Privacy Policy
Last updated: June 23, 2026
Hexcraft Oy (Business ID: 3569616-7), located at Satelliitinkatu 1, FI-37140 Nokia, Finland ("Hexcraft", "we", "our", or "us"), operates the Hexed brand and provides our websites, online store, digital experiences, products, and related services (collectively, the "Services").
Our Services include:
• the Hexed online store at hexedcosmetics.com, powered by Shopify Inc.; and
• the HEXED Crossing experience at crossing.hexedcosmetics.com, powered by Vercel Inc., through which users can participate in our pre-launch experience and apply for early access.
Depending on the Services you use, Shopify Inc., Vercel Inc., and certain other service providers described in this Privacy Policy may process personal data on our behalf in accordance with applicable data protection laws.
This Privacy Policy explains how we collect, use, store, share, and otherwise process your personal information when you visit or use our Services, purchase our products, communicate with us, or otherwise interact with Hexcraft.
Please read this Privacy Policy carefully. By using our Services, you acknowledge that your personal information will be processed as described in this Privacy Policy.
Personal Information We Collect or Process
When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you or another person. Personal information does not include information that is collected anonymously or that has been de-identified, so that it cannot identify or be reasonably linked to you. We may collect or process the following categories of personal information, including inferences drawn from this personal information, depending on how you interact with the Services, where you live, and as permitted or required by applicable law:
- Contact details including your name, address, billing address, shipping address, phone number, and email address.
- Financial information including credit card, debit card, and financial account numbers, payment card information, financial account information, transaction details, form of payment, payment confirmation and other payment details.
- Account information including your username, password, security questions, preferences and settings.
- Transaction information including the items you view, put in your cart, add to your wishlist, or purchase, return, exchange or cancel and your past transactions.
- HEXED Crossing data including your responses to the seven Ferry Crossing questions, your assigned tribe (one of Eirwyn, Nyrá, Myrkova, or Eimyrja), the personal Ferryman sentence selected for you based on your answers, and the date on which you completed the Crossing.
- Communications with us including the information you include in communications with us, for example, when sending a customer support inquiry.
- Device information including information about your device, browser, or network connection, your IP address, and other unique identifiers.
- Usage information including information regarding your interaction with the Services, including how and when you interact with or navigate the Services.
We collect and process this personal information on the following legal bases, as permitted by applicable law:
- to perform our contract with you (for example, to process your purchases and deliver products);
- to comply with legal obligations (such as tax and accounting requirements);
- based on your consent (for example, for marketing communications and for participating in the HEXED Crossing experience); and
- for our legitimate interests (such as to improve our Services, prevent fraud, and ensure network security).
Payment information
Payment card details are processed securely by our payment service providers. Hexcraft Oy does not store or have access to your complete payment card details.
Legal Basis for Processing
We process your personal information as permitted by applicable data protection laws, on the following legal bases: to perform our contract with you; to comply with legal obligations; based on your consent; and for our legitimate business interests such as providing and improving our Services, preventing fraud, and ensuring network and information security.
No Sensitive Information
We do not collect or process any sensitive personal data (such as health, racial or ethnic origin, or biometric information). The HEXED Crossing questions are reflective and atmospheric in nature and are not designed to elicit sensitive personal data within the meaning of Article 9 GDPR.
Cookies and Tracking
We collect some personal information automatically through cookies and similar technologies. You can learn more and manage your preferences in our Cookie Policy.
Automated Decision-Making
We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. The HEXED Crossing tribe assignment is a deterministic personalisation outcome — the same set of answers always yields the same tribe and Ferryman sentence — and does not affect pricing, product availability, access to services, or any other legally or similarly significant outcome.
Where personal information is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses or an adequacy decision, as required by applicable data protection laws.
Personal Information Sources
• Directly from you, including when you create an account, participate in the HEXED Crossing experience, place an order, subscribe to our newsletter, contact us, or otherwise interact with our Services.
• Automatically through the Services, including information collected from your device, browser, cookies, and similar technologies when you visit our websites or use our Services.
• From our service providers, where they process personal information on our behalf to provide services such as website hosting, payment processing, order fulfilment, analytics, customer support, email communications, or fraud prevention.
• From business partners or other third parties, where permitted by law, such as payment providers, delivery partners, social media platforms, advertising partners, or analytics providers.
How We Use Your Personal Information
Depending on how you interact with us (customerservice@hexcraft.fi) or which of the Services you use, we may use personal information for the following purposes:
- Provide, Tailor, and Improve the Services. We use your personal information to provide you with the Services, including to perform our contract with you, to process your payments, to fulfill your orders, to remember your preferences and items you are interested in, to send notifications to you related to your account, to process purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, to facilitate any returns and exchanges, to enable you to post reviews, and to create a customized shopping experience for you, such as recommending products related to your purchases. This may include using your personal information to better tailor and improve the Services.
