Privacy Policy

Last Updated: November 02, 2025

Loboza operates as LOBOZA (SMC-PRIVATE) LIMITED (Company No. 0300129), providing a curated selection of high-quality travel gear, backpacks, duffle bags, laptop bags, travel bags, and chest bags crafted for durability, style, and functionality (the "Services"). Our platform is powered by Shopify, a trusted e-commerce infrastructure that enables secure, efficient delivery of these Services to customers worldwide. This Privacy Policy provides a comprehensive overview of our practices for collecting, using, disclosing, and protecting your personal data when you visit our site, create an account, make purchases, engage with our content, or interact with us through other channels. Our address is Mughal Market, Bhanywali Rd, Perochak, Daska, Sialkot 51310, Pakistan.

In alignment with Google Ads and Google Merchant Center (GMC) guidelines effective in 2025, we prioritize transparency in data practices, especially for advertising and product listing purposes. This includes clear disclosures on data usage for personalized ads, mandatory opt-out mechanisms for targeted advertising, compliance with global consent frameworks (e.g., GDPR, CCPA/CPRA, and emerging standards like the EU AI Act's privacy implications), and restrictions on sensitive data processing. Where our Terms of Service overlap with this Policy, this document governs all aspects of personal data handling to ensure misrepresentation-free operations and user trust. We do not "sell" or "share" personal data for cross-context behavioral advertising as defined under applicable laws, and we honor signals like Global Privacy Control (GPC) to limit such uses.

We strongly recommend reading this Policy in full before using our Services. By accessing or using any part of the platform—including browsing products, adding items to your cart, or submitting an order—you acknowledge that you have reviewed, understood, and consented to our data practices as outlined here. If you do not agree, please do not proceed with using the Services. This Policy applies to all visitors, regardless of location, but rights and obligations may vary based on your jurisdiction.

For clarity, "personal data" (or "personal information") refers to any information that identifies, relates to, or could reasonably be linked—directly or indirectly—to you or a household (e.g., name, email, purchase history). It excludes de-identified, aggregated, or publicly available data that cannot be re-associated with an individual.

Categories of Personal Data We Collect and Process

Our data collection is limited to what is necessary ("data minimization" principle per 2025 GMC guidelines) to deliver Services, improve user experience, and comply with legal requirements. We only process data with a valid legal basis, such as contract performance, legitimate interests (e.g., fraud prevention), or explicit consent (e.g., for marketing). Depending on your interactions and location, we may collect or derive the following categories, including inferences (e.g., product preferences from browsing patterns):

  • Identity and Contact Data: Full legal name, postal address (including billing and shipping details), phone number (mobile or landline), email address, date of birth (if provided for age verification), and government-issued ID (rarely, for high-value orders or disputes).
  • Financial and Transaction Data: Payment method details (e.g., credit/debit card numbers, expiration dates, CVV—encrypted and tokenized via PCI DSS-compliant processors), bank account info (for direct debits), transaction IDs, order totals, refund records, and purchase history (e.g., items viewed, added to cart, wishlisted, bought, returned, exchanged, or canceled).
  • Account and Profile Data: Username, password (hashed), security questions/answers, login timestamps, saved preferences (e.g., size/color filters for bags), wishlist items, and loyalty program details (if applicable).
  • Communication and Feedback Data: Content from emails, chat support, surveys, reviews, or social media interactions (e.g., "I love the Cordura fabric on this backpack!"), including metadata like timestamps and IP origins.
  • Technical and Device Data: IP address, device type/model (e.g., iPhone 15), operating system, browser version (e.g., Chrome 120), screen resolution, unique device IDs (e.g., IDFA or Android ID—used pseudonymously), geolocation (approximate, from IP), and cookie IDs.
  • Behavioral and Usage Data: Site navigation paths (e.g., pages visited like /backpacks vs. /travel-bags), session duration, search queries (e.g., "water-resistant laptop bag"), clickstream data, scroll depth, and engagement metrics (e.g., time spent on product pages).
  • Marketing and Advertising Data: Consent status for emails/SMS, ad interaction history (e.g., clicks on Google Ads for Loboza backpacks), and cross-device tracking signals (opt-in only, compliant with 2025 Google Ads consent requirements).

