We at Looxa are committed to protecting and respecting your privacy and this Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be handled and hereby also confirms our compliance with the EU General Data Protection Regulation (GDPR), in force from 25 May 2018.

The GDPR provides a set of rights and protections for EU citizens in terms of the data that individuals and organizations hold about them, and the responsibilities of those organizations on what data they can hold, how they can process and use that data, and how individuals can access or request changes to or deletion of the data held about them.

In this Privacy Policy/Statement of Compliance we will lay out what data we hold, for what purposes, our legal obligations which cannot be breached without your consent and your rights regarding this data. Both co-owners, Ana-Martina Lukić and Lana Kovačić, have read and agreed to all points of the Policy/Statement and are aware of its implications and your rights.

Please be aware that we are not responsible for the privacy practices of any third parties, such as our partners, and we urge you to familiarize yourself with their privacy terms when giving out any personal data


We may collect the following information from our clients and users of our products and services (be they private person or a legal entity or business such as registered yoga school, center, retreat, bookstore, web retailer, brand…)

  1. E-mail address

– Email addresses of people who have emailed us directly or through the Looxa web shop and to whom we have replied – automatically saved in mail server software

– E-mail addresses we were referred to with direct permission to contact them

-Individuals who have used the online form to opt in to receive news from Looxa and have willingly chosen to be notified (This data comprises Email Address, First Name and Family Name )

– Explicitly given email addresses – orally or via business cards on gatherings, workshops, teacher trainings, yoga festivals, yoga shows…

*** To be able to maintain the relationship, for the purposes of sending orders or invoices, notifications  about order statuses, activities and current offers, and occasional updates and marketing

  1. First/Last Name

– Gained through direct e-mail contact, via the web shop, contacted via inbox on Facebook or Instagram

-Be it a private person or a person (owner, employee, outside associate) representing or speaking on behalf of a brand, organization, specific department within the business that deals in marketing, acquisition of new products, content management, accounting…

*** In order to be able to personalize the communication

  1. Company name and VAT number

-Gained through direct communication

*** To be able to issue an invoice

  1. Address (private and/or business location)

– Only explicitly given for finalized orders

***For delivery purposes

  1. Log of order history

– For all previous customers

*** In order to be able to keep track of the preferences of our clients, customize the experience and judge the interest in a potential new product (marketing purposes) and speed up repetitive orders

  1. Method of payment and associated information

– For all previous customers

***Necessary to complete the transaction


– To communicate with you regarding order status, provide information and ask for relevant information to complete the order;

– To operate and improve our products and services;

– To develop, improve, and protect the products;

– For market research;

– To improve customer service;

– To personalize user experience;

– To run a promotion, contest, survey or other related feature;

!!! Your data is not disclosed, sold, leased rented or otherwise discloses to any third party and is used exclusively for Looxa’s purposes, excluding the cases  below:

-To public authorities, such as law enforcement, if we are legally required to do so or if we need to protect our rights;

– To our subsidiaries and affiliates; or a subsequent owner, co-owner or operator of Looxa in connection with a corporate merger, consolidation, restructuring, or the sale of substantially all of our stock and/or assets or other corporate reorganization


We acknowledge the rights of an individual as specified in the GDPR and will make best efforts to respond to any requests from individuals in association with these rights within the one month timescale required by GDPR. Rights recognized:

– The right to be informed about what personal data we hold about you

– The right of access

– The right to rectification – you can have incomplete, incorrect, outdated, or unnecessary personal data corrected, deleted, or updated

– The right to erasure “right to be forgotten” -right to opt out of receiving electronic direct marketing and be completely erased from the data base. Rare electronic direct marketing communications that you may receive will give you an option of not receiving such communications from us in the future

– The right to restrict processing

– The right to data portability

– The right to object

– The right not to be subject to automated decision-making including profiling


Data is collected and processed under the legal basis of ‘Legitimate Interests’ via the three-part test:

Identify a legitimate interest:

By signing up for a newsletter or expressing interest in our product via any communication channel or social network in use, by purchasing a product, individuals have expressed a legitimate interest in Looxa’s work

Show that the processing is necessary to achieve it:

Since we do business internationally, communication via email is absolutely fundamental to the operation of Looxa

Balance it against the individual’s interests, rights and freedoms:

The individual has the absolute right to request complete deletion of their data at any time and will be removed from data base immediately


Data is used in a way which has minimal privacy impact and only that necessary for the operations stated is collected. Reasonable steps are taken to prevent data breaches, including the use of secure servers and strong password protection of devices and online accounts. We recognize the need to notify the superimposed structures in case of data breach.