Privacy policy

Last updated : May 2026

At Lofi Merch, we respect your privacy and are committed to protecting and processing your personal data in strict compliance with applicable law (including Regulation (EU) 2016/679 — the General Data Protection Regulation, the “GDPR”, and French Law No. 78-17 of 6 January 1978, the “Loi Informatique et Libertés”), with full transparency. Lofi Merch ensures that data collection is relevant, adequate, not excessive, and strictly necessary for its activities.

For your information, Article 4 of the GDPR defines personal data as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The purpose of this personal data protection policy is to inform you, as clearly and comprehensively as possible, of the way your personal data is processed, whether you are a customer or a mere visitor of the Site.

Who is the data controller?

Pursuant to Article 4(7) of the GDPR, the data controller is the person who determines the purposes and means of the processing of your data. The data controller is Lofi Merch, 22 Avenue Pierre 1er de Serbie, 75116 Paris, France, registered under SIREN 931 785 539 with the Paris Trade and Companies Register (“Lofi Merch”, “we”, “our”, “us”).

We process your data through our website lofigirlshop.com (the “Site”) and all features, services and tools accessible through it, including in particular product browsing, the placing and processing of orders, the creation and management of customer accounts, the live chat, the newsletter subscription, and the reviews area (for further information, please refer to our Reviews Policy) (the “Features”).

We inform you that we have not appointed a Data Protection Officer (DPO), as such appointment is not mandatory under Article 37 of the GDPR, given that our activities do not meet the criteria requiring such designation. This is justified by the limited nature and scope of our data processing operations, which do not require such an arrangement. We nevertheless implement all appropriate measures to ensure that our processing operations comply with the requirements of the GDPR and that your personal data is effectively protected. For any request relating to the processing of your personal data, you may contact us at privacy@lofigirl.com.

What data is collected?

When you use the Site and its Features, we collect two categories of data:

The first category relates to personal data collected in order to process your orders:

•    identification data (first name, last name, country of residence, date of birth, email address);

•       order data (order history, size);

•       delivery data (delivery and billing addresses, telephone number).

Your payment data is processed directly and exclusively by our payment service providers acting as independent data controllers. They have their own privacy policies.

The second category relates to browsing data automatically collected when you access the Site:

•  technical and usage data (data relating to your device, browser, and geolocation);

•    analytics data requiring your consent through the cookie banner (for further information, please refer to our Cookies Policy).

For the sake of clarity, all such data shall hereinafter be collectively referred to as “Personal Data”.

What are the purposes of the processing?

•       management of the Site and customer relations: product browsing, customer account creation, live chat, provision of a reviews area;

•     order and payment processing: management of orders, payments, deliveries, invoicing, monitoring of the contractual relationship and after-sales service;

•  communications and commercial prospecting: sending newsletters and commercial offers, subject to your consent where required;

•      improvement of the Site and its Features: analysis of the use of the Site and Features in order to improve the user experience, product quality, and our communications, on the basis of aggregated or anonymised data where possible and, where applicable, subject to your consent (in particular site traffic statistics, monitoring of open rates, click-through rates and bounce rates at individual level, statistics produced on the basis of previously anonymised data).

What are the lawful bases for the processing and their purposes?

In accordance with Article 6 of the GDPR, there are several lawful bases enabling us to process your Personal Data. Among them, four apply to the processing carried out on our Site and through its Features:

•   your consent: for sending our newsletters and other potential commercial communications regarding our products, for the placement of cookies that are not strictly technical or functional, and for the creation of an account, it being understood that you have the right to withdraw your consent at any time;

•   the performance of the contract and pre-contractual measures: for the processing of orders, delivery, invoicing, and the monitoring of the contractual relationship and after-sales service;

•    our legitimate interests: to ensure a secure and functional platform, and to improve our Features, the user experience and product quality on the basis of aggregated or anonymised data, as well as to ensure effective communication with you;

•      legal obligations: in order to comply with the legal and regulatory obligations to which we are subject, in particular in matters of employment law, accounting and taxation, as well as personal data protection.

