Privacy Policy
Last updated: April 2026
1. Who We Are (Data Controller)
Eva's Art & Design is the data controller responsible for your personal data. We are a small business based in Portsmouth, Hampshire, United Kingdom.
If you have any questions about how we handle your data, please contact us at sales@evasartdesign.com.
This Privacy Policy explains how we collect, use, store and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
Personal Data you provide to us
When you contact us, place an order, or submit a review, we may collect:
- Your name
- Email address
- Delivery address
- Message content (from contact form)
Usage Data collected automatically
When you visit our website, we may automatically collect technical information including your IP address, browser type and version, the pages you visit, time and date of your visit, and time spent on pages. This helps us understand how our website is used and improve it.
Payment Data
We do not collect or store your payment card details. All payments are processed securely by Shopify. Please refer to Shopify's own privacy policy for details of how they handle payment data.
3. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
- Contract — processing is necessary to fulfil your order or respond to your enquiry
- Legitimate interests — to improve our website and services, and to prevent fraud
- Consent — where you have given explicit consent, such as opting in to marketing emails
- Legal obligation — where we are required to process data to comply with the law
4. How We Use Your Data
We use your personal data for the following purposes:
- To process and fulfil your order
- To respond to your contact form messages and enquiries
- To send order confirmation and delivery updates
- To send a review request after your order is delivered (if you have agreed)
- To send marketing emails (only if you have opted in — you can unsubscribe at any time)
- To improve and maintain our website
- To comply with legal obligations
5. Cookies
Our website uses cookies — small text files stored on your device — to help the site function and to improve your experience. You can instruct your browser to refuse all cookies, though this may affect some website functionality.
We use the following types of cookies:
- Essential / Session cookies — strictly necessary for the website to function (e.g. keeping you logged in to the admin area)
- Preference cookies — remember choices you've made (e.g. dismissing the announcement banner)
- Analytics cookies — help us understand how visitors use the site (e.g. Google Analytics, if enabled)
6. Sharing Your Data
We do not sell your personal data. We may share your data only in the following circumstances:
- Shopify — to process your payment securely
- Royal Mail / courier services — your delivery address is shared to fulfil your order
- Google Analytics — anonymised usage data to help us understand site traffic (if enabled)
- Legal requirements — if required to do so by law or in response to valid requests by public authorities
Any third parties we share data with are required to handle it in accordance with applicable data protection law.
7. Data Retention
We retain your personal data only for as long as is necessary for the purposes described in this policy:
- Order and customer data — retained for up to 7 years to comply with HMRC requirements
- Contact form messages — retained for up to 2 years
- Marketing consent records — retained until you withdraw consent
You may request deletion of your personal data at any time by contacting us. Please note that we may need to retain certain data for legal or accounting purposes even after a deletion request.
8. Data Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. Our website is served over HTTPS (SSL/TLS encryption) and our admin area is password protected.
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access
You can request a copy of the personal data we hold about you (Subject Access Request).
Right to Rectification
You can ask us to correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can ask us to delete your personal data ("right to be forgotten"), subject to certain legal exceptions.
Right to Restrict Processing
You can ask us to limit how we use your data in certain circumstances.
Right to Data Portability
You can request your personal data in a structured, machine-readable format to transfer to another service.
Right to Object
You can object to us processing your data for direct marketing or where we rely on legitimate interests.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
Right to Complain
You have the right to lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk.
To exercise any of these rights, please contact us at sales@evasartdesign.com. We will respond within 30 days.
10. Children's Privacy
Our website is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe your child has provided us with personal data, please contact us and we will delete it promptly.
11. Third-Party Links
Our website may contain links to external websites not operated by us (such as Shopify, Instagram, Pinterest). We have no control over and accept no responsibility for the privacy practices or content of those sites. We encourage you to read their privacy policies.
12. International Data Transfers
Some of our third-party service providers may be based outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.
13. ICO Registration
Businesses that process personal data may be required to register with the Information Commissioner's Office (ICO). For further information about data protection obligations for small businesses, visit ico.org.uk.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated date at the top. We encourage you to review this policy periodically.
15. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us or email sales@evasartdesign.com. We aim to respond within 1–2 business days.
Business Contact Information
Eva's Art & Design
Outram Rd.
Portsmouth, UK
Email: sales@evasartdesign.com