content and cease disabling access to it within 10 to 14 business days following receipt of the counter notice, unless our Agent first receives notice from the person who notified us of the claimed infringement that such person has filed an action seeking a court order to restrain the user from engaging in infringing activity relating to the content on the Service.