Privacy policy

Last updated: 1 March 2026

This Privacy Policy explains how personal data is collected, used and protected when you visit or make a purchase from elisabeththeo.store.

We are committed to handling personal data transparently and in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act.

1. Contact

If you have any questions regarding the processing of your personal data, you may contact us at any time:

Elisabeth Theo
Freelance Artist (Sole Proprietor)
Vienna, Austria
Email: shop@elisabeththeo.studio

2. Personal Data

Personal data is any information relating to an identified or identifiable natural person. This may include:

  • name
  • email address
  • billing or shipping address
  • payment information
  • IP address
  • device information
  • order history

We process personal data only where necessary and in accordance with applicable legal bases under Article 6 GDPR.

3. Legal Bases for Processing

We process personal data based on the following legal grounds under Article 6 GDPR:

Consent (Art. 6(1)(a))
for example when subscribing to a newsletter.

Contract performance (Art. 6(1)(b))
for processing orders and payments.

Legal obligations (Art. 6(1)(c))
for example accounting and tax requirements under Austrian law.

Legitimate interests (Art. 6(1)(f))
for maintaining website security, fraud prevention and improving services.

4. Website Access and Log Files

When you visit our website, information is automatically transmitted by your browser to our server.

This may include:

  • IP address
  • browser type and version
  • operating system
  • date and time of access
  • referrer URL
  • pages accessed

IP addresses are considered personal data under EU law.

These data are processed to ensure the technical functionality, security and stability of the website.

The legal basis for this processing is our legitimate interest pursuant to Article 6(1)(f) GDPR.

5. Cookies

Our website uses cookies.

Some cookies are technically necessary for the operation of the website.
Other cookies are used only with your consent in accordance with Article 6(1)(a) GDPR.

You can manage or delete cookies through your browser settings and withdraw your consent at any time.

6. Orders and Customer Accounts

When you place an order in our online shop, we process personal data necessary for contract fulfilment.

This may include:

  • name
  • billing and shipping address
  • email address
  • payment information
  • order details

The processing of this data is necessary for the performance of a contract in accordance with Article 6(1)(b) GDPR and for compliance with legal obligations under Austrian tax law (Art. 6(1)(c) GDPR).

6.1 Customer Accounts

You have the option to create a customer account in our online store.

When registering and maintaining a customer account, we process the following personal data:

  • name
  • email address
  • password (stored in encrypted form)
  • billing and shipping addresses
  • order history
  • account preferences

The purpose of processing is:

  • to provide a personalized shopping experience
  • to enable faster checkout
  • to allow access to order history
  • to manage account settings

Legal basis:
Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).

The provision of an account is voluntary. You may delete your account at any time by contacting us at shop@elisabeththeo.studio.

Account data is retained for as long as the account remains active. If the account is deleted, data will be erased unless statutory retention obligations apply.

7. Subscription Product (Mail Club)

We offer a paid subscription product (“Mail Club”) under which subscribers receive a monthly physical letter containing artwork prints and additional items.

When you subscribe, we process the following personal data:

  • name
  • billing address
  • shipping address
  • email address
  • payment information
  • subscription status
  • transaction history

Purpose of processing:

  • conclusion and performance of the subscription contract
  • recurring billing
  • preparation and dispatch of the monthly shipment
  • customer communication regarding the subscription

The subscription renews automatically unless cancelled in accordance with the applicable terms. Personal data is processed for the duration of the active subscription.

Legal basis:

  • Art. 6(1)(b) GDPR (performance of a contract)
  • Art. 6(1)(c) GDPR (legal obligations under Austrian tax law)

Shipping is carried out directly by us via postal service providers. For this purpose, your name and shipping address are transmitted to the respective postal service provider solely for delivery.

Subscription data is retained for the duration of the subscription. After cancellation, data is retained only insofar as required by statutory retention obligations (generally up to 7 years under Austrian law).

You may cancel your subscription at any time in accordance with the applicable terms.

8. Payment Providers

Payments may be processed through external payment service providers acting as independent controllers.

These may include:

  • PayPal
  • Apple Inc. (Apple Pay)
  • Shopify Inc. (Shop Pay)

When using such services, the respective provider processes personal data necessary for the transaction in accordance with their own privacy policies.

Data may be transferred to countries outside the European Economic Area, in particular the United States. Such transfers are safeguarded through participation in the EU-US Data Privacy Framework, Standard Contractual Clauses, or other appropriate safeguards pursuant to Articles 44–49 GDPR.

