Privacy policy

  • Privacy Policy / Aviso de Privacidad

    Last updated: [19/05/2026]

    LoomyCase ("we", "us", "our") operates this store and website ("the Services") to provide a curated shopping experience. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction using the Services, or otherwise communicate with us.

    If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.

    Please read this Privacy Policy carefully. By using the Services, you acknowledge that you have read and understood it. For users in the European Union, the European Economic Area, and the United Kingdom, this Privacy Policy operates as our notice under Articles 13 and 14 of the GDPR (and equivalent UK GDPR provisions). For users in Mexico, this document is our Aviso de Privacidad Integral under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP).

    1. Who We Are (Data Controller)

    For the purposes of applicable data protection laws (including GDPR, UK GDPR, and LFPDPPP), the data controller / responsable of your personal information is:
    Trade name LoomyCase
    Legal owner Ricardo Javier Muñiz Cordova (individual person, doing business as LoomyCase)
    Tax ID (RFC) MUCR9811196HA
    Business address Anaxágoras 440, Colonia Narvarte, Benito Juárez, 03020 Ciudad de México, CDMX, Mexico
    Contact email loomycase@gmail.com
    Phone +52 (55) 2323-0032

    If you have questions about how we handle your personal data, contact us at the details above.

    2. Personal Information We Collect

    When we refer to "personal information" or "personal data", we mean information that identifies or can reasonably be linked to you or another person. We do not knowingly collect sensitive personal data (such as health, religion, political opinions, sexual orientation, or biometric data) — please do not provide such information through our Services. If you upload personalized content (e.g. a photo for a phone case), please ensure it does not reveal sensitive information about yourself or third parties.

    We may collect or process the following categories of personal information, depending on how you interact with the Services:

    Category Examples
    Contact details Name, billing address, shipping address, phone number, email address
    Financial information Payment card information, transaction details, payment confirmations (processed by our payment provider — we do not store full card numbers)
    Account information Username, password (hashed), security preferences, settings (if you create an account)
    Transaction information Items viewed, added to cart, wishlisted, purchased, returned, exchanged, or cancelled; past order history
    User-submitted content Images, text, names, or other content you upload to personalize a product
    Communications Information you include when contacting customer support, leaving reviews, or otherwise communicating with us
    Device information Device type, browser, network connection, IP address, operating system, unique identifiers
    Usage information How and when you interact with the Services, pages viewed, time spent, referrer, marketing campaign attribution
    Cookie data Information stored in cookies and similar technologies (see Section 8)

    3. Where We Collect Personal Information From

    • Directly from you when you create an account, place an order, contact us, subscribe to our newsletter, or upload personalized content.
    • Automatically through the Services via cookies, pixels, server logs, and similar technologies when you use our website (see Section 8).
    • From our service providers (e.g. Shopify, payment processors, fulfillment partners, carriers) when they collect or process your data on our behalf.
    • From advertising and analytics partners (e.g. Meta) when you interact with our ads on their platforms and they share attribution data with us, subject to your consent.

    4. How We Use Your Personal Information and Legal Basis

    Depending on how you interact with us, we use your personal information for the following purposes. The table below lists each purpose, the data we use, and our legal basis under GDPR / UK GDPR. For users in Mexico, finalities marked as "Requires consent" require your tacit or express consent under the LFPDPPP; finalities marked as "Necessary" do not require separate consent because they are necessary to perform the contract or comply with the law.

    Purpose Data Used Legal Basis (EU/UK) Mexico (LFPDPPP)
    Process your order, payment, shipping, returns, customer service Contact details, financial info, transaction info, user-submitted content Performance of contract (Art. 6(1)(b)) Necessary
    Route your order to Printify and to the appropriate Print Provider for production Contact details (name, shipping address), transaction info, user-submitted content (uploaded images/text) Performance of contract (Art. 6(1)(b)) Necessary
    Create and manage your account Contact and account info Performance of contract (Art. 6(1)(b)) Necessary
    Comply with legal obligations (tax, accounting, fraud prevention, consumer protection) Transaction info, contact details Legal obligation (Art. 6(1)(c)) Necessary
    Detect and prevent fraud, secure the Services Device info, usage info, financial info Legitimate interests (Art. 6(1)(f)) — protecting our business and customers Necessary
    Send transactional emails (order confirmations, shipping updates) Contact details, transaction info Performance of contract (Art. 6(1)(b)) Necessary
    Send marketing emails about products and offers Contact details, transaction info Consent (Art. 6(1)(a)) OR legitimate interests for existing customers under soft opt-in rules Requires consent
    Show you personalized ads on Meta (Facebook/Instagram) and other platforms Cookie data, device info, usage info, email (hashed) Consent (Art. 6(1)(a)) — see Section 8 Requires consent
    Analyze website usage and improve the Services Usage info, device info Consent (for non-essential analytics) or legitimate interests (for essential metrics) Requires consent for non-essential
    Defend or assert legal claims All categories as necessary Legitimate interests (Art. 6(1)(f)) / legal obligation Necessary

