top of page

                                                                                      Privacy Policy

 

​​

Last updated: 26 June 2026

In this Privacy Policy, “we”, “us”, and “our” refer to the data controller operating under the trade name MaryFox Art, whose details are provided below.

1. Data Controller

The data controller responsible for the processing of personal data is:

Mariia Porshneva (NIF: 309757410)

Sole proprietor operating under the brand MaryFox Art

Rua Maria Telles Mendes, 15 - 4º Esq.

2770-120 Paço de Arcos

Portugal

Email: maryfoxart.info@gmail.com

The data controller determines the purposes and means of processing personal data in accordance with the General Data Protection Regulation.

For any questions related to data processing, you may contact us using the email above.

A Data Protection Officer (DPO) has not been appointed, as processing is not carried out on a large scale and does not involve special categories of data (Article 37 GDPR; CNPD guidance).

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through the MaryFox Art website, including:

• browsing the website

• placing orders

• communication with users

• subscription to newsletters

• use of website technical tools

This policy is provided in accordance with Articles 12–14 GDPR to ensure transparency of data processing.

3. Categories of Personal Data

We process the following categories of personal data:

3.1 Identification Data

• full name

3.2 Contact Data

• email address

• phone number

3.3 Order Data

• shipping and billing address

• order information

• payment status

3.4 Payment Data

Payment data (such as card details) is not processed or stored by us.

It is transmitted directly to payment providers (Stripe, PayPal), which act as independent data controllers.

3.5 Technical Data

• IP address

• browser type

• device information

• cookies

• website interaction data

3.6 Communication Data

• messages submitted via forms

• email correspondence

• social media messages

3.7 Children’s Data

This website is not intended for children.

We do not knowingly collect personal data from children below the age at which consent for data processing is permitted under applicable national law within the European Economic Area (generally between 13 and 16 years, depending on the country).

Where required by applicable law, processing of children’s personal data is permitted only with verified parental consent.

If we become aware that personal data of a child has been collected without such consent, it will be deleted without undue delay.

We do not process special categories of personal data (Article 9 GDPR).

We collect only the data necessary for contract performance and website functionality (data minimization principle, Article 5 GDPR).

4. Methods of Data Collection

Personal data is collected through:

• placing an order

• filling out website forms

• contacting us

• subscribing to newsletters

• automatic collection via cookies and similar technologies

Non-essential data (such as analytics or marketing cookies) is collected only after obtaining user consent.

Users are presented with a cookie consent banner allowing them to accept, reject, or customize non-essential cookies.

Consent is obtained prior to setting non-essential cookies.

Users may withdraw or modify their consent at any time.

5. Purposes of Processing and Legal Basis

Processing is carried out in accordance with Article 6 GDPR:

5.1 Performance of a Contract (Article 6(1)(b))

• order processing

• delivery of goods

• customer support

Providing personal data is necessary for the conclusion and performance of a contract.

Failure to provide such data may result in the inability to process an order.

5.2 Legal Obligation (Article 6(1)(c))

• compliance with tax and accounting laws

• retention of financial records for 10 years (DL 28/2019, Portugal)

5.3 Legitimate Interest (Article 6(1)(f))

• communication with customers

• maintaining service quality

• improving website functionality

• ensuring security

• fraud prevention (e.g. detecting suspicious transactions or abuse of services)

Our legitimate interest consists in maintaining a proper level of service, ensuring business continuity, and protecting both the business and its users.

We ensure that such interests do not override the fundamental rights and freedoms of users.

Where required, we document and maintain Legitimate Interest Assessments (LIA).

Users have the right to object to processing based on legitimate interests at any time (Article 21 GDPR).

5.4 Consent (Article 6(1)(a))

• sending marketing communications

• use of analytics and marketing cookies

 Users may unsubscribe from marketing communications at any time, free of charge.(Article 7 GDPR).

6. Data Sharing with Third Parties

We do not sell personal data.

Data is shared only when necessary with the following partners:

• Wix — hosting, website infrastructure, and analytics tools (including Wix Analytics)

• Stripe / PayPal — payment processing

• CTT Correios de Portugal — delivery services

• technical and accounting service providers

These entities:

• may act as data processors (Article 28 GDPR) or independent data controllers

• process data only on our instructions where applicable

• are contractually bound to ensure confidentiality and data security

Payment providers act as independent data controllers.

Wix may act as both a data processor and an independent data controller depending on the service.

7. International Data Transfers

Some service providers may process data outside the European Economic Area (EEA).

In such cases, appropriate safeguards are applied, including:

• Standard Contractual Clauses (SCCs)

• adequacy decisions of the European Commission

• EU–US Data Privacy Framework, where applicable

• other legally recognized safeguards

In particular:

• Wix (Israel) operates under an adequacy decision

• Stripe and PayPal (USA) rely on SCCs and/or the EU–US Data Privacy Framework

Users may request additional information about safeguards.

8. Data Retention

We comply with the storage limitation principle:

• accounting data — up to 10 years

• order data — for as long as necessary to fulfil contractual obligations, comply with legal requirements, resolve disputes, and enforce agreements

• customer inquiries — up to 12 months

• marketing data — until consent is withdrawn

• cookies — depending on type

After this period, data is deleted or anonymized.

Upon request, personal data will be erased without undue delay, except where retention is required by law.

9. Data Security

We implement appropriate technical and organizational measures:

• HTTPS

• restricted access

• encryption and data protection measures

• trusted service providers

• access control

• backups and monitoring

• regular review of security measures

No system is completely secure.

10. Data Breach Notification

In case of a personal data breach, we will notify the competent supervisory authority (including CNPD) within 72 hours where required.

Where there is a high risk, affected users will be informed without undue delay.

11. Data Subject Rights

You have the right to:

• access

• rectification

• erasure

• restriction

• portability

• objection

• withdraw consent

• lodge a complaint

The right to portability applies only where processing is based on consent or contract.

Requests:

maryfoxart.info@gmail.com

We respond within 1 month.

12. Complaints

You may lodge a complaint with:

CNPD

Av. D. Carlos I, 134 – 1.º

1200-651 Lisboa

https://www.cnpd.pt

Or any EU supervisory authority.

13. Cookies

We use cookies in accordance with ePrivacy legislation.

Types:

• essential

• analytics

• marketing

We use tools including Wix Analytics and similar technologies.

Non-essential cookies:

• require prior consent

• can be accepted, rejected, or customized

• can be withdrawn anytime

User choices are recorded via a Consent Management Platform (CMP).

A separate Cookie Policy or cookie management interface may provide additional details about specific cookies used.

Refusing cookies does not affect basic functionality.

14. Automated Decision-Making

We do not use automated decision-making or profiling (Article 22 GDPR).

15.Third-Party Links

We may link to external platforms (Instagram, Facebook, Pinterest, etc.).

We are not responsible for their data processing.

16. Updates to This Policy

We may update this policy.

Latest version is always available on the website.

17. Severability

If any provision is invalid, the rest remains in force.

Handcrafted

EU Shipping

Real Photos & Videos

Secure Checkout

We accept:

© MaryFox Art 2026  All rights reserved.

bottom of page