Privacy Policy

Last updated: 13 May 2026

1. Who We Are

Musės Shop ("we", "us", "our") is operated by Musės, a marketplace connecting artisan fly tyers with buyers across the European Union and beyond. Our registered address and data controller contact can be reached at legal@muses.lt.

2. What Personal Data We Collect

We collect the following categories of personal data:

Account data: name, email address, hashed password
Order data: shipping address, billing address, phone number
Payment data: payment method token (we do not store card numbers; Stripe handles raw card data)
Seller data: company name, VAT/Tax ID, bank/payout details, seller profile content
Usage data: IP address, browser type, pages visited, session identifiers (via cookies — see our Cookie Policy)
Communications: messages sent through our contact form or to our support email

3. Purposes and Legal Bases

We process your personal data on the following legal bases under GDPR Article 6:

Contract performance (Art. 6(1)(b)): to process orders, manage your account, and facilitate marketplace transactions
Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and DAC7 reporting obligations
Legitimate interests (Art. 6(1)(f)): to prevent fraud, ensure platform security, and improve our services
Consent (Art. 6(1)(a)): to send marketing emails (you may withdraw consent at any time)

4. How Long We Keep Your Data

Account and order data: up to 7 years after account closure (tax retention obligations)
Marketing consent records: until withdrawn, plus 3 years for compliance evidence
Support communications: 3 years from last contact
Cookie analytics data: up to 26 months

5. Who We Share Your Data With

We share data with the following categories of recipients:

Stripe, Inc. — payment processing (sub-processor under a DPA)
Vercel, Inc. — hosting and edge compute
Sentry, Inc. — error monitoring (anonymised where possible)
Sellers on our platform: your name, shipping address, and order details are shared with the seller fulfilling your order

We do not sell your personal data to third parties.

6. Your GDPR Rights

As an EU/EEA data subject you have the right to:

Access the personal data we hold about you
Rectification of inaccurate data
Erasure ("right to be forgotten") subject to legal retention requirements
Restriction of processing in certain circumstances
Data portability in a machine-readable format
Object to processing based on legitimate interests or for direct marketing
Withdraw consent at any time without affecting prior processing

To exercise any right, email legal@muses.lt. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Lithuania this is the State Data Protection Inspectorate (www.ada.lt).

7. Cookies

We use cookies to operate the platform and, with your consent, for analytics and marketing. See our full Cookie Policy for details.

8. Changes to This Policy

We may update this policy to reflect changes in law or our practices. Material changes will be notified by email or a prominent notice on the site. This policy was last reviewed on 13 May 2026.

2. What Personal Data We Collect

We collect the following categories of personal data:

Account data: name, email address, hashed password

Order data: shipping address, billing address, phone number

Payment data: payment method token (we do not store card numbers; Stripe handles raw card data)

Seller data: company name, VAT/Tax ID, bank/payout details, seller profile content

Usage data: IP address, browser type, pages visited, session identifiers (via cookies — see our Cookie Policy)

Communications: messages sent through our contact form or to our support email

3. Purposes and Legal Bases

We process your personal data on the following legal bases under GDPR Article 6:

Contract performance (Art. 6(1)(b)): to process orders, manage your account, and facilitate marketplace transactions

Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and DAC7 reporting obligations

Legitimate interests (Art. 6(1)(f)): to prevent fraud, ensure platform security, and improve our services

Consent (Art. 6(1)(a)): to send marketing emails (you may withdraw consent at any time)

5. Who We Share Your Data With

We share data with the following categories of recipients:

Stripe, Inc. — payment processing (sub-processor under a DPA)

Vercel, Inc. — hosting and edge compute

Sentry, Inc. — error monitoring (anonymised where possible)

Sellers on our platform: your name, shipping address, and order details are shared with the seller fulfilling your order

We do not sell your personal data to third parties.

6. Your GDPR Rights

As an EU/EEA data subject you have the right to:

Access the personal data we hold about you

Rectification of inaccurate data

Erasure ("right to be forgotten") subject to legal retention requirements

Restriction of processing in certain circumstances

Data portability in a machine-readable format

Object to processing based on legitimate interests or for direct marketing

Withdraw consent at any time without affecting prior processing