    5. Who We Share Personal Information With

    We share personal information with the following categories of recipients, who act either as our processors (under our instructions) or as independent controllers (under their own responsibility):

    5.1 Service providers (processors acting on our behalf)

    Recipient Role Country/Region Privacy info
    Shopify Inc. E-commerce platform, hosting, store analytics, customer accounts, fraud prevention Canada / global (data may be processed in USA and other countries) https://www.shopify.com/legal/privacy
    Shopify Payments (via Stripe) Processing card payments through our Shopify checkout Canada / USA / global https://www.shopify.com/legal/privacy
    Stripe, Inc. Processing card payments (additional payment method) USA / global https://stripe.com/privacy
    PayPal (Europe) S.à r.l. et Cie, S.C.A. / PayPal, Inc. Processing PayPal payments Luxembourg / USA https://www.paypal.com/myaccount/privacy/privacyhub
    Printify, Inc. Print-on-demand order routing, fulfillment management, transmission of order data and user-submitted content to Print Providers USA / Latvia (EU) https://printify.com/legal/privacy-policy/
    Print Providers (via Printify) Physical production, packaging, and dispatch of your order. Printify routes each order to one of its global network of independent Print Providers (located in the USA, United Kingdom, Germany, the Czech Republic, Latvia, China, Australia, Canada, and other countries depending on the product and your shipping destination). Global Governed by Printify's Privacy Policy and individual Print Provider agreements with Printify
    Shipping carriers Delivering your order (DHL, FedEx, UPS, USPS, Estafeta, Royal Mail, and other local postal/courier services) Global Each carrier's respective privacy policy
    Klaviyo, Inc. Email marketing automation, customer behavior tracking on our Site (page views, products viewed, cart activity, purchase history), email and SMS campaigns USA https://www.klaviyo.com/legal/privacy/privacy-notice

    5.2 Advertising and analytics partners (independent or joint controllers)

    Recipient Role Country Privacy info
    Meta Platforms, Inc. (Facebook, Instagram) Conversion tracking, retargeting, measurement of advertising effectiveness, audience building via Meta Pixel and (if applicable) Conversions API USA https://www.facebook.com/privacy/policy/

    We process data with Meta only when you have given your explicit consent through our cookie banner. See Section 8 for full details on Meta Pixel.

    5.3 Other recipients

    We may also disclose personal information:

    • When you direct, request, or consent to disclosure (e.g. social media login, sharing functions).
    • In connection with a business transaction such as a merger, acquisition, financing, or sale of assets.
    • To comply with applicable law or respond to valid legal process (subpoenas, court orders, government requests).
    • To enforce our policies or protect our rights, property, or safety, or those of our customers or others.

    We do not sell your personal information in the traditional sense. However, the use of tracking technologies for advertising (such as Meta Pixel) may be considered a "sale" or "share" under certain US state privacy laws — you can opt out via our cookie banner.

    6. International Data Transfers

    Because we use service providers based in different countries, your personal information may be transferred to, stored in, and processed in countries outside your country of residence — including the United States, Canada, the European Union, the United Kingdom, China, Australia, and other countries.

    In particular:

    • Shopify processes data primarily in Canada and the United States.
    • Printify processes data in the United States and Latvia (EU).
    • Print Providers producing your physical order may be located in any country where Printify has manufacturing partners (commonly the USA, UK, Germany, the Czech Republic, Latvia, China, Australia, and Canada). The country is determined by product type and shipping destination.
    • Klaviyo processes data in the United States.
    • Stripe and PayPal are global payment processors with primary processing in the USA (and Luxembourg for PayPal's European operations).
    • Meta Platforms processes data in the United States.

    For transfers from the European Economic Area or the United Kingdom to countries that have not been recognized by the European Commission (or UK ICO) as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, along with additional safeguards where necessary following the Schrems II ruling of the Court of Justice of the European Union.

    For transfers from Mexico, we comply with Articles 36 and 37 of the LFPDPPP, including providing notice of transfers in this Privacy Policy and entering into contractual arrangements with recipients to ensure adequate protection.