- HEXED Crossing Experience. We use your responses to the seven Ferry Crossing questions to determine your tribe assignment (one of Eirwyn, Nyrá, Myrkova, or Eimyrja) and to select a personal Ferryman sentence from a curated pool of eighty sentences. This information personalises the brand experience offered to you, including the visual presentation of your Marked card, the tribe-specific content available to you in The Grimoire, and any future communications you receive from us. As described above under Automated Decision-Making, the tribe assignment is deterministic and does not produce legal or similarly significant effects within the meaning of Article 22 GDPR. The information generated through the HEXED Crossing is used solely to personalise your experience within the HEXED universe and is not used to evaluate, predict, or make decisions about your personal characteristics, behaviour, financial status, health, or eligibility for any products or services.
- Marketing and Advertising. We use your personal information for marketing and promotional purposes, such as to send marketing, advertising and promotional communications by email, text message or postal mail, and to show you online advertisements for products or services on the Services or other websites, including based on items you previously have purchased or added to your cart and other activity on the Services.
- Security and Fraud Prevention. We use your personal information to authenticate your account, to provide a secure payment and shopping experience, to detect, investigate or take action regarding possible fraudulent, illegal, unsafe, or malicious activity, including the use of automated bot-protection systems (such as Cloudflare Turnstile) at the point of email submission. We use these tools to protect public safety, secure our services, and prevent abuse of our pre-launch list. If you choose to use the Services and register an account, you are responsible for keeping your account credentials safe. We highly recommend that you do not share your username, password or other access details with anyone else.
- Communicating with You. We use your personal information to provide you with customer support, to be responsive to you, to provide effective services to you and to maintain our business relationship with you.
- Legal Reasons. We use your personal information to comply with applicable law or respond to valid legal process, including requests from law enforcement or government agencies, to investigate or participate in civil discovery, potential or actual litigation, or other adversarial legal proceedings, and to enforce or investigate potential violations of our terms or policies.
Legal Bases for Use
We process your personal information under applicable data protection laws, including where it is necessary to perform a contract with you, to comply with our legal obligations, where you have given consent, and for our legitimate interests such as fraud prevention, service improvement, and customer communication. Participation in the HEXED Crossing and receipt of marketing communications are based on your consent, which you may withdraw at any time as described below.
Marketing and Consent
You may withdraw your consent to receive marketing communications at any time using the unsubscribe link in any marketing email, or by contacting us. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
Profiling and Automated Decision-Making
We may use your information to personalise your shopping and brand experience, including via the HEXED Crossing tribe assignment described above. We do not use any automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Summary
In essence, we use your data to provide and enhance our services, deliver the HEXED Crossing and Marked experiences, communicate with you, comply with legal obligations, and maintain a safe and efficient online presence.
How We Disclose Personal Information
We share personal information only where necessary to provide our Services, fulfil our contractual obligations, comply with legal requirements, protect our legitimate interests, or where you have given your consent, in accordance with applicable data protection laws.
Service Providers (Data Processors)
We work with carefully selected third-party service providers who support the operation of our business. These providers process personal information solely on our behalf, under our instructions, and pursuant to written Data Processing Agreements (DPAs) where required under applicable data protection laws, including Article 28 GDPR.
The categories of service providers we currently use include:
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Shopify Inc. | E-commerce platform hosting and payment infrastructure for hexedcosmetics.com | Canada / United States | EU Standard Contractual Clauses |
| Vercel Inc. | Hosting and serverless function infrastructure for crossing.hexedcosmetics.com | United States | EU Standard Contractual Clauses |
| Supabase Inc. | Database services for the HEXED Crossing experience (storage of crossing responses, tribe assignments, Ferryman sentences) | European Union | N/A (within EEA) |
| Klaviyo, Inc. | Email marketing platform, including welcome communications, pre-launch list management, and marketing campaigns | United States | EU Standard Contractual Clauses |
| Cloudflare, Inc. | Bot protection (via Cloudflare Turnstile) at the point of email submission, protecting our pre-launch list from automated abuse | United States | EU Standard Contractual Clauses |
| Consentmo OÜ | Cookie consent management and cookie policy generation | European Union | N/A (within EEA) |
| Tracklution Oy | Server-side analytics and conversion tracking | Finland (European Union) | N/A (within EEA) |
We may update this list from time to time as our operations evolve. Where required by applicable law, we will notify users of material changes through our Services or by other appropriate means.
Other Disclosures
We may also disclose personal information where necessary:
• To comply with applicable laws, regulations, court orders, or lawful requests from public authorities;
• To establish, exercise, or defend legal claims;
• To investigate, prevent, or respond to fraud, security incidents, or unlawful activity;
• In connection with a merger, acquisition, corporate restructuring, financing, or sale of all or part of our business, provided that appropriate safeguards are maintained.
