GDPR Compliance
Last updated: March 2026
Vexcraft is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page provides information about how we handle personal data in accordance with GDPR requirements.
1. Data Controller
For the purposes of the GDPR, Vexcraft acts as the Data Controller for personal data collected through vexcraft.io. As Data Controller, we determine the purposes and means of processing your personal data.
2. Legal Basis for Processing
We process your personal data only where we have a valid legal basis to do so under Article 6 of the GDPR:
Contract Performance (Art. 6(1)(b))
Processing necessary to fulfil a contract with you, such as managing your account, processing orders, and delivering services you have purchased.
Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable legal obligations, such as tax and accounting requirements.
Legitimate Interests (Art. 6(1)(f))
Processing based on our legitimate business interests, including fraud prevention, improving our services, and maintaining the security of our platform, where these interests are not overridden by your rights.
Consent (Art. 6(1)(a))
Where we rely on your consent to process data, such as for optional marketing communications, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
3. Data Subject Rights
Under the GDPR, individuals whose personal data we process ("data subjects") have the following rights:
- •Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data along with supplementary information about how it is used.
- •Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected without undue delay. You may also have the right to have incomplete data completed.
- •Right to Erasure / Right to be Forgotten (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, you withdraw consent, or processing is unlawful.
- •Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing.
- •Right to Data Portability (Art. 20): You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- •Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately.
- •Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
4. How to Exercise Your Rights
To exercise any of your GDPR rights, please submit a written request to our dedicated data protection contact:
Data Protection Contact
Email: gdpr@vexcraft.io
When submitting your request, please include:
- •Your full name and email address associated with your Vexcraft account.
- •A clear description of the right you wish to exercise.
- •Any relevant details to help us identify and process your request.
We will respond to your request within 30 days. In complex cases we may extend this period by a further two months, and we will notify you accordingly. We do not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the EU, the relevant authority is typically the data protection authority of the EU member state in which you reside.
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.
- •Account data is retained for as long as your account is active. If you request account deletion, we will erase your data within 30 days, except where retention is required by law.
- •Order and transaction records are retained for a minimum of 7 years in compliance with financial and tax regulations.
- •Support communications are retained for up to 2 years after the resolution of your enquiry.
- •Analytics data is aggregated and anonymised after 14 months.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements.
We rely on the following safeguards for international transfers:
- •Adequacy decisions by the European Commission for transfers to countries deemed to provide an adequate level of protection.
- •Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third-party service providers.
- •Binding Corporate Rules or other approved transfer mechanisms where applicable.
Our primary third-party processors (Stripe, Google) maintain their own GDPR-compliant data transfer mechanisms. You may request details of the safeguards in place for any specific transfer by contacting gdpr@vexcraft.io.
7. Contact for Data Requests
For all GDPR-related enquiries, data subject requests, or privacy concerns, please contact our dedicated data protection team: