Privacy Policy
Last updated: 7 May 2026
We are committed to building strong and lasting relationships based on trust and transparency. In keeping with this philosophy, the protection of your personal data (“Personal Data”, meaning information about you or relating to you) is essential, and we wish to inform you, through this Privacy Policy, how we collect and process this Personal Data in accordance with the General Data Protection Regulation (Regulation 2016/679, “GDPR”).
This Privacy Policy (“Policy”) describes how we use the Personal Data that we may collect when you use the website www.looandlougallery.com (hereinafter the “Site”). It provides a general overview of how we process your Personal Data, as well as a detailed description of our processing activities.
Data Controller
Loo&Lou Gallery, a Luxembourg company registered in Luxembourg under number B190.747, with its registered office at 25B Boulevard Royal, L2449 Luxembourg, which operates the Loo&Lou art gallery located at 20 rue Notre-Dame de Nazareth, 75003 Paris, France (Paris Trade and Companies Register no. 809639065) (hereinafter the “Gallery”, “We”, “Our” or “Us”).
Data Collected
When browsing Our Site, we collect different categories of Personal Data concerning you. If you do not provide this data, we may be unable to perform our contract with you or provide you with the information you have requested.
Identification: first name, last name, username, password
Contact details: telephone number, email address, billing address, delivery address
Applications: professional experience, education, skills, hobbies
Content of exchanges between you and us
Payment method, basket amount, artworks purchased
Browsing data: details of your visits to the Site, including but not limited to: referrer URL, date/time of visit, entry page, session duration and activity, pages viewed, unique device identifier, unique session identifier.
We do not collect sensitive data about you (“sensitive data” means any information revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation).
Purposes and Legal Bases
We process your Personal Data for the reasons described below and on the following legal bases:
| Purpose | Legal basis/bases |
|---|---|
| Managing the recruitment process, including receiving and processing unsolicited applications via the contact form. | Performance of pre-contractual or contractual measures |
| Managing the customer relationship, including customer account creation, online orders and delivery, invoicing and accounting. | Performance of pre-contractual or contractual measures; legal obligations |
| Enabling the Site to function technically. | The Gallery’s legitimate interest in managing its Site |
| Sending a newsletter. | The Gallery’s legitimate interest in communicating with its customers and promoting its activities; consent of visitors subscribed to the newsletter |
| Inviting our customers to events organised by the Gallery. | The Gallery’s legitimate interest in communicating with its customers and promoting its activities |
| Managing user account creation. | Contractual measures; legitimate interest in offering customers an account |
| Managing litigation files, whether bringing or defending claims. | The Gallery’s legitimate interest in defending its interests in court |
| Identifying you when you contact us and responding to your request for information. | Legitimate interest in managing contact requests |
| Reorganisation of the business where the Gallery: (i) is involved in negotiations for the sale of all or part of its business to a third party; (ii) is sold to a third party; or (iii) undergoes restructuring. The Gallery may need to transfer all or part of the Personal Data to the relevant third party, or its advisers, as part of any due diligence process in order to analyse any proposed sale or restructuring. The Gallery may also transfer Personal Data to the restructured entity or third party after the sale or restructuring so that they may use it for the same purposes as those set out in this Policy. | Legitimate interests, in order to allow the Gallery to make changes to its structure and business |
| Preventing money laundering and terrorist financing and fighting corruption. | Compliance with legal and regulatory obligations, Article L561-1 et seq. of the French Monetary and Financial Code |
| Managing users’ GDPR rights requests. | Legal obligation to respond to rights requests in accordance with Article 12 GDPR |
| Producing statistics on the use of the Site by tracking browsing in order to improve and personalise your experience. | Legitimate interest in monitoring Site activity; your consent where required by law |
Recipients of the Data
Depending on the type of Personal Data and the purpose for which We use it, your Personal Data may be shared with the following authorised persons:
Selected third-party service providers acting on our behalf and according to our instructions for the purposes described above. For example, we transmit your Data to our hosting provider in order to provide you with the Site’s services.
Public and judicial authorities: we may be required to share your Data with public and judicial authorities in the event of a dispute.
Our professional advisers: we may also share your Data where necessary with our various advisers, such as lawyers, insurers, etc.
In all cases, We ensure that these recipients:
are subject to strict contractual obligations regarding the protection and confidentiality of Personal Data;
undertake to comply with all applicable laws on the protection of Personal Data and not to use your Personal Data for purposes other than those provided for in the contracts We have entered into with them;
implement appropriate technical and organisational security measures to protect the integrity and confidentiality of your Personal Data where relevant.
In all cases, We only grant access to your Personal Data on a need-to-know basis, and this access is limited to the Personal Data strictly necessary to fulfil the purpose for which such access is granted to the recipients. Under no circumstances do We rent, exchange or sell your Personal Data to third-party companies.