We do not collect sensitive data (e.g., health, racial/ethnic origin, political views, or biometric info) unless explicitly required for legal verification (e.g., export compliance for international shipments) and with your affirmative consent.

Sources of Personal Data

To ensure accuracy and completeness per GMC listing policies, we gather data from multiple, transparent sources:

  • Directly from You: During account creation, checkout (e.g., entering shipping address for a Sialkot-origin backpack), support tickets, newsletter sign-ups, or review submissions.
  • Automatically via Technology: Cookies, pixels, SDKs, and server logs during site visits or app interactions. For example, first-party cookies track cart abandonment to remind you of unpurchased items, while Google Analytics (anonymized) measures site performance without personal identifiers.
  • From Service Providers: Third parties like Shopify (for order processing), payment gateways (e.g., Stripe for tokenized cards), or shipping partners (e.g., DHL for tracking numbers) who process data on our behalf under strict data processing agreements (DPAs).
  • From Third Parties: Advertising networks (e.g., Google Ads for retargeting based on site visits), affiliates (e.g., influencers sharing referral links), or public sources (e.g., address validation services). For GMC feeds, product data may include aggregated insights from suppliers, but never personal user data.

Under 2025 Google Ads guidelines, we disclose all automated collection tools and provide easy cookie consent banners.

How We Use Your Personal Data

All uses align with legitimate purposes, Google Ads' personalized ad policies (requiring user consent for interest-based targeting), and GMC's data accuracy mandates for product listings. We process data only as long as necessary and with safeguards:

  • Service Delivery and Personalization (Contractual Basis): To process orders (e.g., fabricating a custom-engraved chest bag), fulfill shipments from our Sialkot facility, handle returns per our policy, manage accounts, and send transactional emails (e.g., order confirmations). We use inferences to recommend items, like suggesting sustainable Cordura backpacks if you've bought eco-friendly travel gear.
  • Experience Enhancement (Legitimate Interest): Analyze usage to optimize site speed, A/B test layouts (e.g., minimalist design for bag categories), and prevent errors (e.g., stockouts on popular YKK-zipper models).
  • Marketing and Advertising (Consent or Opt-In): Send promotional content (e.g., "20% off duffle bags for travelers") via email/SMS, or display targeted Google Ads (e.g., on search results for "durable laptop bags Pakistan"). Per 2025 guidelines, we limit to non-sensitive categories, provide granular opt-outs, and do not build profiles without consent. Retargeting (e.g., ads for abandoned carts) uses hashed emails only.
  • Security and Fraud Detection (Legitimate Interest): Monitor for anomalies (e.g., unusual IP logins), authenticate via multi-factor setups, and comply with PCI DSS for payments. This includes sharing limited data with fraud tools like Sift.
  • Customer Engagement (Contractual/Legitimate Interest): Respond to queries (e.g., "Is this bag water-resistant?"), gather feedback, and maintain relationships (e.g., loyalty updates).
  • Legal and Compliance (Legal Obligation): Respond to subpoenas, audit tax records (e.g., VAT for EU shipments), enforce Terms (e.g., prohibiting resale of Loboza products), or report under anti-money laundering laws.

We pseudonymize data where possible (e.g., IP hashing) and conduct regular privacy impact assessments per 2025 global standards.

Disclosure and Sharing of Personal Data

Sharing is purpose-limited, secured via contracts, and reported transparently to meet Google Ads' third-party disclosure rules. We never sell data outright:

  • Operational Partners: Shopify for hosting/orders, payment processors (e.g., PayPal) for transactions, logistics (e.g., FedEx) for deliveries, and analytics firms (e.g., Google Analytics) for insights—all bound by DPAs ensuring no further use.
  • Advertising Ecosystems: Google Ads/GMC for campaign optimization (e.g., feeding anonymized conversion data from purchases), but only aggregated and with opt-out support. Marketing vendors (e.g., Klaviyo for emails) access consented subsets.
  • User-Directed Shares: When you choose social login (e.g., Google OAuth) or gift an order, data flows as instructed.
  • Corporate Affiliates: Limited internal sharing for unified support (e.g., Sialkot team handling queries).
  • Legal/Business Needs: In mergers (protecting buyer due diligence), court orders, or to defend rights (e.g., IP claims on Loboza designs). For GMC, product data shares with Google for feed validation, excluding personal info.