International Transfers
Some of our service providers operate outside the European Economic Area (EEA). Where personal information is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws. These safeguards may include an adequacy decision adopted by the European Commission or the use of the European Commission's Standard Contractual Clauses (SCCs), together with any supplementary measures required to ensure an adequate level of protection.
Relationship with Shopify
Our online store at hexedcosmetics.com is hosted by Shopify Inc., which provides the e-commerce platform through which we offer our products and services.
When you visit or make a purchase through our Shopify-hosted store, certain personal information is processed by Shopify on our behalf to enable essential store functionality, payment processing, order management, fraud prevention, and platform security. This processing is carried out in accordance with our Data Processing Agreement and applicable data protection laws.
In addition to providing the Shopify platform, Shopify may process certain information for its own legitimate business purposes, such as maintaining, securing, improving, and developing its platform and services. In these limited circumstances, Shopify may act as an independent or joint data controller under applicable data protection laws. Where Shopify acts as a controller, it is responsible for responding to requests relating to such processing.
You can learn more about Shopify's privacy practices by reviewing the Shopify Consumer Privacy Policy and, where available, by using the Shopify Privacy Portal to exercise your rights.
Data Controller and Data Processor Relationship
Hexcraft Oy (Business ID: 3569616-7)
Satelliitinkatu 1
FI-37140 Nokia
Finland
is the data controller for the personal information described in this Privacy Policy.
The following providers generally act as our data processors and process personal information solely on our behalf and under written Data Processing Agreements where required by Article 28 GDPR:
• Shopify Inc.
• Vercel Inc.
• Supabase Inc.
• Klaviyo Inc.
• Cloudflare Inc.
• Consentmo OÜ
• Tracklution Oy
International Data Transfers
Some of our service providers operate outside the European Economic Area (EEA) or the United Kingdom. Where personal information is transferred internationally, appropriate safeguards are implemented in accordance with applicable data protection laws, including the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or other recognised transfer mechanisms.
Questions About Our Service Providers
If you have questions about how Hexcraft Oy processes your personal information, please contact us using the contact details provided in this Privacy Policy.
If you have questions relating to the independent processing activities of one of our third-party providers, you may also contact that provider directly through its own privacy policy.
Third Party Websites and Links
Our Services may contain links to websites, applications, or online services operated by third parties. These third-party services are not owned or controlled by Hexcraft Oy and are subject to their own privacy policies, terms of use, and security practices.
We encourage you to review the privacy policies of any third-party service before providing personal information. Once you leave our Services or interact directly with a third-party platform, the processing of your personal information is governed by that third party's own policies.
Where our Services include integrated third-party features (such as social media buttons, embedded content, or payment services), certain technical information—such as your IP address, browser information, device identifiers, or interaction data—may be transmitted directly to the relevant provider where necessary for the functionality of those services or where you have provided the required consent.
Unless otherwise stated in this Privacy Policy, Hexcraft Oy does not disclose your personal information to third-party websites or platforms unless you actively choose to interact with them, initiate the connection yourself, or where such disclosure is necessary to provide the requested Service.
The inclusion of links to third-party websites does not constitute an endorsement or recommendation of their content, products, services, or privacy practices. We are not responsible for the content, availability, security, or privacy practices of third-party websites or services.
Children's Privacy
Our Services are not intended for children under the age of 15, or the minimum age required by applicable law in your country.
We do not knowingly collect or process personal information from children without the appropriate consent of a parent or legal guardian where such consent is required by applicable law.
If we become aware that we have collected personal information from a child without the required consent, we will take reasonable steps to delete that information without undue delay.
If you are a parent or legal guardian and believe that your child has provided us with personal information, please contact us using the contact details provided in this Privacy Policy. We will investigate your request and, where appropriate, delete the relevant personal information.
Where parental consent is required under Article 8 GDPR or other applicable laws, we process the personal information of minors only to the extent permitted by that consent.
Security and Retention of Your Information
We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it from unauthorised access, disclosure, alteration, or destruction. These measures include encryption of sensitive data, access controls, secure storage systems, regular security assessments, and staff awareness training.
Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee "perfect security." In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.
We retain personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy and as required by applicable law. In particular:
- Order and transaction data – retained for up to 6 years to meet accounting and tax obligations under Finnish law.
- Account information – retained while your account remains active or until you request deletion.
- HEXED Crossing data (your responses, tribe assignment, Ferryman sentence, crossing date) – retained for as long as you remain a member of our pre-launch list and The Marked community, and for up to 3 years following a period of inactivity, unless you request earlier deletion.
- Marketing and communications data – retained until you withdraw your consent or unsubscribe, plus a reasonable suppression period to ensure you do not receive further communications in error.
- Customer support records – typically kept for up to 12 months after resolution.