Transfers of Data Outside the European Union
In principle, your Personal Data is not transferred outside the European Union or countries benefiting from an adequacy decision by the European Commission. If this were to occur, the Gallery would ensure that appropriate safeguards are implemented by its service providers as required by applicable data protection legislation, for example the signing of the European Commission’s Standard Contractual Clauses.
Security
The Gallery takes the necessary measures, in accordance with applicable legal provisions, to protect your Personal Data against destruction, loss or alteration, misuse and unauthorised access, modification or disclosure, whether unlawful or accidental.
To this end, access to your Personal Data is limited to the Gallery’s employees and service providers who need it in the performance of their duties. All persons with access to your Personal Data are bound by a confidentiality obligation and may be subject to disciplinary measures and/or other sanctions if they fail to comply with this obligation.
Technical and organisational measures have also been put in place to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services on which the processing is based.
Retention
We retain your Personal Data for the period necessary for the purposes described in this Privacy Policy.
The criteria used to determine these retention periods include in particular:
the duration of Our relationship with you;
whether there is a legal obligation to which We are subject;
the period necessary for the processing purpose or purposes for which the Data was collected, and any other authorised related purpose.
If the Gallery uses Personal Data for two purposes, such Data will be retained until the expiry of the purpose with the longest retention period, but will no longer be used for the purpose with the shorter period once that period has expired.
At the end of the relevant retention periods, your Personal Data may be archived in separate and secure IT environments solely for the purpose of complying with our legal and tax obligations or exercising our rights in court.
When the Personal Data is no longer necessary, and its retention is no longer required by law, the Gallery will irreversibly anonymise it, and may retain and use the anonymised data, or securely destroy it.
What Are Your Rights?
You have the right to ask Us, under the conditions and according to the procedures provided by law, to access, rectify, erase, stop or restrict the use of your Personal Data. You may also withdraw your consent to future processing at any time where you have consented to the processing of Personal Data. You may request a copy of the Personal Data you have provided to us, in a structured, commonly used and machine-readable format, in order to transmit it to another data controller, where applicable law provides for this right. Finally, you have the right to define instructions regarding the fate of your Personal Data after your death.
For more information on the rights provided by the French Data Protection Act, you may consult the website of the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”): www.cnil.fr.
To exercise your rights or for any question relating to the use of your Personal Data, you may contact us at the following address: contact@looandlougallery.com
If you believe that your Personal Data has not been processed correctly, or if you are not satisfied with Our response, you have the right to lodge a complaint with the CNIL.
Updates
We may update this Privacy Policy at any time in order to improve Our transparency towards you and to reflect any changes in the way We process your Personal Data. You will be informed in writing of any significant changes made to this Privacy Policy.
Cookies
A cookie is a small text file, often encrypted, stored in the internet browser. When visiting the Site, the Site sends information to the browser, which then creates a text file on the receiving device, such as a computer, phone, tablet or any other device, containing information about the visit to the Site.
The Site uses certain technical browsing cookies to carry out activities strictly necessary for the functioning or provision of the Site’s features. These cookies do not require consent.
The Site may also use cookies to provide certain features or personalised content and improve your experience, or to allow the Gallery to carry out analyses and statistics on your behaviour. These cookies require consent.
The list of cookies used on the Site appears in the appendix to this Policy.
You may accept or refuse cookies that are not necessary for the functioning of the Site:
via the cookie banner: when first visiting the Site, a banner asks you to accept or refuse the collection of cookies concerning you;
via the cookie console available on the Site: where the use of cookies is based on consent, you may give or withdraw your consent by setting your preferences purpose by purpose.
Your choices will be recorded for a reasonable period by the Site and may be modified at any time by you via the cookie console, available through a link at the bottom of each page of the Site. These settings are only valid for pages created and owned by the Gallery. Where links to external websites are integrated and you click on those links, you leave the Site and, consequently, the settings and choices made for the Site no longer apply. You must take into account the policy of the new Site you enter and its new cookie settings.
It is also possible, via the relevant features of your browser or device, to delete cookies previously stored, including those used to remember the consent initially given. Other trackers present in the browser’s local memory may be deleted by clearing the browsing history.
With regard to third-party cookies, preferences may be managed and consent may be withdrawn via the relevant opt-out link, where provided, by using the methods indicated in the third party’s privacy policy, or by contacting the third party.
You may configure the cookies placed on your device using your browser’s settings tool so that they are accepted or stored on your device or, conversely, refused. However, some Site Features will no longer be operational.
Browser settings
Google Chrome
Click the Tools menu icon.
Select Options.
Click the Advanced Options tab and go to the “Privacy” section.
Internet Explorer
In Internet Explorer, click the Tools button > Internet Options.
