Privacy Policy
Effective May 10, 2025
Introduction & scope
Loxala Global, Inc., a Delaware corporation ("Loxala," "we," "us," "our," or the "Company"), provides a global freelance marketplace and community platform. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use loxala.com, our mobile and other applications, and all related tools, features, and services (together, the "Platform").
This Policy applies to all users of the Platform worldwide, including users in the European Economic Area (EEA), the United Kingdom (UK), the United States, and elsewhere. It does not apply to the practices of companies we do not own or control, including freelancers and clients who act as independent controllers of personal data they handle for their own projects (see Section 4). Capitalized terms not defined here have the meaning given in our Terms of Use.
Definitions
To keep things clear, here's what we mean when we use these terms throughout the policy.
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable individual. |
| Special Category / Sensitive Data | Data needing extra protection, including government-issued ID, biometric data used for identification, date of birth, and precise geolocation. |
| Usage Data | Data collected automatically through use of the Platform (e.g., pages visited, time on page). |
| Cookies | Small data files stored on your device. |
| Data Controller | The party that determines the purposes and means of processing Personal Data. |
| Data Processor / Service Provider | A party that processes Personal Data on behalf of a controller. |
| Data Subject / User / you | The individual whose Personal Data is processed. |
Laws we comply with
Because we operate globally, this Policy is designed to address several data-protection regimes, including:
- The EU General Data Protection Regulation (GDPR) and the UK GDPR / Data Protection Act 2018;
- The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and comparable U.S. state privacy laws (including Virginia, Colorado, Connecticut, Texas, and others as they apply to you);
- The EU AI Act, to the extent it applies to our automated matching features (see Section 7);
- Other national and regional privacy laws where our users are located.
Our role: controller & processor
For most processing described here, including account registration, identity verification, payments, security, analytics, and our own marketing, Loxala acts as a Data Controller and determines why and how your Personal Data is processed.
When a freelancer and a client work together through the Platform, each may independently decide how to use personal data they exchange for their own project (for example, a client storing a freelancer's deliverables outside Loxala). In those cases, that party acts as an independent controller, and this Policy does not govern their practices. We encourage users to handle each other's information responsibly and lawfully.
Information we collect
5.1 Information you provide to us
- Account and profile data: name, email address, password, optional profile photo, job history, resumes/CVs, portfolios, and profile details you choose to add.
- Contact data: phone number and postal address, used for communication and identity verification.
- Identity and KYC/AML data: government-issued ID and date of birth, collected to verify identity and meet anti-money-laundering obligations (handled as Special Category / sensitive data; see Section 14).
- Work product: portfolios, project deliverables, and work samples you upload.
- Referral Program data: full name, email, country of residence, website/social links, a description of your online presence, audience metrics, and your consent to our affiliate terms.
- Support and communications: information you share when you contact us or use customer support.
5.2 Information we collect automatically
- Usage Data: pages visited, links clicked, searches run, time and date of visits, and interactions with features.
- Device and network data: IP address, device identifiers, browser type and version, operating system, and login timestamps.
- Approximate location derived from IP address, and precise geolocation where you grant permission (see 5.4).
- Cookies and similar technologies (see Section 8).
5.3 Information from third parties
- Identity verification results from providers such as Stripe Identity.
- Limited profile information from social logins (e.g., Google or Apple) if you choose to use them.
- Information from publicly accessible sources where relevant to providing our services.
5.4 Location data
We use precise location only with your permission, which you can grant or withdraw at any time through your device settings. Approximate (IP-based) location is also used for security and to meet KYC/AML requirements.
How we use your data
We use Personal Data to operate, secure, and improve the Platform, including to:
- Create and manage your account and provide the Platform's features;
- Match freelancers and clients and power Skill Matcher and the Loxi AI co-pilot (see Section 7);
- Verify identity and meet KYC/AML and other legal obligations;
- Process payments through our payment processor;
- Provide customer support and resolve disputes;
- Detect, prevent, and address fraud, abuse, and security incidents;
- Send service messages and, where permitted, our own marketing (you can opt out at any time);
- Analyze and improve the Platform and develop new features.