    You may request more details about our transfer mechanisms — including copies of relevant SCCs (with commercially sensitive information redacted) — by contacting us at loomycase@gmail.com.

    7. How Long We Keep Your Information

    We retain your personal information only as long as necessary to fulfill the purposes for which we collected it, including to satisfy legal, accounting, tax, or reporting requirements. In particular:

    Type of data Retention period
    Order and transaction data At least 5 years from the transaction date (Mexican tax law / accounting requirements); up to 10 years in some jurisdictions
    Customer account data Until you delete your account or request deletion, then up to 90 days for backups
    Customer service communications 2–3 years from last contact
    Marketing data (newsletter subscribers) Until you unsubscribe or withdraw consent, then promptly deleted
    Cookie and tracking data As specified in our cookie banner (typically 1–24 months depending on the cookie)
    User-submitted content (e.g. photos uploaded for personalization) As long as needed to produce and ship the order, plus a reasonable period for warranty and dispute resolution (typically up to 2 years from delivery)

    After these periods, we delete or anonymize your data.

    8. Cookies and Tracking Technologies (including Meta Pixel)

    The Services use cookies and similar technologies (such as pixels, web beacons, and local storage) to operate the website, remember your preferences, analyze usage, and (with your consent) deliver personalized advertising.

    8.1 Categories of cookies we use

    Category Purpose Consent required?
    Strictly necessary Enable basic functions (cart, login, checkout, fraud prevention) No
    Functional Remember your preferences (language, region) Implicit; can be disabled
    Analytics Measure how visitors use the Site (e.g. Shopify analytics) Yes (EU/UK/Mexico for non-essential analytics)
    Marketing / Advertising Personalized advertising, retargeting (Meta Pixel, etc.) Yes — explicit opt-in

    You can manage your preferences at any time through our cookie banner or your browser settings.

    8.2 Meta Pixel (Facebook / Instagram tracking)

    We use the Meta Pixel (and may use the Meta Conversions API) provided by Meta Platforms, Inc. ("Meta"). The pixel allows us to measure the effectiveness of our advertising on Facebook and Instagram, build retargeting audiences, and understand actions visitors take on our website (e.g. page views, add-to-cart, purchases).

    What data the Meta Pixel collects:

    • IP address,
    • Browser and device information,
    • Pages viewed and actions taken on our Site,
    • Cookie identifiers (_fbp, _fbc),
    • If you are logged into Facebook/Instagram on the same device, Meta may link this activity to your Facebook/Instagram profile,
    • For Conversions API events: hashed (one-way encrypted) email address, hashed phone number, and event details.

    Where the data goes: Meta Platforms, Inc. (United States). Meta acts as a joint controller with us for the collection and transmission of this data, and as an independent controller for further processing on its own platforms. We have entered into the Meta Controller Addendum, which is incorporated into the standard Meta Business Tools terms.

    Legal basis: Your explicit, opt-in consent under Article 6(1)(a) GDPR and the ePrivacy Directive, given through our cookie banner. The Meta Pixel does not fire on your device until you have actively consented to marketing cookies. If you reject marketing cookies, the pixel is blocked and no data is transmitted to Meta from your browser.

    Your rights regarding Meta: You can:

    Schrems II / international transfers: Transfers from the EU/EEA/UK to Meta in the United States are governed by the EU-US Data Privacy Framework (where applicable) or Standard Contractual Clauses. You acknowledge the risks of such transfers when you consent to marketing cookies.

    8.3 Klaviyo (email marketing and on-site tracking)

    We use Klaviyo, Inc. ("Klaviyo") for email marketing automation and customer engagement. Klaviyo provides two distinct functions, each with its own consent requirements:

    (a) Email marketing (newsletter, abandoned cart, post-purchase flows)

    • What data: Your email address, name, order history, and (if you opt in) phone number for SMS marketing.
    • When: Only after you actively subscribe to our newsletter or SMS list.
    • Legal basis: Your explicit consent under Article 6(1)(a) GDPR. For EU/UK users, we use double opt-in — you must confirm your subscription via a verification email before being added to our list.
    • Withdrawal: You can unsubscribe at any time using the link in any email we send, or by replying STOP to any SMS.

    (b) On-site tracking via klaviyo.js

    Klaviyo's tracking script can record:

    • Pages you view on our Site,
    • Products you view, add to cart, or wishlist,
    • Search queries on our Site,
    • Time spent on pages,
    • Device and browser information,
    • If you are a logged-in subscriber, it associates this browsing activity with your profile.