Under the General tab, under browsing history, click Settings > View files. Select and delete files containing the prefix “Cookie” and “the Gallery”.
Firefox
In the Tools menu > Options > Privacy and Security > Manage Data.
Select and delete files containing the name “the Gallery”.
Safari
In the browser, choose the Edit menu > Preferences > Security > Show Cookies.
Select the cookies containing the name “the Gallery” and click Delete or Delete All. After deleting the cookies, click Done.
Any settings you configure in your internet browser software, and any refusal of cookies, may affect your browsing and your conditions of access to certain Site features.
Cookies Used
| Provider | Cookie | Category | Purpose | Consent required | Retention period |
|---|---|---|---|---|---|
| Polylang | pll_language | Personalisation | Stores language preferences. | Yes | 1 year |
| Sourcebuster | sbjs_current | Analytics | Stores the source of the current visit. | Yes | Session |
| Sourcebuster | sbjs_current_add | Analytics | Works in addition to sbjs_current by storing additional information: the date and time of the current visit; the site entry point, meaning the first page visited; and the referrer, meaning the exact URL from which the visitor arrived. | Yes | Session |
| Sourcebuster | sbjs_first | Analytics | Stores the source of the first visit. | Yes | Session |
| Sourcebuster | sbjs_first_add | Analytics | Similar to sbjs_current_add for the first visit. | Yes | Session |
| Sourcebuster | sbjs_migrations | Analytics | Manages changes to the Sourcebuster.js script version. It ensures that user tracking data remains consistent and accurate even when updates or changes are made to Sourcebuster. | Yes | Session |
| Sourcebuster | sbjs_session | Analytics | Stores the number of pages viewed by the user during their session and the URL of the page currently being visited. | Yes | Session |
| Sourcebuster | sbjs_udata | Analytics | Stores the number of times the user has visited the site, their current IP address and browser. | Yes | Session |
| Matomo | _pk_id.1.8300 | Analytics | Stores a unique identifier for each visitor. | Yes | 13 months |
| Matomo | _pk_ses.1.8300 | Analytics | Makes it possible to know that all your actions on the site, such as pages visited, files downloaded and clicks, during your visit belong to the same session and not to several different visitors. | Yes | 30 minutes |
| Amauri Champeaux | tarteaucitron | Technical / Functional | Stores cookie banner choices. | No | 1 year |
| WordPress | wordpress_logged_in_63b50f2d903d95b2a52be1cf893ecfaa | Technical / Functional | Recognises that you are authenticated each time you browse the site, without asking you for your password again on each page. | No | Session |
| WordPress | wordpress_sec_63b50f2d903d95b2a52be1cf893ecfaa | Technical / Functional | Secures sensitive areas of the site, in particular the /wp-admin dashboard. | No | Session |
| WooCommerce | wp_woocommerce_session_63b50f2d903d95b2a52be1cf893ecfaa | Technical / Functional | Contains a unique code for each customer so that the cart data can be located in the database for each customer. | No | 48 hours |
| WooCommerce | woocommerce_cart_hash | Technical / Functional | Detects when the contents/data of the cart change. | No | Session |
| WooCommerce | woocommerce_items_in_cart | Technical / Functional | Also detects when the contents/data of the cart change. | No | Session |
| Loo&Lou | email_id | Technical / Functional | Stores the email address of your account. | No | 2 hours and 30 minutes |
| Stripe | __stripe_sid | Technical / Functional | Stores a unique identifier assigned to your session, used by Stripe to detect fraudulent behaviour. | No | 30 minutes |
| Stripe | _stripe_mid | Technical / Functional | Stores a unique identifier assigned to your browser/device, used by Stripe to detect fraudulent behaviour. | No | 1 year |
| Stripe | m | Technical / Functional | Used for fraud detection. Allows Stripe to assess the risk associated with an attempted transaction on your website. | No | 2 years |
| Stripe | machine_identifier | Technical / Functional | For fraud prevention; allows Stripe to identify the computer used on the Stripe dashboard. | No | 1 year |
| Stripe | private_machine_identifier | Technical / Functional | Stores a persistent identifier linked to your device/computer, allowing Stripe to recognise the same machine from one session to another and from one user to another, for the purpose of detecting fraudulent behaviour. | No | 1 year |
| Stripe | cookie-perms | Technical / Functional | Stores your cookie preferences. | No | 6 months |
| Cloudflare | __cf_bm | Technical / Functional | Enables the operation of anti-bot tools. | No | 30 minutes |
| hCaptcha | hmt_id | Technical / Functional | Stores a unique identifier to distinguish visitors for bot detection purposes. | No | 13 months |
| Cloudflare | __cflb | Technical / Functional | Determines which server should handle incoming requests, thereby facilitating load balancing between servers. | No | 30 minutes |