6.1 Legal bases (EEA / UK users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Platform and your account | Performance of a contract |
| Identity verification, KYC/AML, tax and legal compliance | Legal obligation |
| Security, fraud prevention, dispute resolution, analytics, product improvement | Legitimate interests |
| Our own marketing communications | Legitimate interests, or consent where required |
| Non-essential cookies, targeted advertising, precise location, optional recordings | Consent |
| Processing of government ID and biometric data | Explicit consent and/or substantial public interest / legal obligation |
Automated decision-making & AI matching
Loxala uses automated systems, including Skill Matcher and the Loxi AI co-pilot, to rank, match, and recommend freelancers, clients, and opportunities. These systems analyze profile information, skills, work history, Quality Index signals, and platform activity to surface relevant matches.
Where this automated processing produces effects that are significant to you, EEA/UK users have the right under GDPR/UK GDPR Article 22 to:
- Be informed that automated decision-making is taking place and understand, in general terms, the logic involved and its likely consequences;
- Request human review of a decision;
- Express your point of view and contest the outcome.
To exercise these rights, contact us at [email protected].
We do not use your content, including portfolios, messages, or project deliverables, to train our own or third parties' general-purpose AI models. AI features process your data to deliver matching and assistance, not to build training datasets from your work.
Cookies & tracking technologies
We use cookies, pixels, tags, and similar technologies for the purposes below. In the EEA and UK, non-essential cookies are set only after you give consent through our cookie banner, and you can change your choices at any time.
| Type | Purpose |
|---|---|
| Strictly necessary | Operate the Platform, keep you logged in, and maintain security. Always active. |
| Preference | Remember your settings and preferences. |
| Analytics | Understand how the Platform is used so we can improve it. Includes a first-party identifier ("lx_vid"). |
| Advertising | Support targeted advertising and measure campaigns (see Section 9). Set only with consent where required. |
Targeted advertising, "selling" & "sharing"
We run advertising campaigns that may use cookies and pixels to reach and measure audiences across other sites and services. Under California law (CPRA), this cross-context behavioral advertising can count as "selling" or "sharing" personal information, even though no money changes hands for your data.
Because of this, we do not claim that we "never sell" your information. Instead, we give you clear control:
- California residents can use the "Do Not Sell or Share My Personal Information" link in our website footer to opt out;
- EEA/UK users can decline advertising cookies through the cookie banner;
- We honor recognized opt-out preference signals (such as Global Privacy Control) where required by law.
We do not sell or share the personal information of anyone we know to be under 18.
How we share your data
We share Personal Data only as described here, and we never trade your data for money. We share with:
- Service providers / sub-processors that process data on our behalf under contract, limited to what they need for their task (listed below);
- Other users, to the extent necessary for freelancers and clients to work together (e.g., profile details and deliverables);
- Authorities, where required by law or valid legal process, or to protect rights, safety, and the public;
- A successor, in a merger, acquisition, or asset sale, with notice provided before your data becomes subject to a different policy.
10.1 Key service providers
| Provider | Role |
|---|---|
| Amazon Web Services | Cloud hosting and infrastructure (sole hosting provider; US region). |
| Stripe | Payment processing and identity verification (PCI-DSS compliant; we do not store card details). |
| Google Analytics / Tag Manager | Web analytics and tag management. |
| OpenAI | Content moderation only; data shared is limited to moderation. |
| Social platforms | Facebook, Instagram, LinkedIn, YouTube, X, for marketing and social login where you choose to connect them. |
You can review each provider's privacy practices on their own websites. We confirm we do not share your data with these providers beyond what their stated role requires.
International data transfers
Loxala is based in the United States, and all Personal Data is currently stored and processed on AWS infrastructure in the United States. If you are located in the EEA or UK, your data is transferred to the United States, whose data-protection laws differ from your own.
To protect these transfers, we rely on appropriate safeguards under the GDPR and UK GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Addendum, incorporated into our agreements with US-based processors (including AWS under its Data Processing Addendum); and
- Supplementary technical and organizational measures, such as encryption in transit and at rest and access controls.
You may request a copy of the relevant safeguards by contacting [email protected].
