Privacy Policy

Privacy Policy

Operated by MB “Loli”, Vilnius, Lithuania Last updated: October 26, 2025

This Privacy Policy describes how Art & Potatoes (“A&P”, “we”, “us”, “our”) collects, uses, and shares information when you use our marketplace (the “Service”). It also explains your rights under GDPR and other applicable laws.

By using the Service, you agree to this Privacy Policy.

  1. Interpretation and Definitions

Account — your user account for the Service. Application / Service — the Art & Potatoes online marketplace (web/mobile). Buyer — users purchasing artworks or goods. Seller — users listing artworks or goods for sale. Company / Operator / Data Controller — Art & Potatoes, operated by MB “Loli”, Vilnius, Lithuania. Country — Lithuania (EU). Personal Data — any information relating to an identified or identifiable person. Processor / Service Provider — third parties processing data on our behalf (e.g., Sharetribe, Stripe). Website — www.artandpotatoes.com

You — the individual or legal entity using the Service (also “Data Subject” under GDPR).

  1. Contact Us (Data Controller)

Company: MB “Loli” Email: hello@artandpotatoes.com

Contact page: www.artandpotatoes.com/contact

Supervisory authority (Lithuania): State Data Protection Inspectorate (VDAI)

  1. What We Collect 3.1 Personal Data you provide

Identity & contact: name, email, phone, billing/shipping address

Account data: username, profile details, preferences, saved items

Transaction data: order details, prices, taxes, messages between Buyer/Seller

Verification / payouts (Sellers): identity/KYC info, business info and bank details (collected/processed by Stripe ; we don’t store full bank or card data)

Support data: enquiries, claims/disputes, documents you submit

3.2 Automatically collected (Usage Data, Cookies)

Device info, IP address, browser, pages viewed, time spent, referrer/UTM, and cookies (see Section 6).

3.3 From third parties (optional/connected)

Social login (if enabled): name, email from Google/Apple/etc.

Payment status: from Stripe (success, payout timing, refunds, disputes)

Shipping status: delivery updates as provided by the Seller or their chosen carrier

  1. Why We Use Your Data (GDPR legal bases)

Provide the Service & contracts (Art. 6(1)(b))

Payments & fraud prevention (Art. 6(1)(b),(f)) via Stripe

Curation & moderation (Art. 6(1)(f))

Communications (Art. 6(1)(b),(f))

Marketing (soft opt-in / consent) (Art. 6(1)(f)/(a))

Analytics & improvements (Art. 6(1)(f))

Legal obligations (Art. 6(1)(c))

Showcasing public listing images in A&P social/ads (Art. 6(1)(f)); you may object at any time (see Your Rights).

  1. Sharing Your Data

We share data only as needed:

Platform provider: Sharetribe (hosting/marketplace functionality)

Payments: Stripe (cards, payouts, KYC). We do not store full card/bank details.

Shipping: the carrier chosen by the Seller. We provide the Seller with delivery details (name, address, phone) so they can arrange shipping; the Seller may share those details with their selected carrier to fulfill delivery. Carriers process data under their own privacy policies.

Email/notifications, analytics, support tools: where used.

Authorities/legal: when required by law.

Business changes: if we merge/sell assets, subject to this Policy.

Note on roles: For shipments, Sellers act as independent data controllers for their own fulfillment. They must handle buyer data in compliance with GDPR and only for delivery and related communications.

  1. Cookies & Tracking

We use essential, functional, analytics (aggregated), and—if enabled—marketing cookies. You can manage cookies in your browser. Essential cookies are required for login/checkout.

  1. International Transfers

If data is processed outside the EEA (e.g., by Stripe or analytics providers), we use EU Standard Contractual Clauses or other lawful safeguards.

  1. Retention

We keep data only as long as needed for the Service, legal obligations (e.g., tax/accounting), dispute handling, and fraud prevention. Then we delete or anonymize it.

  1. Your Rights (GDPR)

You may contact us at hello@artandpotatoes.com to:

Access your personal data

Rectify inaccurate data

Erase personal data (“Right to be forgotten”)

Restrict or object to processing (including marketing and use of your listing images in A&P promotional channels)

Port your data

Withdraw consent

You may also file a complaint with the State Data Protection Inspectorate (VDAI) .

  1. Payments & Payouts (Stripe)

Buyers’ card data is processed by Stripe (we don’t store full card details).

Sellers’ KYC and bank data are collected/processed by Stripe; we receive payout status only.

Payouts follow our Terms (triggered on completion/auto-completion); Stripe typically transfers funds in 5–10 business days (bank times may apply).

  1. Shipping

We provide delivery details to the Seller (name, address, phone, order info). The Seller selects the shipping partner and shares delivery details with their chosen carrier solely to fulfill the order and provide status updates. A&P does not dictate the carrier and may not control the carrier’s independent processing; carriers act under their own privacy terms.

  1. Children’s Privacy

Not directed to children under 13. We don’t knowingly collect their data. Contact us to delete if collected inadvertently.

  1. California Privacy (CCPA/CPRA)

If California law applies, you may have rights to access, delete, know categories/sources/uses/disclosures, and opt-out of “sale/share” (we do not sell personal info in the common sense). Exercise rights via hello@artandpotatoes.com .

  1. Security

We use appropriate technical and organizational measures. No system is 100% secure—keep your credentials safe and notify us of any suspected breach.

  1. Changes to this Policy

We may update this Policy from time to time. We’ll change the “Last updated” date and, where appropriate, notify you within the Service or by email. Please review regularly.