Privacy Policy
Last updated: 26 June 2026
In this Privacy Policy, “we”, “us”, and “our” refer to the data controller operating under the trade name MaryFox Art, whose details are provided below.
1. Data Controller
The data controller responsible for the processing of personal data is:
Mariia Porshneva (NIF: 309757410)
Sole proprietor operating under the brand MaryFox Art
Rua Maria Telles Mendes, 15 - 4º Esq.
2770-120 Paço de Arcos
Portugal
Email: maryfoxart.info@gmail.com
The data controller determines the purposes and means of processing personal data in accordance with the General Data Protection Regulation.
For any questions related to data processing, you may contact us using the email above.
A Data Protection Officer (DPO) has not been appointed, as processing is not carried out on a large scale and does not involve special categories of data (Article 37 GDPR; CNPD guidance).
⸻
2. Scope of This Policy
This Privacy Policy applies to all personal data collected through the MaryFox Art website, including:
• browsing the website
• placing orders
• communication with users
• subscription to newsletters
• use of website technical tools
This policy is provided in accordance with Articles 12–14 GDPR to ensure transparency of data processing.
⸻
3. Categories of Personal Data
We process the following categories of personal data:
3.1 Identification Data
• full name
3.2 Contact Data
• email address
• phone number
3.3 Order Data
• shipping and billing address
• order information
• payment status
3.4 Payment Data
Payment data (such as card details) is not processed or stored by us.
It is transmitted directly to payment providers (Stripe, PayPal), which act as independent data controllers.
3.5 Technical Data
• IP address
• browser type
• device information
• cookies
• website interaction data
3.6 Communication Data
• messages submitted via forms
• email correspondence
• social media messages
3.7 Children’s Data
This website is not intended for children.
We do not knowingly collect personal data from children below the age at which consent for data processing is permitted under applicable national law within the European Economic Area (generally between 13 and 16 years, depending on the country).
Where required by applicable law, processing of children’s personal data is permitted only with verified parental consent.
If we become aware that personal data of a child has been collected without such consent, it will be deleted without undue delay.
We do not process special categories of personal data (Article 9 GDPR).
We collect only the data necessary for contract performance and website functionality (data minimization principle, Article 5 GDPR).
⸻
4. Methods of Data Collection
Personal data is collected through:
• placing an order
• filling out website forms
• contacting us
• subscribing to newsletters
• automatic collection via cookies and similar technologies
Non-essential data (such as analytics or marketing cookies) is collected only after obtaining user consent.
Users are presented with a cookie consent banner allowing them to accept, reject, or customize non-essential cookies.
Consent is obtained prior to setting non-essential cookies.
Users may withdraw or modify their consent at any time.
⸻
5. Purposes of Processing and Legal Basis
Processing is carried out in accordance with Article 6 GDPR:
5.1 Performance of a Contract (Article 6(1)(b))
• order processing
• delivery of goods
• customer support
Providing personal data is necessary for the conclusion and performance of a contract.
Failure to provide such data may result in the inability to process an order.
5.2 Legal Obligation (Article 6(1)(c))
• compliance with tax and accounting laws
• retention of financial records for 10 years (DL 28/2019, Portugal)
5.3 Legitimate Interest (Article 6(1)(f))
• communication with customers
• maintaining service quality
• improving website functionality
• ensuring security
• fraud prevention (e.g. detecting suspicious transactions or abuse of services)
Our legitimate interest consists in maintaining a proper level of service, ensuring business continuity, and protecting both the business and its users.
We ensure that such interests do not override the fundamental rights and freedoms of users.
Where required, we document and maintain Legitimate Interest Assessments (LIA).
Users have the right to object to processing based on legitimate interests at any time (Article 21 GDPR).
5.4 Consent (Article 6(1)(a))
• sending marketing communications
• use of analytics and marketing cookies
Users may unsubscribe from marketing communications at any time, free of charge.(Article 7 GDPR).
⸻
6. Data Sharing with Third Parties
We do not sell personal data.
Data is shared only when necessary with the following partners:
• Wix — hosting, website infrastructure, and analytics tools (including Wix Analytics)
• Stripe / PayPal — payment processing
• CTT Correios de Portugal — delivery services
• technical and accounting service providers
These entities:
• may act as data processors (Article 28 GDPR) or independent data controllers
• process data only on our instructions where applicable
• are contractually bound to ensure confidentiality and data security
Payment providers act as independent data controllers.
Wix may act as both a data processor and an independent data controller depending on the service.
⸻
7. International Data Transfers
Some service providers may process data outside the European Economic Area (EEA).
In such cases, appropriate safeguards are applied, including:
• Standard Contractual Clauses (SCCs)
• adequacy decisions of the European Commission
• EU–US Data Privacy Framework, where applicable
• other legally recognized safeguards
In particular:
• Wix (Israel) operates under an adequacy decision
• Stripe and PayPal (USA) rely on SCCs and/or the EU–US Data Privacy Framework
Users may request additional information about safeguards.
⸻
8. Data Retention
We comply with the storage limitation principle:
• accounting data — up to 10 years
• order data — for as long as necessary to fulfil contractual obligations, comply with legal requirements, resolve disputes, and enforce agreements
• customer inquiries — up to 12 months
• marketing data — until consent is withdrawn
• cookies — depending on type
After this period, data is deleted or anonymized.
Upon request, personal data will be erased without undue delay, except where retention is required by law.
⸻
9. Data Security
We implement appropriate technical and organizational measures:
• HTTPS
• restricted access
• encryption and data protection measures
• trusted service providers
• access control
• backups and monitoring
• regular review of security measures
No system is completely secure.
⸻
10. Data Breach Notification
In case of a personal data breach, we will notify the competent supervisory authority (including CNPD) within 72 hours where required.
Where there is a high risk, affected users will be informed without undue delay.
⸻
11. Data Subject Rights
You have the right to:
• access
• rectification
• erasure
• restriction
• portability
• objection
• withdraw consent
• lodge a complaint
The right to portability applies only where processing is based on consent or contract.
Requests:
We respond within 1 month.
⸻
12. Complaints
You may lodge a complaint with:
CNPD
Av. D. Carlos I, 134 – 1.º
1200-651 Lisboa
Or any EU supervisory authority.
⸻
13. Cookies
We use cookies in accordance with ePrivacy legislation.
Types:
• essential
• analytics
• marketing
We use tools including Wix Analytics and similar technologies.
Non-essential cookies:
• require prior consent
• can be accepted, rejected, or customized
• can be withdrawn anytime
User choices are recorded via a Consent Management Platform (CMP).
A separate Cookie Policy or cookie management interface may provide additional details about specific cookies used.
Refusing cookies does not affect basic functionality.
⸻
14. Automated Decision-Making
We do not use automated decision-making or profiling (Article 22 GDPR).
⸻
15.Third-Party Links
We may link to external platforms (Instagram, Facebook, Pinterest, etc.).
We are not responsible for their data processing.
⸻
16. Updates to This Policy
We may update this policy.
Latest version is always available on the website.
⸻
17. Severability
If any provision is invalid, the rest remains in force.