Data retention
We keep Personal Data only for as long as necessary for the purposes in this Policy, then delete or anonymize it. Indicative periods:
| Data | Retention |
|---|---|
| Account and profile data | While your account is active, then deleted or anonymized within a set period after closure. |
| KYC / identity verification records | As long as required by AML and other laws (often several years after the relationship ends). |
| Payment records | As required by tax and accounting law. |
| Recordings and screen captures | Only as long as needed for the dispute/quality purpose, then deleted (see Section 13). |
| Usage and analytics data | A shorter period, unless needed for security or legal reasons. |
| Marketing data | Until you opt out, then suppressed from further marketing. |
Recording, screen capture & monitoring
To support quality, security, and dispute resolution, the Platform includes the following features. Where the law requires consent (including from all participants), we obtain it before recording.
- Video-call recording: calls conducted through the Platform may be recorded. All participants are notified, and recordings are used for dispute resolution and quality assurance.
- Time Tracker screen capture: when enabled for a project, the Time Tracker captures periodic screenshots to verify work progress. These are visible to the relevant client and used to resolve disputes.
- Messaging and call logs: messages, call logs (time, participants, duration), and task updates may be stored and reviewed to maintain safety, resolve disputes, and uphold platform standards.
- Community content moderation: user-generated community content is monitored for compliance with our guidelines, and prohibited content is removed.
Special-category & sensitive data
Some data needs heightened protection. We handle it as follows:
- Government-issued ID and date of birth: collected for identity verification and KYC/AML, on the basis of explicit consent and legal obligation, and processed through our verification provider.
- Biometric data (MFA): if you choose biometric multi-factor authentication (e.g., fingerprint), the biometric match is performed on your own device; we do not collect or store your biometric template.
- Precise geolocation: collected only with permission, and for security/KYC purposes.
Your privacy rights
15.1 EEA / UK users (GDPR)
You have the right to access, rectify, erase, restrict, and port your data; to object to certain processing; to withdraw consent at any time; and to lodge a complaint with your local supervisory authority. Where possible, you can exercise these rights in your account settings, or by contacting [email protected]. We may verify your identity before responding.
15.2 California residents (CCPA/CPRA)
You have the right to know what personal information we collect and how we use and disclose it; to access and delete it; to correct inaccurate information; to opt out of "sale" or "sharing" for cross-context advertising; and not to be discriminated against for exercising your rights. Use the "Do Not Sell or Share My Personal Information" link, or contact us. We respond to Do Not Track and Global Privacy Control signals as required by law.
15.3 Other U.S. states
Residents of states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, and Texas) have similar rights to access, correct, delete, and opt out of targeted advertising and certain profiling. Contact us to exercise them.
Security
We use commercially reasonable technical and organizational measures to protect your data, including encryption in transit and at rest, access controls, multi-factor authentication, and secure hosting on AWS. Passwords are stored hashed and salted, and card details are handled by PCI-DSS-compliant processors outside our environment. No system is completely secure; in the event of a data breach, we will notify affected users and regulators as required by law.
Children
The Platform is not intended for anyone under 18, and we do not knowingly collect personal data from people under 18. If you are under 18, do not use the Platform or provide any information about yourself. If we learn we have collected data from someone under 18 without proper consent, we will delete it. If you believe a minor has provided us data, contact [email protected]. California residents under 16 may have additional rights regarding the sale or sharing of their information.
EU/UK representative & Data Protection Officer
Because we offer services to individuals in the EEA and UK but are established only in the United States, we appoint representatives as required by GDPR Article 27 and UK GDPR. You may contact them on data-protection matters:
| Role | Contact |
|---|---|
| EU Representative (GDPR Art. 27) | Available on request via [email protected] |
| UK Representative (UK GDPR) | Available on request via [email protected] |
| Data Protection Officer | [email protected] |
Changes to this policy
We may update this Policy from time to time. We will post the updated version here and, for material changes, provide additional notice (such as email or an in-product message). Please review it periodically.
Contact us
Questions or requests about this Policy or your data: [email protected]. You can also make a data request through your account settings where available.
Questions about your privacy?
Our privacy team is here to help. Reach out anytime and a real person will get back to you, no tickets lost in the void.