9. Newsletter

You may subscribe to our newsletter.

To send the newsletter we process:

  • email address
  • registration date and time
  • IP address used during registration

Subscription occurs via a double opt-in procedure.

The legal basis for this processing is your consent under Article 6(1)(a) GDPR.

You can unsubscribe at any time via the unsubscribe link contained in each email or by contacting shop@elisabeththeo.studio.

10. Service Providers

To operate our website and online store we use third-party service providers.

Shopify

The online shop is operated via Shopify Inc.

Shopify provides the e-commerce platform and may process:

  • name
  • billing and shipping address
  • email address
  • payment information
  • IP address
  • order data

Data may be processed in Canada (subject to an EU adequacy decision) and in the United States under appropriate safeguards pursuant to Articles 44–49 GDPR.

10.1 Relationship with Shopify

Our store is hosted on Shopify Inc. Shopify provides the online e-commerce platform that allows us to sell our products and services.

Shopify may process personal data in order to:

  • provide hosting and infrastructure
  • enable checkout and payment processing
  • improve and secure the Services
  • provide fraud prevention and analytics features

In certain cases, Shopify may act as an independent controller, particularly where enhanced features or cross-merchant services are used.

For further information on how Shopify processes personal data, please refer to Shopify’s Consumer Privacy Policy at https://privacy.shopify.com.

theprintspace / Creativehub (Print Fulfilment and Production)

For the production, fulfilment and drop-shipping of fine art prints, we use services provided by theprintspace via its Creativehub software platform.

When you place an order for a print, the following personal data may be transmitted to theprintspace for the purpose of contract performance:

  • name
  • shipping address
  • order details
  • print specifications

Theprintspace processes this data exclusively for the purpose of producing and dispatching the ordered artwork on our behalf.

Legal basis:
Art. 6(1)(b) GDPR (performance of a contract).

Role under data protection law:
Theprintspace acts as a data processor within the meaning of Art. 28 GDPR.

International processing:
Theprintspace operates production facilities within the European Union, including Germany (e.g. Düsseldorf), as well as in the United Kingdom.

Where processing takes place within the European Union, no international data transfer occurs.

Where processing takes place in the United Kingdom, this transfer is covered by an adequacy decision of the European Commission pursuant to Article 45 GDPR.

Seal Subscriptions (Subscription Management)

We use the Shopify application “Seal Subscriptions” to manage recurring subscription payments and subscription contracts.

For this purpose, personal data such as:

  • name
  • email address
  • billing and shipping address
  • subscription status
  • order history
  • payment token information

may be processed in order to manage, renew, or cancel subscriptions.

Legal basis:
Art. 6(1)(b) GDPR (performance of a contract).

Seal Subscriptions acts as a data processor within the meaning of Art. 28 GDPR.

Where personal data is processed outside the European Economic Area, appropriate safeguards pursuant to Articles 44–49 GDPR are applied.

Cloudflare

We use services provided by Cloudflare Inc. to improve website security and performance.

Cloudflare may process IP addresses and technical connection data.

Legal basis: Article 6(1)(f) GDPR (legitimate interest in secure website operation).

hCaptcha

We use hCaptcha, a service provided by Intuition Machines Inc., to protect the website against spam and automated abuse.

Technical information such as IP address, browser information and interaction data may be processed.

Legal basis: Article 6(1)(f) GDPR.

11. International Data Transfers

Some service providers may process personal data outside the European Economic Area (EEA), particularly in the United States.

Where such transfers occur, we ensure that an adequate level of data protection is maintained through:

  • an adequacy decision (Art. 45 GDPR), or
  • Standard Contractual Clauses (Art. 46 GDPR), or
  • participation in the EU-US Data Privacy Framework, where applicable.

12. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.

Due to Austrian accounting and tax regulations, certain data must be retained for up to 7 years.

13. Data Subject Rights

Under the GDPR you have the following rights:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to data portability
  • right to withdraw consent
  • right to object to processing

You may exercise these rights by contacting us at: shop@elisabeththeo.studio

14. Right to Lodge a Complaint

If you believe that the processing of your personal data violates applicable data protection law, or that your data protection rights have otherwise been infringed, you may lodge a complaint with us at shop@elisabeththeo.studio or with the Austrian Data Protection Authority at https://www.dsb.gv.at/.

Österreichische Datenschutzbehörde
Barichgasse 40–42
1030 Vienna
Austria

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal or technical changes. The current version will always be available on our website.