    This tracking is separate from email subscription. We treat it as marketing/profiling activity requiring explicit opt-in consent via our cookie banner. If you reject marketing cookies, Klaviyo on-site tracking is disabled.

    Where the data goes: Klaviyo, Inc. (United States). Transfers from the EU/EEA/UK rely on Standard Contractual Clauses and additional safeguards.

    Klaviyo's privacy policy: https://www.klaviyo.com/legal/privacy/privacy-notice

    8.4 Other tracking

    If we add other tracking tools (Google Analytics, TikTok Pixel, Pinterest Tag, etc.) in the future, we will update this Privacy Policy and our cookie banner accordingly, and obtain your consent where required.

    9. Your Rights

    Depending on where you live, you have some or all of the following rights regarding your personal information. We will not discriminate against you for exercising these rights.

    9.1 Rights available to all users

    • Access: Request a copy of the personal information we hold about you.
    • Rectification / Correction: Request that we correct inaccurate or incomplete information.
    • Deletion / Erasure: Request that we delete your personal information, subject to legal retention obligations.
    • Restriction: Request that we limit our processing in certain situations.
    • Objection: Object to our processing of your data based on legitimate interests, including profiling and direct marketing.
    • Data portability: Receive your data in a structured, commonly-used, machine-readable format, and transmit it to another controller.
    • Withdrawal of consent: Where processing is based on consent, withdraw it at any time (without affecting the lawfulness of past processing).
    • Lodge a complaint with a data protection authority (see Section 9.4).

    9.2 Specific to Mexico — Derechos ARCO

    Under the LFPDPPP, you have the rights of Acceso, Rectificación, Cancelación y Oposición (ARCO). To exercise these rights, send a request to loomycase@gmail.com with:

    • Your full name and a means of contact,
    • Documents that prove your identity (or your representative's identity and authority),
    • A clear and precise description of the personal data over which you wish to exercise a right,
    • Any other element or document that facilitates locating the data.

    We will respond within 20 business days of receiving your request. If we grant the right, we will give effect to it within 15 business days of our response.

    You may also revoke at any time the consent you have given for the processing of your personal data. To revoke your consent, use the same procedure as for ARCO rights.

    9.3 Specific to EU/UK users

    In addition to the rights above, EU/EEA and UK users have the right to:

    • Object to processing based on legitimate interests, including profiling for direct marketing (which we will always honor).
    • Withdraw consent at any time, easily and free of charge.

    9.4 How to exercise your rights and how to complain

    To exercise any of these rights, email us at loomycase@gmail.com with "Privacy Request" in the subject line. We will respond within the timeframes required by applicable law (typically 30 days under GDPR, 20 business days under LFPDPPP for ARCO requests).

    If you are not satisfied with our response, you can complain to:

    10. Children's Privacy

    The Services are not intended for children under 16 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, contact us at loomycase@gmail.com and we will delete it.

    As of the effective date of this Privacy Policy, we do not have actual knowledge that we share or sell personal information of individuals under 16.

    11. Security

    We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:

    • TLS/SSL encryption for data in transit,
    • Access controls and authentication for our systems,
    • Use of reputable processors (Shopify, payment providers) that maintain their own security certifications (PCI-DSS for payment data),
    • Regular review of our security practices.

    However, no security system is impenetrable. We cannot guarantee absolute security of data transmitted to us. We recommend that you do not send sensitive information through unsecure channels and that you keep your account credentials confidential.

    In the event of a personal data breach that poses a risk to your rights, we will notify the competent authority within 72 hours where required, and you directly if the risk is high, in accordance with applicable law.

    12. Third-Party Websites and Links

    The Services may contain links to third-party websites (social media, payment processors, carriers' tracking pages). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing personal information.

    13. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will:

    • Post the updated Privacy Policy on this page,
    • Update the "Last updated" date at the top,
    • Where the change is material, provide additional notice (e.g. email or prominent notice on the Site) and, where required by law, seek your renewed consent.

    Continued use of the Services after a change becomes effective constitutes acceptance, except for changes that require explicit consent under applicable law.

    14. Contact / Data Protection Inquiries

    For any questions about this Privacy Policy or to exercise your rights:

    LoomyCase Legal owner: Ricardo Javier Muñiz Cordova Email: loomycase@gmail.com Phone: +52 (55) 2323-0032 Address: Anaxágoras 440, Colonia Narvarte, Benito Juárez, 03020 Ciudad de México, CDMX, Mexico RFC: MUCR9811196HA

    For the purposes of applicable data protection laws, we are the data controller / responsable of your personal information.

    Related Policies