In this context, we will ensure that a balance is struck between our legitimate interests and the protection of your privacy.

How long is your Personal Data retained?

Your Personal Data is retained for a period not exceeding that necessary for the purposes for which it was collected and until the expiry of statutory limitation periods. Certain retention periods may also be imposed by law (for cookies, see the specific periods set out in our Cookies Policy). Unless otherwise stated, the maximum retention periods for your data are as follows:

•       order data: up to 3 years after the last interaction or the end of the contract;

•       cookie data: up to 13 months;

•       accounting data: up to 10 years, in accordance with our legal obligations.

Depending on the purpose of the processing, certain data is subject to specific retention periods:

•      live chat messages: retained for a maximum period of 2 years;

•     data submitted via the contact form and comments published in the reviews area: retained for as long as your account is active, subject to the periods mentioned above;

•  newsletter subscription data: retained until you unsubscribe, subject to the periods mentioned above.

Protection of minors

The Site is accessible to the general public worldwide, including minors. However, you must be over 18 years of age to place an order on our Site, or have obtained the consent of your legal representative. If you become aware that your child has provided us with personal information without your consent, please notify us at privacy@lofigirl.com. We do not knowingly collect personal information relating to minors. If we learn that a minor has provided us with personal information, we will take the necessary steps to delete such information and close the minor’s account within a reasonable time.

To whom is your Personal Data transferred?

Furthermore, Lofi Merch cannot be held liable for the content of external sites accessible via links on the Site, in particular the information, products, services or opinions presented therein, nor for their security or privacy practices.

Processors

In order to ensure the proper operation of our Site and its Features, we engage specialised partners acting as processors. Processors are the persons who process your Personal Data on our behalf. They are contractually bound to us and must therefore follow our instructions, respect the confidentiality of the data received, and may under no circumstances use it for any purpose other than the performance of services on our behalf.

We share your Personal Data with the following processors:

•     Shopify to host our Site. To find out more about how Shopify processes your personal information, you may consult its privacy policy: https://www.shopify.com/be-en/legal/privacy;

•       Klaviyo and Brevo for email marketing and newsletters; you may consult their respective privacy policies for Klaviyo https://privacy.klaviyo.com/policies/fr/ and for Brevo https://www.brevo.com/fr/legal/privacypolicy/;

•     Cloudflare to ensure security, domain management and anti-spam protection; you may consult its privacy policy: https://www.cloudflare.com/privacypolicy/;

•  Pennylane for invoice management; you may consult its privacy policy: https://www.pennylane.com/fr/legal/privacy;

•       Logistics and shipping providers (Nextsmartship, Kairos, etc.);

•      Judge.me: for the management of the reviews area; you may consult its privacy policy: https://judge.me/privacy.

(collectively, the “Processors”).

Partners

With your consent, where justified by a legitimate interest, or for the performance of a contract, Lofi Merch may transfer some of your data to commercial Partners who act as “data controllers” within the meaning of the GDPR in respect of the processing of your data. We draw your attention to the fact that these Partners have their own personal data protection policies, which may differ from ours. For more information concerning such processing, we invite you to consult their privacy policies.

We share your Personal Data with:

•     Google Analytics to help us understand how visitors use the Site. To find out more about how Google processes your personal information, please consult https://www.google.com/intl/en/policies/privacy/. You may also disable Google Analytics here: https://tools.google.com/dlpage/gaoptout;

•       Microsoft Clarity to help us understand how visitors use the Site; please consult our partner’s privacy policy: https://www.microsoft.com/fr-fr/privacy/privacystatement. You may also find further information on Microsoft Clarity’s “Consent” mode: https://learn.microsoft.com/en-us/clarity/setup-and-installation/consent-mode;

•    Payment service providers such as PayPal, Klarna, Apple Pay and bank card networks, to securely process payment data;

•       Shopify Payments, to offer an integrated payment solution operated by Shopify for the secure processing of payments made on the Site. To find out more about how Shopify processes your data, please consult https://www.shopify.com/legal/privacy.

(collectively, the “Partners”).