All recipients are vetted for 2025-compliant security (e.g., SOC 2 certification).

Integration with Shopify

Shopify hosts our Services and processes interaction data (e.g., cart adds for Loboza travel bags) to enable features like one-click checkout. Your data may transfer to Shopify's global servers (e.g., US/Canada) under their Consumer Privacy Policy. We use enhanced Shopify tools (e.g., for personalized recommendations) that incorporate cross-merchant data—Shopify acts as the processor, handling your rights requests. For GMC compliance, Shopify's feeds ensure accurate product data without personal linkage. Exercise rights via Shopify Privacy Portal.

Third-Party Links and Services

Links to external sites (e.g., Google Ads landing pages or payment portals) are for convenience; we don't control or endorse them. Review their policies—e.g., Google's Privacy Policy. Social shares (e.g., tweeting a Loboza bag photo) may expose data publicly. Per 2025 guidelines, we flag affiliate links clearly.

Children's Privacy

Services are for adults 18+ (or local majority age). We do not target or knowingly collect from minors. If discovered, we'll delete promptly upon parental request to care@loboza.com. No under-16 data is shared/sold per COPPA and equivalents.

Security Measures and Data Retention

We employ industry-leading protections: AES-256 encryption for data at rest/transit, regular penetration testing, access controls (role-based), and breach response plans (notify within 72 hours per GDPR). However, no system is 100% secure—use strong passwords and HTTPS-only connections.

Retention: As minimally as possible—e.g., transaction data for 7 years (tax laws), profiles until deletion request, cookies for 13 months max. Post-need, we securely erase (e.g., NIST-compliant shredding) or anonymize.

Your Rights, Choices, and Controls

Empowering users aligns with 2025 Google Ads' consent emphasis. Rights depend on laws (e.g., full under GDPR/CCPA):

  • Access/Confirmation: Request details on processing.
  • Rectification: Fix errors (e.g., wrong address).
  • Erasure ("Right to be Forgotten"): Delete where no overriding need.
  • Portability: Receive structured copy (e.g., JSON export).
  • Restriction/Objection: Pause processing (e.g., for marketing).
  • Withdraw Consent: Revoke anytime (e.g., unsubscribe).
  • Opt-Out of Sales/Sharing/Targeted Ads: No sales occur, but limit profiling via opt-out form, cookie settings, or GPC (auto-honored). For Google Ads, use My Ad Center.
  • Non-Discrimination: No penalties for exercising rights.

EEA/UK extras: Automated decision objections (we minimize these). Submit requests via site dashboard or care@loboza.com—we verify (e.g., via email link) and respond in 30-45 days (extensions possible). Agents require notarized authorization.

Manage cookies: Our banner allows granular choices (essential vs. marketing). Unsubscribe from emails via footer links.

Complaints and Oversight

Contact us first at care@loboza.com for resolutions. Appeal denials here too. Escalate to authorities: Pakistan's PDPA enforcer, EU's EDPB list, or CCPA's CPPA. We track complaints for annual audits.

International Data Transfers

Data may flow globally (e.g., Shopify in Ireland for EU users). For adequacy: EU-US Data Privacy Framework, UK adequacy decisions, or SCCs/BCRs with impact assessments. Pakistani transfers use equivalent safeguards.

Changes to This Policy

Updates (e.g., for new GMC rules on AI-driven ads) will post here with "Last Updated" revision and in-app notices (e.g., email for material changes). Review periodically—continued use post-notice implies consent.

Contact Us

Questions? Rights exercises? Support? 
Email: care@loboza.com

Write to our registered office:
LOBOZA (SMC-PRIVATE) LIMITED
Mughal Market, Bhanywali Rd, Perochak, Daska, Sialkot 51310, Pakistan