- Bot-protection tokens (Cloudflare Turnstile) – ephemeral; single-use and not retained beyond the verification of your form submission.
After the relevant retention period expires, we securely delete or anonymise your personal information in accordance with our data retention policy. We regularly review the personal information we hold to ensure it is accurate, limited to what is necessary, and up to date.
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the appropriate data protection authorities and, where required, affected individuals, in compliance with applicable data protection laws.
Your Rights
Depending on your place of residence and the applicable data protection laws, you may have some or all of the following rights in relation to your personal information.
These rights are not absolute and may be subject to certain legal conditions or exceptions.
You may have the right to:
• Access your personal information and obtain a copy of the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Request the deletion of your personal information, including your HEXED Crossing responses, tribe assignment, Ferryman sentence, and other information associated with your account, where applicable.
• Restrict or object to certain processing activities, including processing based on our legitimate interests.
• Withdraw your consent at any time where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
• Receive your personal information in a structured, commonly used, and machine-readable format and, where technically feasible, request that it be transferred to another service provider (data portability).
• Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Managing Marketing Preferences
You may withdraw your consent to receive marketing communications at any time by using the unsubscribe link included in our emails or by contacting us directly.
Please note that even if you opt out of marketing communications, we may still send you service-related communications, such as order confirmations, shipping updates, account notifications, or important information relating to your use of our Services.
Exercising Your Rights
You may exercise your rights by contacting us using the contact details provided in this Privacy Policy or, where available, through the settings within our Services.
Before responding to your request, we may ask you to verify your identity in order to protect your personal information and prevent unauthorised access.
We will respond to valid requests without undue delay and, in any event, within one month of receipt, unless a longer period is permitted by applicable law.
Authorised Representatives
Where permitted by applicable law, you may authorise another person to exercise your rights on your behalf. Before fulfilling such a request, we may require appropriate evidence of that person's authority and may ask you to verify your identity directly.
Complaints
If you believe that our processing of your personal information does not comply with applicable data protection laws, you have the right to lodge a complaint with the competent supervisory authority in your country of residence.
If you are located in Finland, the competent supervisory authority is:
Office of the Data Protection Ombudsman
(Tietosuojavaltuutetun toimisto)
https://tietosuoja.fi/
Shopify
Where Shopify acts as an independent data controller for certain processing activities, requests relating specifically to those activities should be directed to Shopify.
Further information is available in the Shopify Consumer Privacy Policy and through the Shopify Privacy Portal.
Complaints
If you have complaints about how we process your personal information, please contact us using the contact details provided below. Depending on where you live, you may have the right to appeal our decision by contacting us using the contact details set out below, or to lodge your complaint with your local data protection authority. For the EEA, you can find a list of the responsible data protection supervisory authorities through the European Data Protection Board.
If you have concerns about how we handle your personal information, we encourage you to contact us first so we can try to resolve the matter directly.
You also have the right to lodge a complaint with your local data protection authority, particularly in the country of your habitual residence, place of work, or where an alleged infringement has occurred.
In Finland, the relevant supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):
- Address: Ratapihantie 9, 00520 Helsinki, Finland
- Website: https://tietosuoja.fi
- Email: tietosuoja@om.fi
Making a complaint does not affect any other rights or remedies you may have under law.
International Transfers
Some of our service providers operate outside the European Economic Area (EEA) or the United Kingdom. As a result, your personal information may be transferred to, stored in, or processed in countries outside your country of residence.
Where personal information is transferred outside the EEA or the United Kingdom, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws. Depending on the circumstances, these safeguards may include:
• an adequacy decision adopted by the European Commission or the relevant UK authority;
• the European Commission's Standard Contractual Clauses (SCCs);
• the UK International Data Transfer Addendum; or
• another lawful transfer mechanism recognised under applicable data protection laws.
In addition to these legal safeguards, we require our service providers to implement appropriate technical and organisational security measures designed to protect personal information, including encryption, access controls, network security, and other appropriate information security measures.
You may contact us at any time if you would like further information about the safeguards used when transferring your personal information internationally.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on this website, update the "Last updated" date and provide notice as required by applicable law.
Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we process your personal information, please contact us:
Hexcraft Oy
Business ID: 3569616-7
Satelliitinkatu 1
FI-37140 Nokia
Finland
Email: customerservice@hexcraft.fi
Phone: +358 45 861 9591
For the purposes of applicable data protection laws, Hexcraft Oy is the data controller responsible for the processing of your personal information. You may contact us at any time to exercise your data protection rights or to ask questions about how we process your personal information.
© 2026 Hexcraft Oy. All rights reserved.
HEXED is a registered trademark or trademark of Hexcraft Oy, where applicable.
Product descriptions, formulations, packaging, pricing, availability, and other information presented on our Services may be updated or changed without prior notice.