We share with our advertising partners information about your use of the Site, your purchases, and your interactions with our advertisements displayed on other websites, directly or through cookies or other similar technologies. For more information on how targeted advertising works, please consult the educational page of the Network Advertising Initiative (“NAI”): https://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

In addition, you may use the Digital Advertising Alliance opt-out portal at the following address: https://optout.aboutads.info/.

Lofi Merch undertakes not to sell, rent or assign your Personal Data to third parties.

International transfers

Your personal data will not be transferred or disclosed to Processors or data controllers, referred to as Partners, outside the European Economic Area except to the extent legally permitted. Where applicable, appropriate measures will be taken to ensure that your Personal Data is meaningfully protected and that such disclosures or transfers are lawful and legitimate. If a disclosure or transfer occurs to a country not recognised by the European Commission as offering an adequate level of protection, such disclosure or transfer will be subject to the conclusion of standard contractual clauses as adopted by the European Commission, or to the adoption of binding corporate rules.

For more information on the compliance of data transfers with the GDPR, please consult Shopify’s white paper on the GDPR: https://help.shopify.com/en/manual/your-account/privacy/GDPR.

Users’ rights

Under the GDPR, you have a right of access, a right of rectification, a right to erasure, and a right to data portability. Under certain conditions, you also have the right to object to the processing or to obtain its restriction. These rights are free of charge and may be exercised at any time.

•     right of access: you have the right to access the data concerning you and to receive a copy of it;

•       right of rectification (Article 16 GDPR): you have the right to have inaccurate or outdated data corrected. We take all reasonable steps to ensure that the data we hold is up to date and to erase data that proves to be inaccurate or that is no longer necessary for the processing. If you hold an account, you may directly rectify or update the data appearing therein;

•       right to erasure (Article 17 GDPR): in certain circumstances (for example, where the data processed is no longer necessary for the purpose of the processing), you have the right to ask us to delete it;

•   right to restriction of processing: you may request the restriction of the processing of your data, in which case your data will no longer be processed (but will be retained);

•      right to data portability: you have the right to have the data you have provided to us transmitted to you in a structured, commonly used and machine-readable format;

•       right to object (Article 21 GDPR): where the processing of your data is based on a legitimate interest of Lofi Merch, you have the right to object to it at any time, on grounds relating to your particular situation. In such case, Lofi Merch will however have the right to invoke compelling legitimate grounds justifying the continuation of the processing. Please note that you have the right to object, at any time and free of charge, to the processing of your data for direct marketing purposes, without any exception being raised against you. This also includes the right to object to profiling to the extent that it is related to such marketing;

•       withdrawal of consent: where the processing by Lofi Merch is based on your consent, you may withdraw it at any time. Such withdrawal will not affect the lawfulness of the processing of your data carried out before such withdrawal. In the case of the newsletter and other potential commercial communications, the link included in each mailing allows you to modify your choices or to unsubscribe completely;

•     right to object to processing based solely on automated decision-making (Article 22 GDPR, which includes profiling), where such decision-making produces legal effects concerning you or significantly affects you.

In accordance with the GDPR, we do not make any fully automated decisions producing legal effects or significantly affecting you. Our processor Shopify uses automated decision-making with human assistance limited to fraud prevention; such decision-making does not produce legal effects or significantly affect you.

The services that include automated decision-making elements are the following:

•       a temporary blacklist of IP addresses associated with repeated failed transactions (lasting for a few hours);

•       a temporary blacklist of credit cards associated with IP addresses on the blacklist (lasting for a few days).

How is your data protected?

In accordance with Article 24 of the GDPR, we implement technical and organisational measures designed to protect your personal data, including in particular secure hosting environments, encrypted connections (HTTPS), restricted access to authorised personnel, and anti-spam and anti-abuse protection mechanisms. We do not store and do not have access to users’ passwords; authentication is managed directly by third-party providers.

Changes to the policy

We may update this Policy to reflect legal or operational developments. The date of the last update appears at the top of this page.

The Privacy Policy terms have been drafted in French. In the event of any conflict or inconsistency between translated versions of the Privacy Policy, the French version shall prevail.